Cryptography in 20 Fast Minutes

September 2013 NH @Alpha_Loft Web Dev meetup presentation. Feel free to reuse under a Creative Commons 3.0 Attribution License
by

Ted Pennings

on 27 January 2014


Transcript of Cryptography in 20 Fast Minutes

Cryptography in 20 Fast Minutes
Agenda
Overview of Concerns

Effective Algorithms

Common Missteps


My Goal
Help with design & build of applications
Help in thinking about NSA-Snowden document leaks
Integrity
Is the file received the same as the file sent?

More than completeness --
Tampering resistance

Hashes handle this (aka digests).

Authentication
This is often the most complex part of crypto! I'm only touching on it.

Did the data originate from the person who claims to have sent it?

Approaches
Passwords - but there are issues
Public / private keys
OAuth

Related
SSL Certificates
Digital Signatures
Algorithms
This is the code part!

Hash algorithms

Encryption algorithms
Symmetric
Asymmetric
Key Question
Will you need to access the original, secret data again?
Almost always, yes.


But! With passwords, users re-enter them every time, so you can store them in a different, "one-way" format.
Fundamentally, they are one-way:
password123 => ef92b778bafe771...

ef92b778bafe771... does not necessarily bring you back to password123
Confidentiality
Passwords and keys

Trade secrets and IP

Regulated data: credit cards, HIPAA

Personal Information: yours, or what your company knows about users
Concerns
Effectively, cryptography helps with

Confidentiality
This file's contents are secret.

Authentication
Bob actually sent this file.

Integrity
This file has not been modified since Bob sent it.
Common Missteps
Not using a salt with hash algorithms

Keys not kept secret

Using a weak / broken algorithm (MD5, RC4, DES, Blowfish)

Not using a block chaining mode (CBC/CTR/etc) with AES/3DES
Encryption
Useful for
Confidentiality of two-way data
Authentication (asymmetric)

"symmetric ciphers"
AES-128, AES-256 or 3DES
Require a chaining mode like CBC, CTR, OFB, etc; actual algo: AES-256-CTR

"asymmetric ciphers" - less prevalent
RSA, DSA, Diffie-Hellman, Elliptic Curve
Serious questions about NSA role in Elliptic Curve crypto
Hash Algorithms
Good algorithms
SHA-1, SHA-256 and SHA-512
bcrypt

Use them for
Integrity
Confidentiality of one-way data (passwords)

Consider
Using many rounds (SHA-*) or high cost factor (bcrypt)
Salting data before hashing

MD5 is broken (as is CRC-anything)
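
The one-way password storage and the "salt plus many rounds" advice from the slides, as an added example that is not part of the original presentation. It uses PBKDF2-HMAC-SHA256 from the Python standard library as one way to get many rounds of SHA-256; the round count, the record format and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

ROUNDS = 200_000   # assumed work factor for this example; tune to your hardware
SALT_BYTES = 16    # assumed salt length


def unsalted_sha256(password: str) -> str:
    """The misstep: one fast, unsalted hash. Equal passwords give equal digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = ROUNDS) -> str:
    """Return 'rounds$salt_hex$digest_hex', with a fresh random salt by default."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds, then compare in constant time."""
    try:
        rounds_s, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(rounds_s))
    except (ValueError, OverflowError):
        return False  # malformed record: reject instead of raising
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Unsalted: the digest from the slide, identical for every user who picks it.
    print("unsalted:", unsalted_sha256("password123"))
    # Salted: two users with the same password get unrelated records.
    alice = hash_password("password123")
    bob = hash_password("password123")
    print("alice   :", alice)
    print("bob     :", bob)
    print("verify correct:", verify_password("password123", alice))
    print("verify wrong  :", verify_password("password124", alice))
```
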

STORE THE KEY SOMEWHERE SAFE
More information
Look up Bruce Schneier. Trust him. Read schneier.com and maybe buy Applied Cryptography.

Wikipedia is surprisingly accurate... and includes lots of recent breaks.

Stay up to date with dependencies, like Rails, Java or PHP
Thank you!

http://ted.pennin.gs / @thesleepyvegan