For many years, I had entirely given up on ever understanding the anything about cryptography. However, I’ve since learned it’s not nearly as hard as I thought to understand many of the important concepts. In this talk, I’ll take you through some of the underlying principles of modern applications of cryptography. We’ll talk about our goals, the parts are involved, and how to prevent and understand common vulnerabilities. This’ll help you to make better choices when you implement crypto in your products, and will improve your understanding of how crypto is applied to things you already use.

1. Everything I always
wanted to know about
crypto but never thought
I’d understand
= = = ( P R E - T I T L E ) = = =

2. R
B
G
Y
Hello there, 16:9
I am a test slide to make sure everything looks good.

3. Everything I always
wanted to know about
crypto but never thought
I’d understand
S A S H A R O M I J N
S A S H A @ M X S A S H A . E U
@ M X S A S H

4. S A S H A R O M I J N
@ M X S A S H
S A S H A @ M X S A S H A . E U
S H E / H E R

5. 1 Compute n = pq.
• n is used as the modulus for both the public and private keys. Its length, usually expressed in
bits, is the key length.
2 Compute φ(n) = φ(p)φ(q) = (p − 1)(q − 1) = n - (p + q -1), where φ is Euler's totient function. This
value is kept private.
3 Choose an integer e such that 1 < e < φ(n) and gcd(e, φ(n)) = 1; i.e., e and φ(n) are coprime.
• e is released as the public key exponent.
• e having a short bit-length and small Hamming weight results in more efficient encryption –
most commonly 216 + 1 = 65,537. However, much smaller values of e (such as 3) have been
shown to be less secure in some settings.[5]
4 Determine d as d ≡ e−1 (mod φ(n)); i.e., d is the modular multiplicative inverse of e (modulo φ(n)).
• This is more clearly stated as: solve for d given d⋅e ≡ 1 (mod φ(n))
• This is often computed using the extended Euclidean algorithm. Using the pseudocode in the
Modular integers section, inputs a and n correspond to e and φ(n), respectively.
• d is kept as the private key exponent.

7. @mxsashsasha@mxsasha.eu
(read as single line)

8. @mxsashsasha@mxsasha.eu
ibhknebufk'bjhsn
hifk'durtfcbu
(read as single line)

9. @mxsashsasha@mxsasha.eu
SINGLE BYTE XOR CIPHER
ibhknebufk'bjhsnhifk'durtfcbu

10. @mxsashsasha@mxsasha.eu
SINGLE BYTE XOR CIPHER
ibhknebufk'bjhsnhifk'durtfcbu

11. @mxsashsasha@mxsasha.eu
SINGLE BYTE XOR CIPHER
ibhknebufk'bjhsnhifk'durtfcbu
k

12. @mxsashsasha@mxsasha.eu
SINGLE BYTE XOR CIPHER
ibhknebufk'bjhsnhifk'durtfcbu
k

13. @mxsashsasha@mxsasha.eu
SINGLE BYTE XOR CIPHER
ibhknebufk'bjhsnhifk'durtfcbu
k
neoliberal emotional crusader

14. @mxsashsasha@mxsasha.eu
SINGLE BYTE XOR CIPHER
ibhknebufk'bjhsnhifk'durtfcbu
k
'i' / 0x69 / 0b01101001
k = 0x07 / 0b00000111
neoliberal emotional crusader

15. @mxsashsasha@mxsasha.eu
SINGLE BYTE XOR CIPHER
ibhknebufk'bjhsnhifk'durtfcbu
k
'i' / 0x69 / 0b01101001
k = 0x07 / 0b00000111
'n' / 0x6e / 0b01101110
neoliberal emotional crusader

16. @mxsashsasha@mxsasha.eu
ESSENTIAL PROPERTIES
Security must not depend on secrecy of
chosen algorithm or parameters - only key1

17. @mxsashsasha@mxsasha.eu
ESSENTIAL PROPERTIES
2
Ciphertext close to random and no hint to
structure of cleartext
Security must not depend on secrecy of
chosen algorithm or parameters - only key1

18. @mxsashsasha@mxsasha.eu
ESSENTIAL PROPERTIES
2
If cleartext changes slightly, ciphertext
changes dramatically3
Ciphertext close to random and no hint to
structure of cleartext
Security must not depend on secrecy of
chosen algorithm or parameters - only key1

19. @mxsashsasha@mxsasha.eu
ESSENTIAL PROPERTIES
2
If cleartext changes slightly, ciphertext
changes dramatically3
Capturing a cleartext with ciphertext
must not divulge key info4
Ciphertext close to random and no hint to
structure of cleartext
Security must not depend on secrecy of
chosen algorithm or parameters - only key1

20. @mxsashsasha@mxsasha.eu
ESSENTIAL PROPERTIES
2
If cleartext changes slightly, ciphertext
changes dramatically3
Capturing a cleartext with ciphertext
must not divulge key info4
Ciphertext close to random and no hint to
structure of cleartext
Security must not depend on secrecy of
chosen algorithm or parameters - only key1
~No faster method than full
bruteforce attack5

21. @mxsashsasha@mxsasha.eu
Advanced
Encryption
Standard
(AES) (2001)

22. @mxsashsasha@mxsasha.eu
BLOCK CIPHERS
16 bytes cleartext

23. @mxsashsasha@mxsasha.eu
BLOCK CIPHERS
16 bytes cleartext
16 bytes ciphertext
AES enc
128/192/256
bits key

24. @mxsashsasha@mxsasha.eu
AES ROUNDS

25. @mxsashsasha@mxsasha.eu
AES ROUNDS

26. @mxsashsasha@mxsasha.eu
AES ROUNDS

27. @mxsashsasha@mxsasha.eu
AES ROUNDS

28. @mxsashsasha@mxsasha.eu
BLOCK CIPHERS
16 bytes cleartext
16 bytes ciphertext
AES enc
128/192/256
bits key

29. @mxsashsasha@mxsasha.eu
BLOCK CIPHER MODE
16b cleartxt
16b ciphertxt
AES enck

30. @mxsashsasha@mxsasha.eu
BLOCK CIPHER MODE
16b cleartxt
16b ciphertxt
AES enck
16b cleartxt
16b ciphertxt
AES enck

31. @mxsashsasha@mxsasha.eu
BLOCK CIPHER MODE
Electronic code book (ECB)
16b cleartxt
16b ciphertxt
AES enck
16b cleartxt
16b ciphertxt
AES enck

32. https://commons.wikimedia.org/wiki/File:Tux_ecb.jpg

33. @mxsashsasha@mxsasha.eu
BLOCK CIPHER MODE
Cipher block chaining (CBC)
16b cleartxt
16b ciphertxt
AES enck
16b cleartxt
16b ciphertxt
AES enck

34. @mxsashsasha@mxsasha.eu
BLOCK CIPHER MODE
Cipher block chaining (CBC)
16b cleartxt
16b ciphertxt
AES enck
16b cleartxt
16b ciphertxt
AES enck
IV

35. @mxsashsasha@mxsasha.eu
BLOCK CIPHER MODE
Cipher block chaining (CBC)
16b cleartxt
16b ciphertxt
AES enck
16b cleartxt
16b ciphertxt
AES enck
IV

36. @mxsashsasha@mxsasha.eu
BLOCK CIPHER MODE
Cipher block chaining (CBC)
16b cleartxt
16b ciphertxt
AES enck
16b cleartxt
16b ciphertxt
AES enck
IV

37. @mxsashsasha@mxsasha.eu
BLOCK CIPHER MODE
Counter mode (CTR)
nonce + 000002
16b ciphertxt
AES enck
nonce + 000001
16b ciphertxt
AES enck

38. @mxsashsasha@mxsasha.eu
BLOCK CIPHER MODE
Counter mode (CTR)
nonce + 000002
16b ciphertxt
AES enck
nonce + 000001
16b ciphertxt
AES enck
16B
plain

39. @mxsashsasha@mxsasha.eu
BLOCK CIPHER MODE
Counter mode (CTR)
nonce + 000002
16b ciphertxt
AES enck
nonce + 000001
16b ciphertxt
AES enck
16B
plain
16B
plain

40. http://imgur.com/a/6nIWB#1

41. @mxsashsasha@mxsasha.eu

42. @mxsashsasha@mxsasha.eu
>>> from Crypto.Cipher import AES

43. @mxsashsasha@mxsasha.eu
>>> from Crypto.Cipher import AES
>>> cleartext = 'PURPLE CROCODILE’
>>> key = os.urandom(16)

44. @mxsashsasha@mxsasha.eu
>>> from Crypto.Cipher import AES
>>> cleartext = 'PURPLE CROCODILE’
>>> key = os.urandom(16)
>>> ciphertext = AES.new(key, AES.MODE_ECB)
.encrypt(cleartext)
>>> ciphertext
b'Dx1cDx8e4x1fx8d(xbdxf9yxabx94x14x02xf2'

45. @mxsashsasha@mxsasha.eu
>>> from Crypto.Cipher import AES
>>> cleartext = 'PURPLE CROCODILE’
>>> key = os.urandom(16)
>>> ciphertext = AES.new(key, AES.MODE_ECB)
.encrypt(cleartext)
>>> ciphertext
b'Dx1cDx8e4x1fx8d(xbdxf9yxabx94x14x02xf2'
>>> AES.new(key, AES.MODE_ECB)
.decrypt(ciphertext)
b'PURPLE CROCODILE’

46. @mxsashsasha@mxsasha.eu
>>> from Crypto.Cipher import AES
>>> cleartext = 'PURPLE CROCODILE’
>>> key = os.urandom(16)
>>> ciphertext = AES.new(key, AES.MODE_ECB)
.encrypt(cleartext)
>>> ciphertext
b'Dx1cDx8e4x1fx8d(xbdxf9yxabx94x14x02xf2'
>>> AES.new(key, AES.MODE_ECB)
.decrypt(ciphertext)
b'PURPLE CROCODILE’
>>> AES.new('xxxxxxxxxxxxxxxx', AES.MODE_ECB)
.decrypt(ciphertext)
b"C_@x0ed#x07xffxb50x19xd4'(3xcf"

47. @mxsashsasha@mxsasha.eu
CBC DECRYPTION
16b cleartxt
16b ciphertxt
AES deck
16b cleartxt
16b ciphertxt
AES deck

48. @mxsashsasha@mxsasha.eu
CBC DECRYPTION
16b cleartxt
16b ciphertxt
AES deck
16b cleartxt
16b ciphertxt
AES deck
0→1

49. @mxsashsasha@mxsasha.eu
CBC DECRYPTION
16b cleartxt
16b ciphertxt
AES deck
16b cleartxt
16b ciphertxt
AES deck
0→1
<garbage>

50. @mxsashsasha@mxsasha.eu
CBC DECRYPTION
16b cleartxt
16b ciphertxt
AES deck
16b cleartxt
16b ciphertxt
AES deck
0→1
0→1
<garbage>

51. @mxsashsasha@mxsasha.eu
Hashing and
authentication

52. @mxsashsasha@mxsasha.eu
CRYPTOGRAPHIC HASHING
purple SHA-2
65e41a235a7fabc751a4dbdea081
810e203ae323f703451c423c1ede
purplf SHA-2
7c2da082cb27371197eeea108675
4250eb4742c63bff8fbad6a53332
purpl SHA-2
01ef04256fd0f350158f0f84f4e1
a5d1df29ebebf26dc5a1f53413f5

53. @mxsashsasha@mxsasha.eu
GOOD CRYPTOGRAPHIC HASHES
Hash calculation is fast and
requires few resources***1

54. @mxsashsasha@mxsasha.eu
GOOD CRYPTOGRAPHIC HASHES
2
Unfeasible to calculate the original input
based on the hash
Hash calculation is fast and
requires few resources***1

55. @mxsashsasha@mxsasha.eu
GOOD CRYPTOGRAPHIC HASHES
2
Small changes in input lead to large
changes in hash output3
Unfeasible to calculate the original input
based on the hash
Hash calculation is fast and
requires few resources***1

56. @mxsashsasha@mxsasha.eu
GOOD CRYPTOGRAPHIC HASHES
2
Small changes in input lead to large
changes in hash output3
Same input always leads
to same hash4
Unfeasible to calculate the original input
based on the hash
Hash calculation is fast and
requires few resources***1

57. @mxsashsasha@mxsasha.eu
GOOD CRYPTOGRAPHIC HASHES
2
Small changes in input lead to large
changes in hash output3
Same input always leads
to same hash4
Unfeasible to calculate the original input
based on the hash
Hash calculation is fast and
requires few resources***1
Unfeasible to find two messages
with the same hash (collisions)5

58. @mxsashsasha@mxsasha.eu
USELESS HASHING
cleartext
cipher
text
AES-CBC
enc
k
SHA-2
message
IV

59. @mxsashsasha@mxsasha.eu
HMAC
cleartext
cipher
text
AES-CBC
enc
k
HMAC-
SHA-2
message
IV k

60. @mxsashsasha@mxsasha.eu
Galois-Counter mode (GCM)

61. @mxsashsasha@mxsasha.eu
Symmetric
ciphers:
Same key for
encrypt and decrypt

62. @mxsashsasha@mxsasha.eu
Asymmetric
ciphers:
Different key for
encrypt and decrypt

63. @mxsashsasha@mxsasha.eu
RSA EXAMPLE
cleartext
Claire
Alice

64. @mxsashsasha@mxsasha.eu
RSA EXAMPLE
RSA
encrypt
cleartext
Claire
Alice

65. @mxsashsasha@mxsasha.eu
RSA EXAMPLE
RSA
encrypt
Alice’s
public key
cleartext
Claire
Alice

66. @mxsashsasha@mxsasha.eu
RSA EXAMPLE
RSA
encrypt
RSA
decrypt
Alice’s
public key
cleartext
Claire
Alice

67. @mxsashsasha@mxsasha.eu
RSA EXAMPLE
RSA
encrypt
RSA
decrypt
Alice’s
public key
Alice’s
private key
cleartext
Claire
Alice

68. @mxsashsasha@mxsasha.eu
RSA EXAMPLE
RSA
encrypt
RSA
decrypt
Alice’s
public key
Alice’s
private key
cleartext
Claire
Alice
cleartext

69. @mxsashsasha@mxsasha.eu
NAIVE KEY EXCHANGE
RSA
encrypt
RSA
decrypt
Alice’s
public key
Alice’s
private key
symmetric key
Claire
Alice
symmetric key
AES

70. @mxsashsasha@mxsasha.eu
NAIVE KEY EXCHANGE
RSA
encrypt
RSA
decrypt
Alice’s
public key
Alice’s
private key
symmetric key
Claire
Alice
symmetric key
AES

71. @mxsashsasha@mxsasha.eu
NAIVE KEY EXCHANGE
RSA
encrypt
RSA
decrypt
Alice’s
public key
Alice’s
private key
symmetric key
Claire
Alice
symmetric key
AES

72. @mxsashsasha@mxsasha.eu
DH KEY EXCHANGE
Diffie-
Hellman
Alice pub
Claire
Claire prv
65e41a
235a7…
Diffie-
Hellman
Claire pub
Alice
Alice prv
65e41a
235a7…
random
random

73. @mxsashsasha@mxsasha.eu
DH:
same parameters
EDH/DHE:
different parameters (ephemeral)

74. @mxsashsasha@mxsasha.eu
Elliptic curve
cryptography
(e.g. ECDHE)

75. @mxsashsasha@mxsasha.eu
Trust

76. @mxsashsasha@mxsasha.eu
MITM SENSITIVITY
Alice
Claire Alice

77. @mxsashsasha@mxsasha.eu
MITM SENSITIVITY
Alice
Claire Alice
Alice

78. @mxsashsasha@mxsasha.eu
MITM SENSITIVITY
RSA
encrypt
Alice
Claire Alice
Alice
msg
encrypted
for Alice

79. @mxsashsasha@mxsasha.eu
MITM SENSITIVITY
RSA
encrypt
Alice
Claire Alice
Alice
msg
encrypted
for Alice
msg
encrypted
for Alice

80. @mxsashsasha@mxsasha.eu
MITM
Alice
Claire AliceEmmy

81. @mxsashsasha@mxsasha.eu
MITM
Alice
Claire Alice
Alice
Emmy

82. @mxsashsasha@mxsasha.eu
MITM
Alice
Claire Alice
Alice
Emmy
Emmy

83. @mxsashsasha@mxsasha.eu
MITM
Alice
Claire Alice
Emmy Alice
Emmy
Emmy

84. @mxsashsasha@mxsasha.eu
MITM
RSA
encrypt
Alice
Claire Alice
Emmy Alice
Emmy
msg
encrypted
for Emmy
Emmy

85. @mxsashsasha@mxsasha.eu
MITM
RSA
encrypt
Alice
Claire Alice
Emmy Alice
Emmy
msg
encrypted
for Emmy
decrypt and
re-encrypt
for Alice
Emmy

86. @mxsashsasha@mxsasha.eu
MITM
RSA
encrypt
Alice
Claire Alice
Emmy
msg
encrypted
for Alice
Alice
Emmy
msg
encrypted
for Emmy
decrypt and
re-encrypt
for Alice
Emmy

87. @mxsashsasha@mxsasha.eu
RSA SIGNATURES
RSA sign
Certificate Authority
privkey
pubkey
mxsasha.eu cert
mxsasha.eu

88. @mxsashsasha@mxsasha.eu
CERTIFICATE CHAIN
mxsasha.euLet’s Encrypt
Authority X3
DST root
CA X3
(Public Key Infrastructure / PKI)
signedsignedtrusts

89. @mxsashsasha@mxsasha.eu
SSL
TLS

90. @mxsashsasha@mxsasha.eu
SSL/TLS HISTORY
SSLv1: never published
SSLv2: 1994, awful
SSLv3: 1995, complete new design, obsolete
TLS 1.0: 1999, minor differences
TLS 1.1: 2006, hardening
TLS 1.2: 2008, authenticated encryption
and extensions
TLS 1.3: 2018, mandatory FS & authenticated
encryption, and other security hardening

91. @mxsashsasha@mxsasha.eu
TLS CIPHER SUITES
TLS_RSA_WITH_AES_128_CBC_SHA
TLS
RSA key exchange (shared secret
exchange)
RSA authentication
AES-128 encryption in CBC mode
SHA1 MAC

92. @mxsashsasha@mxsasha.eu
TLS CIPHER SUITES
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS
Elliptic curve ephemeral Diffie-
Hellman key exchange (FS!)
RSA authentication
AES-128 encryption in GCM mode
SHA256 PRF

93. @mxsashsasha@mxsasha.eu
TLS CIPHER SUITES
TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5
TLS
Diffie-Hellman key exchange (no FS!)
No authentication
RC4 encryption with 40 bits
MD5 MAC

94. @mxsashsasha@mxsasha.eu
What you
should use

95. @mxsashsasha@mxsasha.eu
TLS CONFIGURATION
https://www.ssllabs.com/ssltest/

96. @mxsashsasha@mxsasha.eu
SYMMETRIC CRYPTO IN YOUR CODE
https://github.com/fernet/
https://cryptography.io/en/latest/fernet/
AES-256-GCM + argon2id/bcrypt/scrypt/pbkdf2
or

97. @mxsashsasha@mxsasha.eu
ASYMMETRIC CRYPTO IN YOUR CODE
???????????
or

98. @mxsashsasha@mxsasha.eu
COMMON ERRORS
Failure to consider wide range of threats,
and/or recovery options1

99. @mxsashsasha@mxsasha.eu
COMMON ERRORS
2
Failure to authenticate (no MAC, MAC not
checked, certificate chain not checked)
Failure to consider wide range of threats,
and/or recovery options1

100. @mxsashsasha@mxsasha.eu
COMMON ERRORS
2
Confusing authentication and
confidentiality3
Failure to authenticate (no MAC, MAC not
checked, certificate chain not checked)
Failure to consider wide range of threats,
and/or recovery options1

101. @mxsashsasha@mxsasha.eu
COMMON ERRORS
2
Confusing authentication and
confidentiality3
Improper key handling (no KDF, key
not stored securely)4
Failure to authenticate (no MAC, MAC not
checked, certificate chain not checked)
Failure to consider wide range of threats,
and/or recovery options1

102. @mxsashsasha@mxsasha.eu
COMMON ERRORS
2
Confusing authentication and
confidentiality3
Improper key handling (no KDF, key
not stored securely)4
Failure to authenticate (no MAC, MAC not
checked, certificate chain not checked)
Failure to consider wide range of threats,
and/or recovery options1
Side channel vulnerabilities
(timing, errors, compression)5

103. @mxsashsasha@mxsasha.eu
CRYPTO CHALLENGES
https://cryptopals.com/

105. Thank you :)
C RY P T O PA L S . C O M
C RY P T O G R A P H Y. I O
S S L L A B S . C O M / S S LT E S T
“ B U L L E T P R O O F S S L A N D T L S ”
S A S H A R O M I J N
S A S H A @ M X S A S H A . E U
@ M X S A S H