Cryptography for Beginners - Midwest PHP 2018
•
1 like•233 views
Cryptography is a complex and confusing subject. In this talk you will learn about the core components of cryptography used in software development: securing data with encryption, ensuring data integrity with hashes and digital signatures, and protecting passwords with key derivation functions. While learning how to use these components, you will also learn the best practices that drive strong cryptography. This talk won’t make you a cryptography expert but it will give you the knowledge necessary to use cryptography properly. No prior knowledge of cryptography is required for this presentation.
Recommended
More Related Content
Similar to Cryptography for Beginners - Midwest PHP 2018
Similar to Cryptography for Beginners - Midwest PHP 2018 (20)
More from Adam Englander
More from Adam Englander (20)
Recently uploaded
Recently uploaded (20)
Cryptography for Beginners - Midwest PHP 2018
- 1. @adam_englander Cryptography for Beginners Adam Englander Software Architect, iovation
- 2. @adam_englander I am a Virtual Crime Fighter
- 3. @adam_englander Let’s Set Some Expectations
- 5. @adam_englander –Wikipedia “Cryptography…is the practice and study of techniques for secure communication in the presence of third parties called adversaries.”
- 6. @adam_englander –Wikipedia “Cryptography…is the practice and study of techniques for secure communication in the presence of third parties called adversaries.”
- 10. @adam_englander
- 11. @adam_englander
- 12. @adam_englander
- 13. @adam_englander
- 14. @adam_englander How is cryptography used?
- 21. @adam_englander Collisions occur when two input values create the same hash
- 22. @adam_englander Any modern hashing algorithm will never create collision for an input value whose size is equal to or less then the hash output size
- 24. @adam_englander db110e4553b9fb646c8d01d928668046 33,571 byte input and 32 byte output
- 25. @adam_englander Hashes by themselves aren’t very useful!
- 27. @adam_englander Data Key Signature Foo KeyOne b4ac60b7d319d41df60c99a6d064c18e Foo KeyOne b4ac60b7d319d41df60c99a6d064c18e Foo KeyTwo db97086208d9dd34d4b288959cac612f Bar KeyOne 8624de374522eaf1b4ae9f0b872c2169
- 28. @adam_englander Data Key Signature Foo KeyOne b4ac60b7d319d41df60c99a6d064c18e Foo KeyOne b4ac60b7d319d41df60c99a6d064c18e Foo KeyTwo db97086208d9dd34d4b288959cac612f Bar KeyOne 8624de374522eaf1b4ae9f0b872c2169
- 29. @adam_englander Data Key Signature Foo KeyOne b4ac60b7d319d41df60c99a6d064c18e Foo KeyOne b4ac60b7d319d41df60c99a6d064c18e Foo KeyTwo db97086208d9dd34d4b288959cac612f Bar KeyOne 8624de374522eaf1b4ae9f0b872c2169
- 30. @adam_englander Data Key Signature Foo KeyOne b4ac60b7d319d41df60c99a6d064c18e Foo KeyOne b4ac60b7d319d41df60c99a6d064c18e Foo KeyTwo db97086208d9dd34d4b288959cac612f Bar KeyOne 8624de374522eaf1b4ae9f0b872c2169
- 33. @adam_englander ihatepasswords randomsalt gPqSXKzzeStBAqT3 gPqSXKzzeStBAqT3 randomsalt hoEiNrLNefkxRNPR
- 34. @adam_englander ihatepasswords randomsalt gPqSXKzzeStBAqT3 gPqSXKzzeStBAqT3 randomsalt hoEiNrLNefkxRNPR hoEiNrLNefkxRNPR randomsalt MgbfofelpvLjM0Hx
- 35. @adam_englander ihatepasswords randomsalt gPqSXKzzeStBAqT3 gPqSXKzzeStBAqT3 randomsalt hoEiNrLNefkxRNPR hoEiNrLNefkxRNPR randomsalt MgbfofelpvLjM0Hx MgbfofelpvLjM0Hx randomsalt xYjyM0wXf1VYboBa
- 36. @adam_englander ihatepasswords randomsalt gPqSXKzzeStBAqT3 gPqSXKzzeStBAqT3 randomsalt hoEiNrLNefkxRNPR hoEiNrLNefkxRNPR randomsalt MgbfofelpvLjM0Hx MgbfofelpvLjM0Hx randomsalt xYjyM0wXf1VYboBa xYjyM0wXf1VYboBa randomsalt OpWKejkZt/u1wFCk
- 37. @adam_englander How do I get good cryptography?
- 38. @adam_englander Good cryptography obscures data in such a way that it is difficult and costly to duplicate or reverse.
- 40. @adam_englander
- 41. @adam_englander
- 42. @adam_englander
- 43. @adam_englander
- 44. @adam_englander
- 45. @adam_englander
- 46. @adam_englander
- 47. @adam_englander There are ways to fight all that power...
- 52. @adam_englander
- 53. @adam_englander –Oxford Dictionary Entropy: Lack of order or predictability; gradual decline into disorder.”
- 54. @adam_englander Real world data has very predictable patterns.
- 55. @adam_englander HTTP/1.1 200 OK Content-Type: application/json Server: Apache/2.1 Date: Thu, 08 Feb 2018 18:19:56 GMT { "account": "my-secret-account-number", "date_of_birth": "1980-01-02", "first_name": "Jane", "last_name": "Doe", "ssn_last4": "1234", }
- 56. @adam_englander HTTP/1.1 200 OK Content-Type: application/json Server: Apache/2.1 Date: Thu, 08 Feb 2018 18:19:56 GMT { "account": "my-secret-account-number", "date_of_birth": "1980-01-02", "first_name": "Jane", "last_name": "Doe", "ssn_last4": "1234", }
- 57. @adam_englander HTTP/1.1 200 OK Content-Type: application/json Server: Apache/2.1 Date: Thu, 08 Feb 2018 18:19:56 GMT { "account": "my-secret-account-number", "date_of_birth": "1980-01-02", "first_name": "Jane", "last_name": "Doe", "ssn_last4": "1234", }
- 58. @adam_englander HTTP/1.1 200 OK Content-Type: application/json Server: Apache/2.1 Date: Thu, 08 Feb 2018 18:19:56 GMT { "account": "my-secret-account-number", "date_of_birth": "1980-01-02", "first_name": "Jane", "last_name": "Doe", "ssn_last4": "1234", }
- 59. @adam_englander Credential data is highly predictable
- 60. @adam_englander Most services use email for the username
- 61. @adam_englander Passwords have very high predictability and are reused
- 62. @adam_englander –iovation: August 2015 Password Survey https://s3.amazonaws.com/launchkey-blog/LaunchKey_Password_Survey_Results.pdf “68% of people reuse passwords”
- 63. @adam_englander –Keeper Security: The Most Common Passwords of 2016 https://keepersecurity.com/public/Most-Common-Passwords-of-2016-Keeper-Security-Study.pdf “The top 25 passwords of 2016 constitute over 50% of the 10M passwords that were analyzed.”
- 64. @adam_englander –Keeper Security: The Most Common Passwords of 2016 https://keepersecurity.com/public/Most-Common-Passwords-of-2016-Keeper-Security-Study.pdf “Nearly 17% of users are safeguarding their accounts with “123456."”
- 65. @adam_englander Most users will choose passwords based on ease of recall rather than entropy
- 66. @adam_englander All the reuse and predictability in passwords creates a very serious problem
- 67. @adam_englander user1 wI6Lx2klirB32K5T/4iQzsRVXI0PoVfc user2 eHc9kCCZAzmR8HrelHeOAOs67XBo6OQe user3 wI6Lx2klirB32K5T/4iQzsRVXI0PoVfc user4 7U02IuFr4KJdjcexi26XFBWOuB3rTGLh user5 wI6Lx2klirB32K5T/4iQzsRVXI0PoVfc
- 68. @adam_englander user1 wI6Lx2klirB32K5T/4iQzsRVXI0PoVfc user2 eHc9kCCZAzmR8HrelHeOAOs67XBo6OQe user3 wI6Lx2klirB32K5T/4iQzsRVXI0PoVfc user4 7U02IuFr4KJdjcexi26XFBWOuB3rTGLh user5 wI6Lx2klirB32K5T/4iQzsRVXI0PoVfc
- 69. @adam_englander Good cryptography uses random salts to add entropy to hashes
- 70. @adam_englander user1 4Ka7pm2M hqebP0ZRMl1DuBuoDC6+aA== user2 lmsnAV/G XW0sV+kkle4DGaRyCul9mg== user3 dLi1KjpE WrxmEs5ebHl1BiSp78fAeg== user4 oRj3JUBE dATxMWkabTpBUwsjtNu3Eg== user5 SD1sEqV tHKLSj5J8FoO0LHJfeI6lA==
- 71. @adam_englander Nearly every type of data has recognizable patterns
- 72. @adam_englander English Message Patterns • Spaces can be determined based on predictable word patterns • Single letter words will be either the letter i or a • In a two letter word, one of the letters is a vowel • Three letter words mostly start and end with consonants and nearly always have a vowel in the middle • The letter e is the most common of all letters
- 79. @adam_englander Random salts and IVs need good random values
- 81. @adam_englander Stop it! You’re blowing my mind!
- 82. @adam_englander Use the password extension!
- 84. @adam_englander <?php function validate_password($password, $user) { if (!password_verify($password, $user->password)) { throw new InvalidArgumentException("Password Failed"); } }
- 85. @adam_englander <?php function validate_password($password, $user) { if (!password_verify($password, $user->password)) { throw new InvalidArgumentException("Password Failed"); } if (password_needs_rehash($user->password, PASSWORD_DEFAULT)) { $user->password = password_hash($password, PASSWORD_DEFAULT); $user->save(); } }
- 86. @adam_englander It’s encryption that’s good for you
- 87. @adam_englander // Generating your encryption key $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
- 88. @adam_englander // Generating your encryption key $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES); // Generate a random nonce $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
- 89. @adam_englander // Generating your encryption key $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES); // Generate a random nonce $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // Using your key to encrypt information $ciphertext = sodium_crypto_secretbox('test', $nonce, $key);
- 90. @adam_englander // Generating your encryption key $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES); // Generate a random nonce $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // Using your key to encrypt information $ciphertext = sodium_crypto_secretbox('test', $nonce, $key); // Decrypting a message requires the nonce and key used to encrypt $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key); if ($plaintext === false) { throw new Exception("Bad ciphertext"); }
- 91. @adam_englander
- 92. @adam_englander Books • The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography - Simon Singh - ISBN: 0-385-49532 • Cryptography Engineering: Design Principles and Practical Applications - Niels Ferguson, Bruce Schneider, Tadayoshi Kohno - ISBN: 978-0-470-47424-2
- 93. @adam_englander Websites • https://secure.php.net/manual/en/book.password.php • https://paragonie.com/book/pecl-libsodium • https://secure.php.net/manual/en/book.openssl.php • https://secure.php.net/manual/en/book.csprng.php • https://en.wikipedia.org/wiki/Cryptography