
End-to-End Encryption of Distributed Applications


In today's internet-connected environment, protection from hackers when developing a distributed or internet-connected application is crucial. This talk will discuss the options available to us as developers for encrypting the traffic between the nodes of our distributed applications, to ensure that even intercepted messages are unreadable and undecryptable by an adversary. To achieve this we will use one-time, self-destructing private keys, along with disposable, one-use secrets, to generate our encrypted message. We will then learn how to structure our message for transmission to ensure it is decryptable by the receiving party, with little risk of being compromised during transmission. To end, we will learn how to decrypt the messages received "on the fly", using only the supplied encrypted message itself. This talk is aimed at mid-level Python users but is understandable by beginners.


End-to-End Encryption of Distributed Applications

  1. End-to-End Encryption in Distributed Applications – @jeffinkoguru – emailme@jeffinko.guru. Hi, I'm Jeff.
  2. The need for applications to speak in encrypted messages is no longer an afterthought; it is a requirement.
  3. What is End-to-End Encryption?
  4. A method of communicating where only the authorized users can read the messages.
  5. This method is used by apps like WhatsApp & Signal.
  6. It prevents man-in-the-middle attacks.
  7. If done right, you need physical access to read the communications.
  8. Even if an ISP is asked to supply a customer's communications, it will only appear as..
  9. The recent WikiLeaks show that even.. the CIA could not break End-to-End Encryption.
  10. They had to create malware that "uses" the app on your phone in order to read the messages, or keyloggers that capture the message as you enter it into the program, before it is encrypted.
  11. So how do we implement this?
  12. We want our system to be as secure as possible.
  13. We don't want to store our keys somewhere they can be hacked/stolen. They need to be generated and one-time use only.
  14. Give Me Your Keys!!!
  15. What Keys?
  16. When encrypting our messages, we also don't want to know the password. They need to be generated and one-time use only.
  17. We want to use the strongest encryption available.
  18. Not SHA-1 ;) Thanks Google!
  19. We want to sign our message so we know it was not tampered with during transit.
  20. We don't want someone monitoring our network traffic to easily recognize the format of our messages. The structure should be random.
  21. What are some of the options we have?
  22. Option 01: JSON Web Tokens
  23. Output: Our Code:
  24. The Benefits
  25. Our payload is encrypted into a small packet.
  26. We can use different algorithms.
  27. The Problems
  28. There are too many constants, even when the payload and secret are different.
  29.
  30. This is partly because the header contains information about what algorithm is used and the type of token, so it will remain constant if these are the same.
  31. The separator is always a period.
  32. The secret is embedded into our code.
  33. Is there a better way?
  34. Option 02: blanket
  35. Output: Our Code:
  36. The Benefits
  37. Our outputs are more randomized than in JWT.
  38.
  39. The secret is generated for us and destroyed after use.
  40. The Problems
  41. Our separator could be more random; it is currently a random three-digit number.
  42. The message size is much bigger vs
  43. The Differences
  44. JWT blanket
  45. In JSON Web Tokens (JWT): even with a new secret, parts of the message structure and output are always the same.
  46. In blanket: our secret is random and the output is always different, even with the same input.
  47. Things We Can Improve
  48. We can randomize the size and location of the separator to further disguise the structure of our messages.
  49. We can use a hardware secret generator like YubiKey or embedded chips.
  50. Over time our own sequence, even though more random, could be discovered, so we should constantly improve our own code and think of ways to break it.
  51. Nothing is ever "secure enough"!
  52. For more information you can visit.. github.com/jpadilla/pyjwt or github.com/JeffinkoGuru/blanket
  53. Thank You!
  54. Questions?
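The JWT slides above (constant header, a period as separator, the secret living in the code, and the wish to detect tampering in transit) can be checked on real tokens with the following example. It is added here and is not code from the slides or from the pyjwt or blanket projects; it assumes the deck's JWT example used HMAC signing (HS256, the usual PyJWT default), and the function names `encode_hs256`, `verify_hs256`, `fresh_secret` and `structure_report` are this example's own. It builds HS256 tokens from the standard library only, verifies them with a pinned algorithm and a constant-time comparison, and reports what stays constant across different payloads and secrets. One caveat the slides do not state: in a signed (JWS) token the payload is only base64url-encoded, so anyone holding the token can read it without the secret; the signature gives integrity, not confidentiality.

```python
# Added example, not code from the slides or from the pyjwt/blanket projects:
# a minimal HS256 JSON Web Token built with the standard library only, so the
# structural points the deck makes about JWTs can be checked on real tokens.
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _b64url(data: bytes) -> str:
    # JWT uses base64url without '=' padding (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that _b64url stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def fresh_secret() -> bytes:
    # A secret drawn from the OS CSPRNG at runtime, instead of a literal in source.
    return secrets.token_bytes(32)


def encode_hs256(payload: dict, secret: bytes) -> str:
    """Build the three-part header.payload.signature form of an HS256 JWS."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = _b64url(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url(signature)}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload when the HMAC matches, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        given = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # The verifier pins the algorithm; a token claiming "none" or any other alg is rejected.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        return None
    return json.loads(_b64url_decode(payload_b64))


def structure_report(payloads, secret_list) -> dict:
    """Mint a token for every payload/secret pair and summarise what stays constant."""
    tokens = [encode_hs256(p, s) for p in payloads for s in secret_list]
    headers = {t.split(".", 1)[0] for t in tokens}
    # Decode the middle part with no secret at all: this is what a network observer sees.
    readable = [json.loads(_b64url_decode(t.split(".")[1])) for t in tokens]
    return {
        "tokens": tokens,
        "distinct_headers": len(headers),
        "header": next(iter(headers)) if len(headers) == 1 else None,
        "all_two_periods": all(t.count(".") == 2 for t in tokens),
        "payload_readable_without_secret": readable == [p for p in payloads for _ in secret_list],
    }


if __name__ == "__main__":
    key = fresh_secret()
    print(encode_hs256({"user": "alice"}, key))
    print(structure_report([{"a": 1}, {"b": 2}], [fresh_secret(), fresh_secret()]))
```

Run it and the report shows one distinct header for every payload/secret combination (the familiar `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9`), two periods in every token, and every payload recovered without the key; a changed payload or a different secret makes `verify_hs256` return None, which is the tamper check slide 19 asks for.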
