The document discusses various methods of cracking salted password hashes, including determining the hashing algorithm used based on hash length, brute forcing hashes when the salt is known, and exploiting situations where the salt is constant rather than random to facilitate cracking multiple hashes. It provides examples of insecure password hashing implementations and advises using unique random salts with each hashed password for proper security.
Password Storage And Attacking In PHP - PHP Argentina | Anthony Ferrara
Password storage is a common problem that every developer needs to solve at some point in their career. Often, we rely upon frameworks and libraries to do it for us. But do they get it right?
How should passwords be stored? How are they going to be attacked? All these questions (and more) will be answered. This session will dive head first into password storage and all aspects surrounding it. We’ll cover some common misconceptions and dangerous mistakes. We’ll also explore some of the best available tools to solve the problem, and go into why they are the best. Finally, we’ll look at some of the tools that attackers will use to attempt to extract plain text passwords.
We’ll explore each point from both angles: the pragmatic developer and the attacker. For the safety and security of your users, make sure that you know how to securely store their passwords. It’s not just the right thing to do, but it is negligent not to!
The CAP theorem is widely known for distributed systems, but it's not the only tradeoff you should be aware of. For datastores, there is also the FAB theory and just like with the CAP theorem you can only pick two:
Fast: Results are real-time or near real-time instead of batch-oriented.
Accurate: Answers are exact and don't have a margin of error.
Big: You require horizontal scaling and need to distribute your data.
While Fast and Big are relatively easy to understand, Accurate is a bit harder to picture. This talk shows some concrete examples of accuracy tradeoffs Elasticsearch can take for terms aggregations, cardinality aggregations with HyperLogLog++, and the IDF part of the full-text search. Or how to trade some speed or the distribution for more accuracy.
Hashing Considerations In Web Applications | Islam Heggo
Practical best practices for securing and hashing users' passwords, and for protecting authentication by avoiding the most common mistakes. Examples are given in PHP, illustrating password_hash(), openssl_random_pseudo_bytes(), crypt(), mcrypt_create_iv(), md5(), sha1().
The document discusses JSON Web Tokens (JWTs), which can be used for authentication and authorization in applications. JWTs consist of JSON objects that are used to share security information between parties as a JSON Web Token. They can contain claims about an entity (e.g. user) and are signed to protect the claims from being altered. The document provides examples of using JWTs to authorize API requests by encoding, transmitting, and verifying JWTs on the client and server side.
Philipp Krenn | Make Your Data FABulous | Codemotion Madrid 2018 | Codemotion
The CAP theorem is widely known for distributed systems, but it's not the only tradeoff you should be aware of. For datastores there is also the FAB theory and just like with the CAP theorem you can only pick two: fast, accurate, big. While Fast and Big are relatively easy to understand, Accurate is a bit harder to picture. This talk shows some concrete examples of accuracy tradeoffs Elasticsearch can take for terms aggregations, cardinality aggregations with HyperLogLog++, and the IDF part of full-text search. Or how to trade some speed or the distribution for more accuracy.
From banking details to glimpses of passwords, there are lots of valuable data elements on your screen. Unfortunately, as far as Apple’s Mac is concerned this information is up for grabs to whoever gets there first. This is due to the lack of protections surrounding the pixel grabbing APIs of the operating system. With ease of access to computer vision libraries and services, attackers can track screens at scale to pick out only the useful information.
Apple ships a screen capture utility to make it easy for the user to take screenshots. In this presentation, we will lift the bonnet of this utility to learn about the APIs surrounding screen grabbing. Armed with the knowledge, we will explore discovered malware that takes screenshots. Then, we will build better, stealthier malware as an educational exercise. And finally, we will explore some options for improving security of the operating system so that the user can continue enjoying the convenience of taking screenshots but malware would have to work harder.
JWT (JSON Web Token) is a compact, URL-safe means of representing claims to be transferred between two parties. JWTs can be signed to provide proof of authenticity and integrity, and encrypted to provide confidentiality. A JWT typically contains header, payload, and signature. The payload holds claims about an entity and is digitally signed to protect integrity. JWTs can be passed in HTML and HTTP environments and used from lightweight clients.
This document provides an introduction and overview of the Python programming language. It discusses Python's major data types like lists, strings, tuples and dictionaries. It also covers Python versions, development environments, the interactive shell, and string and list methods. Common operations on lists like indexing, slicing and mutable methods are demonstrated. The document serves as a starting point for learning Python.
We use tokens to identify resources and try to ensure data security in insecure environments, however the management of these tokens can get quite complex. When we have distributed environments things are harder to deal with. Come to the magical world of JSON Web Tokens and make your life simpler!
Security is a very important aspect of web applications. In order to protect sensitive data we should use cryptography. But does cryptography mean security? Absolutely not, especially if developers do not use it properly. In this talk I would like to present some best practices in PHP to implement secure cryptography using the extensions mcrypt, Hash and OpenSSL.
The document discusses how to not be afraid of differences in terraform plan outputs. It begins with an introduction and concludes that differences in terraform plan outputs should not be scary if you read the outputs carefully. It then provides a detailed example of a difference in security group rules to demonstrate how to interpret what will be added and removed. The example makes it clear that differences only reflect what will change and that the intended behavior can be understood from the plan output. The document advocates reading plan outputs rather than fearing them.
HTTP cookie hijacking in the wild: security and privacy implications | Priyanka Aash
The widespread demand for online privacy, also fueled by widely-publicized demonstrations of session hijacking attacks against popular websites (see Firesheep), has spearheaded the increasing deployment of HTTPS. However, many websites still avoid ubiquitous encryption due to performance or compatibility issues. The prevailing approach in these cases is to force critical functionality and sensitive data access over encrypted connections, while allowing more innocuous functionality to be accessed over HTTP. In practice, this approach is prone to flaws that can expose sensitive information or functionality to third parties. In this work, we conduct an in-depth assessment of a diverse set of major websites and explore what functionality and information is exposed to attackers that have hijacked a user's HTTP cookies. We identify a recurring pattern across websites with partially deployed HTTPS; service personalization inadvertently results in the exposure of private information. The separation of functionality across multiple cookies with different scopes and inter-dependencies further complicates matters, as imprecise access control renders restricted account functionality accessible to non-session cookies. Our cookie hijacking study reveals a number of severe flaws; attackers can obtain the user's home and work address and visited websites from Google, Bing and Baidu expose the user's complete search history, and Yahoo allows attackers to extract the contact list and send emails from the user's account. Furthermore, e-commerce vendors such as Amazon and Ebay expose the user's purchase history (partial and full respectively), and almost every website exposes the user's name and email address. Ad networks like Doubleclick can also reveal pages the user has visited. To fully evaluate the practicality and extent of cookie hijacking, we explore multiple aspects of the online ecosystem, including mobile apps, browser security mechanisms, extensions and search bars. 
To estimate the extent of the threat, we run IRB-approved measurements on a subset of our university's public wireless network for 30 days, and detect over 282K accounts exposing the cookies required for our hijacking attacks. We also explore how users can protect themselves and find that, while mechanisms such as the EFF's HTTPS Everywhere extension can reduce the attack surface, HTTP cookies are still regularly exposed. The privacy implications of these attacks become even more alarming when considering how they can be used to deanonymize Tor users. Our measurements suggest that a significant portion of Tor users may currently be vulnerable to cookie hijacking.
(Source: Black Hat USA 2016, Las Vegas)
This document contains the code for a blood bank management system implemented as a doubly linked list in C++. It defines a node struct to store donor data and a blood class to implement linked list functions like insertion, deletion, searching by blood group or age, and displaying the list. The main function contains a menu loop to call the different blood class functions like insert, display, count donors, delete by position, etc. It also includes a logo class to display an intro screen and handle login functionality.
This document discusses tuning MongoDB performance. It covers tuning queries using the database profiler and explain commands to analyze slow queries. It also covers tuning system configurations like Linux settings, disk I/O, and memory to optimize MongoDB performance. Topics include setting ulimits, IO scheduler, filesystem options, and more. References to MongoDB and Linux tuning documentation are also provided.
The document discusses best practices for securely implementing cryptography and discusses common cryptography algorithms and implementations such as hashing, symmetric encryption, asymmetric encryption, and password hashing. It emphasizes using proven implementations like those in Django and OpenSSL and enabling HTTPS to securely transmit data. The document also cautions that securely managing cryptographic keys is critical for encryption to provide security.
MongoDB Europe 2016 - Enabling the Internet of Things at Proximus - Belgium's... | MongoDB
Proximus is one of the biggest Telecom companies in the Belgian market. This year the company began developing a new IoT network using LoRaWan technology. The talk will detail our development team’s search for a database suited to meet the needs of our IoT project, the selection and implementation of MongoDB as a database, as well as how we built a system for storing a variety of sensor data with high throughput by leveraging sleepy.mongoose. The talk will also discuss how different decisions around data storage impact applications in regards to both performance and total cost.
Riak at The NYC Cloud Computing Meetup Group | siculars
Riak is a distributed key-value store inspired by Dynamo. It is homogeneous, with a single key space and is distributed and replicated across nodes. Riak aims to provide predictable scalability and high availability while allowing for some flexibility in consistency versus availability tradeoffs. It uses a ring topology and vector clocks to manage data distribution and conflict resolution. Riak supports schemaless data storage and provides features like links for basic graph capabilities and map/reduce functions for querying data.
Building Your First Data Science Application in MongoDB | MongoDB
Speaker: Robyn Allen, Software Engineer, Central Inventions
Level: 100 (Beginner)
Track: Tutorials
To provide a hands-on opportunity to work with real data, this session will center around a web-hosted quiz application which helps students practice math and memorize vocabulary. After experimenting with a small demonstration dataset (generated by each individual during the workshop), attendees will be guided through working with an anonymized dataset in MongoDB. No prior MongoDB experience is required but attendees are expected to download and install MongoDB Community Edition (available for free from mongodb.com) and have a working Python 3 environment of their choice (e.g., IDLE, free from python.org) installed on a laptop they bring to the workshop.
Prerequisites:
Attendees are expected to bring a laptop with the following software installed:
MongoDB 3.4.x Community Edition
The text editor or IDE of their choice
A working Python 3 environment of their choice
No prior MongoDB experience is required.
What You Will Learn:
- How to load a CSV file into MongoDB using mongoimport and then write queries (using the Mongo shell) to ensure the data appears as expected. Attendees will use a demo version of an online quiz app to generate a small data file of raw session data (which can be accessed via http://strawnoodle.com/api/testdata after logging in to the demo app and answering one or more quiz questions about MongoDB). After studying how the demo app stores session data, attendees will practice using mongoimport to import anonymized session data (provided during the workshop) into MongoDB.
- How to use the aggregation pipeline (in PyMongo) to implement more complicated queries and gain insights from data. Because the sample dataset contains data from a variety of users of different skill levels, queries can be designed which reveal summary statistics for the anonymous user cohort or specific performance of individual users. Participants will receive instruction in using MongoDB aggregation pipelines in order to write powerful, efficient queries with very few lines of code.
- How to write queries to analyze sample data from an online quiz app. Once the sample data has been loaded into MongoDB, participants will be guided in writing basic queries to examine the sample data. Participants will have an opportunity to write queries in the Mongo shell and in Python in order to familiarize themselves with syntax variations and key ideas. Participants will learn how to implement CRUD operations in PyMongo.
Lenses - Combinatorial Data Manipulation, Alexander Granin, Dev2Dev v2.0 30.05... | Dev2Dev
This document discusses functional programming and the use of lenses in Haskell. It begins with an overview of functional programming concepts like higher-order functions, lambdas, immutability and recursion. It then demonstrates how to define algebraic data types and use lenses to update nested data in a functional way. Lenses provide getters and setters to access and modify nested fields without mutating the original data. The document provides examples of using lenses to update passwords in nested user data types. It also describes how to compose lenses and use them in state monads to model real-world scenarios like updating a conference application. Finally, it briefly discusses lenses in other languages like Scala, JavaScript and C++.
Don’t Get Lost in Translation for Serializing Data Structures | Christopher Brown
The current solutions for mapping data to Java objects come in many shapes and sizes, with JSON leading as the most familiar and “coolest” solution. Yes, JSON is very readable, convenient, and offers great support libraries like GSON and Jackson, but these options don’t always get the job done. Accessing and parsing serialized data is a common source of runtime inefficiency within applications, and this delay can crush your app’s overall user experience. How can you bypass this inefficiency? Google’s FlatBuffer library is the answer. FlatBuffers are similar to Google’s Protocol Buffers, but with one key differentiator: the ability to access serialized data without parsing or unpacking it first. Imagine a serialization process with no temporary objects, no additional allocation, and no copying. Join us for a deep dive into Google’s FlatBuffers library to learn more about the advantages of using FlatBuffers and what makes it different from other commonly used libraries.
Top 10 F5 iRules to migrate to a modern load balancing platform | Avi Networks
With the advent of automation, iRules have become an artifact of the past. Especially when the most commonly deployed F5 iRules such as HTTP redirects, content switching, or logging, require custom scripting. It can be a huge pain for an IT team to train staff on convoluted syntax and manual conversions. Avi eliminates most iRules (#iRulesNoMore) – basic or advanced – with native point-and-click functionalities.
Watch this webinar to learn:
- How over 75% of F5 iRules can be accommodated by native point-and-click features
- Top 10 iRules that can be migrated to native policies on the Avi Vantage Platform
- How advanced and custom use cases are easily configured with Avi’s DataScript
Full webinar: https://info.avinetworks.com/webinars-avi-tech-corner-episode-2
MongoDB - Back to Basics - Your First Application | Massimo Brignoli
Here we are at the second episode of the Back to Basics series, 2017 edition. We will see how to develop an application with MongoDB by studying how to interact with the database. We will see how to run queries, create an index and examine its execution plan.
Beyond Good & Evil: The nuts and bolts of DRM - Dave Cramer - ebookcraft 2017 | BookNet Canada
This document provides an overview of the basic tools and techniques used for digital rights management (DRM), including symmetric and asymmetric encryption, hashing, digital signatures, and certificates. It explains how ciphers, hashes, public/private key pairs, and certificates work and are used together to provide authentication, integrity, and non-repudiation for securing digital content and communications. Specific examples are given to illustrate symmetric encryption, digital signatures, and the certificate signing request process.
This presentation is showing how to use the Aggregation Framework, the powerful aggregation language of MongoDB. Using some real data coming from the USA Census, we will discover the most important operations.
The document provides an introduction to encryption basics including symmetric and asymmetric encryption. It explains how symmetric encryption works with Alice and Bob sharing a password to encrypt and decrypt messages. It also explains how asymmetric encryption works with Alice using Bob's public key to encrypt a message that only Bob can decrypt with his private key. The document recommends tools for encrypting email, disks, and browsing privately including Thunderbird, TrueCrypt, and Tor. It discusses some challenges with encryption including managing keys and speeds with Tor. The overall purpose is to educate about the importance of encryption for privacy.
End-to-end encryption provides stronger security than HTTPS alone. It encrypts messages on the sender's device before transmission so that only the recipient can decrypt it with their private key, rather than data being encrypted in transit only. BunkerMail uses this method, generating unique AES keys for each message and attachment, encrypting the keys with the recipient's RSA public key so only they can decrypt it, ensuring the information is accessible by the end users and not others like servers.
- How to write queries to analyze sample data from an online quiz app. Once the sample data has been loaded into MongoDB, participants will be guided in writing basic queries to examine the sample data. Participants will have an opportunity to write queries in the Mongo shell and in Python in order to familiarize themselves with syntax variations and key ideas. Participants will learn how to implement CRUD operations in PyMongo.
Линзы - комбинаторная манипуляция данными Александр Гранин Dev2Dev v2.0 30.05...Dev2Dev
This document discusses functional programming and the use of lenses in Haskell. It begins with an overview of functional programming concepts like higher-order functions, lambdas, immutability and recursion. It then demonstrates how to define algebraic data types and use lenses to update nested data in a functional way. Lenses provide getters and setters to access and modify nested fields without mutating the original data. The document provides examples of using lenses to update passwords in nested user data types. It also describes how to compose lenses and use them in state monads to model real-world scenarios like updating a conference application. Finally, it briefly discusses lenses in other languages like Scala, JavaScript and C++.
Don’t Get Lost in Translation for Serializing Data StructuresChristopher Brown
The current solutions for mapping data to java objects come in many shapes and sizes, with JSON leading as the most familiar and “coolest” solution. Yes, JSON is very readable, convenient, and offers great support libraries like GSON and Jackson, but these options don’t always get the job done. Accessing and parsing serialized data is a common source of runtime inefficiency within applications, and this delay can crush your app’s overall user experience. How can you bypass this inefficiency? Google’s FlatBuffer library is the answer. FlatBuffers are similar to Google’s Protocol Buffers, but with one key differentiator: the ability to access serialized data without parsing or unpacking it first. Imagine a serialization process with no temporary objects, no additional allocation, and no copying. Join us for a deep dive into Google’s FlatBuffers library to learn more about the advantages of using FlatBuffers and what makes it different from other commonly used libraries.
Top 10 F5 iRules to migrate to a modern load balancing platformAvi Networks
With the advent of automation, iRules have become an artifact of the past. Especially when the most commonly deployed F5 iRules such as HTTP redirects, content switching, or logging, require custom scripting. It can be a huge pain for an IT team to train staff on convoluted syntax and manual conversions. Avi eliminates most iRules (#iRulesNoMore) – basic or advanced – with native point-and-click functionalities.
Watch this webinar to learn:
- How over 75% of F5 iRules can be accommodated by native point-and-click features
- Top 10 iRules that can be migrated to native policies on the Avi Vantage Platform
- How advanced and custom use cases are easily configured with Avi’s DataScript
Full webinar: https://info.avinetworks.com/webinars-avi-tech-corner-episode-2
MongoDB - Back to Basics - La tua prima ApplicazioneMassimo Brignoli
Eccoci alla seconda puntata della serie Back to Basics edizione 2017. Vedremo come sviluppare un'applicazione con MongoDB studiando come interagire con la base dati. Vedremo come fare le query, creare un indice e studiarne il piano di esecuzione
Beyond Good & Evil: The nuts and bolts of DRM - Dave Cramer - ebookcraft 2017BookNet Canada
This document provides an overview of the basic tools and techniques used for digital rights management (DRM), including symmetric and asymmetric encryption, hashing, digital signatures, and certificates. It explains how ciphers, hashes, public/private key pairs, and certificates work and are used together to provide authentication, integrity, and non-repudiation for securing digital content and communications. Specific examples are given to illustrate symmetric encryption, digital signatures, and the certificate signing request process.
This presentation is showing how to use the Aggregation Framework, the powerful aggregation language of MongoDB. Using some real data coming from the USA Census, we will discover the most important operations.
The document provides an introduction to encryption basics including symmetric and asymmetric encryption. It explains how symmetric encryption works with Alice and Bob sharing a password to encrypt and decrypt messages. It also explains how asymmetric encryption works with Alice using Bob's public key to encrypt a message that only Bob can decrypt with his private key. The document recommends tools for encrypting email, disks, and browsing privately including Thunderbird, TrueCrypt, and Tor. It discusses some challenges with encryption including managing keys and speeds with Tor. The overall purpose is to educate about the importance of encryption for privacy.
End-to-end encryption provides stronger security than HTTPS alone. It encrypts messages on the sender's device before transmission so that only the recipient can decrypt it with their private key, rather than data being encrypted in transit only. BunkerMail uses this method, generating unique AES keys for each message and attachment, encrypting the keys with the recipient's RSA public key so only they can decrypt it, ensuring the information is accessible by the end users and not others like servers.
1) End-to-end encryption protects communications by encrypting messages in a way that only the sender and recipient can access, not intermediate servers or other third parties.
2) Currently, most email services like Gmail can be accessed by system administrators and is sent in clear text, similar to sending a postcard through the mail system.
3) With end-to-end encryption, messages are encrypted like placing the message in a locked safe that only the intended recipient can open, providing privacy and security from threats of surveillance, hacking and other attacks.
Security in PHP Applications: An absolute must!Mark Niebergall
Security in PHP Applications: An absolute must!
Is you application secure? What does securely written code look like? In this presentation we will talk about what it takes to make a PHP application be written securely. We will focus on secure coding practices and discuss vulnerabilities that must be addressed, including SQL injection, XSS, user authentication and authorization, data validation, and data integrity. There will be example code and working examples to show you what works and what doesn't. We will also discuss how to bake security into system development life cycle and how to convince management that security issues must be addressed. You will come out of this presentation ready to become the Security Hero you've always wanted to be!
Simulated Analysis and Enhancement of Blowfish Algorithmiosrjce
This paper represents or analyzes the security of system based on Blowfish. Blowfish mainly focuses
on the encrypt and decrypt techniques and algorithms apply for cryptanalysis. It describe the algorithms for
encryption as well as decryption algorithms and also give the sufficient description of key generation, key
expansion, function and working principle of Blowfish cipher with proper explanations. Taking the current era,
Most of the famous systems which offer security for a network or web or to a data are vulnerability to attacks and
they are broken at some point of time by effective cryptanalysis methods, irrespective of its complex algorithmic
design. In the general, today’s cryptography world is bounded to an interpretive of following any one or multi
encryption scheme and that too for a single iteration on a single file only. This is evident in the maximum of the
encryption-decryption cases. It also describes the comparisons between older blowfish and enhances blowfish. It
also shows enhance Blowfish algorithm for encryption and decryption of data. It is also give the proper simulated
analysis of encryption and decryption time for different file formats using a windows application. It describe
feature of application and its process and efficiency as well as calculation of time and throughput.
WhatsApp encrypts messages using the RC4 protocol and obtains a hash from either a user's IMEI number on Android or MAC address on iPhone. However, WhatsApp initially sends some identifying information such as a user's phone number in plain text, which could allow others to intercept this data on unsecured networks. It is recommended to use a VPN when sending WhatsApp messages on public Wi-Fi networks to help prevent this type of interception.
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology
Gregor kopf , bernhard brehm. deniability in messaging protocolsYury Chemerkin
The document discusses the properties of deniability and secure function evaluation in the Off-the-Record (OTR) messaging protocol and similar cryptographic protocols, examining how OTR provides confidentiality, integrity, authentication, forward secrecy, and strong deniability through frequent rekeying and publishing of old MAC keys between parties.
Review on Whatsapp's End to End encryption and Facebook integrationGovindarrajan NV
The presentation deals with the latest updates of whatsapp with the end to end encryption and Facebook integration explained in a very detailed manner from the basics with advantages and disadvantages.
The document discusses WhatsApp's implementation of end-to-end encryption to secure messages between users. It describes how WhatsApp previously sent messages in plaintext but now uses the Signal Protocol and public/private keys to encrypt messages between clients. Keys include identity keys, pre keys, and one-time pre keys. Messages are encrypted with randomly generated message keys. Users can verify keys by comparing numeric fingerprints to ensure message integrity. The end result is that third parties like WhatsApp cannot access the contents of messages or calls between users.
The document discusses symmetric key cryptography. It begins with an introduction to cryptography and encryption techniques like substitution ciphers. It then covers symmetric encryption in more detail, explaining block ciphers like DES and AES, as well as modes of operation like ECB, CBC, and OFB. It provides an example Java implementation of AES encryption and decryption. It also briefly covers stream ciphers like RC4 and the concept of steganography.
This document discusses different types of symmetric key cryptography. It describes stream ciphers and block ciphers as the two main classifications. Stream ciphers combine plaintext with a pseudorandom cipher stream using XOR, while block ciphers encrypt fixed-length blocks. Example stream ciphers include RC4 and A5/1, while example block ciphers are DES, 3DES, and AES. The document provides details on the algorithms, components, and workings of these various symmetric key cryptography methods.
Public key cryptography uses asymmetric encryption with two related keys - a public key and a private key. The public key can be shared openly but the private key is kept secret. When Alice wants to send a confidential message to Bob, she encrypts it with Bob's public key. Only Bob can decrypt it using his private key. Public key infrastructure involves policies and technologies for issuing, managing, and revoking digital certificates that bind public keys to identities. Popular public key algorithms like RSA are based on the difficulty of factoring large prime numbers.
The document discusses the benefits of exercise for mental health. Regular physical activity can help reduce anxiety and depression and improve mood and cognitive function. Exercise causes chemical changes in the brain that may help protect against mental illness and improve symptoms.
Public key cryptography uses key pairs - a public key and a private key - to encrypt and decrypt messages. The public key can be shared widely, while the private key is kept secret. This allows users to securely share encrypted messages without having to first share secret keys. Common applications of public key cryptography include public key encryption and digital signatures.
Symmetric encryption uses a shared secret key between the sender and receiver to encrypt and decrypt messages. It is faster than asymmetric encryption but requires secure key exchange. Asymmetric encryption uses separate public and private keys, where the public key is used to encrypt and the private key decrypts, allowing secure communication without pre-shared keys. Common symmetric algorithms are AES and DES, while asymmetric algorithms include RSA, Diffie-Hellman, and ECDSA.
The 7th June 2012 Linkedin was hacked. More than 6 million LinkedIn passwords was compromised. The real shocking news was not the theft but the fact that the attackers were able to decrypt many of these passwords. Why it happened? The answer is simple: a bad design of the password security. In this talk I presented how to choose "secure" user's passwords and how to safely store it from a programmer's perspective.
This talk has been presented during the MOCA 2012, http://moca.olografix.org/moca2012
php complete reference with database concepts for beginners is generally useful for those who want to start the career as a php developer. given each and every information right from the scratch to understand for the beginners and students as well. I hope this will help you a lot for the beginners to start the career.
The document discusses testing PHP applications using SimpleTest, Selenium IDE, and CakePHP. It provides an overview of these testing tools and frameworks and recommends them for testing PHP applications.
The document summarizes HHVM, a virtual machine for executing PHP code. Some key points:
- HHVM is a drop-in replacement for PHP that compiles PHP to bytecode and uses a just-in-time (JIT) compiler to optimize for performance.
- It supports most PHP syntax and features like Hack which adds type hints. It also has its own features like async functions, user attributes, and XHP for building components with XHTML syntax.
- HHVM is faster than PHP due to its JIT compiler which performs type inference and compiles hot code paths to native machine code. Benchmark tests show significant performance improvements over PHP for applications like Magento and Symfony.
This document discusses common security anti-patterns and cargo cult programming practices related to cryptography. It describes how using cryptographic primitives incorrectly or for the wrong purposes can significantly weaken security. For example, using non-cryptographic random number generators, reusing initialization vectors, or rolling your own encryption when libraries are available. The document advocates identifying true security goals, using the correct cryptographic primitive, and relying on proven libraries instead of writing custom crypto code whenever possible.
The document discusses various web security topics such as hashing, encryption, HTTPS, SQL injection, command injection, and file upload attacks.
It explains that hashing provides one-way encryption and can be used to securely store passwords. Encryption is reversible and requires keys. HTTPS uses asymmetric encryption to securely transmit symmetric keys. SQL injection occurs when unvalidated user input is inserted into SQL queries. Command injection allows execution of arbitrary system commands. File upload attacks may allow execution of uploaded code.
Passwords are often reused and breached, exposing users to risk. While hashing passwords provides some protection, attackers can still crack passwords using GPUs, ASICs, and password lists from previous breaches. Public-key cryptography avoids sending passwords over networks but early approaches were still vulnerable. New password-authenticated key exchange (PAKE) protocols use blinding techniques and oblivious transfers to allow password-derived keys while preventing offline cracking. Implementation requires integration with operating systems and browsers, but proof-of-concepts demonstrate the potential to significantly improve password security.
This document provides an introduction and overview of PHP, including:
- PHP allows developers to create dynamic web content that interacts with databases.
- It covers PHP syntax, variables, operators, decision making and looping statements, arrays, strings, and getting/posting data.
- The final section discusses using MySQL database with PHP, including data definition language, data manipulation language, and queries. It also mentions installing Wamp server for local development.
PHP 7 – What changed internally? (Forum PHP 2015)Nikita Popov
One of the main selling points of PHP 7 is greatly improved performance, with many real-world applications now running twice as fast… But where do these improvements come from?
At the core of PHP 7 lies an engine rewrite with focus on improving memory usage and performance. This talk provides an overview of the most significant changes, briefly covering everything from data structure changes, over enhancements in the executor, to the new compiler implementation.
Get Your Insecure PostgreSQL Passwords to SCRAMJonathan Katz
Passwords: they just seem to work. You connect to your PostgreSQL database and you are prompted for your password. You type in the correct character combination, and presto! you're in, safe and sound.
But what if I told you that all was not as it seemed. What if I told you there was a better, safer way to use passwords with PostgreSQL? What if I told you it was imperative that you upgraded, too?
PostgreSQL 10 introduced SCRAM (Salted Challenge Response Authentication Mechanism), introduced in RFC 5802, as a way to securely authenticate passwords. The SCRAM algorithm lets a client and server validate a password without ever sending the password, whether plaintext or a hashed form of it, to each other, using a series of cryptographic methods.
In this talk, we will look at:
* A history of the evolution of password storage and authentication in PostgreSQL
* How SCRAM works with a step-by-step deep dive into the algorithm (and convince you why you need to upgrade!)
* SCRAM channel binding, which helps prevent MITM attacks during authentication
* How to safely set and modify your passwords, as well as how to upgrade to SCRAM-SHA-256 (which we will do live!)
all of which will be explained by some adorable elephants and hippos!
At the end of this talk, you will understand how SCRAM works, how to ensure your PostgreSQL drivers supports it, how to upgrade your passwords to using SCRAM-SHA-256, and why you want to tell other PostgreSQL password mechanisms to SCRAM!
How does cryptography work? by Jeroen OomsAjay Ohri
This document provides a conceptual introduction to cryptographic methods. It explains that cryptography works by using the XOR operator and one-time pads or stream ciphers to encrypt messages. With one-time pads, a message is XOR'd with random data and can only be decrypted by someone with the pad. Stream ciphers generate pseudo-random streams from a key and nonce to encrypt messages. Public-key encryption uses Diffie-Hellman key exchange to allow parties to establish a shared secret to encrypt messages.
Safely Protect PostgreSQL Passwords - Tell Others to SCRAMJonathan Katz
Jonathan S. Katz gave a talk on safely protecting passwords in PostgreSQL. He discussed:
- The evolution of password management in PostgreSQL, from storing passwords in plain text to using md5 hashes to modern SCRAM authentication.
- How plain text and md5 password storage are insecure as passwords can be intercepted or cracked.
- The SCRAM authentication standard which allows two parties to verify they know a secret without exchanging the secret directly.
- How PostgreSQL implements SCRAM-SHA-256 to generate a secure verifier from the password and authenticate users with random salts and iterations to secure against brute force attacks.
The slower the stronger a story of password hash migrationOWASP
Did you know that a single modern GPU is able to compute almost 20 billion MD5 hashes in a second? That’s why we need SLOW hashing algorithms!
This talk is a case study of a successful migration of www.ocado.com customer password hashes. I will not only show you the “why”, “what” and “how”, but also what was problematic, what went wrong and how we dealt with it.
I will talk about slow hashing algorithms - such as Argon2, PBKDF2, BCrypt or SCrypt - and compare them to other popular hashing algorithms - like MD5 or SHA1. Next, I will tell you a story of hashes which took about 80 ms to compute - not slow enough, fairly easy to crack. I will show you what our password hashing code looks like and I will guide you through our migration plan, describing in detail how we executed it, and what problems we encountered on the way.
Static analysis tools checks PHP code without running them. Fully automated, they bring expertise to review the code, enforce good practices when programming, keep code ready for the next PHP version. PHP 7 has developed tremendously our capacity to audit code. Thanks to AST and return types, it is possible to go deeper and prevent more bugs. During this session, we'll review the current state of static analysis tools, learn what they can find for us, and how to integrate it in the development cycle: security bugs, migration incompatibilities, and directives recommendations. Simply said, better PHP coding.
Drupal enthusiasts in Chennai are coordination with IEEE organized a 3 day workshop. The Workshop introduced Drupal to students. Over 125 students participated this training program.
Secure password storing with saltedpasswords in TYPO3Steffen Gebert
This document discusses securely storing passwords in TYPO3 using the saltedpasswords extension. It begins by explaining the risks of storing passwords in cleartext and introduces hashing and salting as more secure alternatives. The saltedpasswords extension implements salted hashing methods like MD5 and Blowfish. The document covers installing and configuring the extension, ensuring compatibility with existing passwords, and provides background on password hashing formats.
HHVM is a virtual machine for executing PHP code designed to be faster than traditional PHP implementations. It uses just-in-time (JIT) compilation to convert PHP bytecode into machine-optimized code during execution. This allows HHVM to approach the performance of C/C++ applications. It is open source software developed by Facebook as a drop-in replacement for PHP that can boost performance for popular PHP frameworks and applications.
PHP is a server-side scripting language commonly used for web development. This document provides an overview of PHP, including what it is, what it can do, why it's useful, and basic PHP syntax and features like variables, arrays, forms, and functions. It also provides instructions on setting up a local PHP development environment using XAMPP.
Similar to Encryption: It's For More Than Just Passwords (20)
HijackLoader Evolution: Interactive Process HollowingDonato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Gen Z and the marketplaces - let's translate their needsLaura Szabó
The product workshop focused on exploring the requirements of Generation Z in relation to marketplace dynamics. We delved into their specific needs, examined the specifics in their shopping preferences, and analyzed their preferred methods for accessing information and making purchases within a marketplace. Through the study of real-life cases , we tried to gain valuable insights into enhancing the marketplace experience for Generation Z.
The workshop was held on the DMA Conference in Vienna June 2024.
Ready to Unlock the Power of Blockchain!Toptal Tech
Imagine a world where data flows freely, yet remains secure. A world where trust is built into the fabric of every transaction. This is the promise of blockchain, a revolutionary technology poised to reshape our digital landscape.
Toptal Tech is at the forefront of this innovation, connecting you with the brightest minds in blockchain development. Together, we can unlock the potential of this transformative technology, building a future of transparency, security, and endless possibilities.
Discover the benefits of outsourcing SEO to Indiadavidjhones387
"Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
9. JOHN CONGDON
• PHP Since 2003
• SDPHP Organizer
• Developer for Networx Online
• PhoneBurner.com
• MeetingBurner.com
• FaxBurner.com
• I am not a cryptographer
22. CRYPTOGRAPHIC HASHING
Wikipedia Definition: A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bitstring, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply the digest.
Message → HASH → Digest
unicorn → HASH → 1abcb33beeb811dca15f0ac3e47b88d9
23. MD5 EXAMPLE
$username = $_POST['username'];
$password = $_POST['password'];
$user = getUserByUsername($username);
$authenticated = false;
if ($user->password == md5($password)) {
    $authenticated = true;
}
*example only: not meant to be used
34. ADDING SALT
In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes a password or
passphrase.[1] The primary function of salts is to defend against dictionary attacks versus a list of password hashes and
against pre-computed rainbow table attacks.
$hash = md5('RAND_SALT' . $password);
RAND_SALT must come from a cryptographically secure source.
Do not use (rand, mt_rand, uniqid)
Do use (/dev/urandom, mcrypt, openssl)
35. MD5+SALT EXAMPLE
$username = $_POST['username'];
$password = $_POST['password'];
$user = getUserByUsername($username);
$authenticated = false;
if ($user->password == md5($user->salt . $password))
{
    $authenticated = true;
}
*example only: not meant to be used
40. USE TODAY'S STANDARDS
Currently: BCrypt
• Slower by design
• Configurable to help withstand the test of time
• Should be configured to take 0.25 to 0.50 seconds
• Start with a cost of 10, use higher if possible
https://github.com/johncongdon/bcrypt-cost-finder
41. PHP 5.5 Password Hashing API
http://www.php.net/manual/en/ref.password.php
48. I Lied: Available in PHP >= 5.3.7
https://github.com/ircmaxell/password_compat
A forward compatible password API implementation that
will work until you are ready to upgrade to 5.5. This will
work for all versions of PHP that have the $2y fix.
Upgrading to 5.5 will not break your current code if you
use this library.
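The cost guidance and the password hashing API referenced above, put together as an added example (not code from the slides or from password_compat). It benchmarks bcrypt to pick a cost for the current server, then verifies a login and re-hashes when the stored hash uses an older cost. The function names findBcryptCost and verifyAndUpgrade and the sample passwords are hypothetical.

```php
<?php
// Added example, not from the slides. Needs PHP >= 5.5, or password_compat
// on PHP >= 5.3.7. Function names and sample passwords are hypothetical.

// Lowest cost (capped at $maxCost) whose hash time reaches $targetSeconds
function findBcryptCost($targetSeconds = 0.25, $minCost = 10, $maxCost = 15)
{
    for ($cost = $minCost; $cost < $maxCost; $cost++) {
        $start = microtime(true);
        password_hash('benchmark', PASSWORD_BCRYPT, array('cost' => $cost));
        if (microtime(true) - $start >= $targetSeconds) {
            break;
        }
    }
    return $cost;
}

// Check a login attempt. Returns array($ok, $newHash); $newHash is non-null
// when the stored hash was made with an older cost and should be replaced.
function verifyAndUpgrade($password, $storedHash, $cost)
{
    if (!password_verify($password, $storedHash)) {
        return array(false, null);
    }
    $options = array('cost' => $cost);
    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, $options)) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, $options);
    }
    return array(true, $newHash);
}

$cost = findBcryptCost();
echo "Cost for this server: $cost\n";

// Constructed stored hash at cost 4, standing in for an outdated setting.
// password_hash() generates a unique random salt and embeds it in the hash.
$stored = password_hash('correct horse', PASSWORD_BCRYPT, array('cost' => 4));

list($ok, $newHash) = verifyAndUpgrade('correct horse', $stored, $cost);
echo $ok ? "Login OK\n" : "Login failed\n";
echo $newHash !== null ? "Upgraded hash: $newHash\n" : "Hash is current\n";

list($ok, $newHash) = verifyAndUpgrade('wrong guess', $stored, $cost);
echo $ok ? "Login OK\n" : "Login failed\n";
```

Re-hashing on successful login is the only point at which the plain-text password is available, which is why the upgrade happens there.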
49. Want More? Get Statistics Here
http://blog.ircmaxell.com/2013/01/password-storage-talk-at-php-benelux-13.html
58. AVOID ENCRYPTION AT ALL COSTS!
Clarification:
Avoid storing any data that you need to encrypt.
Before deciding to collect and store this information,
ask yourself why you need it.
Is the risk of potentially leaking this information worth the reward?
Are there any alternative solutions available to you?
Example: Credit card companies usually offer a token solution
61. SYMMETRIC VS ASYMMETRIC
Symmetric
• Only one shared key
• Same key encrypts and decrypts
• Easiest to understand
Asymmetric
• Two keys (Public and Private)
• Encryption/Decryption
  • Public key encrypts
  • Private key decrypts
• Signing/Verifying
  • Private key signs
  • Public key verifies
73. KEYS, CIPHERS, MODES, AND IV OH MY!
Keys should be easy enough (Keep it secret)
Ciphers
• Deterministic algorithm (Ex: 3DES, Blowfish, TwoFish)
Modes
• Determines how the key stream is used (never cross them)
• Avoid ECB (Electronic Code Book)
• Use CBC or CFB (Cipher Block Chaining / Cipher FeedBack)
Initialization Vectors
• Similar to SALT in hashing (It's not a secret)
• Must be random per encrypted text
74. EXAMPLE: ENCRYPT USING CRYPT
$crypt_key = 'MySecretKey';
$message = "Do not tell my boss, but I did xyz";
$iv_size = mcrypt_get_iv_size(
    MCRYPT_BLOWFISH,
    MCRYPT_MODE_CBC
);
$iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM);
$cipher = mcrypt_encrypt(
    MCRYPT_BLOWFISH,
    $crypt_key,
    $message,
    MCRYPT_MODE_CBC,
    $iv
);
81. HMAC: HASH-BASED MESSAGE AUTHENTICATION CODE
Using a separate key, this will give us a signature of the encryption. We can use this to ensure that the data has not been tampered with.
When encrypting:
• Always encrypt first, and then get the signature of the Cipher Text.
• Store the signature with your IV and Cipher Text.
When decrypting:
• Always verify the signature first, and then decrypt if successful.
82. EXAMPLE: USING HMAC
$crypt_key = 'MySecretKey';
$hmac_key = 'HashingKey';
$hmac = hash_hmac('sha512', $cipher, $hmac_key);
//Store it with your encrypted data
$encoded_data = base64_encode($iv . $cipher . $hmac);
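83. EXAMPLE: DECRYPTING USING HMAC
$decoded_data = base64_decode($encoded_data);
$iv = substr($decoded_data, 0, $iv_size);
// hash_hmac('sha512', ...) returns 128 hex characters
$hmac = substr($decoded_data, -128);
$cipher = substr($decoded_data, $iv_size, -128);
// Verify the signature before decrypting. hash_equals() (PHP >= 5.6) is a
// constant-time comparison and avoids the type juggling of != on strings.
if (!hash_equals(hash_hmac('sha512', $cipher, $hmac_key), $hmac))
{
    throw new Exception('HMAC does not match');
}
$message = mcrypt_decrypt(
    MCRYPT_BLOWFISH,
    $crypt_key,
    $cipher,
    MCRYPT_MODE_CBC,
    $iv
);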
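The encrypt-then-sign and verify-then-decrypt steps above as one round trip, in an added example that is not code from the slides. It goes beyond them in two ways: it uses the OpenSSL extension with AES-256-CBC, because mcrypt was removed from PHP core in 7.2, and the signature covers the IV as well as the cipher text. It assumes PHP >= 7.0 for random_bytes(); the names sealMessage and openMessage are hypothetical.

```php
<?php
// Added example, not from the slides. Function names are hypothetical.
const CIPHER  = 'aes-256-cbc';
const MAC_LEN = 32; // raw SHA-256 output in bytes

function sealMessage($message, $cryptKey, $hmacKey)
{
    // Fresh random IV for every message
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $cipher = openssl_encrypt($message, CIPHER, $cryptKey, OPENSSL_RAW_DATA, $iv);
    if ($cipher === false) {
        throw new RuntimeException('Encryption failed');
    }
    // Encrypt first, then sign IV + cipher text with the separate key
    $hmac = hash_hmac('sha256', $iv . $cipher, $hmacKey, true);
    return base64_encode($iv . $cipher . $hmac);
}

function openMessage($encoded, $cryptKey, $hmacKey)
{
    $ivLen = openssl_cipher_iv_length(CIPHER);
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) <= $ivLen + MAC_LEN) {
        throw new RuntimeException('Malformed input');
    }
    $iv     = substr($raw, 0, $ivLen);
    $hmac   = substr($raw, -MAC_LEN);
    $cipher = substr($raw, $ivLen, -MAC_LEN);
    // Verify before decrypting; hash_equals() compares in constant time
    $expected = hash_hmac('sha256', $iv . $cipher, $hmacKey, true);
    if (!hash_equals($expected, $hmac)) {
        throw new RuntimeException('HMAC does not match');
    }
    return openssl_decrypt($cipher, CIPHER, $cryptKey, OPENSSL_RAW_DATA, $iv);
}

// Constructed demo keys; real keys are generated once and kept out of the code
$cryptKey = random_bytes(32);
$hmacKey  = random_bytes(32);
$sealed = sealMessage('Do not tell my boss, but I did xyz', $cryptKey, $hmacKey);
echo openMessage($sealed, $cryptKey, $hmacKey), "\n";
// Flip one bit of the cipher text: verification must reject it
$tampered = base64_decode($sealed);
$tampered[20] = $tampered[20] ^ "\x01";
try {
    openMessage(base64_encode($tampered), $cryptKey, $hmacKey);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```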
96. ENCRYPTION !== PROTECTION
Data obtained through SQL Injection attacks
should be relatively secure.
For us to encrypt/decrypt, we must have
access to the key. Therefore, any breach of
the system will disclose the key to the
attacker, leaving ALL encryption useless.
Apache environment variable, memory,
config files, password entered during
system start, etc... do not keep the key
private.
104. OTHER THINGS TO CONSIDER
• Encrypt / decrypt on a separate server
• More overhead and complexity
• Any server breach can still decrypt
data
• With enough thought and monitoring,
you can kill the decryption server to
limit the damage done
• Think about restricting requests per
second
Paranoid about password safety? Consider encrypting the
hash. Renders SQL Injection and rainbow tables/brute force
mostly useless without the key.
107. OTHER THINGS TO CONSIDER
Do you need access to the user's information without
them on the system?
If your user must be present, then consider making
them partially responsible for the security. Have them
use a second password or passphrase that you can add
to your key to use in the encryption.
108. FINAL WORDS...
I've learned a ton while preparing this presentation.
Thanks especially to Anthony Ferrara (@ircmaxell)
http://blog.ircmaxell.com