The document provides an overview of cryptography, explaining its purpose as a method for secure communication against adversaries, and details several cryptographic techniques such as encryption, hashing, and key derivation. It emphasizes the importance of good cryptography in obscuring data to prevent duplication or reverse engineering, and highlights common issues like password predictability and the use of random salts to enhance security. Additionally, it includes practical examples and resources for further understanding cryptographic methods.

1. @adam_englander
Cryptography for Beginners
Adam Englander
Software Architect, iovation

2. @adam_englander
I am a Virtual Crime Fighter

3. @adam_englander
Let’s Set Some Expectations

4. @adam_englander
What is cryptography?

5. @adam_englander
–Wikipedia
“Cryptography…is the practice and
study of techniques for secure
communication in the presence of third
parties called adversaries.”

6. @adam_englander
–Wikipedia
“Cryptography…is the practice and
study of techniques for secure
communication in the presence of third
parties called adversaries.”

7. @adam_englander
How Cryptography Works

8. @adam_englander

9. @adam_englander

10. @adam_englander

11. @adam_englander

12. @adam_englander

13. @adam_englander

14. @adam_englander
How is cryptography used?

15. @adam_englander
Encryption Signatures
Key Derivation Hashing

16. @adam_englander
Encryption

17. @adam_englander
Asymmetric Encryption

18. @adam_englander
Symmetric Encryption

19. @adam_englander
Hashing

20. @adam_englander
Input MD5 SHA1
Foo
1356c67d7ad1638d816bfb82
2dd2c25d
201a6b3053cc1422d2c3670b6
2616221d2290929
Bar
ddc35f88fa71b6ef142ae61f35
364653
e496fd20136d4bb7828ebb0ab
925b1bd977208e4

21. @adam_englander
Collisions occur when two input
values create the same hash

22. @adam_englander
Any modern hashing algorithm will
never create collision for an input
value whose size is equal to or less
then the hash output size

23. @adam_englander
Input MD5 SHA1
Foo
1356c67d7ad1638d816bfb82
2dd2c25d
201a6b3053cc1422d2c3670b6
2616221d2290929
Bar
ddc35f88fa71b6ef142ae61f35
364653
e496fd20136d4bb7828ebb0ab
925b1bd977208e4

24. @adam_englander
db110e4553b9fb646c8d01d928668046
33,571 byte input and 32 byte output

25. @adam_englander
Hashes by themselves aren’t very useful!

26. @adam_englander
Signatures

27. @adam_englander
Data Key Signature
Foo KeyOne b4ac60b7d319d41df60c99a6d064c18e
Foo KeyOne b4ac60b7d319d41df60c99a6d064c18e
Foo KeyTwo db97086208d9dd34d4b288959cac612f
Bar KeyOne 8624de374522eaf1b4ae9f0b872c2169

28. @adam_englander
Data Key Signature
Foo KeyOne b4ac60b7d319d41df60c99a6d064c18e
Foo KeyOne b4ac60b7d319d41df60c99a6d064c18e
Foo KeyTwo db97086208d9dd34d4b288959cac612f
Bar KeyOne 8624de374522eaf1b4ae9f0b872c2169

29. @adam_englander
Data Key Signature
Foo KeyOne b4ac60b7d319d41df60c99a6d064c18e
Foo KeyOne b4ac60b7d319d41df60c99a6d064c18e
Foo KeyTwo db97086208d9dd34d4b288959cac612f
Bar KeyOne 8624de374522eaf1b4ae9f0b872c2169

30. @adam_englander
Data Key Signature
Foo KeyOne b4ac60b7d319d41df60c99a6d064c18e
Foo KeyOne b4ac60b7d319d41df60c99a6d064c18e
Foo KeyTwo db97086208d9dd34d4b288959cac612f
Bar KeyOne 8624de374522eaf1b4ae9f0b872c2169

31. @adam_englander
Key Derivation

32. @adam_englander
ihatepasswords randomsalt gPqSXKzzeStBAqT3

33. @adam_englander
ihatepasswords randomsalt gPqSXKzzeStBAqT3
gPqSXKzzeStBAqT3 randomsalt hoEiNrLNefkxRNPR

34. @adam_englander
ihatepasswords randomsalt gPqSXKzzeStBAqT3
gPqSXKzzeStBAqT3 randomsalt hoEiNrLNefkxRNPR
hoEiNrLNefkxRNPR randomsalt MgbfofelpvLjM0Hx

35. @adam_englander
ihatepasswords randomsalt gPqSXKzzeStBAqT3
gPqSXKzzeStBAqT3 randomsalt hoEiNrLNefkxRNPR
hoEiNrLNefkxRNPR randomsalt MgbfofelpvLjM0Hx
MgbfofelpvLjM0Hx randomsalt xYjyM0wXf1VYboBa

36. @adam_englander
ihatepasswords randomsalt gPqSXKzzeStBAqT3
gPqSXKzzeStBAqT3 randomsalt hoEiNrLNefkxRNPR
hoEiNrLNefkxRNPR randomsalt MgbfofelpvLjM0Hx
MgbfofelpvLjM0Hx randomsalt xYjyM0wXf1VYboBa
xYjyM0wXf1VYboBa randomsalt OpWKejkZt/u1wFCk

37. @adam_englander
How do I get good
cryptography?

38. @adam_englander
Good cryptography obscures data
in such a way that it is difficult and
costly to duplicate or reverse.

39. @adam_englander
Attacking Cryptography

40. @adam_englander

41. @adam_englander

42. @adam_englander

43. @adam_englander

44. @adam_englander

45. @adam_englander

46. @adam_englander

47. @adam_englander
There are ways to fight all that
power...

48. @adam_englander
Algorithm Complexity

49. @adam_englander
Large Keys

50. @adam_englander
System Resources

51. @adam_englander
Iteration

52. @adam_englander

53. @adam_englander
–Oxford Dictionary
Entropy:
Lack of order or predictability; gradual
decline into disorder.”

54. @adam_englander
Real world data has very
predictable patterns.

55. @adam_englander
HTTP/1.1 200 OK
Content-Type: application/json
Server: Apache/2.1
Date: Thu, 08 Feb 2018 18:19:56 GMT
{
"account": "my-secret-account-number",
"date_of_birth": "1980-01-02",
"first_name": "Jane",
"last_name": "Doe",
"ssn_last4": "1234",
}

56. @adam_englander
HTTP/1.1 200 OK
Content-Type: application/json
Server: Apache/2.1
Date: Thu, 08 Feb 2018 18:19:56 GMT
{
"account": "my-secret-account-number",
"date_of_birth": "1980-01-02",
"first_name": "Jane",
"last_name": "Doe",
"ssn_last4": "1234",
}

57. @adam_englander
HTTP/1.1 200 OK
Content-Type: application/json
Server: Apache/2.1
Date: Thu, 08 Feb 2018 18:19:56 GMT
{
"account": "my-secret-account-number",
"date_of_birth": "1980-01-02",
"first_name": "Jane",
"last_name": "Doe",
"ssn_last4": "1234",
}

58. @adam_englander
HTTP/1.1 200 OK
Content-Type: application/json
Server: Apache/2.1
Date: Thu, 08 Feb 2018 18:19:56 GMT
{
"account": "my-secret-account-number",
"date_of_birth": "1980-01-02",
"first_name": "Jane",
"last_name": "Doe",
"ssn_last4": "1234",
}

59. @adam_englander
Credential data is highly
predictable

60. @adam_englander
Most services use email for the
username

61. @adam_englander
Passwords have very high
predictability and are reused

62. @adam_englander
–iovation: August 2015 Password Survey
https://s3.amazonaws.com/launchkey-blog/LaunchKey_Password_Survey_Results.pdf
“68% of people reuse passwords”

63. @adam_englander
–Keeper Security: The Most Common Passwords of 2016
https://keepersecurity.com/public/Most-Common-Passwords-of-2016-Keeper-Security-Study.pdf
“The top 25 passwords of 2016
constitute over 50% of the 10M
passwords that were analyzed.”

64. @adam_englander
–Keeper Security: The Most Common Passwords of 2016
https://keepersecurity.com/public/Most-Common-Passwords-of-2016-Keeper-Security-Study.pdf
“Nearly 17% of users are safeguarding
their accounts with “123456."”

65. @adam_englander
Most users will choose
passwords based on ease of
recall rather than entropy

66. @adam_englander
All the reuse and predictability
in passwords creates a very
serious problem

67. @adam_englander
user1 wI6Lx2klirB32K5T/4iQzsRVXI0PoVfc
user2 eHc9kCCZAzmR8HrelHeOAOs67XBo6OQe
user3 wI6Lx2klirB32K5T/4iQzsRVXI0PoVfc
user4 7U02IuFr4KJdjcexi26XFBWOuB3rTGLh
user5 wI6Lx2klirB32K5T/4iQzsRVXI0PoVfc

68. @adam_englander
user1 wI6Lx2klirB32K5T/4iQzsRVXI0PoVfc
user2 eHc9kCCZAzmR8HrelHeOAOs67XBo6OQe
user3 wI6Lx2klirB32K5T/4iQzsRVXI0PoVfc
user4 7U02IuFr4KJdjcexi26XFBWOuB3rTGLh
user5 wI6Lx2klirB32K5T/4iQzsRVXI0PoVfc

69. @adam_englander
Good cryptography uses random
salts to add entropy to hashes

70. @adam_englander
user1 4Ka7pm2M hqebP0ZRMl1DuBuoDC6+aA==
user2 lmsnAV/G XW0sV+kkle4DGaRyCul9mg==
user3 dLi1KjpE WrxmEs5ebHl1BiSp78fAeg==
user4 oRj3JUBE dATxMWkabTpBUwsjtNu3Eg==
user5 SD1sEqV tHKLSj5J8FoO0LHJfeI6lA==

71. @adam_englander
Nearly every type of data has
recognizable patterns

72. @adam_englander
English Message Patterns
• Spaces can be determined based on predictable word patterns
• Single letter words will be either the letter i or a
• In a two letter word, one of the letters is a vowel
• Three letter words mostly start and end with consonants and nearly
always have a vowel in the middle
• The letter e is the most common of all letters

73. @adam_englander
RrSRvtw/2Mk993TmCMjoAoSjyTAIF1emZQU=
RrSRvtw/2Mk993TmCMjoAoSjyTAIF1emZQU=
VXXo7Ov5OxFC5l6hEwDECoSjyTAIF1emZQY=
uoZjkwYzCwwN18xU8aZMzISjyTAIF1SmZQU=
yUe6wRXtblMRxrYP/N4n1ISjyTAIF1SmZQY=
coqei5pw+HHPDpaCPzcNW4SjyTMIF1emZQU=

74. @adam_englander
RrSRvtw/2Mk993TmCMjoAoSjyTAIF1emZQU=
RrSRvtw/2Mk993TmCMjoAoSjyTAIF1emZQU=
VXXo7Ov5OxFC5l6hEwDECoSjyTAIF1emZQY=
uoZjkwYzCwwN18xU8aZMzISjyTAIF1SmZQU=
yUe6wRXtblMRxrYP/N4n1ISjyTAIF1SmZQY=
coqei5pw+HHPDpaCPzcNW4SjyTMIF1emZQU=

75. @adam_englander
RrSRvtw/2Mk993TmCMjoAoSjyTAIF1emZQU=
RrSRvtw/2Mk993TmCMjoAoSjyTAIF1emZQU=
VXXo7Ov5OxFC5l6hEwDECoSjyTAIF1emZQY=
uoZjkwYzCwwN18xU8aZMzISjyTAIF1SmZQU=
yUe6wRXtblMRxrYP/N4n1ISjyTAIF1SmZQY=
coqei5pw+HHPDpaCPzcNW4SjyTMIF1emZQU=

76. @adam_englander
RrSRvtw/2Mk993TmCMjoAoSjyTAIF1emZQU=
RrSRvtw/2Mk993TmCMjoAoSjyTAIF1emZQU=
VXXo7Ov5OxFC5l6hEwDECoSjyTAIF1emZQY=
uoZjkwYzCwwN18xU8aZMzISjyTAIF1SmZQU=
yUe6wRXtblMRxrYP/N4n1ISjyTAIF1SmZQY=
coqei5pw+HHPDpaCPzcNW4SjyTMIF1emZQU=

77. @adam_englander
RrSRvtw/2Mk993TmCMjoAoSjyTAIF1emZQU=
RrSRvtw/2Mk993TmCMjoAoSjyTAIF1emZQU=
VXXo7Ov5OxFC5l6hEwDECoSjyTAIF1emZQY=
uoZjkwYzCwwN18xU8aZMzISjyTAIF1SmZQU=
yUe6wRXtblMRxrYP/N4n1ISjyTAIF1SmZQY=
coqei5pw+HHPDpaCPzcNW4SjyTMIF1emZQU=

78. @adam_englander
H4pyN6ucltNSlZBsaT5h2SBIuAXvITa0N3U=
uAHjDXC+A0QcyxLugng2wGd/QoghrgbHMaM=
o3O+HjdzJOZ7bZEi8X5MBbMWVphZmGnHEoQ=
RCsavNOf1KNgf7FAqn0o6xV/nWWMsT3KkNU=
dkHaoUx4npXSIOvO8rvY07CdWfOoQ7+Pht4=
rBdxOfwfsGmavqsgpqcavapMNb2/vYEFW6c=

79. @adam_englander
Random salts and IVs need
good random values

80. @adam_englander
CSPRNG

81. @adam_englander
Stop it! You’re blowing my mind!

82. @adam_englander
Use the password extension!

83. @adam_englander
<?php
function validate_password($password, $user) {
}

84. @adam_englander
<?php
function validate_password($password, $user) {
if (!password_verify($password, $user->password)) {
throw new InvalidArgumentException("Password Failed");
}
}

85. @adam_englander
<?php
function validate_password($password, $user) {
if (!password_verify($password, $user->password)) {
throw new InvalidArgumentException("Password Failed");
}
if (password_needs_rehash($user->password, PASSWORD_DEFAULT)) {
$user->password = password_hash($password, PASSWORD_DEFAULT);
$user->save();
}
}

86. @adam_englander
It’s encryption that’s good for you

87. @adam_englander
// Generating your encryption key
$key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);

88. @adam_englander
// Generating your encryption key
$key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
// Generate a random nonce
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);

89. @adam_englander
// Generating your encryption key
$key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
// Generate a random nonce
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
// Using your key to encrypt information
$ciphertext = sodium_crypto_secretbox('test', $nonce, $key);

90. @adam_englander
// Generating your encryption key
$key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
// Generate a random nonce
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
// Using your key to encrypt information
$ciphertext = sodium_crypto_secretbox('test', $nonce, $key);
// Decrypting a message requires the nonce and key used to encrypt
$plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
if ($plaintext === false) {
throw new Exception("Bad ciphertext");
}

91. @adam_englander

92. @adam_englander
Books
• The Code Book: The Science of Secrecy from
Ancient Egypt to Quantum Cryptography -
Simon Singh - ISBN: 0-385-49532
• Cryptography Engineering: Design Principles
and Practical Applications - Niels Ferguson,
Bruce Schneider, Tadayoshi Kohno - ISBN:
978-0-470-47424-2

93. @adam_englander
Websites
• https://secure.php.net/manual/en/book.password.php
• https://paragonie.com/book/pecl-libsodium
• https://secure.php.net/manual/en/book.openssl.php
• https://secure.php.net/manual/en/book.csprng.php
• https://en.wikipedia.org/wiki/Cryptography

94. @adam_englander
https://joind.in/talk/f411c