The document discusses the Web Crypto API which allows cryptographic operations like hashing, signatures, and encryption/decryption to be performed in web applications. It covers the SubtleCrypto interface which provides cryptographic algorithms and methods. Some key methods include importKey, deriveKey, encrypt, and decrypt. It also discusses concepts like symmetric keys, AES-GCM encryption, PBKDF2 key derivation, and storing encrypted data with salts and initialization vectors. An example is provided of encrypting and decrypting data with a password using these Web Crypto API methods.
Cryptography involves techniques for securing communications and information. The document discusses several cryptographic concepts:
1. Hashing involves running data through a function to generate a fixed-size output called a digest or hash. Common hashing algorithms are MD5, SHA-1, and SHA-256.
2. Symmetric encryption uses the same key for encryption and decryption. Algorithms like AES and DES encrypt blocks of data under a secret key.
3. Asymmetric encryption uses different public and private keys. RSA and ECC are common algorithms. Keys can be generated, and data encrypted and decrypted.
4. Digital signatures provide integrity by allowing the authenticity of data to be verified. Signatures can
This document discusses common security anti-patterns and cargo cult programming practices related to cryptography. It describes how using cryptographic primitives incorrectly or for the wrong purposes can significantly weaken security. For example, using non-cryptographic random number generators, reusing initialization vectors, or rolling your own encryption when libraries are available. The document advocates identifying true security goals, using the correct cryptographic primitive, and relying on proven libraries instead of writing custom crypto code whenever possible.
Cryptography for Absolute Beginners (May 2019) Svetlin Nakov
Cryptography for Absolute Beginners
Svetlin Nakov @ Sofia Science Festival, May 2019
Video (Bulgarian language): https://youtu.be/-QzFcUkM7_4
Blog: https://nakov.com/blog/2019/05/13/cryptography-for-absolute-beginners-nakov-at-sofia-science-festival-may-2019/
Stateless Microservice Security via JWT and MicroProfile - ES Otavio Santana
This document summarizes Otavio Santana's presentation on stateless microservice security using JWT and MicroProfile. The presentation covered the limitations of Basic Auth and OAuth 2.0, and introduced JSON Web Tokens (JWT) as an alternative token-based authentication approach. It demonstrated how JWT can be used to securely transmit user authentication and authorization information in HTTP requests to microservices.
Stateless Microservice Security via JWT and MicroProfile - Guatemala Otávio Santana
The learning curve for REST API security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, and almost seem designed to deliberately confuse. With an aggressive distaste for fancy terminology, the first half of this session delves into OAuth 2.0 with and without JWTs and shows how it falls into two camps: stateful and stateless. Starting at Basic Auth and walking forward, we'll compare each with heavy focus on the wire, showing actual HTTP messages and analyzing their impact on load and security against a baseline Microservice architecture.
In the second half of this presentation we'll deep dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java Microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app running on Oracle Cloud that issues JWTs with custom backend-data, performs server-side verification and injection of claims, and client-side login and refresh. All code in GitHub, you'll leave ready to bootstrap your next truly secure full-stack project.
Stateless Microservice Security via JWT and MicroProfile - Mexico Otávio Santana
The learning curve for REST API security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, and almost seem designed to deliberately confuse. With an aggressive distaste for fancy terminology, the first half of this session delves into OAuth 2.0 with and without JWTs and shows how it falls into two camps: stateful and stateless. Starting at Basic Auth and walking forward, we'll compare each with heavy focus on the wire, showing actual HTTP messages and analyzing their impact on load and security against a baseline Microservice architecture.
In the second half of this presentation we'll deep dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java Microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app running on Oracle Cloud that issues JWTs with custom backend-data, performs server-side verification and injection of claims, and client-side login and refresh. All code in GitHub, you'll leave ready to bootstrap your next truly secure full-stack project.
Using SSL/TLS the right way is often a big hurdle for developers. We prefer to have that one colleague perform "something with certificates", because he/she knows how that works. But what if "that one colleague" is enjoying vacation and something goes wrong with the certificates?
In this session we'll take a close look at secure communication at the transport level. Starting with what exactly SSL and TLS are, we'll dive into public/private keys, and signing. We'll also learn what all this has to do with an unfortunate Dutch notary. Of course, there'll be plenty of practical tips & tricks, as well as demos.
Attend this session to become "that one colleague"!
Geth is widely used to interact with Ethereum networks. Ethereum software enables a user to set up a “private” or “testnet” Ethereum chain. This chain will be totally different from the main chain.
Components that tell geth that we want to use/create a private Ethereum chain:
1. Custom Genesis file
2. Custom Data Directory
3. Custom Network Id
4. Disable Node Discovery
This document provides an overview of Python cryptography and security topics including cryptography concepts like hashing, symmetric and asymmetric encryption, digital signatures, and Python libraries for working with cryptography like PyCrypto and Cryptography. It also discusses Django security best practices like using HTTPS, securing cookies and passwords, and access control.
This document summarizes password security concepts and provides code examples for implementing password hashing and salting. It discusses how storing passwords in plaintext is insecure and how hashing passwords with a salt adds security against dictionary attacks. The code example shows a MiniPasswordManager class that initially stored passwords in plaintext but is modified to hash passwords and add salts for increased security.
This document discusses various approaches for securely handling passwords during the login process to prevent accidental logging or exposure. It examines hashing passwords on the client-side but finds issues with replay attacks. It also considers encrypting the password with the server's public key, but this still allows replays if the encrypted password is logged. The best approach sends an encrypted password plus a nonce to prevent replays and ensure the password is never exposed in plaintext during transit or logging.
See common anti-patterns for securing web applications and how to correct them. Learn how to differentiate between authentication, authorization, secrecy, integrity, non-repudiation, and other security goals.
Examples include how:
* a theoretical "secret" banking request is corrupted to pad an attacker's bank account,
* an insecure "session" authentication token is attacked, and
* a "random" XSRF value gives a false sense of security.
Correct principles and patterns are analyzed and compared with common incorrect ones.
Presented at OpenWest 2014
The document discusses symmetric encryption in Java. It shows how to generate a symmetric key, use it to encrypt a message with DESede encryption, and output the encrypted bytes as a base64 encoded string. Securely transmitting the symmetric key between parties is identified as a challenge for symmetric encryption.
An attacker was able to gain access to an internal network by phishing a secretary's smartphone. They then used lateral movement techniques like pass-the-hash to escalate privileges and access sensitive files. This included obtaining Domain Admin credentials for the "adm.arazzi" user. The attacker was ultimately able to exfiltrate data and establish persistence on the network.
How does cryptography work? by Jeroen Ooms Ajay Ohri
This document provides a conceptual introduction to cryptographic methods. It explains that cryptography works by using the XOR operator and one-time pads or stream ciphers to encrypt messages. With one-time pads, a message is XOR'd with random data and can only be decrypted by someone with the pad. Stream ciphers generate pseudo-random streams from a key and nonce to encrypt messages. Public-key encryption uses Diffie-Hellman key exchange to allow parties to establish a shared secret to encrypt messages.
Jose Selvi - Side-Channels Uncovered [rootedvlc2018] RootedCON
In recent years, the term "side-channel" has gone from being a concept known only in the hardware hacking field to a popular term within the industry, owing to the vulnerabilities that have been published. CRIME, BREACH and FIESTA are clear examples of vulnerabilities that exploit a side-channel in TLS. More recently, we have also seen vulnerabilities using this same concept in processors, such as Spectre and Meltdown.
In this talk, we will review the concept of "side-channel" and go over the different vulnerabilities that have been published in recent years, explaining what they consist of and what limitations they have.
This document discusses SSL/TLS and provides an overview of how it works. It explains public/private key encryption, signed certificates, and certificate authorities. It describes how a secure TLS connection is negotiated and shows examples of debugging TLS handshake failures and viewing server certificates. Common tools for interacting with TLS are also listed. Finally, it discusses the DigiNotar security breach to illustrate the importance of certificate authority trust and security.
JavaFest. Nanne Baars. Web application security for developers FestGroup
Security is an important topic for developers; however, security is often an afterthought in a project. This presentation will focus on practices which developers need to be aware of, and make security fun again. This is an in-depth talk about 10 topics, not an overview of security best practices.
2018 SDJUG Deconstructing and Evolving REST Security David Blevins
The document discusses various approaches for securing REST APIs, including basic authentication and its limitations, OAuth 2.0 protocols, and using hashing and signing techniques like HMAC and RSA. It provides examples of basic authentication, OAuth 2.0 password and refresh grants, and generating and verifying hashes and signatures of data. The presentation aims to explore standards for REST security beyond basic authentication and improving statelessness.
This document provides an overview of HashiCorp Vault for securely storing, accessing, and managing secrets. It discusses how Vault can be used to securely store secrets like API keys, passwords, and certificates. The document outlines Vault's architecture, data storage options, authentication methods, policies for access control, and integrating systems using Vault. It also provides an agenda for a demonstration of Spring Cloud Vault integration for retrieving database credentials from Vault and using them to connect to a MySQL database.
This document discusses JSON Web Tokens (JWT) for authentication. It begins by explaining the need for authorization in web applications and how token-based authentication addresses issues with server-based authentication. The structure of a JWT is described as a JSON object with a header, payload, and signature. Python libraries for working with JWT like PyJWT, Django REST Framework JWT, and Flask-JWT are presented. The document demonstrates generating and verifying JWT in Python code. Examples of using JWT for authentication in the Kalay IoT platform and Diuit messaging API are provided.
Passwords are often reused and breached, exposing users to risk. While hashing passwords provides some protection, attackers can still crack passwords using GPUs, ASICs, and password lists from previous breaches. Public-key cryptography avoids sending passwords over networks but early approaches were still vulnerable. New password-authenticated key exchange (PAKE) protocols use blinding techniques and oblivious transfers to allow password-derived keys while preventing offline cracking. Implementation requires integration with operating systems and browsers, but proof-of-concepts demonstrate the potential to significantly improve password security.
A review of the webshells used by bad guys. How they are protected but also mistakes in their implementation. This talk was presented at the OWASP Belgium Chapter Meeting in May 2017.
Secure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGE Priyanka Aash
Methods for securely outsourcing storage are discussed. Topic 1: Composable and Robust Outsourced Storage Authors: Christian Badertscher; Ueli Maurer Topic 2: Secure Deduplication of Encrypted Data: Refined Model and New Constructions Authors: Jian Liu; Li Duan; Yong Li; N. Asokan
(Source: RSA Conference USA 2018)
Side-Channels on the Web: Attacks and Defenses Tom Van Goethem
In this presentation we explore various side-channel attacks in the Web that can be used to leak information on cross-origin responses. These so-called XS-Leaks issues may allow an adversary to extract sensitive information from an unwitting visitor, ranging from personal information this victim shared with social media networks to CSRF tokens, which may lead to full account takeover.
Finally, we discuss the various defenses that can be used to harden web applications against the different types of attacks.
This document provides an overview of cryptography concepts for PHP developers. It discusses keeping data secure from viewing, tampering and forgery through encryption but notes cryptography is not a silver bullet and vulnerabilities still exist. The document covers random number generation, symmetric and asymmetric encryption, hashing, common ciphers and modes, and securely storing passwords through hashing rather than encryption. It strongly recommends using existing libraries rather than implementing cryptography directly due to the complexity and risk of bugs.
This document discusses data encryption in Hadoop. It describes two common cases for encrypting data: using a Crypto API to encrypt/decrypt with an AES key stored in a keystore, and encrypting MapReduce outputs using a CryptoContext. It also covers the Hadoop Encryption Framework APIs, HBase encryption via HBASE-7544, and related JIRAs around Hive and Pig encryption. Key management tools like keytool and potential future improvements like Knox gateway integration are also mentioned.
The document discusses best practices for securely implementing cryptography and discusses common cryptography algorithms and implementations such as hashing, symmetric encryption, asymmetric encryption, and password hashing. It emphasizes using proven implementations like those in Django and OpenSSL and enabling HTTPS to securely transmit data. The document also cautions that securely managing cryptographic keys is critical for encryption to provide security.
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019) Svetlin Nakov
Cryptography for Java Developers
Hashes, MAC, Key Derivation, Encrypting Passwords, Symmetric Ciphers & AES, Digital Signatures & ECDSA
About the Speaker
What is Cryptography?
Cryptography in Java – APIs and Libraries
Hashes, MAC Codes and Key Derivation (KDF)
Encrypting Passwords: from Plaintext to Argon2
Symmetric Encryption: AES (KDF + Block Modes + IV + MAC)
Digital Signatures, Elliptic Curves, ECDSA, EdDSA
Live demos and code examples: https://github.com/nakov/Java-Cryptography-Examples
Video (in Bulgarian language): https://youtu.be/ZG3BLXWVwJM
Blog: https://nakov.com/blog/2019/01/26/cryptography-for-java-developers-nakov-at-jprofessionals-jan-2019/
On 7 June 2012 LinkedIn was hacked. More than 6 million LinkedIn passwords were compromised. The real shocking news was not the theft but the fact that the attackers were able to decrypt many of these passwords. Why did it happen? The answer is simple: a bad design of the password security. In this talk I presented how to choose "secure" user passwords and how to safely store them from a programmer's perspective.
This talk has been presented during the MOCA 2012, http://moca.olografix.org/moca2012
This document provides an overview of Secure Sockets Layer (SSL) and Transport Layer Security (TLS). It discusses the evolution of SSL/TLS, the SSL/TLS handshake process, common attacks like man-in-the-middle attacks using tools like SSLStrip, recent attacks on SSL/TLS like BEAST and CRIME, and security guidelines for configuring SSL/TLS on servers.
Chapter 4 discusses symmetric encryption in Java, including algorithms like Blowfish, modes like CBC and CFB, initialization vectors, key generators, ciphers, and password-based encryption. It also covers storing encrypted keys, encrypting files and objects, and examples like FileEncryptor that demonstrate symmetric encryption concepts in Java.
The document discusses introducing cryptography concepts from a developer perspective using JavaScript. It covers authentication and encryption methods like AES, RSA, and hashing algorithms. It also discusses browser storage, the Web Cryptography API, cryptography libraries for JavaScript like CryptoJS, encrypting data on servers with Node.js, and tools for analyzing encryption. Practical examples are provided on implementing cryptography in apps.
Secure integration of cryptographic software. By modeling the variability in cryptography components, we help application developers configure the cryptography tasks they need. Presented at ONWARD! '15 in Pittsburgh.
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020 - Matt Raible
Spring Boot is an efficient way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure.
This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more!
You’ll learn how to add these features to a real application, using the Java language you know and love.
* Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot
* Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/
* OIDC demo: http://bit.ly/spring-oidc-demo
Securing TodoMVC Using the Web Cryptography API - Kevin Hakanson
The open source TodoMVC project implements a Todo application using popular JavaScript MV* frameworks. Some of the implementations add support for compile to JavaScript languages, module loaders and real time backends. This presentation will demonstrate a TodoMVC implementation which adds support for the forthcoming W3C Web Cryptography API, as well as review some key cryptographic concepts and definitions.
Instead of storing the Todo list as plaintext in localStorage, this "secure" TodoMVC implementation encrypts Todos using a password derived key. The PBKDF2 algorithm is used for the deriveKey operation, with getRandomValues generating a cryptographically random salt. The importKey method sets up usage of AES-CBC for both encrypt and decrypt operations. The final solution helps address item "A6-Sensitive Data Exposure" from the OWASP Top 10.
With the Web Cryptography API being a recommendation in 2014, any Q&A time will likely include browser implementations and limitations, and whether JavaScript cryptography adds any value.
Cryptography 101 for Java Developers, Fall 2019 - Michel Schudel
So you’re logging in to your favorite crypto currency exchange over https using a username and password, executing some transactions, and you’re not at all surprised that, security wise, everything’s hunky dory…
The amount of cryptography to make all this happen is staggering. In order to appreciate and understand what goes on under the hood, as a developer, it’s really important to dive into the key concepts of cryptography.
In this session, we discover what cryptography actually is, and will use the JCA (Java Cryptography API) and JCE (Java Cryptography Extensions) in the JDK to explain and demo key concepts such as:
– Message digests (hashing)
– Encryption, both symmetric and asymmetric
– Digital signatures, both symmetric and asymmetric
Furthermore, we’ll show how these concepts find their way into a variety of practical applications such as:
– https and certificates
– salted password checking
– block chain technology
After this session, you’ll have a better understanding of basic cryptography, its applications, and how to use the cryptography APIs in Java.
Let's face it, the web can be a dangerous place. So how do you protect your users and yourself? Tony Amoyal answers that and more as he shows how Rails can help protect against miscreants.
"Crypto wallets security. For developers", Julia Potapenko - Fwdays
From a security perspective, cryptocurrency wallets are just applications. Similar to banking apps, wallets operate users’ funds and allow making transactions. But are they as secure as banking apps? Let’s talk about the risks and threats of crypto wallets, then move to design concerns and implementation issues. What types of data should be protected? What are the most common vulnerabilities? And why encrypting data is not as trivial as it may seem?
This document provides an introduction to Kibana4 and how to use its features. It discusses the major components of Kibana4 including Discover, Visualize, and Dashboard. It also covers visualization types like metrics, buckets, and aggregations. The document provides examples of using aggregations versus facets and describes settings, scripted fields, and plugins. It concludes by discussing potential future directions for Kibana.
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019 - Matt Raible
Spring Boot is an excellent way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure.
This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more!
You’ll learn how to add these features to a real application, using the Java language you know and love.
* YouTube video: https://www.youtube.com/watch?v=PpqNMhe4Bd0
* Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot
* Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/
Using SSL/TLS the right way is often a big hurdle for developers. We prefer to have that one colleague perform "something with certificates", because he/she knows how that works. But what if "that one colleague" is enjoying vacation and something goes wrong with the certificates?
In this session we'll take a close look at secure communication at the transport level. Starting with what exactly SSL and TLS are, we'll dive into public/private keys, and signing. We'll also learn what all this has to do with an unfortunate Dutch notary. Of course, there'll be plenty of practical tips & tricks, as well as demos.
Attend this session to become "that one colleague"!
This document summarizes Microsoft's Cryptographic API (Crypto API) and techniques for managing session keys. It discusses key concepts like key containers, session keys, and cryptographic service providers (CSPs). It also provides an example of exchanging encrypted session keys between parties and matching session keys to container keys using an exponent-of-one transformation.
Random musings on SSL/TLS configuration - extremeunix
The document discusses securing applications with SSL/TLS. It recommends disabling SSL v2.0, using ECDHE cipher suites where possible as they provide both fast performance and forward secrecy. Additionally, it advises not trusting default SSL/TLS configurations that come with software packages.
This document discusses SSL/TLS and certificate authorities. It provides background on how public/private key encryption and digital signatures work. It describes the SSL/TLS handshake process and issues that can occur with validating certificates if they are not properly signed by a trusted certificate authority. It discusses the DigiNotar security breach in 2011 where unauthorized certificates were issued, compromising trust in that certificate authority. It provides tips on debugging SSL/TLS issues in Java applications and with openssl/curl.
3. Finalized! January 2017
WebCrypto API
JavaScript API for performing basic cryptographic operations in web applications, such as hashing, signature generation and verification, and encryption and decryption. - W3C
@erniewturner
7. Subtle Crypto
window.crypto.subtle.*
It is named SubtleCrypto to reflect the fact that many of these algorithms
have subtle usage requirements in order to provide the required
algorithmic security guarantees. -W3C
8. Subtle Crypto
Developers making use of the SubtleCrypto interface are expected to be aware of
the security concerns associated with both the design and implementation of the
various algorithms provided. The raw algorithms are provided in order to allow
developers maximum flexibility in implementing a variety of protocols and
applications, each of which may represent the composition and security parameters
in a unique manner that necessitate the use of the raw algorithms.
-MDN
9. Subtle Crypto
Methods are generic and take crypto algorithms as strings or objects
Nearly all operations return Promises
Only available over HTTPS
33.
function encryptData(secretData: string, password: string) {
  // Data to encrypt, in byte array form
  const dataAsBytes = UTF8.encode(secretData);
  // User passcode, in byte array form
  const passwordAsBytes = UTF8.encode(password);
}
34. User Password Import Key
[Diagram: User Passcode (byte array form) -> importKey -> User Passcode Crypto Key]
74. Important Notes
Key derivation will not fail if user enters wrong password
PBKDF2 Iterations must be the same on encrypt as on decrypt
There is no “forgot password” support
There is no way to feature detect which algorithms are supported
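The first two notes above, worked through as an added example that is not code from the slides: deriveKey accepts any password, and a wrong password or a different iteration count only shows up when AES-GCM decryption fails its tag check. The record layout, the function bodies, SHA-256 as the PBKDF2 hash, the 16-byte salt, the 12-byte IV and the default iteration count are assumptions made for this sketch.

```javascript
// Added example: password-based AES-GCM with the WebCrypto API.
// All names and parameter choices below are assumptions, not the talk's code.
const enc = new TextEncoder();
const dec = new TextDecoder();

// Browsers and recent Node expose WebCrypto globally; older Node needs node:crypto.
async function getCrypto() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto;
  return (await import('node:crypto')).webcrypto;
}

// Password bytes -> PBKDF2 base key (importKey) -> AES-GCM key (deriveKey).
// This succeeds for ANY password; nothing is verified at this stage.
async function deriveAesKey(c, password, salt, iterations) {
  const baseKey = await c.subtle.importKey(
    'raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return c.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations },
    baseKey, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Returns everything decrypt needs except the password. Salt, IV and the
// iteration count are not secret, so they travel with the ciphertext.
async function encryptData(secretData, password, iterations = 600000) {
  const c = await getCrypto();
  const salt = c.getRandomValues(new Uint8Array(16));
  const iv = c.getRandomValues(new Uint8Array(12)); // fresh for every encryption
  const key = await deriveAesKey(c, password, salt, iterations);
  const ciphertext = new Uint8Array(await c.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, enc.encode(secretData)));
  return { iterations, salt, iv, ciphertext };
}

// Resolves to the plaintext, or to null when decryption is rejected
// (wrong password, wrong iteration count, or modified ciphertext).
async function decryptData(record, password) {
  const c = await getCrypto();
  // Derivation happens outside the try block: it does not fail on a bad password.
  const key = await deriveAesKey(c, password, record.salt, record.iterations);
  try {
    const plain = await c.subtle.decrypt(
      { name: 'AES-GCM', iv: record.iv }, key, record.ciphertext);
    return dec.decode(plain);
  } catch (err) {
    return null; // GCM authentication tag did not verify under this key
  }
}
```

Because the iteration count is stored in the record, it can be raised for new encryptions without breaking older records.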