SlideShare a Scribd company logo

Encryption Deep Dive

Diego Pacheco
Diego Pacheco

Encryption Deep Dive: Randomness, Entropy, RNG, PRNG, AES, AES Operational Modes, Data Rotations, Java Encryption APIs, Tradeoffs, challenges, Envelope Encryption, KMS, and much more on all things encryption.

Technology
1 of 36
Download to read offline
Encryption Deep Dive Diego Pacheco
@diego_pacheco ❏ Cat's Father ❏ Head of Software Architect ❏ Agile Coach ❏ SOA/Microservices Expert ❏ DevOps Practitioner ❏ Speaker ❏ Author diegopacheco http://diego-pacheco.blogspot.com.br/ About me... https://diegopacheco.github.io/
https://www.youtube.com/watch?v=WnkCdQb7S9s Security 101
Asymmetrical Encryption ❏ Protect Data at Transit ❏ Public Key Cryptography ❏ Public Key does Encryption ❏ Private Key does Decryption ❏ Used on TLS/mTLS(HTTPS), SSH ❏ Algos: RSA, Diffie-Hellman, ECC ❏ Key Size often from 1 to 4kb
Symmetrical Encryption ❏ Protect Data at Rest (Payment, PII, etc…) ❏ Requires RNG and PRNG ❏ Biggest problem: Share / Access the encryption keys ❏ Block vs Stream Algos ❏ Algos: AES, RC4, RC5 ❏ Key Sizes: 128, 192, 256 ❏ C = E(K,P ) - P = D(K,C)
Symmetrical Encryption ❏ Ciphertext same or slightly bigger than the plaintext ❏ Ciphertext is never smaller than the plaintext ❏ Permutations should be determined by the key ❏ Different keys should result in different permutation ❏ The permutation should look random ❏ Kerckhoffs Principle - 1883 - Really on a secret key - not on the secrecy of the Cipher ❏ Storage vs Application level encryption
Application side encryption Drawbacks ❏ For sure more secure, however… ❏ Requires Engineering Discipline ❏ Requires constant Education / Training ❏ Cripple Features (Uniquines, Joins, Search) ❏ Bugs, Changes, Improvements Intrusive Require Migrations ❏ Key Scoping is mirror by Conway’s law / Architecture
Protecting Keys ❏ Storing the key on a hardware token(Smart Card or USB dongle) ❏ On the fly generation from a password ❏ Wrapping - protecting the key with another key ❏ Key Management System
Randomness ❏ Randomness is a probability distribution ❏ Probability is about the likelihood of something happening: 0 never, 1 certain. ❏ Uniform Distribution when all probabilities are equal chance do happens ❏ Toss a coin (Tail or Head) is 1/2 + 1/2 = 1, 1/2 chance head, 1/2 chance tail.
Entropy ❏ Entropy as a measure of Uncertain ❏ The measure of disorder in a system ❏ Entropy is the amount of surprise found in the result of a random process ❏ Higher entropy less the certain found on the result ❏ Entropy is maximized when the distribution is uniform
RNG ❏ A Source of incertain, or a source of entropy ❏ A Crypto algo to produce high-quality bits from the source of entropy ❏ RNG could be sampling from(Sources of entropy): ❏ measurements of temperature, acoustic noise, air turbulence, or electric static (which are not always available) ❏ Entropy from OS: sensors, I/O devices, network, disk, logs, running process (But can be fragile and manipulated by an attacker)
PRNG ❏ Relly on RNG ❏ RNG product random bits(Analog) but slow and no deterministic and no guarantee of high entropy ❏ PRNG: Random looking data, Quickly from Digital Sources, deterministic and maximum entropy.
PRNG ❏ PRNG needs to ensure backtracking resistance (previously generated bits are impossible to recover) ❏ PRNG needs to ensure prediction resistance (impossible to predict future bits) ❏ /dev/random vs /dev/urandom (un-blocking) ❏ Java Secure Random
AES ❏ World defacto standard encryption ❏ NSA approved AES for TOP-Secret information ❏ AES is more Belgian than American ❏ Blocks of 128 bits (128, 192, 256) ❏ AES will never be broken ❏ All input bytes depends on output bytes in some complex pseudo random way
AES ❏ 2011 - People found a way to recover AES 128 bits key but require an insane amount of data plaintext ciphertext pairs 2 ^ 88 bits (so we don't need to worry about it) ❏ The biggest threat is not the CORE algo bug the Operation Modes ❏ Authentication vs Confidentiality modes
AES Operational Modes ❏ Authenticated Encryption ❏ GCM ❏ CCM ❏ SIV ❏ AES-GCM-SIV ❏ Confidentiality only ❏ ECB ❏ CBC ❏ PCBC ❏ CFB, OFB and CTR
AES Operational Modes - ECB (Electronic Code Book)
AES Operational Modes - ECB (Electronic Code Book)
AES Operational Modes - CBC (Cipher Block Chaining)
AES Operational Modes - PCBC (Propagate Cipher Block Chaining) Each Block XORed plaintext + ciphertext
AES Operational Modes - CFB (Cipher Feedback) ❏ Stream Cipher ❏ Decrypt Parallel ❏ Encryption Blocking
AES Operational Modes - OFB (Output Feedback) ❏ Stream Cipher ❏ Encrypt IV ❏ XOR plaintext ❏ Does not require Padding Data
AES Operational Modes - CTR encryption/decryption parallelization
Java Secure Random https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SecureRandom
Java Secure Random
Java Generate Keys
Java Encrypt
Java Encrypt
Java Decrypt
Java Decrypt
Keys & Data Rotations ❏ Use cases: Regular or Breach ❏ Standard Industry Practice ❏ In AVG around 90 days ❏ Downtime vs No-Downtime ❏ Can have reliability implications ❏ Requires Data Catalogs ❏ Operationality, Observability, Rowbacability challenges
Envelope Encryption ❏ More Secure ❏ Industry Standard ❏ Keys with the Data ❏ Key Encrypting: Keys, Metadata and Data ❏ Bootstrapping problem ❏ KMS
AWS KMS ❏ Uses Cloud HSM to protect the Keys ❏ Keys lever leave AWS ❏ Remote Encryption always ❏ Symmetrical and Asymmetrical encryption ❏ Integrated with IAM and other services(EBS, S3, Kinesis, RedShift, etc...) ❏ Cloud Trail
AWS KMS
Books
Encryption Deep Dive Diego Pacheco

Recommended

Intro to modern cryptography
Intro to modern cryptographyIntro to modern cryptography
Intro to modern cryptographyzahid-mian
 
Different types of Symmetric key Cryptography
Different types of Symmetric key CryptographyDifferent types of Symmetric key Cryptography
Different types of Symmetric key Cryptographysubhradeep mitra
 
Ch11 Basic Cryptography
Ch11 Basic CryptographyCh11 Basic Cryptography
Ch11 Basic CryptographyInformation Technology
 
Information Security Cryptography ( L02- Types Cryptography)
Information Security Cryptography ( L02- Types Cryptography)Information Security Cryptography ( L02- Types Cryptography)
Information Security Cryptography ( L02- Types Cryptography)Anas Rock
 
OpenPGP/GnuPG Encryption
OpenPGP/GnuPG EncryptionOpenPGP/GnuPG Encryption
OpenPGP/GnuPG EncryptionTanner Lovelace
 
Basic cryptography
Basic cryptographyBasic cryptography
Basic cryptographyPerfect Training Center
 
Cryptography - 101
Cryptography - 101Cryptography - 101
Cryptography - 101n|u - The Open Security Community
 
Hybrid Cryptography with examples in Ruby and Go
Hybrid Cryptography with examples in Ruby and GoHybrid Cryptography with examples in Ruby and Go
Hybrid Cryptography with examples in Ruby and GoEleanor McHugh
 

Recommended

Intro to modern cryptography
Intro to modern cryptographyIntro to modern cryptography
Intro to modern cryptographyzahid-mian
 
Different types of Symmetric key Cryptography
Different types of Symmetric key CryptographyDifferent types of Symmetric key Cryptography
Different types of Symmetric key Cryptographysubhradeep mitra
 
Ch11 Basic Cryptography
Ch11 Basic CryptographyCh11 Basic Cryptography
Ch11 Basic CryptographyInformation Technology
 
Information Security Cryptography ( L02- Types Cryptography)
Information Security Cryptography ( L02- Types Cryptography)Information Security Cryptography ( L02- Types Cryptography)
Information Security Cryptography ( L02- Types Cryptography)Anas Rock
 
OpenPGP/GnuPG Encryption
OpenPGP/GnuPG EncryptionOpenPGP/GnuPG Encryption
OpenPGP/GnuPG EncryptionTanner Lovelace
 
Basic cryptography
Basic cryptographyBasic cryptography
Basic cryptographyPerfect Training Center
 
Cryptography - 101
Cryptography - 101Cryptography - 101
Cryptography - 101n|u - The Open Security Community
 
Hybrid Cryptography with examples in Ruby and Go
Hybrid Cryptography with examples in Ruby and GoHybrid Cryptography with examples in Ruby and Go
Hybrid Cryptography with examples in Ruby and GoEleanor McHugh
 
Cryptography
CryptographyCryptography
CryptographyPPT4U
 
Network security cryptography ppt
Network security cryptography pptNetwork security cryptography ppt
Network security cryptography pptThushara92
 
Cryptography
CryptographyCryptography
CryptographyJens Patel
 
Cryptography and Network Security
Cryptography and Network SecurityCryptography and Network Security
Cryptography and Network SecurityPa Van Tanku
 
Data encryption, Description, DES
Data encryption, Description, DESData encryption, Description, DES
Data encryption, Description, DESHuawei Technologies
 
Data encryption standard
Data encryption standardData encryption standard
Data encryption standardPrasad Prabhu
 
Old Linux Security Talk
Old Linux Security TalkOld Linux Security Talk
Old Linux Security TalkTanner Lovelace
 
Evolution of Network, Internet, Security and Public cryptography
Evolution of Network, Internet, Security and Public cryptographyEvolution of Network, Internet, Security and Public cryptography
Evolution of Network, Internet, Security and Public cryptographyjiricejka
 
Cryptography and network security Nit701
Cryptography and network security Nit701Cryptography and network security Nit701
Cryptography and network security Nit701Amit Pathak
 
Cryptography
CryptographyCryptography
Cryptographysubodh pawar
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network securityNagendra Um
 
Cryptography
CryptographyCryptography
CryptographySuhepi Saputri
 
Cryptography and network security
Cryptography and network security Cryptography and network security
Cryptography and network securityMahipesh Satija
 
Fundamentals of cryptography
Fundamentals of cryptographyFundamentals of cryptography
Fundamentals of cryptographyHossain Md Shakhawat
 
Ch 12: Cryptography
Ch 12: CryptographyCh 12: Cryptography
Ch 12: CryptographySam Bowne
 
Ppt cns
Ppt cnsPpt cns
Ppt cnsAmit Pathak
 
cryptography
cryptographycryptography
cryptographyAbhijeet Singh
 
Cryptography
CryptographyCryptography
CryptographyPratiksha Patil
 
Cryptography
CryptographyCryptography
CryptographyIGZ Software house
 
Cryptography cse,ru
Cryptography cse,ruCryptography cse,ru
Cryptography cse,ruHossain Md Shakhawat
 
Go paranoid
Go paranoidGo paranoid
Go paranoidNisheed KM
 
Defeating the entropy downgrade attack
Defeating the entropy downgrade attackDefeating the entropy downgrade attack
Defeating the entropy downgrade attackSeth Wahle
 

More Related Content

What's hot

Cryptography
CryptographyCryptography
CryptographyPPT4U
 
Network security cryptography ppt
Network security cryptography pptNetwork security cryptography ppt
Network security cryptography pptThushara92
 
Cryptography and Network Security
Cryptography and Network SecurityCryptography and Network Security
Cryptography and Network SecurityPa Van Tanku
 
Data encryption, Description, DES
Data encryption, Description, DESData encryption, Description, DES
Data encryption, Description, DESHuawei Technologies
 
Data encryption standard
Data encryption standardData encryption standard
Data encryption standardPrasad Prabhu
 
Evolution of Network, Internet, Security and Public cryptography
Evolution of Network, Internet, Security and Public cryptographyEvolution of Network, Internet, Security and Public cryptography
Evolution of Network, Internet, Security and Public cryptographyjiricejka
 
Cryptography and network security Nit701
Cryptography and network security Nit701Cryptography and network security Nit701
Cryptography and network security Nit701Amit Pathak
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network securityNagendra Um
 
Cryptography and network security
Cryptography and network security Cryptography and network security
Cryptography and network securityMahipesh Satija
 
Ch 12: Cryptography
Ch 12: CryptographyCh 12: Cryptography
Ch 12: CryptographySam Bowne
 

What's hot (20)

Cryptography
CryptographyCryptography
Cryptography
 
Network security cryptography ppt
Network security cryptography pptNetwork security cryptography ppt
Network security cryptography ppt
 
Cryptography
CryptographyCryptography
Cryptography
 
Cryptography and Network Security
Cryptography and Network SecurityCryptography and Network Security
Cryptography and Network Security
 
Data encryption, Description, DES
Data encryption, Description, DESData encryption, Description, DES
Data encryption, Description, DES
 
Data encryption standard
Data encryption standardData encryption standard
Data encryption standard
 
Old Linux Security Talk
Old Linux Security TalkOld Linux Security Talk
Old Linux Security Talk
 
Evolution of Network, Internet, Security and Public cryptography
Evolution of Network, Internet, Security and Public cryptographyEvolution of Network, Internet, Security and Public cryptography
Evolution of Network, Internet, Security and Public cryptography
 
Cryptography and network security Nit701
Cryptography and network security Nit701Cryptography and network security Nit701
Cryptography and network security Nit701
 
Cryptography
CryptographyCryptography
Cryptography
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
 
Cryptography
CryptographyCryptography
Cryptography
 
Cryptography and network security
Cryptography and network security Cryptography and network security
Cryptography and network security
 
Fundamentals of cryptography
Fundamentals of cryptographyFundamentals of cryptography
Fundamentals of cryptography
 
Ch 12: Cryptography
Ch 12: CryptographyCh 12: Cryptography
Ch 12: Cryptography
 
Ppt cns
Ppt cnsPpt cns
Ppt cns
 
cryptography
cryptographycryptography
cryptography
 
Cryptography
CryptographyCryptography
Cryptography
 
Cryptography
CryptographyCryptography
Cryptography
 
Cryptography cse,ru
Cryptography cse,ruCryptography cse,ru
Cryptography cse,ru
 

Similar to Encryption Deep Dive

Defeating the entropy downgrade attack
Defeating the entropy downgrade attackDefeating the entropy downgrade attack
Defeating the entropy downgrade attackSeth Wahle
 
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)Nate Lawson
 
Encryption Boot Camp at JavaZone 2010
Encryption Boot Camp at JavaZone 2010Encryption Boot Camp at JavaZone 2010
Encryption Boot Camp at JavaZone 2010Matthew McCullough
 
Micro control idsecconf2010
Micro control idsecconf2010Micro control idsecconf2010
Micro control idsecconf2010idsecconf
 
Introduction to encryption
Introduction to encryptionIntroduction to encryption
Introduction to encryptionfaffyman
 
Demystifying Secure enclave processor
Demystifying Secure enclave processorDemystifying Secure enclave processor
Demystifying Secure enclave processorPriyanka Aash
 
Basic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsBasic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsMarian Marinov
 
Tips on High Performance Server Programming
Tips on High Performance Server ProgrammingTips on High Performance Server Programming
Tips on High Performance Server ProgrammingJoshua Zhu
 
Random thoughts on IoT
Random thoughts on IoTRandom thoughts on IoT
Random thoughts on IoTMark Carney
 
Encryption Boot Camp on the JVM
Encryption Boot Camp on the JVMEncryption Boot Camp on the JVM
Encryption Boot Camp on the JVMMatthew McCullough
 
10 application security fundamentals - part 2 - security mechanisms - encry...
10 application security fundamentals - part 2 - security mechanisms - encry...10 application security fundamentals - part 2 - security mechanisms - encry...
10 application security fundamentals - part 2 - security mechanisms - encry...appsec
 
AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...
AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...
AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...Amazon Web Services
 
BTC2019 - The Key Creation Ceremony
BTC2019 - The Key Creation CeremonyBTC2019 - The Key Creation Ceremony
BTC2019 - The Key Creation CeremonyJoshua McDougall
 
Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Svetlin Nakov
 
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbelleurobsdcon
 
Cryptography
CryptographyCryptography
CryptographyRohan04
 

Similar to Encryption Deep Dive (20)

Go paranoid
Go paranoidGo paranoid
Go paranoid
 
Defeating the entropy downgrade attack
Defeating the entropy downgrade attackDefeating the entropy downgrade attack
Defeating the entropy downgrade attack
 
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
 
Encryption Boot Camp at JavaZone 2010
Encryption Boot Camp at JavaZone 2010Encryption Boot Camp at JavaZone 2010
Encryption Boot Camp at JavaZone 2010
 
Micro control idsecconf2010
Micro control idsecconf2010Micro control idsecconf2010
Micro control idsecconf2010
 
Introduction to encryption
Introduction to encryptionIntroduction to encryption
Introduction to encryption
 
Demystifying Secure enclave processor
Demystifying Secure enclave processorDemystifying Secure enclave processor
Demystifying Secure enclave processor
 
Basic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsBasic presentation of cryptography mechanisms
Basic presentation of cryptography mechanisms
 
Tips on High Performance Server Programming
Tips on High Performance Server ProgrammingTips on High Performance Server Programming
Tips on High Performance Server Programming
 
Random thoughts on IoT
Random thoughts on IoTRandom thoughts on IoT
Random thoughts on IoT
 
Encryption Boot Camp on the JVM
Encryption Boot Camp on the JVMEncryption Boot Camp on the JVM
Encryption Boot Camp on the JVM
 
10 application security fundamentals - part 2 - security mechanisms - encry...
10 application security fundamentals - part 2 - security mechanisms - encry...10 application security fundamentals - part 2 - security mechanisms - encry...
10 application security fundamentals - part 2 - security mechanisms - encry...
 
Aes jul-upload
Aes jul-uploadAes jul-upload
Aes jul-upload
 
AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...
AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...
AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...
 
BTC2019 - The Key Creation Ceremony
BTC2019 - The Key Creation CeremonyBTC2019 - The Key Creation Ceremony
BTC2019 - The Key Creation Ceremony
 
Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)
 
OWASP Much ado about randomness
OWASP Much ado about randomnessOWASP Much ado about randomness
OWASP Much ado about randomness
 
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
 
Cryptography
CryptographyCryptography
Cryptography
 
AllBits presentation - Security in Theory
AllBits presentation - Security in TheoryAllBits presentation - Security in Theory
AllBits presentation - Security in Theory
 

More from Diego Pacheco

Naming Things Book : Simple Book Review!
Naming Things Book : Simple Book Review!Naming Things Book : Simple Book Review!
Naming Things Book : Simple Book Review!Diego Pacheco
 
Continuous Discovery Habits Book Review.pdf
Continuous Discovery Habits Book Review.pdfContinuous Discovery Habits Book Review.pdf
Continuous Discovery Habits Book Review.pdfDiego Pacheco
 
Thoughts about Shape Up
Thoughts about Shape UpThoughts about Shape Up
Thoughts about Shape UpDiego Pacheco
 
Management: Doing the non-obvious! III
Management: Doing the non-obvious! IIIManagement: Doing the non-obvious! III
Management: Doing the non-obvious! IIIDiego Pacheco
 
Design is not Subjective
Design is not SubjectiveDesign is not Subjective
Design is not SubjectiveDiego Pacheco
 
Architecture & Engineering : Doing the non-obvious!
Architecture & Engineering : Doing the non-obvious!Architecture & Engineering : Doing the non-obvious!
Architecture & Engineering : Doing the non-obvious!Diego Pacheco
 
Management doing the non-obvious II
Management doing the non-obvious II Management doing the non-obvious II
Management doing the non-obvious II Diego Pacheco
 
Testing in production
Testing in productionTesting in production
Testing in productionDiego Pacheco
 
Nine lies about work
Nine lies about workNine lies about work
Nine lies about workDiego Pacheco
 
Management: doing the nonobvious!
Management: doing the nonobvious!Management: doing the nonobvious!
Management: doing the nonobvious!Diego Pacheco
 
Dealing with dependencies
Dealing with dependenciesDealing with dependencies
Dealing with dependenciesDiego Pacheco
 
Dealing with dependencies in tests
Dealing with dependencies in testsDealing with dependencies in tests
Dealing with dependencies in testsDiego Pacheco
 

More from Diego Pacheco (20)

Naming Things Book : Simple Book Review!
Naming Things Book : Simple Book Review!Naming Things Book : Simple Book Review!
Naming Things Book : Simple Book Review!
 
Continuous Discovery Habits Book Review.pdf
Continuous Discovery Habits Book Review.pdfContinuous Discovery Habits Book Review.pdf
Continuous Discovery Habits Book Review.pdf
 
Thoughts about Shape Up
Thoughts about Shape UpThoughts about Shape Up
Thoughts about Shape Up
 
Holacracy
HolacracyHolacracy
Holacracy
 
AWS IAM
AWS IAMAWS IAM
AWS IAM
 
CDKs
CDKsCDKs
CDKs
 
Sec 101
Sec 101Sec 101
Sec 101
 
Reflections on SCM
Reflections on SCMReflections on SCM
Reflections on SCM
 
Management: Doing the non-obvious! III
Management: Doing the non-obvious! IIIManagement: Doing the non-obvious! III
Management: Doing the non-obvious! III
 
Design is not Subjective
Design is not SubjectiveDesign is not Subjective
Design is not Subjective
 
Architecture & Engineering : Doing the non-obvious!
Architecture & Engineering : Doing the non-obvious!Architecture & Engineering : Doing the non-obvious!
Architecture & Engineering : Doing the non-obvious!
 
Management doing the non-obvious II
Management doing the non-obvious II Management doing the non-obvious II
Management doing the non-obvious II
 
Testing in production
Testing in productionTesting in production
Testing in production
 
Nine lies about work
Nine lies about workNine lies about work
Nine lies about work
 
Management: doing the nonobvious!
Management: doing the nonobvious!Management: doing the nonobvious!
Management: doing the nonobvious!
 
AI and the Future
AI and the FutureAI and the Future
AI and the Future
 
Dealing with dependencies
Dealing with dependenciesDealing with dependencies
Dealing with dependencies
 
Dealing with dependencies in tests
Dealing with dependencies in testsDealing with dependencies in tests
Dealing with dependencies in tests
 
Kanban 2020
Kanban 2020Kanban 2020
Kanban 2020
 
Lean 2020
Lean 2020Lean 2020
Lean 2020
 

Recently uploaded

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 

Recently uploaded (20)

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 

Encryption Deep Dive

  • 2. @diego_pacheco ❏ Cat's Father ❏ Head of Software Architect ❏ Agile Coach ❏ SOA/Microservices Expert ❏ DevOps Practitioner ❏ Speaker ❏ Author diegopacheco http://diego-pacheco.blogspot.com.br/ About me... https://diegopacheco.github.io/
  • 4. Asymmetrical Encryption ❏ Protect Data at Transit ❏ Public Key Cryptography ❏ Public Key does Encryption ❏ Private Key does Decryption ❏ Used on TLS/mTLS(HTTPS), SSH ❏ Algos: RSA, Diffie-Hellman, ECC ❏ Key Size often from 1 to 4kb
  • 5. Symmetrical Encryption ❏ Protect Data at Rest (Payment, PII, etc…) ❏ Requires RNG and PRNG ❏ Biggest problem: Share / Access the encryption keys ❏ Block vs Stream Algos ❏ Algos: AES, RC4, RC5 ❏ Key Sizes: 128, 192, 256 ❏ C = E(K,P ) - P = D(K,C)
  • 6. Symmetrical Encryption ❏ Ciphertext same or slightly bigger than the plaintext ❏ Ciphertext is never smaller than the plaintext ❏ Permutations should be determined by the key ❏ Different keys should result in different permutation ❏ The permutation should look random ❏ Kerckhoffs Principle - 1883 - Really on a secret key - not on the secrecy of the Cipher ❏ Storage vs Application level encryption
  • 7. Application side encryption Drawbacks ❏ For sure more secure, however… ❏ Requires Engineering Discipline ❏ Requires constant Education / Training ❏ Cripple Features (Uniquines, Joins, Search) ❏ Bugs, Changes, Improvements Intrusive Require Migrations ❏ Key Scoping is mirror by Conway’s law / Architecture
  • 8. Protecting Keys ❏ Storing the key on a hardware token(Smart Card or USB dongle) ❏ On the fly generation from a password ❏ Wrapping - protecting the key with another key ❏ Key Management System
  • 9. Randomness ❏ Randomness is a probability distribution ❏ Probability is about the likelihood of something happening: 0 never, 1 certain. ❏ Uniform Distribution when all probabilities are equal chance do happens ❏ Toss a coin (Tail or Head) is 1/2 + 1/2 = 1, 1/2 chance head, 1/2 chance tail.
  • 10. Entropy ❏ Entropy as a measure of Uncertain ❏ The measure of disorder in a system ❏ Entropy is the amount of surprise found in the result of a random process ❏ Higher entropy less the certain found on the result ❏ Entropy is maximized when the distribution is uniform
  • 11. RNG ❏ A Source of incertain, or a source of entropy ❏ A Crypto algo to produce high-quality bits from the source of entropy ❏ RNG could be sampling from(Sources of entropy): ❏ measurements of temperature, acoustic noise, air turbulence, or electric static (which are not always available) ❏ Entropy from OS: sensors, I/O devices, network, disk, logs, running process (But can be fragile and manipulated by an attacker)
  • 12. PRNG ❏ Relly on RNG ❏ RNG product random bits(Analog) but slow and no deterministic and no guarantee of high entropy ❏ PRNG: Random looking data, Quickly from Digital Sources, deterministic and maximum entropy.
  • 13. PRNG ❏ PRNG needs to ensure backtracking resistance (previously generated bits are impossible to recover) ❏ PRNG needs to ensure prediction resistance (impossible to predict future bits) ❏ /dev/random vs /dev/urandom (un-blocking) ❏ Java Secure Random
  • 14. AES ❏ World defacto standard encryption ❏ NSA approved AES for TOP-Secret information ❏ AES is more Belgian than American ❏ Blocks of 128 bits (128, 192, 256) ❏ AES will never be broken ❏ All input bytes depends on output bytes in some complex pseudo random way
  • 15. AES ❏ 2011 - People found a way to recover AES 128 bits key but require an insane amount of data plaintext ciphertext pairs 2 ^ 88 bits (so we don't need to worry about it) ❏ The biggest threat is not the CORE algo bug the Operation Modes ❏ Authentication vs Confidentiality modes
  • 16. AES Operational Modes ❏ Authenticated Encryption ❏ GCM ❏ CCM ❏ SIV ❏ AES-GCM-SIV ❏ Confidentiality only ❏ ECB ❏ CBC ❏ PCBC ❏ CFB, OFB and CTR
  • 17. AES Operational Modes - ECB (Electronic Code Book)
  • 18. AES Operational Modes - ECB (Electronic Code Book)
  • 19. AES Operational Modes - CBC (Cipher Block Chaining)
  • 20. AES Operational Modes - PCBC (Propagate Cipher Block Chaining) Each Block XORed plaintext + ciphertext
  • 21. AES Operational Modes - CFB (Cipher Feedback) ❏ Stream Cipher ❏ Decrypt Parallel ❏ Encryption Blocking
  • 22. AES Operational Modes - OFB (Output Feedback) ❏ Stream Cipher ❏ Encrypt IV ❏ XOR plaintext ❏ Does not require Padding Data
  • 23. AES Operational Modes - CTR encryption/decryption parallelization
  • 31. Keys & Data Rotations ❏ Use cases: Regular or Breach ❏ Standard Industry Practice ❏ In AVG around 90 days ❏ Downtime vs No-Downtime ❏ Can have reliability implications ❏ Requires Data Catalogs ❏ Operationality, Observability, Rowbacability challenges
  • 32. Envelope Encryption ❏ More Secure ❏ Industry Standard ❏ Keys with the Data ❏ Key Encrypting: Keys, Metadata and Data ❏ Bootstrapping problem ❏ KMS
  • 33. AWS KMS ❏ Uses Cloud HSM to protect the Keys ❏ Keys lever leave AWS ❏ Remote Encryption always ❏ Symmetrical and Asymmetrical encryption ❏ Integrated with IAM and other services(EBS, S3, Kinesis, RedShift, etc...) ❏ Cloud Trail
  • 35. Books