Encryption Recap: A Refresher on Key Concepts
DO and DON'T for developers
A while ago, I had chance to collect information and share this PDF summarizing common encryption terminology within my teams. This covers algorithms, and best practices that many developers may find helpful as a refresher or intro. Let me know if any part needs further explanation.
How to do Cryptography right in Android Part OneArash Ramez
Cryptography is an indispensable tool used to protect information in computing systems. It is used everywhere and by billions of people worldwide on a daily basis. It is used to protect data at rest and data in motion. While extremely useful, cryptography is also highly brittle. The most secure cryptographic system can be rendered completely insecure by a single specification or programming error.to argue that a cryptosystem is secure, we rely on mathematical modeling and proofs to show that a particular system satisfies the security properties attributed to it.
We often need to introduce certain plausible assumptions to push our security arguments through.
This presentation is about exactly that: constructing practical cryptosystems in android platform for which we can argue security under plausible assumptions.part one just covers fundamentals topics in cryptography world.
Youtube playlist:
https://www.youtube.com/playlist?list=PLT2xIm2X7W7gJgHWhKrIhS-L05xHVCPh2
gist:
https://gist.github.com/aramezx
Cryptography 101 for_java_developers, Fall 2019Michel Schudel
So you’re logging in to your favorite crypto currency exchange over https using a username and password, executing some transactions, and you’re not at all surprised that, security wise, everything’s hunky dory…
The amount of cryptography to make all this happen is staggering. In order to appreciate and understand what goes on under the hood, as a developer, it’s really important to dive into the key concepts of cryptography.
In this session, we discover what cryptography actually is, and will use the JCA (Java Cryptography API) en JCE (Java Cryptography Extensions) in the JDK to explain and demo key concepts such as:
– Message digests (hashing)
– Encryption, both symmetric and asymmetric
– Digital signatures, both symmetric and asymmetric
Furthermore, we’ll show how these concepts find their way into a variety of practical applications such as:
– https and certificates
– salted password checking
– block chain technology
After this session, you’ll have a better understanding of basic cryptography, its applications, and how to use the cryptography APIs in Java.
How to do Cryptography right in Android Part OneArash Ramez
Cryptography is an indispensable tool used to protect information in computing systems. It is used everywhere and by billions of people worldwide on a daily basis. It is used to protect data at rest and data in motion. While extremely useful, cryptography is also highly brittle. The most secure cryptographic system can be rendered completely insecure by a single specification or programming error.to argue that a cryptosystem is secure, we rely on mathematical modeling and proofs to show that a particular system satisfies the security properties attributed to it.
We often need to introduce certain plausible assumptions to push our security arguments through.
This presentation is about exactly that: constructing practical cryptosystems in android platform for which we can argue security under plausible assumptions.part one just covers fundamentals topics in cryptography world.
Youtube playlist:
https://www.youtube.com/playlist?list=PLT2xIm2X7W7gJgHWhKrIhS-L05xHVCPh2
gist:
https://gist.github.com/aramezx
Cryptography 101 for_java_developers, Fall 2019Michel Schudel
So you’re logging in to your favorite crypto currency exchange over https using a username and password, executing some transactions, and you’re not at all surprised that, security wise, everything’s hunky dory…
The amount of cryptography to make all this happen is staggering. In order to appreciate and understand what goes on under the hood, as a developer, it’s really important to dive into the key concepts of cryptography.
In this session, we discover what cryptography actually is, and will use the JCA (Java Cryptography API) en JCE (Java Cryptography Extensions) in the JDK to explain and demo key concepts such as:
– Message digests (hashing)
– Encryption, both symmetric and asymmetric
– Digital signatures, both symmetric and asymmetric
Furthermore, we’ll show how these concepts find their way into a variety of practical applications such as:
– https and certificates
– salted password checking
– block chain technology
After this session, you’ll have a better understanding of basic cryptography, its applications, and how to use the cryptography APIs in Java.
Cryptography is the art and science of securing communication and data by con...kalojo7178
Cryptography is the art and science of securing communication and data by converting plain text into unintelligible ciphertext. It's an essential aspect of cybersecurity and privacy, used in various fields such as finance, government, military, and everyday online communication.
At its core, cryptography relies on algorithms and mathematical principles to encrypt and decrypt data securely. There are two main types of cryptographic techniques: symmetric and asymmetric encryption.
1. **Symmetric Encryption**: In symmetric encryption, the same key is used for both encryption and decryption. It's faster and more efficient for large volumes of data. Algorithms like AES (Advanced Encryption Standard) are commonly used for symmetric encryption.
2. **Asymmetric Encryption**: Also known as public-key cryptography, asymmetric encryption uses a pair of keys - public and private. The public key is used for encryption, while the private key is used for decryption. RSA and Elliptic Curve Cryptography (ECC) are popular asymmetric encryption algorithms.
Cryptography serves several crucial purposes:
- **Confidentiality**: It ensures that only authorized parties can access the information.
- **Integrity**: It verifies that the information has not been altered or tampered with during transmission.
- **Authentication**: It confirms the identity of the communicating parties.
- **Non-repudiation**: It prevents the sender from denying the authenticity of the message.
Cryptography also faces challenges, such as the rise of quantum computing which poses a threat to traditional cryptographic methods, prompting the development of quantum-resistant algorithms.
Overall, cryptography plays a vital role in protecting sensitive information in today's digital world, enabling secure communication and transactions over the internet.
Cryptography 101 for Java Developers - JavaZone2019Michel Schudel
So you're logging in to your favorite crypto currency exchange over https using a username and password, executing some transactions, and you're not at all surprised that, security wise, everything's hunky dory...
Ever wondered about the amount of cryptography begin used here? No? Let's dive into the key concepts of cryptography then, and see how the JDK supports this using the standard cryptography API's: JCA (Java Cryptography Architecture) and JCE (Java Cryptography Extension)! We'll be exploring message digests, encryption, and digital signatures, and see how they'are used in password checks, https, and block chain technology.
After this session, you'll have a better understanding of basic cryptography, its applications, and how to use the cryptography APIs in Java.
For a college course -- CNIT 140: "Cryptography for Computer Networks" at City College San Francisco
Instructor: Sam Bowne
More info: https://samsclass.info/141/141_S19.shtml
Based on "Serious Cryptography: A Practical Introduction to Modern Encryption", by Jean-Philippe Aumasson, No Starch Press (November 6, 2017), ISBN-10: 1593278268 ISBN-13: 978-1593278267
For a college course -- CNIT 141: Cryptography for Computer Networks, at City College San Francisco
Based on "Serious Cryptography: A Practical Introduction to Modern Encryption", by Jean-Philippe Aumasson, No Starch Press (November 6, 2017), ISBN-10: 1593278268 ISBN-13: 978-1593278267
Instructor: Sam Bowne
More info: https://samsclass.info/141/141_S19.shtml
This is the presentation that I presented in Sony Istanbul to developers, BAs, QAs. In this presentation, you can find the explanations about basic terminology for Cryptography that is used in daily life.
In Hadoop in Taiwan 2013 event, engineer of TCloud Computing presented the security concepts and features of Hadoop, how to script Crypto API, configuration details and future development.
GraphSummit Paris - The art of the possible with Graph TechnologyNeo4j
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
E-commerce Application Development Company.pdfHornet Dynamics
Your business can reach new heights with our assistance as we design solutions that are specifically appropriate for your goals and vision. Our eCommerce application solutions can digitally coordinate all retail operations processes to meet the demands of the marketplace while maintaining business continuity.
More Related Content
Similar to Encryption Recap: A Refresher on Key Concepts
Cryptography is the art and science of securing communication and data by con...kalojo7178
Cryptography is the art and science of securing communication and data by converting plain text into unintelligible ciphertext. It's an essential aspect of cybersecurity and privacy, used in various fields such as finance, government, military, and everyday online communication.
At its core, cryptography relies on algorithms and mathematical principles to encrypt and decrypt data securely. There are two main types of cryptographic techniques: symmetric and asymmetric encryption.
1. **Symmetric Encryption**: In symmetric encryption, the same key is used for both encryption and decryption. It's faster and more efficient for large volumes of data. Algorithms like AES (Advanced Encryption Standard) are commonly used for symmetric encryption.
2. **Asymmetric Encryption**: Also known as public-key cryptography, asymmetric encryption uses a pair of keys - public and private. The public key is used for encryption, while the private key is used for decryption. RSA and Elliptic Curve Cryptography (ECC) are popular asymmetric encryption algorithms.
Cryptography serves several crucial purposes:
- **Confidentiality**: It ensures that only authorized parties can access the information.
- **Integrity**: It verifies that the information has not been altered or tampered with during transmission.
- **Authentication**: It confirms the identity of the communicating parties.
- **Non-repudiation**: It prevents the sender from denying the authenticity of the message.
Cryptography also faces challenges, such as the rise of quantum computing which poses a threat to traditional cryptographic methods, prompting the development of quantum-resistant algorithms.
Overall, cryptography plays a vital role in protecting sensitive information in today's digital world, enabling secure communication and transactions over the internet.
Cryptography 101 for Java Developers - JavaZone2019Michel Schudel
So you're logging in to your favorite crypto currency exchange over https using a username and password, executing some transactions, and you're not at all surprised that, security wise, everything's hunky dory...
Ever wondered about the amount of cryptography begin used here? No? Let's dive into the key concepts of cryptography then, and see how the JDK supports this using the standard cryptography API's: JCA (Java Cryptography Architecture) and JCE (Java Cryptography Extension)! We'll be exploring message digests, encryption, and digital signatures, and see how they'are used in password checks, https, and block chain technology.
After this session, you'll have a better understanding of basic cryptography, its applications, and how to use the cryptography APIs in Java.
For a college course -- CNIT 140: "Cryptography for Computer Networks" at City College San Francisco
Instructor: Sam Bowne
More info: https://samsclass.info/141/141_S19.shtml
Based on "Serious Cryptography: A Practical Introduction to Modern Encryption", by Jean-Philippe Aumasson, No Starch Press (November 6, 2017), ISBN-10: 1593278268 ISBN-13: 978-1593278267
For a college course -- CNIT 141: Cryptography for Computer Networks, at City College San Francisco
Based on "Serious Cryptography: A Practical Introduction to Modern Encryption", by Jean-Philippe Aumasson, No Starch Press (November 6, 2017), ISBN-10: 1593278268 ISBN-13: 978-1593278267
Instructor: Sam Bowne
More info: https://samsclass.info/141/141_S19.shtml
This is the presentation that I presented in Sony Istanbul to developers, BAs, QAs. In this presentation, you can find the explanations about basic terminology for Cryptography that is used in daily life.
In Hadoop in Taiwan 2013 event, engineer of TCloud Computing presented the security concepts and features of Hadoop, how to script Crypto API, configuration details and future development.
GraphSummit Paris - The art of the possible with Graph TechnologyNeo4j
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
E-commerce Application Development Company.pdfHornet Dynamics
Your business can reach new heights with our assistance as we design solutions that are specifically appropriate for your goals and vision. Our eCommerce application solutions can digitally coordinate all retail operations processes to meet the demands of the marketplace while maintaining business continuity.
Quarkus Hidden and Forbidden ExtensionsMax Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Crescat
Crescat is industry-trusted event management software, built by event professionals for event professionals. Founded in 2017, we have three key products tailored for the live event industry.
Crescat Event for concert promoters and event agencies. Crescat Venue for music venues, conference centers, wedding venues, concert halls and more. And Crescat Festival for festivals, conferences and complex events.
With a wide range of popular features such as event scheduling, shift management, volunteer and crew coordination, artist booking and much more, Crescat is designed for customisation and ease-of-use.
Over 125,000 events have been planned in Crescat and with hundreds of customers of all shapes and sizes, from boutique event agencies through to international concert promoters, Crescat is rigged for success. What's more, we highly value feedback from our users and we are constantly improving our software with updates, new features and improvements.
If you plan events, run a venue or produce festivals and you're looking for ways to make your life easier, then we have a solution for you. Try our software for free or schedule a no-obligation demo with one of our product specialists today at crescat.io
Artificia Intellicence and XPath Extension FunctionsOctavian Nadolu
The purpose of this presentation is to provide an overview of how you can use AI from XSLT, XQuery, Schematron, or XML Refactoring operations, the potential benefits of using AI, and some of the challenges we face.
Transform Your Communication with Cloud-Based IVR SolutionsTheSMSPoint
Discover the power of Cloud-Based IVR Solutions to streamline communication processes. Embrace scalability and cost-efficiency while enhancing customer experiences with features like automated call routing and voice recognition. Accessible from anywhere, these solutions integrate seamlessly with existing systems, providing real-time analytics for continuous improvement. Revolutionize your communication strategy today with Cloud-Based IVR Solutions. Learn more at: https://thesmspoint.com/channel/cloud-telephony
Enterprise Resource Planning System includes various modules that reduce any business's workload. Additionally, it organizes the workflows, which drives towards enhancing productivity. Here are a detailed explanation of the ERP modules. Going through the points will help you understand how the software is changing the work dynamics.
To know more details here: https://blogs.nyggs.com/nyggs/enterprise-resource-planning-erp-system-modules/
Navigating the Metaverse: A Journey into Virtual Evolution"Donna Lenk
Join us for an exploration of the Metaverse's evolution, where innovation meets imagination. Discover new dimensions of virtual events, engage with thought-provoking discussions, and witness the transformative power of digital realms."
Launch Your Streaming Platforms in MinutesRoshan Dwivedi
The claim of launching a streaming platform in minutes might be a bit of an exaggeration, but there are services that can significantly streamline the process. Here's a breakdown:
Pros of Speedy Streaming Platform Launch Services:
No coding required: These services often use drag-and-drop interfaces or pre-built templates, eliminating the need for programming knowledge.
Faster setup: Compared to building from scratch, these platforms can get you up and running much quicker.
All-in-one solutions: Many services offer features like content management systems (CMS), video players, and monetization tools, reducing the need for multiple integrations.
Things to Consider:
Limited customization: These platforms may offer less flexibility in design and functionality compared to custom-built solutions.
Scalability: As your audience grows, you might need to upgrade to a more robust platform or encounter limitations with the "quick launch" option.
Features: Carefully evaluate which features are included and if they meet your specific needs (e.g., live streaming, subscription options).
Examples of Services for Launching Streaming Platforms:
Muvi [muvi com]
Uscreen [usencreen tv]
Alternatives to Consider:
Existing Streaming platforms: Platforms like YouTube or Twitch might be suitable for basic streaming needs, though monetization options might be limited.
Custom Development: While more time-consuming, custom development offers the most control and flexibility for your platform.
Overall, launching a streaming platform in minutes might not be entirely realistic, but these services can significantly speed up the process compared to building from scratch. Carefully consider your needs and budget when choosing the best option for you.
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Łukasz Chruściel
No one wants their application to drag like a car stuck in the slow lane! Yet it’s all too common to encounter bumpy, pothole-filled solutions that slow the speed of any application. Symfony apps are not an exception.
In this talk, I will take you for a spin around the performance racetrack. We’ll explore common pitfalls - those hidden potholes on your application that can cause unexpected slowdowns. Learn how to spot these performance bumps early, and more importantly, how to navigate around them to keep your application running at top speed.
We will focus in particular on tuning your engine at the application level, making the right adjustments to ensure that your system responds like a well-oiled, high-performance race car.
Atelier - Innover avec l’IA Générative et les graphes de connaissancesNeo4j
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Allez au-delà du battage médiatique autour de l’IA et découvrez des techniques pratiques pour utiliser l’IA de manière responsable à travers les données de votre organisation. Explorez comment utiliser les graphes de connaissances pour augmenter la précision, la transparence et la capacité d’explication dans les systèmes d’IA générative. Vous partirez avec une expérience pratique combinant les relations entre les données et les LLM pour apporter du contexte spécifique à votre domaine et améliorer votre raisonnement.
Amenez votre ordinateur portable et nous vous guiderons sur la mise en place de votre propre pile d’IA générative, en vous fournissant des exemples pratiques et codés pour démarrer en quelques minutes.
Zoom is a comprehensive platform designed to connect individuals and teams efficiently. With its user-friendly interface and powerful features, Zoom has become a go-to solution for virtual communication and collaboration. It offers a range of tools, including virtual meetings, team chat, VoIP phone systems, online whiteboards, and AI companions, to streamline workflows and enhance productivity.
Mobile App Development Company In Noida | Drona InfotechDrona Infotech
Looking for a reliable mobile app development company in Noida? Look no further than Drona Infotech. We specialize in creating customized apps for your business needs.
Visit Us For : https://www.dronainfotech.com/mobile-application-development/
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
2. Security &
Encryption
• Priority of security ‘was’ low than features
• There is NO 100% secure
• Security is not just cost, it is everything and
everywhere
• Encryption is the minimum defence, when
other security fails
• Encryption is minimum requirement for
any services or apps
3. Common
Terminology
• Number of Keys : Symmetric vs. Asymmetric
• Data Processing Unit : Stream vs. Block
• Data Recovery Capability : One Way vs. Both
Way
4. Hash
Functions
• Turn arbitrary size of input to fixed size of
output
• Guaranteed same output for same input
• It is fast, used for fast search as hash table
• Digest : output of hashing
5. Hash
Collision
• h(M) = H
• h() : hash function
• M : input
• H : hash (digest)
• Collision: different input,
same hash (MD5, SHA1)
8. 2nd Pre-image
Resistance
With given (M), ensure there is no other
input (M`) to have the same h
h(M) = H
H = ‘aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d’
M = ‘hello’, M`=?
9. Collision
Resistance
• Ensure mathematically ‘nearly’ impossible
to have two M and M` that has same h
• Finding arbitrary M1, M2 that produce the
same h
• Stability of hash measured to the half of
the bit size of the algorithm (SHA1 =
80bit, SHA256 = 128bit)
10. Rainbow
Attack
• A type of Brute-force attack
• Using pre-calculated rainbow table to
match result H
• If H is the same, then M is out of the
rainbow table
• Prevent the attack by adding salt
11. Hashing
Algorithms
• MD5, SHA1, SHA2 (SHA256, SHA384, SHA512)
• MD5 (128bit) : not secure
• SHA1(160bit) : not recommended as long term
key (i.e. digital signature, used as one and only
algorithm for password encryption), still OK for
transient keys (session, git commit hash)
12. Symmetric-key
Algorithm
• One secret key for encryption and
decryption
• DES, 3DES, AES, IDEA, RC4, RC5
• Speedy and Easy to implement
• Hard to transfer secret keys each
other
• Key management is even harder
n(n-1)/2
14. Block
Cipher
• encrypt/decrypt by data block
• symmetric algorithm
• DES : not recommended
• AES : adopted by NIST, 128/192/256
• Camellia : used for TLS session
• implementations by size of block
and key length
https://www.youtube.com/watch?v=gP4PqVGudtg
15. Padding
• Input data is NOT always the
multiples of block size
(i.e.) PKCS7/PKCS5 Padding : if lack
of 3 bytes, put 03 03 03
18. Mode of Operation
CBC
• Cipher Block Chaining
• Enhanced security
• Uses previous block as input to
produce the next block
• For 1st block, use IV
(Initialization Vector), hard to
guess
• Recommended for symmetric
key encryption (AES/CBC)
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
19. CBC
private static final String key = "aesEncryptionKey"; // 16 bytes
private static final String IV = "encryptionIntVec"; // 16 bytes
private static final String UTF8 = "UTF-8";
public static String encrypt(String value) {
try {
IvParameterSpec iv = new IvParameterSpec(IV.getBytes(UTF8));
SecretKeySpec spec = new SecretKeySpec(key.getBytes(UTF8), "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, spec, iv);
byte[] encrypted = cipher.doFinal(value.getBytes());
return Base64.encodeBase64String(encrypted);
}
catch (Exception ex) {
ex.printStackTrace();
}
return null;
}
• Key : should be loaded
from secure storage
• IV : secure random value
• Key, IV are required for
encryption/decryption
21. PBKDF2
• Password Based Key Derivation Function 2
• Widely used for user password encryption
• Prevent brute-force attack by iteration (key
stretching)
1. Generate random key based on password
2. Adding salt
3. Iterate enough times to produce hash
22. Public Key
Encryption
• Asymmetric Key Algorithm
• Encrypt with Public Key
• Decrypt with Private Key
• Resolve the Difficulty of Key Sharing
• Used for
- Authentication
- Non-Repudiation
- Digital Signature
23. Public Key
Cryptography
RSA
• Rivest, Shamir, Adleman
• uses HUGE prime numbers as keys
• Much calculation, slow
ECDSA
• Elliptic Curve Digital Signature Algorithm
• Bitcoin
DSA
• Digital Signature Algorithm
13 = A * B
A=? and B=?
472,882,027 = A * B
A=? and B=?
24. Key
Exchange
• Key agreement
- Procedure to get agreement on key exchange
- Diffie-Hellman Algorithm (SSH, SSL)
(https://www.youtube.com/watch?v=wLFztjQDdzI)))
• Key Encipherment
- RSA Algorithm
1. Receiver generate symmetric key
2. Encrypt the symmetric key with sender’s public key
3. Transfer to the sender
25. SSL
TLS
• Session Key: symmetric key for a session
• SSL Hands-shake: key exchange procedure for SSL session
(Diffie-Hellman)
• SSL uses symmetric key (session key) throughout the session
• Session key cache for speed up
• TLS 1.2/1.3
• Excessive session timeout NOT recommended
26. PGP
• Pretty Good Privacy
• 1991 by Phil Zimmermann
• Used for Email Encryption
• Public Key Repository (http://pgp.mit.edu)
• GPG Tools
• Lack of Certified Authority
27. CA
Certificate Authority
SSL
Certificate
SSL certificate issued by CA
• Public Key Certificate
• CA certify ownership of Public Key
• CA sign Public Key by its own Private Key
• validate SSL certificate by CA public key on establishing SSL session
• start to trust owner of SSL certificate certified by a CA
• Verification Domain Ownership by certificate chain
Self-Signed SSL Certificate
• certified by its own CA
• NO trust from browsers
28. Authentication
vs.
Authorization
Authentication
• validate a user (or entity) is right one
• By password, biometry (fingerprint, face/palm/
iris scan, voice signature), smart card, OTP, etc.
Authorization
• Decide whether allow or not (permission)
• Authentication followed by Authorization
29. HSM
Hardware Security Module
• Security Compliance
• Embedded circuit (or software) to perform
cryptographic calculation
• Key management
• No access of key from outside
• Self destroy keys on unauthorized
disassemble attempts*
• Keep information safe
• Cloud-based HSM available (AWS, Azure,
etc.)
30. Rules of
Thumb
PLEASE DON’T DO
• DO NOT try to invent new encryption algorithm by yourself
• DO NOT use AES/ECB, instead AES/CBC
• DO NOT save AES Keys and IVs as file
• DO NOT use Self-signed certificate (if possible)
PLEASE DO
• PBKDF2 for user password
• Use salt on one way hashing to avoid rainbow attack
• Use key stretching (hash iteration) to avoid brute-force attack
• Consider key strength and hash iteration based on life of data and importance
• Use HSM for Super sensitive data