DEVOPS Zirvesi 2017
Practical Cryptography and Security Concepts for Developers
Gökhan Şengün
R&D New Product Development Manager
@gokhansengun
gokhansengun@gmail.com
www.gokhansengun.com
Agenda
Motivation and History
Cryptographic Hash Functions
Secure Storage of Secrets
Symmetric Encryption
Asymmetric Encryption
PKI and Digital Signatures
Techniques and Use Cases

!! DISCLAIMER !!
I am neither a cryptographist nor a security professional, just a curious coder who implemented several techniques that will be discussed in the talk. Please consult a security professional in implementing any of the techniques mentioned.

Motivation and History

Scope and Aim of the Talk
Understanding the basics of cryptography in order to understand practical implementations
Learning the concepts and the techniques
Learning how they apply to our daily lives
Not about understanding how the techniques are implemented mathematically
We will just call the mathematical background “magic” and not enter that territory

History
Cryptography is 4000 years old
Julius Caesar (100 BC) used it too
Today it is known as the Caesar Cipher or Shift Cipher
https://learncryptography.com/classical-encryption/caesar-cipher

History
The Caesar Cipher was OK until people found out how it works
Then the Substitution Cipher emerged
http://www.stealthcopter.com/blog/2009/12/python-cryptography-substitution-cipher-improving-on-the-caesar-cipher/

History
The Substitution Cipher was also OK until, again, people found out how it works
Then the Vigenère Cipher emerged
Message: THIS IS ONLY A TEST
Key: CRYPTCRYPTCRYPTCRYP
Encryption: VYFGSKIXCFNOXPSVVPH

Some Useful Functions Provided by Cryptography
Confidentiality
Integrity
Authenticity
Non-Repudiation
These will help us classify problems and match them with solutions

Cryptographic Hash Functions

Popular Hash Functions
MD5
SHA1
SHA256
SHA512
Example
“SC Turkey” → SHA-1 → 98bdf215e96120c968120700ee4952c9fc5b40a7 (20 bytes)

Summary
Verify authenticity of a piece of data
Produce a fixed-length (a few bytes) output called “checksum” or “digest” irrespective of the input data length
Impossible to retrieve the original data just by looking at the output
Generate different output for different data
Generate the same output for the same data

Conversion of the Checksum (Digest) data
Checksums are binary and they are GENERALLY converted to Hex like below

Authenticity of Data
Use Case #1:
You downloaded an ISO file (Ubuntu 16.04.1) via Torrent or an insecure medium
You would like to make sure that the file has not been altered by someone else
Demo

Authenticity of Data
Use Case #2: (DO NOT USE IN PRODUCTION)
You want to keep the user’s password in the DB to use in authenticating your users
But you do not want to store it directly
So you store the password’s hash in the DB
Every time the user logs in, you compare the hash of the provided password with the one in the DB

Authenticity of Data
Other Use Cases:
Git uses SHA-1 hashes of the objects (blob, commit, tree) to ID them
You can calculate hashes of your caches in order to evict and update them
You can calculate hashes to version your data just like Git does

Authenticity of Data – The Risk
The Rainbow Tables
Precomputed tables for reversing Cryptographic Hash Functions
So do not just hash the passwords and keep them in the DB.
LinkedIn made this mistake in 2012 and 167M password hashes leaked
117M of 167M could be cracked

Hash Collision
Cryptographic Hash Functions promise NOT to produce the same output for different inputs. A Hash Collision occurs if they do not keep their promise :-)
A hash algorithm is considered broken if a Hash Collision is found
MD5 has been broken for years (since 2007)
SHA-1 was broken on 23 Feb 2017!!
It required 6610 years of processor time to do it

Hashed Message Authentication Code (HMAC)
What if we would like to carry the checksum with the message itself?

HMAC – Sending a Message
Graphics From: https://docstore.mik.ua/orelly/other/puis3rd/0596003234_puis3-chp-7-sect-4.html

HMAC – Validating a Message
Graphics From: https://docstore.mik.ua/orelly/other/puis3rd/0596003234_puis3-chp-7-sect-4.html

Hashed Message Authentication Code (HMACs)
Meaningful if the data transmitted is constantly changing, is not confidential, and its integrity is important
Use case example: NTP (Network Time Protocol) – time is sent in plain text but its authenticity is checked
The HMAC key needs to be “somehow” shared between the parties
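
The HMAC send and validate steps above, as an added example that is not part of the original slides. The frame layout (`message|hex tag`), the function names, the key and the NTP-like sample message are assumptions constructed for illustration.

```python
import hashlib
import hmac

TAG_HEX_LEN = hashlib.sha256().digest_size * 2  # 64 hex characters


def send(key: bytes, message: bytes) -> bytes:
    """Sender: the message stays in plain text, the HMAC tag travels with it."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return message + b"|" + tag.encode("ascii")


def receive(key: bytes, frame: bytes) -> bytes:
    """Receiver: recompute the tag with the shared key, return the message if it matches."""
    # The hex tag never contains "|", so splitting on the last "|" is unambiguous
    # even when the message itself contains that character.
    message, sep, tag_hex = frame.rpartition(b"|")
    if not sep or len(tag_hex) != TAG_HEX_LEN:
        raise ValueError("malformed frame")
    expected = hmac.new(key, message, hashlib.sha256).hexdigest().encode("ascii")
    # compare_digest takes the same time wherever the first mismatch is,
    # so a forger learns nothing from response timing.
    if not hmac.compare_digest(expected, tag_hex):
        raise ValueError("HMAC mismatch: message altered or wrong key")
    return message


def is_accepted(key: bytes, frame: bytes) -> bool:
    """Convenience wrapper: True only when the frame validates under this key."""
    try:
        receive(key, frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    shared_key = b"constructed-demo-key-0123456789ab"   # constructed sample key
    frame = send(shared_key, b"time=2017-03-04T10:15:00Z")  # constructed sample message
    tampered = frame.replace(b"10:15", b"23:15")

    print("original accepted:       ", is_accepted(shared_key, frame))
    print("tampered accepted:       ", is_accepted(shared_key, tampered))
    print("wrong key accepted:      ", is_accepted(b"some-other-key", frame))
    print("frame without tag accepted:", is_accepted(shared_key, b"time=now"))
```
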

Secure Storage of Secrets (e.g. Password)

Summary
We have shown that taking the hash of the secrets (e.g. password) and keeping it in the DB is not a good idea
It has never been a good idea and has embarrassed LinkedIn for years since 2012
So what should be the way to go?

Options
Option #1: Keep secret (password) in plain text
Pros/Cons:
This is definitely not an option
When an attacker breaches the database (by SQL injection or any other way), s/he can retrieve all of your passwords

Options
Option #2: Encrypt passwords with a symmetric key when storing and retrieving
Pros/Cons:
Passwords are not in plain text
When the database and the secret key are breached, all of the passwords could be cracked
It is very difficult to keep the secret key really secret and safe

Options
Option #3: Use a hashing function on the password, but now multiple times (like 1000 times)
Hash = sha1(sha1(sha1(…)))
Pros/Cons:
Passwords are not in plain text
Still vulnerable to rainbow attacks

Options
Option #4: Salting

Options
Option #4: Salted Hashes (depiction)
Password + Salt → Cryptographic Hash Function → d1d3ec2e6f20fd420d50e2642992841d8338a314b8ea157c9e18477aaef226ab

Options
Option #4: Use a hashing function with a salt in addition to the password
Pros/Cons:
Passwords are not in plain text
Salted hashing produces different hashes even for the same passwords
Safe against rainbow attacks but not that good against brute force attacks
Modern GPUs can calculate billions of hashes per second

Options
Option #5: Make salted hashes secure by iterations (like 1000), Password Based Key Derivation Functions (PBKDF2)
Pros/Cons:
Passwords are not in plain text
One of the state-of-the-art secure methods in town
Requires lots and lots of CPU cycles
Could be used for DoS attacks

Options
Option #5: PBKDF2 (depiction)
Password + Salt + # of iterations → PBKDF2 → d1d3ec2e6f20fd420d50e2642992841d8338a314b8ea157c9e18477aaef226ab

PBKDF2 is fine but how many iterations are secure?
Moore’s Law:
Overall processing power of computers will double every two years
So your iterations should be doubled every two years
Example: AspNetCore.Identity uses a default value of 1000 for PBKDF2 as per RFC 2898
https://github.com/aspnet/Identity/blob/5480aa182bad3fb3b729a0169d0462873331e306/src/Microsoft.AspNetCore.Identity/PasswordHasher.cs#L113
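
Options #4 and #5 and the "raise the iterations over time" advice, put together as an added example that is not from the slides and is not AspNetCore.Identity's code. The record format, the function names and the policy value of 200,000 iterations are assumptions of this example; the iteration count is stored with each hash so it can be raised later without breaking existing logins.

```python
import hashlib
import hmac
import os

SCHEME = "pbkdf2_sha256"        # label stored in each record (format assumed for this example)
SALT_BYTES = 16                 # fresh random salt per password
CURRENT_ITERATIONS = 200_000    # assumed policy value; raise it as hardware gets faster
MAX_ITERATIONS = 10_000_000     # refuse absurd stored values instead of burning CPU on them


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str,
                    policy_iterations: int = CURRENT_ITERATIONS):
    """Return (is_valid, needs_rehash) for a candidate password and a stored record."""
    try:
        scheme, iter_text, salt_hex, digest_hex = record.split("$")
        iterations = int(iter_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False, False     # malformed record: never treat it as a match
    if scheme != SCHEME or not 1 <= iterations <= MAX_ITERATIONS:
        return False, False
    # Re-derive with the salt and iteration count that were used when the
    # record was created, then compare in constant time.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    is_valid = hmac.compare_digest(candidate, expected)
    return is_valid, is_valid and iterations < policy_iterations


def login(db: dict, user: str, password: str,
          policy_iterations: int = CURRENT_ITERATIONS) -> bool:
    """Check a login against db (user -> record) and upgrade stale records on success."""
    record = db.get(user)
    if record is None:
        return False
    ok, stale = verify_password(password, record, policy_iterations)
    if ok and stale:
        # The plain-text password is only available at login time, so this is
        # the moment to re-hash it with the current iteration count.
        db[user] = hash_password(password, policy_iterations)
    return ok


if __name__ == "__main__":
    # Constructed sample data: one user whose record was created under an old policy.
    db = {"alice": hash_password("correct horse", iterations=1000)}
    print("same password, two records differ:",
          hash_password("correct horse", 1000) != hash_password("correct horse", 1000))
    print("wrong password accepted:", login(db, "alice", "battery staple"))
    print("right password accepted:", login(db, "alice", "correct horse"))
    print("iterations after login: ", db["alice"].split("$")[1])
```
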

Symmetric-Key Encryption

Summary
An encryption system in which the sender and receiver of a message share a single, common key that can encrypt and decrypt the message
http://etutorials.org/Networking/Wireless+lan+security/Chapter+2.+Basic+Security+Mechanics+and+Mechanisms/Security+Mechanics/

Characteristics
Also called Secret Key Encryption
Provides very fast and secure encryption
Key sharing (distribution) is a big problem
Communication is cracked as a whole if the key is compromised
Key size relates to the strength of the algorithm
Types
DES (Data Encryption Standard)
Triple DES
AES (Advanced Encryption Standard)

Asymmetric-Key Encryption

Summary
An encryption system having a pair of keys where the data encrypted with one key can only be decrypted with the other
https://msdn.microsoft.com/en-us/library/ff647097.aspx

Characteristics
Also called Public Key Cryptography
Attempts to solve the biggest problem of Symmetric-Key Encryption, namely Key Sharing (distribution)
Both parties have a private and a public key, where the public key is distributed to anyone and the private key remains secret
Provides slow but secure encryption
Not feasible to use alone for encrypted communication due to its expensive nature; it usually closes the gap of Symmetric-Key Encryption

Types
RSA (Rivest, Shamir, Adleman) Cryptosystem
ElGamal Cryptosystem
Elliptic Curve Cryptography
RSA is the widely known and used one
Each party generates a pair of keys (public and private)
RSA is based on the practical difficulty of factoring the product of two large prime numbers

PKI and Digital Signatures

Summary
A public key infrastructure (PKI) supports
Distributing public encryption keys
Identifying public encryption keys
Securing exchange of data over untrusted networks (such as the Internet)
Verifying the identity of the other party

Digital Signatures – Summary
Provides Integrity and Non-Repudiation
Just like HMACs but with Asymmetric Keys (so no problem with distributing the secret key)
Remember how it was with HMAC first below
https://msdn.microsoft.com/en-us/library/ff647097.aspx

Creating a Digital Signature
https://www.signinghub.com/oldelectronic-signatures-draft/

Verifying a Digital Signature
https://www.signinghub.com/oldelectronic-signatures-draft/

Digital Certificates – Summary
Provides Authenticity, the simple but missing feature
CAs (Certification Authorities) guarantee the validity of the information in the certificate by signing it
Digital Certificates contain the Public Key of the identity for which the certificate is issued
Therefore solving the key distribution problem

Obtaining a Digital Certificate
https://msdn.microsoft.com/en-us/library/ff647097.aspx

Verifying a Digital Certificate (Chain)
https://sites.google.com/site/ddmwsst/digital-certificates

Techniques and Use Cases

HTTPS
HTTPS is nothing but plain HTTP with an SSL/TLS handshake
Any TCP-based protocol can be secured with SSL/TLS
Examples: HTTPS, FTPS, SMTPS, NTPS
So let’s look at SSL and the SSL Handshake

SSL/TLS
SSL/TLS is a secure handshake protocol that provides encryption on the transport (TCP) layer
Provides Confidentiality and Data Integrity
SSL (Secure Socket Layer) is superseded by TLS (Transport Layer Security)
SSL is still referred to in docs and APIs although it was obsoleted a long time ago
If somebody says SSL, s/he probably means TLS

SSL/TLS Handshake

Cipher Suites
A collection of symmetric and asymmetric encryption algorithms grouped together to be used in determining a common suite

HTTP – MITM (Man in the Middle) Attack

HTTP – MITM Attack Examples
Great China DDoSed GitHub
Tunisia Telco recorded Facebook passwords on the login page
Your ISP (telco) for the AKK (Adil Kullanım Kotası, Fair Usage Quota) message
Free WiFi hotspots using “Captive Portals”
Yourself when using an HTTP proxy like Fiddler or Burp Suite
Your employer if using a corporate HTTP proxy

HTTPS – Why is it important?
Confidentiality
Communication is private
Integrity
No intermediary can modify the content
Authenticity
Client may validate server’s identity
Server may validate client’s identity (Not used)
So HTTPS everything

HTTPS – Any disadvantages?
Requires more CPU cycles (< 2%)
Increases page load time (due to SSL negotiation, < 3%)
Obsolete with HTTP/2 adoption

Let’s Encrypt
Digital certificates are issued for free (sponsored)
Need to demonstrate control over the domain
Uses Certbot to issue and auto-renew certs
Certificates are issued for only 3 months
https://certbot.eff.org
https://github.com/certbot/certbot

Self-signed Certificates
Certificate is signed by its own private key, hence self-signed
Best for development
Beneficial in internal use where certificate stores of computers are reachable
Beneficial in an isolated network
Might lose value after Let’s Encrypt adoption
Very easy to generate with OpenSSL
Just provide X.509 attributes in the CSR
Demo

SSL/TLS Tools
OpenSSL
A full-blown crypto library
Also includes a TLS API
https://badssl.com
Observe browser behaviors on SSL/TLS vulnerabilities
https://www.ssllabs.com/ssltest/
Analysis on your SSL

SSH (Secure SHell)
http://sebastien.saunier.me/blog/2015/05/10/github-public-key-authentication.html

VPN
Stands for Virtual Private Network
Creates an encrypted tunnel between two points on the insecure medium (internet)
IPSec VPNs provide Network Layer (IP) Security
IPSec VPNs may require 3rd party HW and/or SW to work, which provide additional security
SSL VPNs rely on browser capability; everybody has browsers, so everybody has client SW

Perfect Forward Secrecy
What if all the SSL/TLS traffic is recorded for years and the private key is obtained afterwards?
All the traffic could be decrypted
Perfect Forward Secrecy attempts to solve this by using ephemeral private keys and rotating them from time to time
Good old Diffie-Hellman key exchange algorithm to the rescue
The RSA private key could still be used for accomplishing authenticity while DH is used for determining the shared secret

THANKS

Professional Resume Template for Software DevelopersVinodh Ram
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 

Recently uploaded (20)

Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number Systems
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 

Practical Cryptography and Security Concepts for Developers

  • 1. DEVOPS Zirvesi 2017 Practical Cryptography and Security Concepts for Developers Gökhan Şengün Ar-Ge Yeni Ürün Geliştirme Müdürü @gokhansengun gokhansengun@gmail.com www.gokhansengun.com
  • 3. DEVOPS Zirvesi 2017 Agenda Motivation and History Cryptographic Hash Functions Secure Storage of Secrets Symmetric Encryption Asymmetric Encryption PKI and Digital Signatures Techniques and Use Cases
  • 4. DEVOPS Zirvesi 2017 !! DISCLAIMER !! I am neither a cryptographist nor a security professional, just a curious coder who implemented several techniques that will be discussed in the talk. Please consult a security professional when implementing any of the techniques mentioned.
  • 6. DEVOPS Zirvesi 2017 Scope and Aim of the Talk Understanding the basics of cryptography in order to understand practical implementations Learning the concepts and the techniques Learning how they apply to our daily lives Not about understanding how the techniques are implemented mathematically We will just call the mathematical background “magic” and not enter that territory Motivation and History
  • 7. DEVOPS Zirvesi 2017 History Cryptography is 4000 years old Julius Caesar (BC 100) used it too Known today as the Caesar Cipher or Shift Cipher Motivation and History https://learncryptography.com/classical-encryption/caesar-cipher
  • 8. DEVOPS Zirvesi 2017 History Caesar Cipher was OK until people found out how it works Then the Substitution Cipher emerged Motivation and History http://www.stealthcopter.com/blog/2009/12/python-cryptography-substitution-cipher-improving-on-the-caesar-cipher/
  • 9. DEVOPS Zirvesi 2017 History Substitution Cipher was also OK until, again, people found out how it works Then the Vigenere Cipher emerged Motivation and History Message: THIS IS ONLY A TEST Key: CRYPTCRYPTCRYPTCRYP Encryption: VYFGSKIXCFNOXPSVVPH
  • 10. DEVOPS Zirvesi 2017 Some Useful Functions Provided by Cryptography Confidentiality Integrity Authenticity Non-Repudiation These will help us classify problems and match them with solutions Motivation and History
  • 12. DEVOPS Zirvesi 2017 Popular Hash Functions MD5 SHA1 SHA256 SHA512 Example Cryptographic Hash Functions “SC Turkey” SHA-1 98bdf215e96120c968120700ee4952c9fc5b40a7 20 Bytes
  • 13. DEVOPS Zirvesi 2017 Summary Verify authenticity of a piece of data Produce a fixed-length (a few bytes) output called “checksum” or “digest” irrespective of the input data length Impossible to retrieve original data just looking at the output Generate different output for different data Generate the same output for the same data Cryptographic Hash Functions
  • 14. DEVOPS Zirvesi 2017 Conversion of the Checksum (Digest) data Checksums are binary and they are GENERALLY converted to Hex like below Cryptographic Hash Functions
  • 15. DEVOPS Zirvesi 2017 Authenticity of Data Use Case #1: You downloaded an ISO file (Ubuntu 16.04.1) via Torrent or an insecure medium You would like to make sure that the file is not altered by someone else Demo Cryptographic Hash Functions
  • 16. DEVOPS Zirvesi 2017 Authenticity of Data Use Case #2: (DO NOT USE IN PRODUCTION) You want to keep user’s password in the DB to use in authenticating your users But you do not want to store it directly So you store password’s hash in the DB Every time the user is logging in, you compare the hash of provided password and the one in DB Cryptographic Hash Functions
  • 17. DEVOPS Zirvesi 2017 Authenticity of Data Other Use Cases: Git uses SHA-1 hashes of the objects (blob, commit, tree) to ID them You can calculate hashes of your caches in order to evict and update them You can calculate hashes to version your data just like how Git does Cryptographic Hash Functions
  • 18. DEVOPS Zirvesi 2017 Authenticity of Data – The Risk The Rainbow Tables Precomputed tables for reversing Cryptographic Hash Functions So do not just hash the passwords and keep them in the DB. LinkedIn made this mistake in 2012 and 167M password hashes leaked 117M of 167M could be cracked Cryptographic Hash Functions
  • 19. DEVOPS Zirvesi 2017 Hash Collision Cryptographic Hash Functions promise NOT to produce the same output for different inputs. A Hash Collision occurs if they do not keep their promise :-) A hash algorithm is considered broken if a Hash Collision is found MD5 was broken for years (since 2007) SHA-1 was broken on 23 Feb 2017!! It required 6610 years of processor time to do it Cryptographic Hash Functions
  • 20. DEVOPS Zirvesi 2017 Hashed Message Authentication Code (HMAC) What if we would like to carry the checksum with the message itself? Cryptographic Hash Functions
  • 21. DEVOPS Zirvesi 2017 HMAC – Sending a Message Cryptographic Hash Functions Graphics From: https://docstore.mik.ua/orelly/other/puis3rd/0596003234_puis3-chp-7-sect-4.html
  • 22. DEVOPS Zirvesi 2017 HMAC – Validating a Message Cryptographic Hash Functions Graphics From: https://docstore.mik.ua/orelly/other/puis3rd/0596003234_puis3-chp-7-sect-4.html
  • 23. DEVOPS Zirvesi 2017 Hashed Message Authentication Code (HMACs) Meaningful if the data transmitted is constantly changing, is not confidential, and its integrity is important Use case example: NTP (Network Time Protocol) – time is sent in plain text but its authenticity is checked The HMAC key needs to be “somehow” shared between parties Cryptographic Hash Functions
  • 24. DEVOPS Zirvesi 2017 Secure Storage of Secrets (e.g. Password)
  • 25. DEVOPS Zirvesi 2017 Summary We have shown that taking the hash of the secrets (e.g. password) and keep it in the DB was not a good idea It has never been a good idea and had LinkedIn embarrassed for years since 2012 So what should be the way to go? Secure Storage of Secrets
  • 26. DEVOPS Zirvesi 2017 Options Option #1: Keep secret (password) in plain text Pros/Cons: This is definitely not an option When an attacker breaches the database (by SQL injection or any other way), s/he can retrieve all of your passwords Secure Storage of Secrets
  • 27. DEVOPS Zirvesi 2017 Options Option #2: Encrypt passwords with a symmetric key in storing and retrieving Pros/Cons: Passwords are not in plain text When the database and the secret key are breached, all of the passwords could be cracked It is very difficult to keep the secret key really secret and safe Secure Storage of Secrets
  • 28. DEVOPS Zirvesi 2017 Options Option #3: Use hashing function on the password but now multiple times (like 1000 times) Hash = sha1(sha1(sha1(…))) Pros/Cons: Passwords are not in plain text Still vulnerable to rainbow attacks Secure Storage of Secrets
  • 29. DEVOPS Zirvesi 2017 Options Option #4: Salting Secure Storage of Secrets
  • 30. DEVOPS Zirvesi 2017 Options Option #4: Salted Hashes (depiction) Secure Storage of Secrets Password Salt Cryptographic Hash Function d1d3ec2e6f20fd420d50e2642992841d833 8a314b8ea157c9e18477aaef226ab
  • 31. DEVOPS Zirvesi 2017 Options Option #4: Use hashing function with a salt in addition to the password Pros/Cons: Passwords are not in plain text Salted hashing produce different hashes even for the same passwords Safe against rainbow attack but not that good against brute force attack Modern GPUs can calculate billions of hashes per second Secure Storage of Secrets
  • 32. DEVOPS Zirvesi 2017 Options Option #5: Make salted hashes secure by iterations (like 1000), Password Based Key Derivation Functions (PBKDF2) Pros/Cons: Passwords are not in plain text One of the state of the art secure methods in the town Requires lots and lots of CPU cycles Could be used for DOS attacks Secure Storage of Secrets
  • 33. DEVOPS Zirvesi 2017 Options Option #5: PBKDF2 (depiction) Secure Storage of Secrets Salt # of iteration PBKDF2 d1d3ec2e6f20fd420d50e2642992841d833 8a314b8ea157c9e18477aaef226ab Password
  • 34. DEVOPS Zirvesi 2017 PBKDF2 is fine but how many iterations are secure? Moore’s Law: Overall processing power of computers will double every two years So your iterations should be doubled every two years Example: AspNetCore.Identity uses a default value of 1000 for PBKDF2 as per Rfc2898 https://github.com/aspnet/Identity/blob/5480aa182bad3fb3b729a0169d0462873331e306/src/Microsoft.AspNetCore.Identity/PasswordHasher.cs#L113 Secure Storage of Secrets
  • 36. DEVOPS Zirvesi 2017 Summary An encryption system in which the sender and receiver of a message shares a single, common key that can encrypt and decrypt the message Symmetric-Key Encryption http://etutorials.org/Networking/Wireless+lan+security/Chapter+2.+Basic+Security+Mechanics+and+Mechanisms/Security+Mechanics/
  • 37. DEVOPS Zirvesi 2017 Characteristics Also called Secret Key Encryption Provides very fast and secure encryption Key sharing (distribution) is a big problem Communication is cracked as a whole if the key is compromised Key size relates to the strength of the algorithm Types DES (Data Encryption Standard) Triple DES AES (Advanced Encryption Standard) Symmetric-Key Encryption
  • 39. DEVOPS Zirvesi 2017 Summary An encryption system having a pair of keys where the data encrypted with one key can only be decrypted with the other Asymmetric-Key Encryption https://msdn.microsoft.com/en-us/library/ff647097.aspx
  • 40. DEVOPS Zirvesi 2017 Characteristics Also called Public Key Cryptography Attempts to solve biggest problem of Symmetric-Key Encryption namely Key Sharing (distribution) Both parties have a private and public keys where public key is distributed to anyone and private key remains secret Provides slow but secure encryption Not feasible to be used alone in encrypted communication due to expensive nature usually closes the gap of Symmetric-Key Encryption Asymmetric-Key Encryption
  • 41. DEVOPS Zirvesi 2017 Types RSA (Rivest, Shamir, Adelman) Cryptosystem ElGamal Cryptosystem Elliptic Curve Cryptography RSA is the widely known and used one Each party generates a pair of keys (public and private) RSA is based on the practical difficulty of factoring the product of two large prime numbers Asymmetric-Key Encryption
  • 42. DEVOPS Zirvesi 2017 PKI and Digital Signatures
  • 43. DEVOPS Zirvesi 2017 Summary A public key infrastructure (PKI) supports Distributing public encryption keys Identifying public encryption keys Securing exchange of data over untrusted networks (such as the Internet) Verifying the identity of the other party PKI (Public Key Infrastructure)
  • 44. DEVOPS Zirvesi 2017 Distributing public encryption keys Identifying public encryption keys Securing exchange of data over untrusted networks (such as the Internet) Verifying the identity of the other party PKI (Public Key Infrastructure)
  • 45. DEVOPS Zirvesi 2017 Digital Signatures – Summary Provides Integrity and Non-Repudiation Just like HMACs but with Asymmetric Keys (so no problem with distributing the secret key) Remember how it was with HMAC first below PKI (Public Key Infrastructure) https://msdn.microsoft.com/en-us/library/ff647097.aspx
  • 46. DEVOPS Zirvesi 2017 Creating a Digital Signature PKI (Public Key Infrastructure) https://www.signinghub.com/oldelectronic-signatures-draft/
  • 47. DEVOPS Zirvesi 2017 Verifying a Digital Signature PKI (Public Key Infrastructure) https://www.signinghub.com/oldelectronic-signatures-draft/
  • 48. DEVOPS Zirvesi 2017 Digital Certificates – Summary Provides Authenticity, simple but the missing feature CAs (Certification Authorities) guarantee the validity of the information in the certificate by signing it Digital Certificates contain the Public Key of the identity for which the certificate is issued Therefore solving the key distribution problem PKI (Public Key Infrastructure)
  • 49. DEVOPS Zirvesi 2017 Obtaining a Digital Certificate PKI (Public Key Infrastructure) https://msdn.microsoft.com/en-us/library/ff647097.aspx
  • 50. DEVOPS Zirvesi 2017 Verifying a Digital Certificate (Chain) PKI (Public Key Infrastructure) https://sites.google.com/site/ddmwsst/digital-certificates
  • 52. DEVOPS Zirvesi 2017 HTTPS HTTPS is nothing but plain HTTP with SSL/TLS handshake Any TCP-based protocol can be secured with SSL/TLS Examples: HTTPS, FTPS, SMTPS, NTPS So let’s look at SSL and SSL Handshake Techniques and Use Cases
  • 53. DEVOPS Zirvesi 2017 SSL/TLS SSL/TLS is secure handshake protocol that provides encryption on the transport (TCP) layer Provides Confidentiality and Data Integrity SSL (Secure Socket Layer) is superseded by TLS (Transport Layer Security) SSL is still referred to in docs and APIs although obsoleted long time ago If somebody says SSL, s/he is probably meaning TLS Techniques and Use Cases
  • 54. DEVOPS Zirvesi 2017 SSL/TLS Handshake Techniques and Use Cases
  • 55. DEVOPS Zirvesi 2017 Cipher Suites A collection of symmetric and asymmetric encryption algorithms grouped together to be used in determining common set of a suite Techniques and Use Cases
  • 56. DEVOPS Zirvesi 2017 HTTP – MITM (Man in the Middle) Attack Techniques and Use Cases
  • 57. DEVOPS Zirvesi 2017 HTTP – MITM Attack Examples Great China DDoSed GitHub Tunisia Telco recorded Facebook passwords in login page Your ISP (telco) for AKK (Adil Kullanım Kotası) message Free WiFi hotspots using “Captive Portals” Yourself when using an HTTP proxy like Fiddler, Burp Suite Your employer if using a corporate HTTP proxy Techniques and Use Cases
  • 58. DEVOPS Zirvesi 2017 HTTPS – Why is it important? Confidentiality Communication is private Integrity No intermediary can modify the content Authenticity Client may validate server’s identity Server may validate client’s identity (Not used) So HTTPS everything - Techniques and Use Cases
  • 59. DEVOPS Zirvesi 2017 HTTPS – Any disadvantages? Requires more CPU cycles (< 2%) Increase page load time (due to SSL negotiation, < 3%) Obsolete with HTTP/2 adoption Techniques and Use Cases
  • 60. DEVOPS Zirvesi 2017 Let’s Encrypt Digital certificates are issued for free (sponsored) Need to demonstrate the control over the domain Uses Certbot to issue and auto-renew certs Certificates issued for only 3 months https://certbot.eff.org https://github.com/certbot/certbot Techniques and Use Cases
  • 61. DEVOPS Zirvesi 2017 Self-signed Certificates Techniques and Use Cases
  • 62. DEVOPS Zirvesi 2017 Self-signed Certificates Certificate is signed by own private key hence self-signed Best for development Beneficial in internal use where certificate stores of computers are reachable Beneficial in an isolated network Might lose value after Let’s Encrypt adoption Very easy to generate with OpenSSL Just provide X.509 attributes in the CSR Demo Techniques and Use Cases
  • 63. DEVOPS Zirvesi 2017 SSL/TLS Tools OpenSSL A full-blown crypto library Also includes a TLS api https://badssl.com Observe browser behaviors on SSL/TLS vulnerabilities https://www.ssllabs.com/ssltest/ Analysis on your SSL Techniques and Use Cases
  • 64. DEVOPS Zirvesi 2017 SSH (Secure SHell) Techniques and Use Cases http://sebastien.saunier.me/blog/2015/05/10/github-public-key-authentication.html
  • 65. DEVOPS Zirvesi 2017 VPN Stands for Virtual Private Network Creates an encrypted tunnel between two points on the insecure medium (internet) IPSec VPNs provide Network Layer (IP) Security IPSec VPNs may require 3rd party HW and/or SW to work which provide additional security SSL VPNs rely on browser capability, everybody has browsers so everybody has client SW Techniques and Use Cases
  • 66. DEVOPS Zirvesi 2017 Perfect Forward Secrecy What if all the SSL/TLS traffic is recorded for years and the private key is obtained afterwards? All the traffic could be decrypted Perfect Forward Secrecy attempts to solve this by using ephemeral private keys and rotating them from time to time Good old Diffie-Hellman key exchange algorithm to the rescue The RSA private key could still be used for authenticity while DH is used for determining the shared secret Techniques and Use Cases
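The HMAC send/validate flow from slides 20 to 23, as an added Python example that is not part of the talk: it shows why a plain checksum carried with the message gives no protection against an intermediary, while an HMAC tag does. The function names, the packet layout (message followed by a 32-byte tag) and the sample time strings are assumptions constructed for this example.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag appended to each packet


def seal_with_hash(message: bytes) -> bytes:
    """Message followed by its plain SHA-256 checksum (no key involved)."""
    return message + hashlib.sha256(message).digest()


def open_with_hash(packet: bytes):
    """Return the message if the trailing checksum matches, else None."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hashlib.sha256(message).digest()
    return message if hmac.compare_digest(expected, tag) else None


def seal_with_hmac(key: bytes, message: bytes) -> bytes:
    """Message followed by HMAC-SHA256(key, message)."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def open_with_hmac(key: bytes, packet: bytes):
    """Return the message if the trailing HMAC verifies under key, else None."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest is constant-time: timing does not reveal how many
    # leading bytes of a guessed tag were correct.
    return message if hmac.compare_digest(expected, tag) else None


def tamper_report(key: bytes) -> dict:
    """Run the validation side against genuine and altered packets."""
    genuine = b"time=2017-03-01T12:00:00Z"  # constructed sample payloads
    altered = b"time=1999-01-01T00:00:00Z"
    packet = seal_with_hmac(key, genuine)
    return {
        # Anyone can recompute a plain checksum after changing the message.
        "hash_accepts_recomputed_checksum":
            open_with_hash(seal_with_hash(altered)) == altered,
        "hmac_accepts_genuine":
            open_with_hmac(key, packet) == genuine,
        # Without the key, neither a recomputed digest nor the old tag verifies.
        "hmac_accepts_recomputed_checksum":
            open_with_hmac(key, seal_with_hash(altered)) is not None,
        "hmac_accepts_reused_tag":
            open_with_hmac(key, altered + packet[-TAG_LEN:]) is not None,
    }


if __name__ == "__main__":
    import os
    for check, result in tamper_report(os.urandom(32)).items():
        print(f"{check}: {result}")
```

HMAC gives integrity and authenticity only: the payload still travels in plain text, and a valid packet can be replayed unless the message itself carries a timestamp or counter that the receiver checks.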

Editor's Notes

  1. 1. OpenSSL can produce the hex version directly: echo -n "SC Turkey" | openssl dgst -sha1 -hex 2. OpenSSL can produce binary data too: echo -n "SC Turkey" | openssl dgst -sha1 -binary
  2. 1. Go to the path below, where the Ubuntu 16.04.1 ISO is located: /Users/gsengun/Desktop/Work/PackerFiles/packer_cache 2. Run the command below to compute the checksum: openssl sha1 <file_name> 3. Compare it with the checksum published at http://old-releases.ubuntu.com/releases/16.04.1/
  3. 1. Show rainbow table links (http://project-rainbowcrack.com/table.htm) and calculate the hash of a password in the terminal: echo -n "mypassword" | openssl dgst -md5 -hex 2. Go to https://md5.gromweb.com/ and reverse the password
  4. Demo on Nginx self signed certificate
  5. Demo on Nginx self signed certificate
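Options #4 and #5 from the slides (salted hashes, then PBKDF2) together with the advice to raise the iteration count over time, as an added Python example that is not code from the talk. The record format, the function names and the POLICY_ITERATIONS value are assumptions made for this example; the 1000-iteration legacy record mirrors the default the slides quote.

```python
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
POLICY_ITERATIONS = 100_000  # assumed policy value for this example; raise it over time
SALT_BYTES = 16


def unsalted_sha1(password: str) -> str:
    """The 'DO NOT USE IN PRODUCTION' scheme: same password, same digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = POLICY_ITERATIONS) -> str:
    """Return 'algo$iterations$salt$hash' with a fresh random salt per record."""
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations), _b64(salt), _b64(derived)])


def verify_password(password: str, record: str):
    """Return (ok, new_record).

    new_record is a re-hashed record when the login succeeded but the stored
    iteration count is below the current policy; otherwise it is None.
    """
    try:
        algo, iterations_text, salt_text, hash_text = record.split("$")
        iterations = int(iterations_text)
        salt = base64.b64decode(salt_text, validate=True)
        expected = base64.b64decode(hash_text, validate=True)
    except ValueError:  # wrong field count, bad integer or bad base64
        return False, None
    if algo != ALGO or iterations < 1:
        return False, None

    # Re-derive with the salt and iteration count stored in the record itself.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    if not hmac.compare_digest(candidate, expected):  # constant-time comparison
        return False, None

    # The plain-text password is only available at login, so this is the
    # moment to upgrade records created under an older, weaker policy.
    if iterations < POLICY_ITERATIONS:
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    # Two users with the same (constructed) password.
    print("unsalted equal:", unsalted_sha1("mypassword") == unsalted_sha1("mypassword"))
    first, second = hash_password("mypassword"), hash_password("mypassword")
    print("salted records equal:", first == second)
    legacy = hash_password("mypassword", iterations=1000)
    ok, upgraded = verify_password("mypassword", legacy)
    print("legacy login ok:", ok, "| upgraded to", upgraded.split("$")[1], "iterations")
```

Store the returned upgraded record in place of the old one after a successful login; records of users who never log in again stay at the old iteration count.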