#owaspkyiv @vixentael
THINGS TO DECIDE ON
PADDING
KEY LENGTH
KEY ROTATION
MODE
KEY DERIVATION
KEY STORAGE
KEY EXCHANGE
DATA SCOPE
ALGORITHM
IV
KEY REVOCATION
AS USERS WE WANT…
more ciphers!
more vulnerabilities!
more side channel attacks!
more attacks!
more constant time checks :)
more protocols!
more patches!
AS USERS WE WANT…
more ciphers!
BORING CRYPTO
BORING CRYPTO
— crypto that simply works, solidly resists attacks, never needs any upgrades
Daniel J. Bernstein
https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf
WHAT DO WE WANT?
instead of adjusting our resources
— SOLVE USE-CASES!
WHAT DO WE WANT?
— HIGH-LEVEL FUNCTIONS
I want to store data securely
I want to send data securely
I want to verify data integrity
WHAT DO WE WANT?
store data securely
send data securely
verify data integrity
key derivation
key exchange
key rotation
sign/verify ephemeral keys
encr / decr
— HIGH-LEVEL FUNCTIONS
HSM & TPM: PROS
fast hardware crypto!
trusted environment
known security guarantees
key calculations
HSM & TPM: CONS
vendor lock / vendor trust
bad for interactive encryption
complicated to maintain (install, upgrade, support, not cross-platform)
HSM & TPM: PRO & CONS
[diagram: HSM, app, plaintext data]
plaintext data is far away from the place it is used
SOFTWARE CRYPTO SYSTEMS
https://github.com/sobolevn/awesome-cryptography
any kind of encryption
plaintext data is closer to its usage
cross-platform
NO DEVICE TRUST
LINKS 1
Boring crypto, Daniel J. Bernstein
https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf
Why does cryptographic software fail?
https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf
API design for cryptography
https://2017.hack.lu/archive/2017/hacklu-crypto-api.pdf
LINKS 2
Encrypting strings in Android: Let’s make better mistakes
https://tozny.com/blog/encrypting-strings-in-android-lets-make-better-mistakes/
Awesome crypto papers
https://github.com/pFarb/awesome-crypto-papers
12 And 1 Ideas How To Enhance Backend Data Security
https://www.cossacklabs.com/backend-data-security-modern-ideas.html
Attestation and Trusted Computing
https://courses.cs.washington.edu/courses/csep590/06wi/finalprojects/bare.pdf
MY OTHER SECURITY SLIDES
https://github.com/vixentael/my-talks
…and more