SlideShare a Scribd company logo

Basic Cryptography & Security

Download as PPTX, PDF
H
Hoffman Lab

This document provides an overview of basic cryptography and security concepts. It discusses creating and revealing digital secrets using techniques like encryption, hashing, and passwords. It provides examples of encryption tools like PuTTY and warns against improperly implementing your own encryption. The document outlines key principles like key length and management, and how asymmetric keys work. It also discusses password security best practices and techniques like key derivation functions and salting hashes.

Technology
1 of 23
Basic Cryptography & Security Eric Roberts Hoffman Lab
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication ● Cryptographic terminology ● Public keys and passwords ● Evaluating your personal security Motivation
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ Cipher: XYZABCDEFGHIJKLMNOPQRSTUVW Plain Text: “Hoffman Lab!” Cipher Text: “Elccjxk Ixy!” Creating Secrets
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Plain Text: “11110000” Key: “01010101” Cipher text: “10100101” Cipher: Exclusive OR (XOR) ● Switch if ‘1’ in the key Creating Digital Secrets
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Cipher text: “10100101” Key: “01010101” Plain Text: “11110000” One Time Pad ● Use the key only once Revealing Digital Secrets
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication ● What about a 2 TB secret? Key Problems Block Ciphers Stream Ciphers (Triple) DES - 56 bit key RC4 - 40 to 256 bit keys AES (Rijndael) - 128/192/256 bit keys Salsa20 - 256 bit keys
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication PuTTY example
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication VIM example (don’t use) :set cryptmethod=”blowfish2” ● Doesn’t provide any message authentication ○ Easy to temper with ● Easy to brute force decipher Don’t try to implement your own encryption - even published standards. Use libraries. Block cipher https://github.com/vim/vim/issues/638
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Key principles ● Key length: ○ Age of the universe: ■ 4.36 x 1026 ns ○ 256 bit key: ■ 1.15 x 1077 possibilities ● Re-using keys makes them less secure
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Asymmetric keys “Hello!” Encrypt My Public Key “Hello!” Decrypt My Private Key Transfer Anyone who wishes to send me a private message: Me as the receiver: ● Different keys are used for encrypting and decrypting
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Creating a public key (ssh) $ ssh-keygen usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1] [-N new_passphrase] [-C comment] [-f output_keyfile] $ ssh-keygen -t ed25519 Generating public/private ed25519 key pair. ... Your identification has been saved in /users/eroberts/.ssh/id_ed25519. Your public key has been saved in /users/eroberts/.ssh/id_ed25519.pub. ● ed25519 is recommended currently however it may not be available on older servers ● Otherwise: “ssh-keygen -t rsa -b 4096 -a 100 -o”
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Sharing your public key $ ssh-copy-id mordor
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Secure your private keys This should not be possible: $ ssh -i /users/cviner/.ssh/id_rsa mordor Trustico - SSL certificate reseller Never trust any service that produces a private / public key on your behalf Washington Post article on TSA keys
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication ● Technically keys ● Key Derivation Functions ○ MD5 ○ PBKDF ○ bcrypt ○ scrypt Passwords
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication * https://www.tarsnap.com/scrypt/scrypt-slides.pdf (From 2009)
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication From horrible to less horrible: 1. Stored as plain text 2. Run through a hash function 3. Run through a hash function with a salt Bad Password Storage
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Hashing (Passwords) Data (or password) as large as you want Unique 256-bit number Hash function (SHA-256) ● Same input always produces the same output ● No known two inputs to produce the same output for SHA-256 ● Shattered.io ● Passwords and rainbow tables ● Salt is public and avoids fights rainbow tables Salt (unique gibberish) Example: 98c0f87ec38b0c86817cfa9dc9d894a3468b611048f45060729509505d4543b 5
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password DBs Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Bad Password databases Username Hashed Password Mickael c616027b32758d9220a0e6b91899b2c1a06f521381fd6ac222 c6fda6a3ace6ec Rachel 531eb382d6274e9cad931b209a359842d6c79022b35361ec5 c9c4c1afc559d71 Mehran c616027b32758d9220a0e6b91899b2c1a06f521381fd6ac222 c6fda6a3ace6ec ● Weak password = look up in a table ● Password leaked for Mickeal = Password leaked for Mehran Bad Network Database
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Better Password DBs Username Hashed Password Salt (public!) Mickael 8d3dcedf007d016be15a3016 b60711d6146d1107e62229fc ff503bc6f97b2649 b95093mvf89s8a Rachel c80b21d4a843f38f00b33cde 9634171d602779fbdb65a273 108bb09ecc439df8 b9t0p94jhlf980qf083 Mehran 69a0168e9d9a180b43ebf237 09cb96dff2173f5ed430f2136 5b5e57a52623ab9 9b08v23r8yfeh3791bj
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication ● LinkedIn (2012) - unsalted SHA-1 ● Evernote (2013) - unsalted MD5 ● Yahoo (2013) - (unsalted?) MD5 ● NCIX (3 weeks ago) ○ (unsalted?) MD5 ○ Credit card info in plaintext ● Toronto and Region Conservation Authority (2017 - present?) ○ Plain Text * haveibeenpwned.com (look yourself up) Password Mismanagement
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication ● Use a Password Manager ○ 1Password ○ LastPass ○ KeyPass ● Only have to remember 1 very strong password ● Not perfect Password Management
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Auth 1. Knowledge (Password) 2. Possession (Device) 3. Inherence (Fingerprint) Multi-factor Authentication ● Use two of these factors when possible
Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Questions? Cryptographic Right Answers: https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html

Recommended

The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
Mario Heiderich
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
Mario Heiderich
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Mario Heiderich
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS Smackdown
Mario Heiderich
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carol
cgvwzq
 
The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG Files
Mario Heiderich
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
Mario Heiderich
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
Mario Heiderich
 

Recommended

The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
Mario Heiderich
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
Mario Heiderich
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Mario Heiderich
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS Smackdown
Mario Heiderich
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carol
cgvwzq
 
The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG Files
Mario Heiderich
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
Mario Heiderich
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
Mario Heiderich
 
BCS_PKI_part1.ppt
BCS_PKI_part1.pptBCS_PKI_part1.ppt
BCS_PKI_part1.ppt
UskuMusku1
 
Pki by Steve Lamb
Pki by Steve LambPki by Steve Lamb
Pki by Steve Lamb
Information Security Awareness Group
 
Chapter 4 access control fundamental ii
Chapter 4 access control fundamental iiChapter 4 access control fundamental ii
Chapter 4 access control fundamental ii
Syaiful Ahdan
 
Getting authentication right
Getting authentication rightGetting authentication right
Getting authentication right
Andre N. Klingsheim
 
(SEC325) Satisfy PCI Obligations While Continuing to Innovate
(SEC325) Satisfy PCI Obligations While Continuing to Innovate(SEC325) Satisfy PCI Obligations While Continuing to Innovate
(SEC325) Satisfy PCI Obligations While Continuing to Innovate
Amazon Web Services
 
Practical Cryptography and Security Concepts for Developers
Practical Cryptography and Security Concepts for DevelopersPractical Cryptography and Security Concepts for Developers
Practical Cryptography and Security Concepts for Developers
Gökhan Şengün
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
OwaspCzech
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
Filip Šebesta
 
Introduction To PKI Technology
Introduction To PKI TechnologyIntroduction To PKI Technology
Introduction To PKI Technology
Sylvain Maret
 
Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019
Kimberley Dray
 
Secure & authentication By Lai HIEU - eXo SEA
Secure & authentication By Lai HIEU - eXo SEASecure & authentication By Lai HIEU - eXo SEA
Secure & authentication By Lai HIEU - eXo SEA
Thuy_Dang
 
Encryption by fastech
Encryption by fastechEncryption by fastech
Encryption by fastech
Abdulafeez Fasasi
 
Encryption Primer por Cathy Nolan
Encryption Primer por Cathy NolanEncryption Primer por Cathy Nolan
Encryption Primer por Cathy Nolan
Joao Galdino Mello de Souza
 
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
All Things Open
 
Using Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsUsing Cryptography Properly in Applications
Using Cryptography Properly in Applications
Great Wide Open
 
Daniel Crowley - Speaking with Cryptographic Oracles
Daniel Crowley - Speaking with Cryptographic OraclesDaniel Crowley - Speaking with Cryptographic Oracles
Daniel Crowley - Speaking with Cryptographic Oracles
BaronZor
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
BU
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programs
Aleksandr Yampolskiy
 
Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013
javagroup2006
 
"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko
Fwdays
 
GNU Parallel: Lab meeting—technical talk
GNU Parallel: Lab meeting—technical talkGNU Parallel: Lab meeting—technical talk
GNU Parallel: Lab meeting—technical talk
Hoffman Lab
 
TCRpower
TCRpowerTCRpower
TCRpower
Hoffman Lab
 

More Related Content

Similar to Basic Cryptography & Security

BCS_PKI_part1.ppt
BCS_PKI_part1.pptBCS_PKI_part1.ppt
BCS_PKI_part1.ppt
UskuMusku1
 
Pki by Steve Lamb
Pki by Steve LambPki by Steve Lamb
Pki by Steve Lamb
Information Security Awareness Group
 
Chapter 4 access control fundamental ii
Chapter 4 access control fundamental iiChapter 4 access control fundamental ii
Chapter 4 access control fundamental ii
Syaiful Ahdan
 
Getting authentication right
Getting authentication rightGetting authentication right
Getting authentication right
Andre N. Klingsheim
 
(SEC325) Satisfy PCI Obligations While Continuing to Innovate
(SEC325) Satisfy PCI Obligations While Continuing to Innovate(SEC325) Satisfy PCI Obligations While Continuing to Innovate
(SEC325) Satisfy PCI Obligations While Continuing to Innovate
Amazon Web Services
 
Practical Cryptography and Security Concepts for Developers
Practical Cryptography and Security Concepts for DevelopersPractical Cryptography and Security Concepts for Developers
Practical Cryptography and Security Concepts for Developers
Gökhan Şengün
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
OwaspCzech
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
Filip Šebesta
 
Introduction To PKI Technology
Introduction To PKI TechnologyIntroduction To PKI Technology
Introduction To PKI Technology
Sylvain Maret
 
Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019
Kimberley Dray
 
Secure & authentication By Lai HIEU - eXo SEA
Secure & authentication By Lai HIEU - eXo SEASecure & authentication By Lai HIEU - eXo SEA
Secure & authentication By Lai HIEU - eXo SEA
Thuy_Dang
 
Encryption by fastech
Encryption by fastechEncryption by fastech
Encryption by fastech
Abdulafeez Fasasi
 
Encryption Primer por Cathy Nolan
Encryption Primer por Cathy NolanEncryption Primer por Cathy Nolan
Encryption Primer por Cathy Nolan
Joao Galdino Mello de Souza
 
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
All Things Open
 
Using Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsUsing Cryptography Properly in Applications
Using Cryptography Properly in Applications
Great Wide Open
 
Daniel Crowley - Speaking with Cryptographic Oracles
Daniel Crowley - Speaking with Cryptographic OraclesDaniel Crowley - Speaking with Cryptographic Oracles
Daniel Crowley - Speaking with Cryptographic Oracles
BaronZor
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
BU
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programs
Aleksandr Yampolskiy
 
Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013
javagroup2006
 
"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko
Fwdays
 

Similar to Basic Cryptography & Security (20)

BCS_PKI_part1.ppt
BCS_PKI_part1.pptBCS_PKI_part1.ppt
BCS_PKI_part1.ppt
 
Pki by Steve Lamb
Pki by Steve LambPki by Steve Lamb
Pki by Steve Lamb
 
Chapter 4 access control fundamental ii
Chapter 4 access control fundamental iiChapter 4 access control fundamental ii
Chapter 4 access control fundamental ii
 
Getting authentication right
Getting authentication rightGetting authentication right
Getting authentication right
 
(SEC325) Satisfy PCI Obligations While Continuing to Innovate
(SEC325) Satisfy PCI Obligations While Continuing to Innovate(SEC325) Satisfy PCI Obligations While Continuing to Innovate
(SEC325) Satisfy PCI Obligations While Continuing to Innovate
 
Practical Cryptography and Security Concepts for Developers
Practical Cryptography and Security Concepts for DevelopersPractical Cryptography and Security Concepts for Developers
Practical Cryptography and Security Concepts for Developers
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
Introduction To PKI Technology
Introduction To PKI TechnologyIntroduction To PKI Technology
Introduction To PKI Technology
 
Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019
 
Secure & authentication By Lai HIEU - eXo SEA
Secure & authentication By Lai HIEU - eXo SEASecure & authentication By Lai HIEU - eXo SEA
Secure & authentication By Lai HIEU - eXo SEA
 
Encryption by fastech
Encryption by fastechEncryption by fastech
Encryption by fastech
 
Encryption Primer por Cathy Nolan
Encryption Primer por Cathy NolanEncryption Primer por Cathy Nolan
Encryption Primer por Cathy Nolan
 
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
 
Using Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsUsing Cryptography Properly in Applications
Using Cryptography Properly in Applications
 
Daniel Crowley - Speaking with Cryptographic Oracles
Daniel Crowley - Speaking with Cryptographic OraclesDaniel Crowley - Speaking with Cryptographic Oracles
Daniel Crowley - Speaking with Cryptographic Oracles
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programs
 
Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013
 
"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko
 

More from Hoffman Lab

GNU Parallel: Lab meeting—technical talk
GNU Parallel: Lab meeting—technical talkGNU Parallel: Lab meeting—technical talk
GNU Parallel: Lab meeting—technical talk
Hoffman Lab
 
TCRpower
TCRpowerTCRpower
TCRpower
Hoffman Lab
 
Efficient querying of genomic reference databases with gget
Efficient querying of genomic reference databases with ggetEfficient querying of genomic reference databases with gget
Efficient querying of genomic reference databases with gget
Hoffman Lab
 
WashU Epigenome Browser
WashU Epigenome BrowserWashU Epigenome Browser
WashU Epigenome Browser
Hoffman Lab
 
Wireguard: A Virtual Private Network Tunnel
Wireguard: A Virtual Private Network TunnelWireguard: A Virtual Private Network Tunnel
Wireguard: A Virtual Private Network Tunnel
Hoffman Lab
 
Plotting heatmap with matplotlib/seaborn
Plotting heatmap with matplotlib/seabornPlotting heatmap with matplotlib/seaborn
Plotting heatmap with matplotlib/seaborn
Hoffman Lab
 
Go Get Data (GGD)
Go Get Data (GGD)Go Get Data (GGD)
Go Get Data (GGD)
Hoffman Lab
 
fastp: the FASTQ pre-processor
fastp: the FASTQ pre-processorfastp: the FASTQ pre-processor
fastp: the FASTQ pre-processor
Hoffman Lab
 
R markdown and Rmdformats
R markdown and RmdformatsR markdown and Rmdformats
R markdown and Rmdformats
Hoffman Lab
 
File searching tools
File searching toolsFile searching tools
File searching tools
Hoffman Lab
 
Better BibTeX (BBT) for Zotero
Better BibTeX (BBT) for ZoteroBetter BibTeX (BBT) for Zotero
Better BibTeX (BBT) for Zotero
Hoffman Lab
 
Awk primer and Bioawk
Awk primer and BioawkAwk primer and Bioawk
Awk primer and Bioawk
Hoffman Lab
 
Terminals and Shells
Terminals and ShellsTerminals and Shells
Terminals and Shells
Hoffman Lab
 
BioRender & Glossary/Acronym
BioRender & Glossary/AcronymBioRender & Glossary/Acronym
BioRender & Glossary/Acronym
Hoffman Lab
 
Linters in R
Linters in RLinters in R
Linters in R
Hoffman Lab
 
BioSyntax: syntax highlighting for computational biology
BioSyntax: syntax highlighting for computational biologyBioSyntax: syntax highlighting for computational biology
BioSyntax: syntax highlighting for computational biology
Hoffman Lab
 
Get Good With Git
Get Good With GitGet Good With Git
Get Good With Git
Hoffman Lab
 
Tech Talk: UCSC Genome Browser
Tech Talk: UCSC Genome BrowserTech Talk: UCSC Genome Browser
Tech Talk: UCSC Genome Browser
Hoffman Lab
 
MultiQC: summarize analysis results for multiple tools and samples in a singl...
MultiQC: summarize analysis results for multiple tools and samples in a singl...MultiQC: summarize analysis results for multiple tools and samples in a singl...
MultiQC: summarize analysis results for multiple tools and samples in a singl...
Hoffman Lab
 
dreamRs: interactive ggplot2
dreamRs: interactive ggplot2dreamRs: interactive ggplot2
dreamRs: interactive ggplot2
Hoffman Lab
 

More from Hoffman Lab (20)

GNU Parallel: Lab meeting—technical talk
GNU Parallel: Lab meeting—technical talkGNU Parallel: Lab meeting—technical talk
GNU Parallel: Lab meeting—technical talk
 
TCRpower
TCRpowerTCRpower
TCRpower
 
Efficient querying of genomic reference databases with gget
Efficient querying of genomic reference databases with ggetEfficient querying of genomic reference databases with gget
Efficient querying of genomic reference databases with gget
 
WashU Epigenome Browser
WashU Epigenome BrowserWashU Epigenome Browser
WashU Epigenome Browser
 
Wireguard: A Virtual Private Network Tunnel
Wireguard: A Virtual Private Network TunnelWireguard: A Virtual Private Network Tunnel
Wireguard: A Virtual Private Network Tunnel
 
Plotting heatmap with matplotlib/seaborn
Plotting heatmap with matplotlib/seabornPlotting heatmap with matplotlib/seaborn
Plotting heatmap with matplotlib/seaborn
 
Go Get Data (GGD)
Go Get Data (GGD)Go Get Data (GGD)
Go Get Data (GGD)
 
fastp: the FASTQ pre-processor
fastp: the FASTQ pre-processorfastp: the FASTQ pre-processor
fastp: the FASTQ pre-processor
 
R markdown and Rmdformats
R markdown and RmdformatsR markdown and Rmdformats
R markdown and Rmdformats
 
File searching tools
File searching toolsFile searching tools
File searching tools
 
Better BibTeX (BBT) for Zotero
Better BibTeX (BBT) for ZoteroBetter BibTeX (BBT) for Zotero
Better BibTeX (BBT) for Zotero
 
Awk primer and Bioawk
Awk primer and BioawkAwk primer and Bioawk
Awk primer and Bioawk
 
Terminals and Shells
Terminals and ShellsTerminals and Shells
Terminals and Shells
 
BioRender & Glossary/Acronym
BioRender & Glossary/AcronymBioRender & Glossary/Acronym
BioRender & Glossary/Acronym
 
Linters in R
Linters in RLinters in R
Linters in R
 
BioSyntax: syntax highlighting for computational biology
BioSyntax: syntax highlighting for computational biologyBioSyntax: syntax highlighting for computational biology
BioSyntax: syntax highlighting for computational biology
 
Get Good With Git
Get Good With GitGet Good With Git
Get Good With Git
 
Tech Talk: UCSC Genome Browser
Tech Talk: UCSC Genome BrowserTech Talk: UCSC Genome Browser
Tech Talk: UCSC Genome Browser
 
MultiQC: summarize analysis results for multiple tools and samples in a singl...
MultiQC: summarize analysis results for multiple tools and samples in a singl...MultiQC: summarize analysis results for multiple tools and samples in a singl...
MultiQC: summarize analysis results for multiple tools and samples in a singl...
 
dreamRs: interactive ggplot2
dreamRs: interactive ggplot2dreamRs: interactive ggplot2
dreamRs: interactive ggplot2
 

Recently uploaded

Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
AlexanderRichford
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
DanBrown980551
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
Fwdays
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE VisionWhat is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
zjhamm304
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
FilipTomaszewski5
 
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxAI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
Sunil Jagani
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
UiPathCommunity
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
Enterprise Knowledge
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
Mydbops
 
What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE RolesWhat is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
DianaGray10
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
christinelarrosa
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 

Recently uploaded (20)

Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE VisionWhat is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxAI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
 
What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE RolesWhat is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 

Basic Cryptography & Security

  • 1. Basic Cryptography & Security Eric Roberts Hoffman Lab
  • 2. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication ● Cryptographic terminology ● Public keys and passwords ● Evaluating your personal security Motivation
  • 3. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ Cipher: XYZABCDEFGHIJKLMNOPQRSTUVW Plain Text: “Hoffman Lab!” Cipher Text: “Elccjxk Ixy!” Creating Secrets
  • 4. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Plain Text: “11110000” Key: “01010101” Cipher text: “10100101” Cipher: Exclusive OR (XOR) ● Switch if ‘1’ in the key Creating Digital Secrets
  • 5. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Cipher text: “10100101” Key: “01010101” Plain Text: “11110000” One Time Pad ● Use the key only once Revealing Digital Secrets
  • 6. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication ● What about a 2 TB secret? Key Problems Block Ciphers Stream Ciphers (Triple) DES - 56 bit key RC4 - 40 to 256 bit keys AES (Rijndael) - 128/192/256 bit keys Salsa20 - 256 bit keys
  • 7. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication PuTTY example
  • 8. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication VIM example (don’t use) :set cryptmethod=”blowfish2” ● Doesn’t provide any message authentication ○ Easy to temper with ● Easy to brute force decipher Don’t try to implement your own encryption - even published standards. Use libraries. Block cipher https://github.com/vim/vim/issues/638
  • 9. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Key principles ● Key length: ○ Age of the universe: ■ 4.36 x 1026 ns ○ 256 bit key: ■ 1.15 x 1077 possibilities ● Re-using keys makes them less secure
  • 10. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Asymmetric keys “Hello!” Encrypt My Public Key “Hello!” Decrypt My Private Key Transfer Anyone who wishes to send me a private message: Me as the receiver: ● Different keys are used for encrypting and decrypting
  • 11. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Creating a public key (ssh) $ ssh-keygen usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1] [-N new_passphrase] [-C comment] [-f output_keyfile] $ ssh-keygen -t ed25519 Generating public/private ed25519 key pair. ... Your identification has been saved in /users/eroberts/.ssh/id_ed25519. Your public key has been saved in /users/eroberts/.ssh/id_ed25519.pub. ● ed25519 is recommended currently however it may not be available on older servers ● Otherwise: “ssh-keygen -t rsa -b 4096 -a 100 -o”
  • 12. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Sharing your public key $ ssh-copy-id mordor
  • 13. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Secure your private keys This should not be possible: $ ssh -i /users/cviner/.ssh/id_rsa mordor Trustico - SSL certificate reseller Never trust any service that produces a private / public key on your behalf Washington Post article on TSA keys
  • 14. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication ● Technically keys ● Key Derivation Functions ○ MD5 ○ PBKDF ○ bcrypt ○ scrypt Passwords
  • 15. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication * https://www.tarsnap.com/scrypt/scrypt-slides.pdf (From 2009)
  • 16. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication From horrible to less horrible: 1. Stored as plain text 2. Run through a hash function 3. Run through a hash function with a salt Bad Password Storage
  • 17. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Hashing (Passwords) Data (or password) as large as you want Unique 256-bit number Hash function (SHA-256) ● Same input always produces the same output ● No known two inputs to produce the same output for SHA-256 ● Shattered.io ● Passwords and rainbow tables ● Salt is public and avoids fights rainbow tables Salt (unique gibberish) Example: 98c0f87ec38b0c86817cfa9dc9d894a3468b611048f45060729509505d4543b 5
  • 18. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password DBs Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Bad Password databases Username Hashed Password Mickael c616027b32758d9220a0e6b91899b2c1a06f521381fd6ac222 c6fda6a3ace6ec Rachel 531eb382d6274e9cad931b209a359842d6c79022b35361ec5 c9c4c1afc559d71 Mehran c616027b32758d9220a0e6b91899b2c1a06f521381fd6ac222 c6fda6a3ace6ec ● Weak password = look up in a table ● Password leaked for Mickeal = Password leaked for Mehran Bad Network Database
  • 19. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Better Password DBs Username Hashed Password Salt (public!) Mickael 8d3dcedf007d016be15a3016 b60711d6146d1107e62229fc ff503bc6f97b2649 b95093mvf89s8a Rachel c80b21d4a843f38f00b33cde 9634171d602779fbdb65a273 108bb09ecc439df8 b9t0p94jhlf980qf083 Mehran 69a0168e9d9a180b43ebf237 09cb96dff2173f5ed430f2136 5b5e57a52623ab9 9b08v23r8yfeh3791bj
  • 20. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication ● LinkedIn (2012) - unsalted SHA-1 ● Evernote (2013) - unsalted MD5 ● Yahoo (2013) - (unsalted?) MD5 ● NCIX (3 weeks ago) ○ (unsalted?) MD5 ○ Credit card info in plaintext ● Toronto and Region Conservation Authority (2017 - present?) ○ Plain Text * haveibeenpwned.com (look yourself up) Password Mismanagement
  • 21. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication ● Use a Password Manager ○ 1Password ○ LastPass ○ KeyPass ● Only have to remember 1 very strong password ● Not perfect Password Management
  • 22. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Auth 1. Knowledge (Password) 2. Possession (Device) 3. Inherence (Fingerprint) Multi-factor Authentication ● Use two of these factors when possible
  • 23. Crypto and Security Motivation Creating Secrets Creating Digital Secrets Revealing Digital Secrets Key Problems PuTTy example VIM example (don’t use) Key Principles Asymmetric Keys Creating a public key Sharing a public key Secure your private keys Passwords KDF relative strength Bad Password Storage Hashing (Passwords) Bad Password Databases Better Password DBs Passwd Mismanagement Password Management Multi-factor Authentication Questions? Cryptographic Right Answers: https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html

Editor's Notes

  1. The point of this presentation is to arm yourself with at least a broad-strokes understanding of keeping your data and yourself secure at any computer you use. There is an awful lot of jargon when it comes to Cryptography and we’ll go over what I think is believed to be the most relevant and will give you enough context to make your own educated decisions and understand programs you use better (like SSH, e-mail, your web browser). Passwords are hazardous and everyone, but not everyone in this lab, should be using public/private keys when it comes to use on Bitbucket or logging into other machines. And ideally armed with all of this information everyone should be able to make more conscious decisions about evaluating security of your own and other systems
  2. The idea of secretly storing or transmitting messages is nothing new. Here we have the quitenessential Ceaser Cipher. The letters are moved back 3 letters in their respective alphabet. In cryptograhic terms the original message is called “Plain text” while the encrypted message is called “Cipher text”. This was actually used by Ceaser evidentally. No you should not use it.
  3. In the world of computing, our infomation is stored binary digits or bits so we have to come up with methods of encrypting (and decrypting) information in this format. Even in digital formats, information is universally still referred to as plain text. Here we’re introducing a “key” which “locks” or encrypts a message. The idea is if you see a “1” in the key, you switch the corresponding bit in the plain text to produce the following cyphertext. Exclusive OR is likely the most important cypher in crytographic history. The NSA called it "perhaps one of the most important in the history of cryptography."
  4. To decrypt, use the same key and the same rule as before the get the “plain text” back! This cipher is called a One Time Pad. It is actually perfectly secure if you can trust the source. It’s not had to imagine if you had only the cipher text and no key, your best bet to get at the plain text is to only guess. Each bit “flips” whether or not there is a corresponding 1 in the key. If the key is truly hidden your stuck unless you guess at every possible key. It’s called a one time pad since, in this case, the key should only be used once. If you use it repeatedly, say on characters of an e-mail, you suddenly give a would be secret stealer more information and hints as to what the original key is (by say counting repeated occurances of a cyphertext and assuming the top pick is likely the letter ‘e’, etc).
  5. No one uses the one time pad. One of the most glaring problems is if someone wants to send 2 TB of data secretly, you’d have to come up with a 2 TB key first (and somehow mutually and securely decide on it before hand). Practically ciphers are used with a key that is *much* shorter than than the given text is used to encrypt data. Most ciphers, but not all, use XOR significantly in their constructions. Ciphers typically work on chunks of data whether that’s in a stream of bits or a blocks. I’ve given some popular examples below. It’s not important to really know how they work only that there are a lot of them and recognizing when you might be using an insecure or out-of-date one. These names will come up every once in a while. These ciphers are far more common than you think even though you don’t see their names too often. AES, for example, has worked into the instruction set of intel-based processors since 2008.2 Never ever try to create your own cipher. Older ones are likely to be insecure. RC4 and (not triple) DES should be avoided if at all possible.
  6. So you’re thinking when would ever care to know about these ciphers? Here you can actually select or disallow ciphers. Maybe not practical in some cases - but very useful to know in case someone has, for example, checked that box for use of single-DES.
  7. Here’s a good example of why you should be wary about other people implementing ciphers. VIM has a rather forgetting cryptmethod option. Don’t use it. It’s bad by all security standards. Neovim, a popular fork of VIM, removed this option entirely.
  8. For creating and using keys bigger is better. As to some context as to why even a 256 bit key is usually good enough is to show how large the possible number of keys there are compared to say - the lifetime of the universe in nanoseconds. If you had a computer running since the dawn of time guessing at your secret 256 bit key, chances are you’re still very safe. Notably on average, a guesser only needs to guess half of the possibilites before arriving at the answer. Grover’s algorithm? As mentioned before key re-use is bad since it continually gives out information about the cipher text however so slight. If you wonder why some websites suddenly become “insecure” - it’s because their key has “expired” and is considered no longer secure enough. So they need to create a new one or the update has yet to be reflected on your computer.
  9. There are forms of cryptography where the same key is not used for both encrypting and decrypting data. This is incredibly useful since it means if I want to have secure communication with any stranger all I have to do is provide a public key where I secretly keep my corresponding private key. This is like providing an open lockbox or safe to a stranger and keeping the key. They could put their message inside, mail or deliver it, and only you could open it.
  10. It’s very easy to create. The -t option allows you to choose the algorithm or type of public/private key you wish to generate. RSA and DSA are old and not as secure as the ecdsa or ed25519. These algorithms refer to elliptic curves, or specifically the “ec” portion. RSA stands for Rivest–Shamir–Adleman. Here I generated an an elliptic curve public/private key pair and kept the defaults (256 bits and 16 iterations). It’s more secure than a 4096 bit key for RSA. The program importantly tells you where your private and public keys are stored. Your private key *must* stay private.
  11. This is how you copy your public key to mordor. Now if you don’t have a passphrase attached to your key - you can login without a password. The computer you login in from, after adding your key, is implictly trusted unless you specify otherwise. On bitbucket you have to copy your public key manually. The public key from the file given by ssh-keygen. After this presentation I’m removing the password option from pushing the website script. Just put a key on bitbucket and be significantly happier for yourself please.
  12. I should not be able to login using someone else’s ID. This should be the default though if you’ve accidentally granted read access to your entire home directory then you’re in a bit of trouble. Other real examples of bad private key sharing include the Washington post providing a very hi-res photo of the TSA master keys. These were prompted produced into 3d printable versions (that work) Back in March (of 2018), a SSL certificate reseller, a service that certifies your public key, claimed that a bunch of their keys they had been compromised. They proved this fact by e-mailing out over 50000 private keys. How they got the private keys is questionable and why they decided to e-mail them out is also questionable.
  13. Passwords can act like keys (in real life) For secure use digitally, they are transformed by a key derivation function which takes a text password, and produces a key that is unique to that user. This is in the best case and you can only at best trust that the service storing your password is actually doing this.
  14. These attacks timings are a decade old (read much faster now) and are against the *best possible case* someone has done the right thing by storing your password.
  15. Passwords can act like keys (in real life) For secure use digitally, they are transformed by a key derivation function which takes a text password, and produces a key that is unique to that user. This is in the best case and you can only at best trust that the service storing your password is actually doing this.
  16. SHA-1 has been proven to be broken as of 2017 (A forged PDF with the same resulting hash) It’s possible to download freely produced tables of all combinations of say all 10 numbers and letters and see what their resulting hash is for a given function. If a would be attacker gets a hold of your only just-hashed password that is relatively short (< 10 characters) they can just look it up in a database.
  17. In case it isn’t blindly obvious - never share passwords across sites.
  18. A password manager is a program that stores your passwords in a single secure repository. It can generate passwords and ensure you do not have repeated passwords across devices, websites, etc. It seems like a bad idea to have a single point of failure. “Password managers don't have to be perfect, they just have to be better than not having one”
  19. In the world of authentication there are 3 types of evidence you can provide. Most commonly the device is your phone. Though there are other devices that specialize in, say, storing a private key such as Yubikey
  20. Lots of topics I did not address such as Message Authentication Codes, Side-channel attacks, Sources of randomness (for key generation), etc. I’m by all means not an expert on these topics and I’d wager that there is probably only a very small number of people in the world who are. In general stick to recommendations, audited implementations, and avoid doing this stuff on your own. If you google Cryptographic Right Answers there’s been a long evolving-over-the-years discussion of what the recommended go-to for particular applications are required. Hopefully after a brief overview from this presentation you should be able to make better sense of the discussion invovled.