This document provides an overview of basic cryptography and security concepts. It discusses creating and revealing digital secrets using techniques like encryption, hashing, and passwords. It provides examples of encryption tools like PuTTY and warns against improperly implementing your own encryption. The document outlines key principles like key length and management, and how asymmetric keys work. It also discusses password security best practices and techniques like key derivation functions and salting hashes.
This document discusses current and emerging web attacks. It notes that while cross-site scripting (XSS) and SQL injection attacks were once prevalent, modern web applications and browsers incorporate defenses against these attacks. However, the document argues that web applications and browsers are evolving in ways that enable new types of multi-layer attacks. Examples are provided of attacks that combine layers like the database management system, JavaScript execution in browsers, and HTML parsing quirks to bypass defenses. The document urges security researchers and practitioners to consider these evolving attack techniques and the growing diversity of client devices and applications.
Scriptless Attacks - Stealing the Pie without touching the Sill (Mario Heiderich)
- The document discusses scriptless attacks that can bypass traditional XSS defenses like NoScript and XSS filters by leveraging new HTML5 and CSS features.
- It presents several proof-of-concept attacks including using CSS to steal passwords, using SVG fonts to brute force CSRF tokens, and using custom fonts to leak sensitive information like passwords without using JavaScript.
- The attacks demonstrate that even without scripting, features in HTML5 and CSS can be abused to conduct traditional XSS attacks and undermine security defenses, so more work is needed to protect against side-channels and unwanted data leakage from the browser.
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ... (Mario Heiderich)
This document discusses using ES5 capabilities to help mitigate cross-site scripting (XSS) vulnerabilities. It summarizes the history of JavaScript and XSS, current approaches to mitigation, and limitations. It then proposes using ES5 features like Object.defineProperty to prohibit unauthorized access to DOM properties and add monitoring of property access. This could enable intrusion detection and role-based access control without impedance mismatches. Examples show freezing DOM objects to prevent tampering. Limitations include blacklisting and compatibility issues, but the approach aims to detect and prevent XSS at the client level without server-side filtering.
This document summarizes a talk given by Gareth Heyes and Mario Heiderich on web security and the PHPIDS project. It describes the early challenges of detecting attacks using simple blacklists and how the project evolved to address increasingly complex obfuscated payloads. Key points discussed include the introduction of a payload canonicalizer to normalize strings before detection, ongoing challenges of new browser behaviors and standards, and the importance of an open community approach to security research.
The Image that called me - Active Content Injection with SVG Files (Mario Heiderich)
Mario Heiderich gave a presentation on active content injection using SVG files. He discussed how SVG files are XML-based and support scripting, allowing execution of JavaScript. This enables security issues like XSS. Browser implementations of SVG are inconsistent, with different levels of script support depending on how SVG files are deployed (inline, via <img>, etc). Exploits discussed SVG vulnerabilities in Firefox, Opera, and Chromium. Defense is difficult due to lack of documentation and filters, and new vectors are found weekly. Future work proposed a SVG purifier and raising awareness of issues.
Dev and Blind - Attacking the weakest Link in IT Security (Mario Heiderich)
The developer is an easy and valuable target for malicious minds. The reasons for that are numerous and hard to come by. This talk delivers examples, proof, discussion and awkward moments in a pretty special way.
Everybody hates developers – especially web developers. And why not? The cracks and crevices of their APIs and implementations are the reason that vulnerabilities in web applications are still a widespread issue – and will continue to be in the foreseeable future.
Bashing and blaming them for their wrongdoings is fun – boy, they are stupid in their mistakes! But has anyone ever dared to have an open on stage battle with an actual developer?
And who of the developers dares to face their collective nemesis – the attacker? Can there be life where matter and anti-matter collide? We will know about this soon – because this is what this talk is going to be about. Developer versus attacker – vulnerability versus defense. Be prepared for swearing, violence and people leaving the stage prematurely in tears.
This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.
Public Key Infrastructure (PKI) uses public/private key cryptography and digital certificates to authenticate users and devices, encrypt and sign messages and documents. The document discusses how PKI works including the use of digital signatures to authenticate messages, the need for a trusted authority to issue certificates binding public keys to identities, and recommendations for implementing a basic PKI including documenting policies and procedures. Common cryptographic algorithms for encryption, signatures and hashing are also briefly described.
The document provides an overview of public key infrastructure (PKI) and how it works. It explains foundational concepts like encryption, authentication, and digital signatures. It then discusses how PKI enables the use of public/private key cryptography to securely distribute keys and authenticate parties through the use of digital certificates verified by a certificate authority. The document covers common algorithms like RSA, ECC, AES, and hash functions and provides recommendations around implementing and securing a PKI.
Chapter 4 access control fundamental ii (Syaiful Ahdan)
This document discusses access control fundamentals and authentication methods. It covers passwords as a common authentication method and their weaknesses, such as being prone to dictionary attacks. It also discusses other authentication factors like biometrics and two-factor authentication. Password cracking tools are mentioned as a way for administrators to test for weak passwords.
The document discusses authentication and identity. It covers common authentication factors like passwords, two-factor authentication using a mobile phone, and biometrics. It provides details on securely storing passwords using techniques like salts and hash functions to prevent cracking. It also discusses risks of password reuse across sites and how two-factor authentication helps address this. The document emphasizes the importance of secure authentication and not allowing the security level to be degraded without re-authentication.
(SEC325) Satisfy PCI Obligations While Continuing to Innovate (Amazon Web Services)
As an online payments provider, Stripe has always had a close relationship with PCI DSS. And as a partner to hundreds of thousands of online businesses, we take the security of our users' personal information very seriously. But as a fast-growing startup company where fast innovation is a key advantage, we also can't let PCI control us. In this session, we will discuss strategies we have used that both make us more secure and satisfy our PCI (and other) obligations, all without slowing down our ability to innovate. Though useful for PCI and other compliance obligations, these strategies can just as easily be applied to security problems across your organization.
Practical Cryptography and Security Concepts for Developers (Gökhan Şengün)
This document summarizes Gökhan Şengün's presentation on practical cryptography and security concepts for developers at DEVOPS Zirvesi 2017. The presentation covers the history of cryptography, cryptographic hash functions, secure storage of secrets, symmetric and asymmetric encryption, public key infrastructure (PKI) and digital signatures, and techniques and use cases including HTTPS and SSL/TLS handshakes. The presentation aims to help developers understand basic cryptography concepts and how they apply to building secure systems.
Crypto failures every developer should avoid (OwaspCzech)
This document discusses common cryptography failures that developers should avoid. It begins by outlining what conventional wisdom says about cryptography implementation challenges. It then examines specific failures like improper password storage, misuse of hash functions, lack of authentication with encryption, reuse of nonces/IVs, poor randomness, and TLS certificate issues. For each failure, it provides examples of real world incidents and outlines the proper approaches to implementation. The goal is to help developers learn from these mistakes and understand cryptography at a level needed to use it securely.
Crypto failures every developer should avoid (Filip Šebesta)
This document discusses common cryptography failures that developers should avoid. It begins by outlining what conventional wisdom says about cryptography implementation challenges. It then examines specific failures like improper password storage, misuse of hash functions, lack of authentication with encryption, reuse of nonces/IVs, poor randomness, and TLS certificate issues. For each failure, it provides examples of real world incidents and outlines the proper approaches to implementation. The goal is to help developers learn from these mistakes and understand cryptography at a level needed to use it securely.
The document provides an overview of a course on PKI (Public Key Infrastructure) technology. It outlines the topics that will be covered over two days, including secret key cryptography algorithms like AES and RSA, digital certificates, certificate authorities, and practical PKI applications like S/MIME, SSL, and IPSEC. The objectives of the course are to understand cryptographic fundamentals, public key infrastructure elements and how they interact, and why PKI is useful for enabling e-commerce and enhancing security.
Password and Account Management Strategies - April 2019 (Kimberley Dray)
This document provides a summary of a presentation about password and account management strategies. It discusses the importance of using long passphrases instead of complex passwords. It also recommends using a password manager to generate and store unique passwords for each account. Additionally, it advocates for the use of multi-factor authentication whenever available to add an extra layer of security. The presentation highlights factors to consider regarding who has access, what devices are used, and locations, and recommends regularly changing passphrases and monitoring accounts.
Secure & authentication By Lai HIEU - eXo SEA (Thuy_Dang)
- The document discusses secure communication and authentication, covering topics like digital certificates, public key infrastructure (PKI), TLS/SSL, Java security architecture, and eXo platform implementation.
- It provides an overview of TLS/SSL and how it is based on public key cryptography. Digital certificates are used to bind a public key with an identity to authenticate parties.
- PKI utilizes public/private key pairs to facilitate secure exchange of information between two parties like in the example conversation between Nobita and Doraemon.
This document discusses different types of encryption. It describes symmetric encryption which uses a single secret key for encryption and decryption. It also describes asymmetric encryption which uses a public key and private key. The document outlines some encryption algorithms like stream ciphers and block ciphers. It discusses how public key infrastructure works using certificate authorities and digital certificates. Finally, it provides examples of how encryption is used and some best practices for effective encryption.
The document provides an overview of encryption:
1) Encryption is the process of encoding information to prevent unauthorized access. It involves transforming plain text into ciphertext using cryptographic algorithms and encryption keys.
2) There are two main types of encryption - symmetric which uses the same key for encryption and decryption, and asymmetric which uses a public/private key pair.
3) When implementing encryption, organizations must determine what data needs protection, how it will be encrypted both in transit and at rest, and how encryption keys will be managed. Failure to properly manage keys could result in permanent data loss.
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry... (All Things Open)
Andy Watson gave a presentation on properly using cryptography in applications. He discussed random number generation, hashing, salting passwords, key derivation functions, symmetric encryption, and common mistakes made with cryptography. The presentation covered topics like cryptographically secure random number generation, choosing secure hash functions, adding salts to hashes, using functions like PBKDF2 for key derivation, different encryption modes like ECB and GCM, and real examples of cryptography mistakes from companies like LinkedIn.
Andy Watson, an employee of Ionic Security, gave a presentation on properly using cryptography in applications. The presentation covered topics such as random number generation, hashing, salting passwords, key derivation functions, symmetric encryption algorithms and common mistakes made with cryptography. The goal was to help people avoid vulnerabilities like unsalted hashes, hardcoded keys, weak random number generation and improper encryption modes.
Daniel Crowley - Speaking with Cryptographic Oracles (BaronZor)
When using cryptography, leaking data about crypto operations can expose the system to powerful attacks. Even if you're using unbroken algorithms, you may expose yourself to attacks which can completely bypass your use of crypto.
This document provides an overview of SSL/TLS (Secure Sockets Layer/Transport Layer Security) and how it works to secure data transmission over the internet. It discusses why SSL is important for encrypting data and verifying identities. It then explains the basic process of how SSL works, including how a client encrypts requests using a server's public key and how the server decrypts with its private key. The document outlines the requirements to implement SSL, including generating a key and obtaining a certificate. It differentiates between self-signed and authorized certificates. Finally, it provides steps to create a certificate using OpenSSL and configure the Apache web server to use SSL.
This document provides eight rules for writing secure PHP programs:
1. Use proper cryptography and do not invent your own algorithms.
2. Validate all input from external sources before using.
3. Sanitize data sent to databases or other systems to prevent injection attacks.
4. Avoid leaking sensitive information through error messages or other means.
5. Properly manage user sessions to prevent hijacking and ensure users remain authenticated.
6. Enforce authentication and authorization separately using least privilege.
7. Use SSL/TLS to encrypt all authenticated or sensitive communications.
8. Keep security straightforward and avoid relying on obscurity.
Data Security Essentials - JavaOne 2013 (javagroup2006)
This document provides an overview of data security essentials and cryptographic concepts. It discusses motivation for data security, including reputation, business competitiveness, and cloud computing. The agenda includes basic cryptographic concepts like hashes, symmetric and asymmetric cryptography. It also covers secure credential storage, data confidentiality, authentication, and recent trends in cloud data security.
"Crypto wallets security. For developers", Julia Potapenko (Fwdays)
From a security perspective, cryptocurrency wallets are just applications. Similar to banking apps, wallets operate users’ funds and allow making transactions. But are they as secure as banking apps? Let’s talk about the risks and threats of crypto wallets, then move to design concerns and implementation issues. What types of data should be protected? What are the most common vulnerabilities? And why encrypting data is not as trivial as it may seem?
GNU Parallel: Lab meeting—technical talk (Hoffman Lab)
The document summarizes an upcoming lab meeting technical talk on GNU Parallel, a shell tool for executing jobs in parallel. The talk will cover why GNU Parallel is useful, basic examples and syntax from its tutorial, additional advanced syntax for various tasks, recently added features since 2020, and more examples from the tutorial and the speaker's own use of GNU Parallel.
This document summarizes a new technique and Python package called TCRpower for quantifying the detection power of T-cell receptor sequencing methods using spike-in standards. TCRpower uses a negative binomial model to estimate detection probabilities of target T-cell receptors based on sequencing read counts. It calibrates this model using spike-in controls containing known T-cell receptor sequences added at defined concentrations. Results from applying TCRpower to PCR-based T-cell receptor sequencing data show it can reliably detect clonotypes down to a frequency of 10^-6 but has higher variability for rarer clonotypes below 300 per million RNA. TCRpower improves method selection, optimization and reproducibility for T-cell receptor sequencing.
This document provides eight rules for writing secure PHP programs:
1. Use proper cryptography and do not invent your own algorithms.
2. Validate all input from external sources before using.
3. Sanitize data sent to databases or other systems to prevent injection attacks.
4. Avoid leaking sensitive information through error messages or other means.
5. Properly manage user sessions to prevent hijacking and ensure users remain authenticated.
6. Enforce authentication and authorization separately using least privilege.
7. Use SSL/TLS to encrypt all authenticated or sensitive communications.
8. Keep security straightforward and avoid relying on obscurity.
Data Security Essentials - JavaOne 2013javagroup2006
This document provides an overview of data security essentials and cryptographic concepts. It discusses motivation for data security, including reputation, business competitiveness, and cloud computing. The agenda includes basic cryptographic concepts like hashes, symmetric and asymmetric cryptography. It also covers secure credential storage, data confidentiality, authentication, and recent trends in cloud data security.
"Crypto wallets security. For developers", Julia PotapenkoFwdays
From a security perspective, cryptocurrency wallets are just applications. Similar to banking apps, wallets operate users’ funds and allow making transactions. But are they as secure as banking apps? Let’s talk about the risks and threats of crypto wallets, then move to design concerns and implementation issues. What types of data should be protected? What are the most common vulnerabilities? And why encrypting data is not as trivial as it may seem?
GNU Parallel: Lab meeting—technical talkHoffman Lab
The document summarizes an upcoming lab meeting technical talk on GNU Parallel, a shell tool for executing jobs in parallel. The talk will cover why GNU Parallel is useful, basic examples and syntax from its tutorial, additional advanced syntax for various tasks, recently added features since 2020, and more examples from the tutorial and the speaker's own use of GNU Parallel.
This document summarizes a new technique and Python package called TCRpower for quantifying the detection power of T-cell receptor sequencing methods using spike-in standards. TCRpower uses a negative binomial model to estimate detection probabilities of target T-cell receptors based on sequencing read counts. It calibrates this model using spike-in controls containing known T-cell receptor sequences added at defined concentrations. Results from applying TCRpower to PCR-based T-cell receptor sequencing data show it can reliably detect clonotypes down to a frequency of 10-6 but has higher variability for rarer clonotypes below 300 per million RNA. TCRpower improves method selection, optimization and reproducibility for T-cell receptor sequencing.
Efficient querying of genomic reference databases with ggetHoffman Lab
gget is a free, open-source command-line tool and Python package for efficiently querying genomic reference databases. It allows users to retrieve gene and transcript sequences, search for genes, find correlated genes from expression databases, enrich gene sets in pathways and ontologies, and more. gget also integrates tools for sequence alignment, BLAST/BLAT searches, and protein structure prediction with AlphaFold.
The WashU Epigenome Browser is an online tool for exploring epigenomic data. It was recently updated in 2022 with new features like dynamic tracks that allow users to overlay additional data on top of existing tracks. The meeting covered a live demo of the browser and directed attendees to its documentation and dynamic tracks feature page to learn more.
Wireguard: A Virtual Private Network TunnelHoffman Lab
Wireguard is a simple yet secure VPN tunnel that can provide access to an entire private network rather than just a single machine. It runs on Linux, Windows, macOS, and phones. With Wireguard, you create a virtual network interface and cryptographic key pair, share your public key, and add the public keys of networks you want to access. This allows you to securely connect your device to the private network and access resources like network attached storage from anywhere via an encrypted single point of access.
Plotting heatmap with matplotlib/seabornHoffman Lab
The document describes several methods for creating heatmaps using the matplotlib and seaborn Python libraries. It provides code examples for creating basic heatmaps with matplotlib and seaborn, heatmaps with labels and annotations using seaborn, combining multiple heatmaps, and manually creating heatmaps with matplotlib by adding colored rectangles. The final sections provide an example of creating a heatmap with two colors and adding polygons manually.
Go Get Data (GGD) is a genomics data management system that provides access to processed and curated genomic data files. It allows users to create "data recipes" that define genomic data files and their metadata. These recipes are used to generate data packages that can be installed and their files accessed via environment variables. GGD also supports finding, installing, uninstalling, and listing installed data packages.
The document discusses fastp, an ultra-fast all-in-one FASTQ preprocessor. Fastp performs adapter trimming, quality trimming, base correction, polyG/polyX tail trimming, and can handle UMIs. It is very fast due to being written in C++ and multi-threaded. Fastp outputs metrics that can be integrated into MultiQC reports. The document provides examples of fastp commands and usage with GNU Parallel for processing multiple samples simultaneously.
R markdown allows connecting data, code, and text into reports, presentations, and other documents. It works with R, Python, and Bash code. The rmdformats package creates clean HTML documents from R markdown files using different template designs like "readthedown" and "docute". Templates allow formatting code and content into pages, tables of contents, and other features. Parameters control template features such as figure sizes and code folding. Resources for learning more about R markdown and rmdformats were also provided.
This document discusses various file searching tools. It introduces grep for searching files using regular expressions. Faster alternatives to grep like Ag, Ack, and Ripgrep are presented. The document also covers finding files using find or fd, fuzzy filtering with FZF, code searching with ctags or language servers, and summarizes to consider faster tools when possible and leverage editor plugins for code context.
The document discusses Better BibTeX (BBT), an add-on for the desktop version of Zotero. BBT improves on the standard BibTeX file export from Zotero by handling key formatting, duplicates, special characters, and journal abbreviations to produce cleaner BibTeX files that are suitable for use in LaTeX documents on platforms like Overleaf.
Bioawk is a tool that extends GNU awk to facilitate working with biological file formats like FASTA, FASTQ, SAM, BED, GFF, and VCF. It directly reads gzipped files and treats spanning sequences as single records. Some key functions added in Bioawk include calculating GC content, reversing/reverse complementing sequences, and working with quality values. Bioawk allows for convenient parsing, manipulation and statistical analysis of genomic data.
This document discusses terminals and shells. It defines that a shell is a program that interprets commands from a user and executes those commands, while a terminal is a physical device for displaying output and reading input. It provides a brief history of terminals, from telexes and teletypewriters to modern terminal emulators. It also covers terminal configuration, customization, multiplexing using software like tmux and screen, and pseudoterminals. Finally, it discusses different shells, how to choose a shell, shell modes of operation, and shell configuration files like bashrc and profiles.
This document discusses molecular biology concepts for computer scientists and tools for creating glossaries and displaying acronyms. It introduces BioRender, a tool for creating biological diagrams and illustrations. It then evaluates different LaTeX packages for creating glossaries and displaying acronyms, finding that the glossaries-extra package allows for creating both a glossary and acronyms. It concludes that BioRender is easy to use and has a useful icon library, and that glossaries-extra is effective for defining terms and acronyms.
Linters in R provides a 3 sentence summary of the document:
The document discusses the R package lintr, which checks R code for adherence to style guidelines, syntax errors, and possible semantic issues. It describes how to install lintr for use with RStudio, Emacs, and Vim and configure which checks or "linters" are applied. The document also gives examples of what lintr checks for, such as syntax, formatting, code quality, and provides information on customizing lintr using a project-specific configuration file.
BioSyntax: syntax highlighting for computational biologyHoffman Lab
bioSyntax is syntax highlighting software for computational biology. It highlights nucleotides, amino acids, and quality scores in common file formats used in bioinformatics like FASTA, FASTQ, SAM, BAM, VCF, GTF and custom formats. bioSyntax works in many text editors and terminals to help visualize and interpret genomic data. It supports common color schemes and allows customizing colors for specific nucleotides, amino acids or quality scores to highlight features of interest in sequences and alignments.
This document provides an overview and introduction to using the version control system Git. It covers basic Git concepts and operations including configuration, the three main states files can be in, committing changes, viewing history and logs, branching, merging, rebasing, tagging, and collaborating remotely. The document also discusses some internals of Git including how objects are stored and how Git and other version control systems originated.
The document discusses the UCSC Genome Browser, an online tool for viewing and interacting with genomic data. It allows users to view multiple data sources simultaneously for a genomic region across many organisms. The document covers basic usage, uploading temporary custom tracks, creating permanent track hubs to host data, and sharing views using saved sessions. Track hubs and sessions allow sharing genomic views and custom data without time limits.
MultiQC: summarize analysis results for multiple tools and samples in a singl...Hoffman Lab
MultiQC is a tool that aggregates bioinformatics quality control (QC) results from different tools into a single HTML report. It currently supports 73 tools and can integrate QC metrics from preprocessing, alignment, and post-alignment stages. MultiQC generates interactive plots and tables in an customizable report to allow users to compare QC metrics across multiple samples and tools in an flexible manner.
Esquisse is an R package called dreamRs that provides an interactive graphical user interface for creating ggplot2 graphs. The interface allows users to build plots by selecting aesthetic mappings and geoms directly in the UI without writing any code. dreamRs can be launched from within R or installed directly from GitHub, and it offers various customization options for adjusting plot properties through the visual interface.
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...AlexanderRichford
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation Functions to Prevent Interaction with Malicious QR Codes.
Aim of the Study: The goal of this research was to develop a robust hybrid approach for identifying malicious and insecure URLs derived from QR codes, ensuring safe interactions.
This is achieved through:
Machine Learning Model: Predicts the likelihood of a URL being malicious.
Security Validation Functions: Ensures the derived URL has a valid certificate and proper URL format.
This innovative blend of technology aims to enhance cybersecurity measures and protect users from potential threats hidden within QR codes 🖥 🔒
This study was my first introduction to using ML which has shown me the immense potential of ML in creating more secure digital environments!
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving
Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving
What began over 115 years ago as a supplier of precision gauges to the automotive industry has evolved into being an industry leader in the manufacture of product branding, automotive cockpit trim and decorative appliance trim. Value-added services include in-house Design, Engineering, Program Management, Test Lab and Tool Shops.
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...DanBrown980551
This LF Energy webinar took place June 20, 2024. It featured:
-Alex Thornton, LF Energy
-Hallie Cramer, Google
-Daniel Roesler, UtilityAPI
-Henry Richardson, WattTime
In response to the urgency and scale required to effectively address climate change, open source solutions offer significant potential for driving innovation and progress. Currently, there is a growing demand for standardization and interoperability in energy data and modeling. Open source standards and specifications within the energy sector can also alleviate challenges associated with data fragmentation, transparency, and accessibility. At the same time, it is crucial to consider privacy and security concerns throughout the development of open source platforms.
This webinar will delve into the motivations behind establishing LF Energy’s Carbon Data Specification Consortium. It will provide an overview of the draft specifications and the ongoing progress made by the respective working groups.
Three primary specifications will be discussed:
-Discovery and client registration, emphasizing transparent processes and secure and private access
-Customer data, centering around customer tariffs, bills, energy usage, and full consumption disclosure
-Power systems data, focusing on grid data, inclusive of transmission and distribution networks, generation, intergrid power flows, and market settlement data
"Scaling RAG Applications to serve millions of users", Kevin GoedeckeFwdays
How we managed to grow and scale a RAG application from zero to thousands of users in 7 months. Lessons from technical challenges around managing high load for LLMs, RAGs and Vector databases.
What is an RPA CoE? Session 1 – CoE VisionDianaGray10
In the first session, we will review the organization's vision and how this has an impact on the COE Structure.
Topics covered:
• The role of a steering committee
• How do the organization’s priorities determine CoE Structure?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...Fwdays
Direct losses from downtime in 1 minute = $5-$10 thousand dollars. Reputation is priceless.
As part of the talk, we will consider the architectural strategies necessary for the development of highly loaded fintech solutions. We will focus on using queues and streaming to efficiently work and manage large amounts of data in real-time and to minimize latency.
We will focus special attention on the architectural patterns used in the design of the fintech system, microservices and event-driven architecture, which ensure scalability, fault tolerance, and consistency of the entire system.
QA or the Highway - Component Testing: Bridging the gap between frontend appl...zjhamm304
These are the slides for the presentation, "Component Testing: Bridging the gap between frontend applications" that was presented at QA or the Highway 2024 in Columbus, OH by Zachary Hamm.
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxSunil Jagani
Discover how AI is transforming the workplace and learn strategies for reskilling and upskilling employees to stay ahead. This comprehensive guide covers the impact of AI on jobs, essential skills for the future, and successful case studies from industry leaders. Embrace AI-driven changes, foster continuous learning, and build a future-ready workforce.
Read More - https://bit.ly/3VKly70
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsDianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
Creating a compelling user experience for any software, without the limitations of APIs.
Accelerating the app creation process, saving time and effort
Enjoying high-performance CRUD (create, read, update, delete) operations, for
seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
Session 1 - Intro to Robotic Process Automation.pdfUiPathCommunity
👉 Check out our full 'Africa Series - Automation Student Developers (EN)' page to register for the full program:
https://bit.ly/Automation_Student_Kickstart
In this session, we shall introduce you to the world of automation, the UiPath Platform, and guide you on how to install and setup UiPath Studio on your Windows PC.
📕 Detailed agenda:
What is RPA? Benefits of RPA?
RPA Applications
The UiPath End-to-End Automation Platform
UiPath Studio CE Installation and Setup
💻 Extra training through UiPath Academy:
Introduction to Automation
UiPath Business Automation Platform
Explore automation development with UiPath Studio
👉 Register here for our upcoming Session 2 on June 20: Introduction to UiPath Studio Fundamentals: https://community.uipath.com/events/details/uipath-lagos-presents-session-2-introduction-to-uipath-studio-fundamentals/
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
The Department of Veteran Affairs (VA) invited Taylor Paschal, Knowledge & Information Management Consultant at Enterprise Knowledge, to speak at a Knowledge Management Lunch and Learn hosted on June 12, 2024. All Office of Administration staff were invited to attend and received professional development credit for participating in the voluntary event.
The objectives of the Lunch and Learn presentation were to:
- Review what KM ‘is’ and ‘isn’t’
- Understand the value of KM and the benefits of engaging
- Define and reflect on your “what’s in it for me?”
- Share actionable ways you can participate in Knowledge - - Capture & Transfer
Must Know Postgres Extension for DBA and Developer during MigrationMydbops
Mydbops Opensource Database Meetup 16
Topic: Must-Know PostgreSQL Extensions for Developers and DBAs During Migration
Speaker: Deepak Mahto, Founder of DataCloudGaze Consulting
Date & Time: 8th June | 10 AM - 1 PM IST
Venue: Bangalore International Centre, Bangalore
Abstract: Discover how PostgreSQL extensions can be your secret weapon! This talk explores how key extensions enhance database capabilities and streamline the migration process for users moving from other relational databases like Oracle.
Key Takeaways:
* Learn about crucial extensions like oracle_fdw, pgtt, and pg_audit that ease migration complexities.
* Gain valuable strategies for implementing these extensions in PostgreSQL to achieve license freedom.
* Discover how these key extensions can empower both developers and DBAs during the migration process.
* Don't miss this chance to gain practical knowledge from an industry expert and stay updated on the latest open-source database trends.
Mydbops Managed Services specializes in taking the pain out of database management while optimizing performance. Since 2015, we have been providing top-notch support and assistance for the top three open-source databases: MySQL, MongoDB, and PostgreSQL.
Our team offers a wide range of services, including assistance, support, consulting, 24/7 operations, and expertise in all relevant technologies. We help organizations improve their database's performance, scalability, efficiency, and availability.
Contact us: info@mydbops.com
Visit: https://www.mydbops.com/
Follow us on LinkedIn: https://in.linkedin.com/company/mydbops
For more details and updates, please follow up the below links.
Meetup Page : https://www.meetup.com/mydbops-databa...
Twitter: https://twitter.com/mydbopsofficial
Blogs: https://www.mydbops.com/blog/
Facebook(Meta): https://www.facebook.com/mydbops/
What is an RPA CoE? Session 2 – CoE RolesDianaGray10
In this session, we will review the players involved in the CoE and how each role impacts opportunities.
Topics covered:
• What roles are essential?
• What place in the automation journey does each role play?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor IvaniukFwdays
At this talk we will discuss DDoS protection tools and best practices, discuss network architectures and what AWS has to offer. Also, we will look into one of the largest DDoS attacks on Ukrainian infrastructure that happened in February 2022. We'll see, what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on Ukraine experience
2. Crypto and Security
Motivation
Creating Secrets
Creating Digital Secrets
Revealing Digital Secrets
Key Problems
PuTTy example
VIM example (don’t use)
Key Principles
Asymmetric Keys
Creating a public key
Sharing a public key
Secure your private keys
Passwords
KDF relative strength
Bad Password Storage
Hashing (Passwords)
Bad Password Databases
Better Password DBs
Passwd Mismanagement
Password Management
Multi-factor Authentication
Motivation
● Cryptographic terminology
● Public keys and passwords
● Evaluating your personal security
3. Crypto and Security
Creating Secrets
Plain:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher: XYZABCDEFGHIJKLMNOPQRSTUVW
Plain Text: “Hoffman Lab!”
Cipher Text: “Elccjxk Ixy!”
4. Crypto and Security
Creating Digital Secrets
Cipher: Exclusive OR (XOR)
● Switch the bit if the key has a ‘1’ in that position
Plain Text: “11110000”
Key: “01010101”
Cipher text: “10100101”
5. Crypto and Security
Revealing Digital Secrets
Cipher text: “10100101”
Key: “01010101”
Plain Text: “11110000”
One Time Pad
● Use the key only once
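Why the one-time pad key may be used only once, as an added example (not part of the original slides): XOR-ing two cipher texts made with the same key cancels the key, so knowing one message reveals the other. The two messages and the `OneTimePad` class are constructed for illustration.

```python
import secrets


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR two equal-length byte strings; the same call encrypts and decrypts."""
    if len(data) != len(key):
        raise ValueError("a one-time pad key must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def bits(data: bytes) -> str:
    """Render bytes as the 0/1 strings used on the slides."""
    return "".join(f"{byte:08b}" for byte in data)


# Values taken from the slides.
SLIDE_PLAIN = bytes([0b11110000])
SLIDE_KEY = bytes([0b01010101])


def reuse_leak(cipher_a: bytes, cipher_b: bytes) -> bytes:
    """With a reused key, C1 xor C2 equals P1 xor P2: the key drops out."""
    return xor_bytes(cipher_a, cipher_b)


def recover_other_message(cipher_a: bytes, cipher_b: bytes, known_plain_a: bytes) -> bytes:
    """Whoever knows (or guesses) one message reads the other without the key."""
    return xor_bytes(reuse_leak(cipher_a, cipher_b), known_plain_a)


class OneTimePad:
    """Hypothetical helper: hands out every key byte once and never goes back."""

    def __init__(self, size: int):
        self._key = secrets.token_bytes(size)  # CSPRNG output, not random.random()
        self._next = 0

    def encrypt(self, message: bytes):
        """Return (offset, ciphertext); the offset tells the receiver which key bytes to use."""
        start, end = self._next, self._next + len(message)
        if end > len(self._key):
            raise ValueError("pad exhausted: generate and share a new pad")
        self._next = end  # burn the key bytes before returning anything
        return start, xor_bytes(message, self._key[start:end])

    def decrypt(self, start: int, ciphertext: bytes) -> bytes:
        return xor_bytes(ciphertext, self._key[start:start + len(ciphertext)])


if __name__ == "__main__":
    cipher = xor_bytes(SLIDE_PLAIN, SLIDE_KEY)
    print("slide cipher text:", bits(cipher))
    print("slide plain text: ", bits(xor_bytes(cipher, SLIDE_KEY)))

    # Constructed messages of equal length, encrypted with the SAME key (the mistake).
    first, second = b"Hoffman Lab!", b"meet at noon"
    key = secrets.token_bytes(len(first))
    c1, c2 = xor_bytes(first, key), xor_bytes(second, key)
    print("key cancels out: ", reuse_leak(c1, c2) == xor_bytes(first, second))
    print("second recovered:", recover_other_message(c1, c2, first))

    # Used correctly: every message consumes fresh key bytes.
    pad = OneTimePad(len(first) + len(second))
    off1, safe1 = pad.encrypt(first)
    off2, safe2 = pad.encrypt(second)
    print("fresh key bytes: ", pad.decrypt(off1, safe1), pad.decrypt(off2, safe2))
```

The pad must be as long as all the data it protects, which is the problem the next slide raises with a 2 TB secret.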
6. Crypto and Security
Key Problems
● What about a 2 TB secret?
● Block Ciphers
○ (Triple) DES - 56 bit key
○ AES (Rijndael) - 128/192/256 bit keys
● Stream Ciphers
○ RC4 - 40 to 256 bit keys
○ Salsa20 - 256 bit keys
7. Crypto and Security
PuTTY example
8. Crypto and Security
VIM example (don’t use)
:set cryptmethod=blowfish2
Block cipher
● Doesn’t provide any message authentication
○ Easy to tamper with
● Easy to brute force decipher
Don’t try to implement your own encryption - even published standards. Use libraries.
https://github.com/vim/vim/issues/638
9. Crypto and Security
Key principles
● Key length:
○ Age of the universe:
■ 4.36 x 10^26 ns
○ 256 bit key:
■ 1.15 x 10^77 possibilities
● Re-using keys makes them less secure
10. Crypto and Security
Asymmetric keys
● Different keys are used for encrypting and decrypting
Anyone who wishes to send me a private message:
“Hello!” → Encrypt (My Public Key) → Transfer
Me as the receiver:
Transfer → Decrypt (My Private Key) → “Hello!”
11. Crypto and Security
Creating a public key (ssh)
$ ssh-keygen
usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1] [-N
new_passphrase] [-C comment] [-f output_keyfile]
$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
...
Your identification has been saved in /users/eroberts/.ssh/id_ed25519.
Your public key has been saved in /users/eroberts/.ssh/id_ed25519.pub.
● ed25519 is recommended currently; however, it may not be available on older servers
● Otherwise: “ssh-keygen -t rsa -b 4096 -a 100 -o”
12. Crypto and Security
Sharing your public key
$ ssh-copy-id mordor
13. Crypto and Security
Secure your private keys
This should not be possible:
$ ssh -i /users/cviner/.ssh/id_rsa mordor
Trustico - SSL certificate reseller
Never trust any service that produces a private / public key on your behalf
Washington Post article on TSA keys
14. Crypto and Security
Passwords
● Technically keys
● Key Derivation Functions
○ MD5
○ PBKDF
○ bcrypt
○ scrypt
15. Crypto and Security
* https://www.tarsnap.com/scrypt/scrypt-slides.pdf (From 2009)
16. Crypto and Security
Bad Password Storage
From horrible to less horrible:
1. Stored as plain text
2. Run through a hash function
3. Run through a hash function with a salt
17. Crypto and Security
Hashing (Passwords)
Data (or password) as large as you want + Salt (unique gibberish) → Hash function (SHA-256) → Unique 256-bit number
Example: 98c0f87ec38b0c86817cfa9dc9d894a3468b611048f45060729509505d4543b5
● Same input always produces the same output
● No known two inputs to produce the same output for SHA-256
● Shattered.io
● Passwords and rainbow tables
● Salt is public and fights rainbow tables
18. Crypto and Security
Bad Password databases
Username   Hashed Password
Mickael    c616027b32758d9220a0e6b91899b2c1a06f521381fd6ac222c6fda6a3ace6ec
Rachel     531eb382d6274e9cad931b209a359842d6c79022b35361ec5c9c4c1afc559d71
Mehran     c616027b32758d9220a0e6b91899b2c1a06f521381fd6ac222c6fda6a3ace6ec
● Weak password = look up in a table
● Password leaked for Mickael = Password leaked for Mehran
Bad Network Database
19. Crypto and Security
Better Password DBs
Username   Hashed Password                                                    Salt (public!)
Mickael    8d3dcedf007d016be15a3016b60711d6146d1107e62229fcff503bc6f97b2649   b95093mvf89s8a
Rachel     c80b21d4a843f38f00b33cde9634171d602779fbdb65a273108bb09ecc439df8   b9t0p94jhlf980qf083
Mehran     69a0168e9d9a180b43ebf23709cb96dff2173f5ed430f21365b5e57a52623ab9   9b08v23r8yfeh3791bj
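The two tables above, reproduced as an added example (not part of the original presentation): unsalted SHA-256 gives two users with the same password the same stored value and lets a precomputed table reverse it, while a per-user salt fed into scrypt does neither. The user passwords, the candidate list and the scrypt parameters are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed scrypt cost parameters for this example (not from the slides).
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)

# Constructed sample accounts; two users picked the same weak password.
SAMPLE_USERS = {
    "Mickael": "letmein",
    "Rachel": "correct horse battery staple",
    "Mehran": "letmein",
}


def unsalted_sha256(password: str) -> str:
    """The 'bad database' scheme: a bare, fast hash of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precomputed hash -> password table, the idea behind rainbow tables."""
    return {unsalted_sha256(p): p for p in candidates}


def new_record(password: str) -> dict:
    """The 'better database' scheme: per-user random salt plus a slow KDF."""
    salt = secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return {"salt": salt.hex(), "hash": key.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute the KDF with the stored (public) salt and compare."""
    salt = bytes.fromhex(record["salt"])
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(key.hex(), record["hash"])  # constant-time


if __name__ == "__main__":
    bad_db = {u: unsalted_sha256(p) for u, p in SAMPLE_USERS.items()}
    table = build_lookup_table(["123456", "password", "letmein"])
    for user, digest in bad_db.items():
        print("unsalted", user, digest[:16], "->", table.get(digest, "not in table"))

    good_db = {u: new_record(p) for u, p in SAMPLE_USERS.items()}
    for user, rec in good_db.items():
        print("salted  ", user, rec["hash"][:16], "salt", rec["salt"])
    print("login ok:", verify("letmein", good_db["Mehran"]))
```

The salt is stored next to the hash in the clear; its job is to make every record need its own guessing effort, not to be secret.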
20. Crypto and Security
Password Mismanagement
● LinkedIn (2012) - unsalted SHA-1
● Evernote (2013) - unsalted MD5
● Yahoo (2013) - (unsalted?) MD5
● NCIX (3 weeks ago)
○ (unsalted?) MD5
○ Credit card info in plaintext
● Toronto and Region Conservation Authority (2017 - present?)
○ Plain Text
* haveibeenpwned.com (look yourself up)
21. Crypto and Security
Password Management
● Use a Password Manager
○ 1Password
○ LastPass
○ KeePass
● Only have to remember 1 very strong password
● Not perfect
22. Crypto and Security
Multi-factor Authentication
1. Knowledge (Password)
2. Possession (Device)
3. Inherence (Fingerprint)
● Use two of these factors when possible
23. Crypto and Security
Questions?
Cryptographic Right Answers:
https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html
Editor's Notes
The point of this presentation is to arm yourself with at least a broad-strokes understanding of keeping your data and yourself secure at any computer you use.
There is an awful lot of jargon when it comes to cryptography. We’ll go over what I think is the most relevant, which should give you enough context to make your own educated decisions and to better understand the programs you use (like SSH, e-mail, your web browser).
Passwords are hazardous and everyone, but not everyone in this lab, should be using public/private keys when it comes to use on Bitbucket or logging into other machines.
Ideally, armed with all of this information, everyone should be able to make more conscious decisions when evaluating the security of their own and other systems.
The idea of secretly storing or transmitting messages is nothing new. Here we have the quintessential Caesar cipher. The letters are moved back 3 letters in their respective alphabet. In cryptographic terms the original message is called “plain text” while the encrypted message is called “cipher text”.
Evidently this was actually used by Caesar. No, you should not use it.
In the world of computing, our information is stored as binary digits, or bits, so we have to come up with methods of encrypting (and decrypting) information in this format.
Even in digital formats, information is universally still referred to as plain text.
Here we’re introducing a “key” which “locks” or encrypts a message. The idea is that if you see a “1” in the key, you switch the corresponding bit in the plain text to produce the cipher text.
Exclusive OR is likely the most important cipher in cryptographic history. The NSA called it "perhaps one of the most important in the history of cryptography."
To decrypt, use the same key and the same rule as before to get the “plain text” back!
This cipher is called a One Time Pad. It is actually perfectly secure if you can trust the source.
It’s not hard to imagine that if you had only the cipher text and no key, your best bet to get at the plain text is to guess. Each bit “flips” depending on whether or not there is a corresponding 1 in the key. If the key is truly hidden, you’re stuck unless you guess at every possible key.
It’s called a one time pad since, in this case, the key should only be used once. If you use it repeatedly, say on the characters of an e-mail, you suddenly give a would-be secret stealer more information and hints as to what the original key is (by, say, counting repeated occurrences in the cipher text and assuming the top pick is likely the letter ‘e’, etc).
No one uses the one time pad. One of the most glaring problems is that if someone wants to send 2 TB of data secretly, you’d have to come up with a 2 TB key first (and somehow mutually and securely decide on it beforehand).
In practice, ciphers use a key that is *much* shorter than the text being encrypted. Most ciphers, but not all, use XOR significantly in their constructions.
Ciphers typically work on chunks of data, whether that’s a stream of bits or blocks. I’ve given some popular examples below. It’s not really important to know how they work, only that there are a lot of them, and to recognize when you might be using an insecure or out-of-date one. These names will come up every once in a while.
These ciphers are far more common than you think even though you don’t see their names too often. AES, for example, has been worked into the instruction set of Intel-based processors since 2008.
Never ever try to create your own cipher. Older ones are likely to be insecure. RC4 and (not triple) DES should be avoided if at all possible.
So you’re thinking: when would I ever care to know about these ciphers?
Here you can actually select or disallow ciphers. Maybe not practical in some cases - but very useful to know in case someone has, for example, checked that box for use of single-DES.
Here’s a good example of why you should be wary about other people implementing ciphers. VIM has a rather forgetting cryptmethod option. Don’t use it. It’s bad by all security standards.
Neovim, a popular fork of VIM, removed this option entirely.
For creating and using keys, bigger is better. For some context on why even a 256 bit key is usually good enough, compare the number of possible keys with, say, the lifetime of the universe in nanoseconds. If you had a computer running since the dawn of time guessing at your secret 256 bit key, chances are you’re still very safe. Notably, on average a guesser only needs to try half of the possibilities before arriving at the answer. Grover’s algorithm?
As mentioned before, key re-use is bad since it continually gives out information about the cipher text, however slight. If you wonder why some websites suddenly become “insecure” - it’s because their key has “expired” and is considered no longer secure enough. So they need to create a new one, or the update has yet to be reflected on your computer.
There are forms of cryptography where the same key is not used for both encrypting and decrypting data. This is incredibly useful since it means that if I want to have secure communication with any stranger, all I have to do is provide a public key while I secretly keep my corresponding private key.
This is like providing an open lockbox or safe to a stranger and keeping the key. They could put their message inside, mail or deliver it, and only you could open it.
It’s very easy to create. The -t option allows you to choose the algorithm or type of public/private key you wish to generate. RSA and DSA are old and not as secure as the ecdsa or ed25519. These algorithms refer to elliptic curves, or specifically the “ec” portion. RSA stands for Rivest–Shamir–Adleman.
Here I generated an elliptic curve public/private key pair and kept the defaults (256 bits and 16 iterations). It’s more secure than a 4096 bit key for RSA. The program importantly tells you where your private and public keys are stored. Your private key *must* stay private.
This is how you copy your public key to mordor. Now, if you don’t have a passphrase attached to your key, you can log in without a password. The computer you log in from, after adding your key, is implicitly trusted unless you specify otherwise.
On Bitbucket you have to copy your public key manually. Use the public key from the file given by ssh-keygen.
After this presentation I’m removing the password option from pushing the website script. Just put a key on Bitbucket and be significantly happier for yourself please.
I should not be able to log in using someone else’s ID. This should be the default, though if you’ve accidentally granted read access to your entire home directory then you’re in a bit of trouble.
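One way to check for the situation above on directories you administer, as an added example that is not part of the original presentation: walk a directory tree, recognise private key files by their PEM header, and report any whose permission bits give group or other users access. The function names and the header list are assumptions of this sketch.

```python
import os
import stat

# Header lines that commonly start a private key file (assumed list, not exhaustive).
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)


def looks_like_private_key(path: str) -> bool:
    """Identify a private key by content, since file names can be anything."""
    try:
        with open(path, "rb") as handle:
            head = handle.read(64)
    except OSError:
        return False  # unreadable to us, nothing to inspect
    return head.lstrip().startswith(PRIVATE_KEY_MARKERS)


def audit_private_keys(root: str):
    """Return (path, mode string) for every private key under root whose
    mode grants any permission to group or other."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            info = os.lstat(path)
            if not stat.S_ISREG(info.st_mode):
                continue  # skip symlinks, sockets, devices
            if not looks_like_private_key(path):
                continue
            if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((path, stat.filemode(info.st_mode)))
    return sorted(findings)


if __name__ == "__main__":
    # Audits the current user's own ~/.ssh directory.
    for path, mode in audit_private_keys(os.path.expanduser("~/.ssh")):
        print(f"{mode} {path}  -> fix with: chmod 600")
```

A clean result only covers the file modes; a home directory or `.ssh` directory that others can traverse still needs its own check.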
Other real examples of bad private key sharing include the Washington Post providing a very high-resolution photo of the TSA master keys. These were promptly turned into 3D-printable versions (that work).
Back in March (of 2018), an SSL certificate reseller, a service that certifies your public key, claimed that a bunch of their keys had been compromised. They proved this fact by e-mailing out over 50000 private keys. How they got the private keys is questionable and why they decided to e-mail them out is also questionable.
Passwords can act like keys (in real life)
For secure use digitally, they are transformed by a key derivation function which takes a text password, and produces a key that is unique to that user. This is in the best case and you can only at best trust that the service storing your password is actually doing this.
These attack timings are a decade old (read: much faster now) and are against the *best possible case*, where someone has done the right thing by storing your password.
SHA-1 has been proven to be broken as of 2017 (A forged PDF with the same resulting hash)
It’s possible to download freely produced tables of all combinations of say all 10 numbers and letters and see what their resulting hash is for a given function. If a would-be attacker gets hold of your only just-hashed password that is relatively short (< 10 characters), they can just look it up in a database.
In case it isn’t blindingly obvious - never share passwords across sites.
A password manager is a program that stores your passwords in a single secure repository. It can generate passwords and ensure you do not have repeated passwords across devices, websites, etc. It seems like a bad idea to have a single point of failure.
“Password managers don't have to be perfect, they just have to be better than not having one”
In the world of authentication there are 3 types of evidence you can provide.
Most commonly the device is your phone, though there are other devices that specialize in, say, storing a private key, such as a YubiKey.
Lots of topics I did not address such as Message Authentication Codes, Side-channel attacks, Sources of randomness (for key generation), etc. I’m by all means not an expert on these topics and I’d wager that there is probably only a very small number of people in the world who are. In general stick to recommendations, audited implementations, and avoid doing this stuff on your own.
If you google Cryptographic Right Answers, there’s been a long, evolving-over-the-years discussion of what the recommended go-to choices for particular applications are. Hopefully, after the brief overview from this presentation, you should be able to make better sense of the discussion involved.