Data Encryption Recap
Thomas Kim
Security & Encryption
• Security ‘was’ a lower priority than features
• Nothing is 100% secure
• Security is not just a cost; it is everything and everywhere
• Encryption is the minimum defence when other security fails
• Encryption is a minimum requirement for any service or app
Common Terminology
• Number of Keys : Symmetric vs. Asymmetric
• Data Processing Unit : Stream vs. Block
• Data Recovery Capability : One-Way vs. Two-Way
Hash Functions
• Turn an input of arbitrary size into an output of fixed size
• The same input is guaranteed to give the same output
• Fast; used for fast lookup, as in a hash table
• Digest : the output of hashing
Hash Collision
• h(M) = H
• h() : hash function
• M : input
• H : hash (digest)
• Collision: different inputs, same hash (MD5, SHA1)
Requirements of a Cryptographic Hash Function
• Pre-image Resistance
• 2nd Pre-image Resistance
• Collision Resistance
Pre-image Resistance
Given a hash H, it is difficult to find the original input M
h(M) = H
H = ‘aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d’
M = ‘hello’
2nd Pre-image Resistance
Given an input M, it must be infeasible to find another input M` that has the same hash
h(M) = H
H = ‘aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d’
M = ‘hello’, M`=?
Collision Resistance
• It must be mathematically ‘nearly’ impossible to find two inputs M and M` that have the same hash
• That is, finding any two inputs M1, M2 that produce the same hash
• Strength of a hash is measured as half the bit size of the algorithm (SHA1 = 80bit, SHA256 = 128bit)
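The "half of the bit size" rule can be observed directly on a shortened digest. The following is an added example, not part of the original slides: it truncates SHA-256 to n bits and counts how many inputs must be hashed before any two collide. The class name, the `msg-<i>` inputs and the chosen bit sizes are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

public class BirthdayBound {

    // Keep only the first `bits` bits (1..64) of SHA-256(input).
    static long truncatedHash(MessageDigest md, String input, int bits) {
        byte[] digest = md.digest(input.getBytes(StandardCharsets.UTF_8));
        long v = 0;
        for (int i = 0; i < 8; i++) {
            v = (v << 8) | (digest[i] & 0xffL);
        }
        return v >>> (64 - bits);
    }

    // Hash constructed inputs "msg-0", "msg-1", ... until two of them share
    // the same truncated digest; return how many inputs were hashed.
    static long attemptsUntilCollision(int bits) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        Map<Long, String> seen = new HashMap<>();
        for (long i = 0; ; i++) {
            String m = "msg-" + i;
            String earlier = seen.put(truncatedHash(md, m, bits), m);
            if (earlier != null) {
                System.out.printf("  %d-bit collision: \"%s\" and \"%s\"%n", bits, earlier, m);
                return i + 1;
            }
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // The attempt count tracks 2^(n/2), not 2^n: an n-bit digest gives
        // only about n/2 bits of collision resistance.
        for (int bits : new int[] {16, 24, 32}) {
            long attempts = attemptsUntilCollision(bits);
            System.out.printf("%d-bit digest: %d hashes tried, 2^(n/2) = %d, 2^n = %d%n",
                    bits, attempts, 1L << (bits / 2), 1L << bits);
        }
    }
}
```

The same scaling is why a 160-bit digest is rated at 80 bits and a 256-bit digest at 128 bits on the slide.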
Rainbow Attack
• A type of brute-force attack
• Uses a pre-calculated rainbow table to match the resulting H
• If H is the same, then M is looked up from the rainbow table
• Prevent the attack by adding a salt
Hashing Algorithms
• MD5, SHA1, SHA2 (SHA256, SHA384, SHA512)
• MD5 (128bit) : not secure
• SHA1 (160bit) : not recommended for long-term use (i.e. digital signatures, or as the one and only algorithm for password encryption); still OK for transient keys (session, git commit hash)
Symmetric-key Algorithm
• One secret key for both encryption and decryption
• DES, 3DES, AES, IDEA, RC4, RC5
• Fast and easy to implement
• Hard to transfer secret keys to each other
• Key management is even harder: n(n-1)/2 keys for n parties
Stream Cipher
• Make a symmetric key
• Bit-wise XOR
• RC4, A5/2
• Fast, no longer used
Block Cipher
• Encrypt/decrypt one data block at a time
• Symmetric algorithm
• DES : not recommended
• AES : adopted by NIST, 128/192/256
• Camellia : used for TLS session
• Implementations differ by block size and key length
https://www.youtube.com/watch?v=gP4PqVGudtg
Padding
• Input data is NOT always a multiple of the block size
• e.g. PKCS7/PKCS5 padding : if the input is 3 bytes short, append 03 03 03
Modes of Operation
• Define the rules between blocks
• ECB, CBC, CFR, etc.
Mode of Operation: ECB
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
• Electronic Code Book
• No mode of operation
• Each block can be encrypted/decrypted on its own
• Critical issue: the input can be guessed
• Shouldn’t be used with symmetric key encryption (i.e. AES/ECB is NOT secure)
Mode of Operation: CBC
• Cipher Block Chaining
• Enhanced security
• Uses the previous block as input to produce the next block
• For the 1st block, use an IV (Initialization Vector) that is hard to guess
• Recommended for symmetric key encryption (AES/CBC)
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
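CBC
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
// Assumed source of encodeBase64String: Apache Commons Codec
import org.apache.commons.codec.binary.Base64;

public class CbcExample {
    // Demo constants; per the notes below, load the key from secure
    // storage and use a secure random value for the IV.
    private static final String key = "aesEncryptionKey"; // 16 bytes
    private static final String IV = "encryptionIntVec"; // 16 bytes
    private static final String UTF8 = "UTF-8";

    public static String encrypt(String value) {
        try {
            IvParameterSpec iv = new IvParameterSpec(IV.getBytes(UTF8));
            SecretKeySpec spec = new SecretKeySpec(key.getBytes(UTF8), "AES");
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
            cipher.init(Cipher.ENCRYPT_MODE, spec, iv);
            // Encode the plaintext with an explicit charset, not the platform default
            byte[] encrypted = cipher.doFinal(value.getBytes(UTF8));
            return Base64.encodeBase64String(encrypted);
        }
        catch (Exception ex) {
            ex.printStackTrace();
        }
        return null;
    }
}
• Key : should be loaded from secure storage
• IV : secure random value
• Key, IV are required for encryption/decryption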
Comparison: Mode of Operations
• ECB
• CBC
[Figure panels: Original, ECB, CBC]
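The CBC notes and the ECB/CBC comparison above can be reproduced with the JDK alone. The following is an added example, not code from the original slides: it draws a fresh random IV for every message, ships the IV in front of the ciphertext, and then encrypts two identical plaintext blocks under ECB and CBC to show what ECB reveals. The class name, the sample plaintexts and the in-memory `KeyGenerator` key (a stand-in for a key loaded from secure storage) are assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class CbcDemo {
    private static final int BLOCK = 16; // AES block size in bytes
    private static final SecureRandom RNG = new SecureRandom();

    // AES/CBC with a fresh random IV per message; returns Base64(IV || ciphertext).
    static String encrypt(SecretKey key, String value) throws GeneralSecurityException {
        byte[] iv = new byte[BLOCK];
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(value.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[BLOCK + ct.length];
        System.arraycopy(iv, 0, out, 0, BLOCK);
        System.arraycopy(ct, 0, out, BLOCK, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Reads the IV back from the first block, then decrypts the rest.
    static String decrypt(SecretKey key, String encoded) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(encoded);
        if (in.length < 2 * BLOCK || in.length % BLOCK != 0) {
            throw new GeneralSecurityException("malformed ciphertext");
        }
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(in, 0, BLOCK));
        byte[] pt = cipher.doFinal(in, BLOCK, in.length - BLOCK);
        return new String(pt, StandardCharsets.UTF_8);
    }

    // True if the first two 16-byte ciphertext blocks are identical.
    static boolean firstTwoBlocksEqual(byte[] ct) {
        return Arrays.equals(Arrays.copyOfRange(ct, 0, BLOCK),
                             Arrays.copyOfRange(ct, BLOCK, 2 * BLOCK));
    }

    public static void main(String[] args) throws Exception {
        // Assumption: a throwaway key; a real service loads it from secure storage.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        // Random IV: the same plaintext never produces the same output twice.
        String c1 = encrypt(key, "hello");
        String c2 = encrypt(key, "hello");
        System.out.println("outputs differ:  " + !c1.equals(c2));
        System.out.println("round trip ok:   " + "hello".equals(decrypt(key, c1)));

        // Constructed plaintext: two identical 16-byte blocks.
        byte[] twoBlocks = "YELLOW SUBMARINEYELLOW SUBMARINE".getBytes(StandardCharsets.UTF_8);

        Cipher ecb = Cipher.getInstance("AES/ECB/PKCS5Padding");
        ecb.init(Cipher.ENCRYPT_MODE, key);
        System.out.println("ECB blocks repeat: " + firstTwoBlocksEqual(ecb.doFinal(twoBlocks)));

        byte[] iv = new byte[BLOCK];
        RNG.nextBytes(iv);
        Cipher cbc = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cbc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        System.out.println("CBC blocks repeat: " + firstTwoBlocksEqual(cbc.doFinal(twoBlocks)));
    }
}
```

The IV is not secret, so it can travel with the ciphertext; it only has to be unpredictable and never reused with the same key. CBC on its own gives confidentiality only, so where tampering matters a MAC over the IV and ciphertext is needed as well.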
PBKDF2
• Password-Based Key Derivation Function 2
• Widely used for user password encryption
• Prevents brute-force attacks by iteration (key stretching)
1. Generate a random key based on the password
2. Add salt
3. Iterate enough times to produce the hash
Public Key Encryption
• Asymmetric Key Algorithm
• Encrypt with Public Key
• Decrypt with Private Key
• Resolves the difficulty of key sharing
• Used for
- Authentication
- Non-Repudiation
- Digital Signature
Public Key Cryptography
RSA
• Rivest, Shamir, Adleman
• uses HUGE prime numbers as keys
• Much calculation, slow
ECDSA
• Elliptic Curve Digital Signature Algorithm
• Bitcoin
DSA
• Digital Signature Algorithm
13 = A * B
A=? and B=?
472,882,027 = A * B
A=? and B=?
Key Exchange
• Key agreement
- Procedure to get agreement on key exchange
- Diffie-Hellman Algorithm (SSH, SSL)
(https://www.youtube.com/watch?v=wLFztjQDdzI)
• Key Encipherment
- RSA Algorithm
1. Receiver generates a symmetric key
2. Encrypt the symmetric key with the sender’s public key
3. Transfer to the sender
SSL / TLS
• Session Key: symmetric key for a session
• SSL Handshake: key exchange procedure for an SSL session (Diffie-Hellman)
• SSL uses a symmetric key (session key) throughout the session
• Session key cache to speed things up
• TLS 1.2/1.3
• Excessive session timeout NOT recommended
PGP
• Pretty Good Privacy
• 1991 by Phil Zimmermann
• Used for Email Encryption
• Public Key Repository (http://pgp.mit.edu)
• GPG Tools
• Lack of Certificate Authority
CA: Certificate Authority
SSL Certificate
SSL certificate issued by CA
• Public Key Certificate
• CA certifies ownership of the Public Key
• CA signs the Public Key with its own Private Key
• Validate the SSL certificate with the CA public key when establishing an SSL session
• Start to trust the owner of an SSL certificate certified by a CA
• Verification of domain ownership by certificate chain
Self-Signed SSL Certificate
• Certified by its own CA
• NO trust from browsers
Authentication vs. Authorization
Authentication
• Validate that a user (or entity) is the right one
• By password, biometry (fingerprint, face/palm/iris scan, voice signature), smart card, OTP, etc.
Authorization
• Decide whether to allow or not (permission)
• Authentication is followed by Authorization
HSM: Hardware Security Module
• Security Compliance
• Embedded circuit (or software) to perform cryptographic calculation
• Key management
• No access to keys from outside
• Self-destroys keys on unauthorized disassembly attempts*
• Keep information safe
• Cloud-based HSM available (AWS, Azure, etc.)
Rules of Thumb
PLEASE DON’T DO
• DO NOT try to invent a new encryption algorithm yourself
• DO NOT use AES/ECB; use AES/CBC instead
• DO NOT save AES keys and IVs as files
• DO NOT use self-signed certificates (if possible)
PLEASE DO
• PBKDF2 for user passwords
• Use salt with one-way hashing to avoid rainbow attacks
• Use key stretching (hash iteration) to avoid brute-force attacks
• Consider key strength and hash iteration based on the life of the data and its importance
• Use HSM for super-sensitive data
Thanks
Q/A

