Hello everyone, thank you for coming. I’m Andy Watson and I’m here to talk to you about ways to use cryptography correctly in your applications
I’m currently a senior engineer at Ionic Security which is a data protection security company based out of Atlanta, GA
I’ve been a software developer professionally since 1996 when I got my first job developing large scale, distributed systems for processing streams of data collected out of particle accelerators with some Physics professors at FSU. This was “cloud” computing before it had a name.
Since then I’ve built mobile, desktop and web applications for companies like The Walt Disney World Resort, Maersk Sealand, Cox Communications, CoffeeCup Software and many many others.
So why am I up here today? Simply put, a lot of people do cryptography terribly - if they even attempt it.
This means that when the people using those applications enter data into them it’s vulnerable to theft and loss.
I’ll show some terrible examples of this later.
fuck, that looks delicious.
Back in the old days, a lot of applications would simply md5() your password and store that in their database.
Some still do this. Some don’t do anything! More on that later…
Collisions like this are rare but they can happen. This means that MD5 is not suitable for any cryptographic operations, especially things like verifying the authenticity of TLS certificates.
To protect sensitive information like passwords, you should use a derivation function that repeats a hashing process thousands of times to produce unique and irreversible hashes
the first key derivation function was created almost 40 years ago but it had significant weaknesses.
More modern derivation functions are much better at protecting information because they use better hashes and perform them thousands of times.
Another variation of PBKDF2 would be to use 1000 iterations of SHA-256 instead of SHA-1
So what if you need to protect something that you have to get back in its original form? That’s where symmetric encryption is used.
Using Cryptography Properly in Applications
Properly in Applications
Great Wide Open
Random Number Generators
RNG: A computational or physical device designed to
generate a sequence of numbers that lack any pattern
True random number generators depend on an entropy
source like radioactive decay or radio frequency noise
For cryptographic functions, higher levels of entropy
are required to work properly
Computational RNG are known as Pseudo
PRNG are “seeded” with a value to generate a
series of numbers
Hashing Function (n.)
A Function that represents data of arbitrary
size as data of a fixed size.
$ echo "Great Wide Open 2016" | md5
$ echo "All Things Open 2015 " | md5
When to Hash
Use hashing functions when saving the original data would
be a liability you have no business dealing with
For Example: Linux Passwords
Don’t Store The Clear
Credentials should be hashed when
During login, hash the password
entered and check it against the hash
When Hashes Collide
These two blocks have the same md5 hash of
You. Must. Hash. Securely.
Cryptographically Secure Hash Function (n.)
A hash function which is infeasible to reverse back to the
original message and not subject to collisions
$ echo "Great Wide Open 2016" | shasum -a
Taste the Rainbow Table
A rainbow table is a precomputed table for reversing
cryptographic hash functions, usually for cracking
Password MD5 Hash
What is a Salt?
Random data added to your input to create
better output from one way functions
Useful for defending against dictionary and rainbow table attacks.
$ echo "secret" | md5
$ openssl rand -hex 16
$ echo "72f72e199d1292317ee60cbe3c50b5ba secret" | md5
Key Derivation Functions
KDF create new secret keys from a secret
value and a known value - like a password
Key Derivation Functions can be used in a “key stretching”
routing to enhance hashing functions to provide much more
protection from rainbow tables and brute force attacks
Original KDF: crypt
● Invented in 1978 to protect UNIX passwords
● Used only a 12 bit salt
● Limited passwords to 8 characters
● 64 bit random salt
● 5000 iterations of SHA1 (hashing function)
● Consumes large amounts of memory on
PBKDF2 In A Nutshell™
Save the Salt
Store the salt, the resulting hash and the
number of iterations in your data store
You’ll have to calculate the derived key of the
credential again to verify it is correct
• ASICs exists that can run PBKDF2
processes very quickly
• bcrypt requires the use of more memory so it
makes it harder to implement in silicon
• scrypt is more modern and can be tuned to
use even more memory
Used when your application needs to protect data at rest
(on disk etc) but will need to use those values later
The most common algorithm for symmetric encryption is
AES (Advanced Encryption Standard)
It can operate in multiple modes like ECB, CBC, CTR and
GCM - each suited to different uses
Electronic Code Book
Simplest mode: Operates on blocks of plaintext
Comparing ECB to other modes
Galois Counter Mode (GCM)
Encrypts and Authenticates Messages
Reduces the opportunity for interference with
messages to go undetected
Functions at a high rate of speed
Became NIST standard in 2007
My password is stored in their
database in plaintext.
It was not hashed or they could
not have emailed it to me!
Obviously, the password I use
with them is a special
Which is bad because...
A lot of people use the same password
everywhere and use their email address as
An attacker that gets this password list can try
to log in to all kinds of things as you!
3. credit reporting
4. even NetFlix!
Millions of “encrypted” passwords stolen
Hashed with MD5
Large numbers of them found in rainbow tables
Most Common Password: 123456
Beware The Default Settings
Default settings for Android Bouncy Castle
starting in 2.1 were horribly unsafe
Defaulted to ECB mode!
Empirical Study of Android Apps
11,748 applications analyzed
5,656 used ECB mode by default
3,644 used a constant symmetric key
2,000 used ECB mode ON PURPOSE!
1,932 used a constant IV
1,629 seeded PRNG with static value
Seeding the PRNG
In 2006 a bug in Debian and Ubuntu caused
the PID to be used as the output of the PRNG -
only 32,768 possible values!
(hint: that’s not enough!)
In 2012, LinkedIn password hashes were
They were not salted.
60% of them were cracked.
Crisis Averted at Slack
User profile data stolen in February 2015
Passwords hashed with bcrypt and random
Unlocking Your Prius
System uses rotating codes in a small range
Some built in (pre-shared) keys for repair use
No protection from replaying codes
Brute force attacks possible