Why You Need
Cryptography
Junade Ali (@IcyApril)
What You Need To
Know About
Cryptography
Junade Ali (@IcyApril)
Back to Basics
This is a login form.
How do you store a
password in a database?
You hash it of course!
• Hashes are one-way cryptographic functions.
Maps any data to a fixed length string.
• The hash should be non-invertible: it is infeasible
to turn the hash back into the input.
• On a good algorithm, the Avalanche Effect
means if you alter the input slightly, the output is
completely different. This makes it harder to
guess the input.
But how…?
• Use a key derivation function like PBKDF2 or
BCrypt.
• That way the crypto is handled for you,
preventing homebrew insecure crypto.
• Some would argue BCrypt is better than
PBKDF2 because it can’t be GPU accelerated.
PHP Password
Functions
• PHP 5.5.0 made things easy:
• password_hash - to hash passwords
• password_verify - Check a password matches
the hash
• password_needs_rehash - check if a hash
matches the algorithm supplied
Homebrew Crypto is Bad
• You’re probably not a cryptographer.
• Real key derivation functions are peer reviewed
by mathematicians, cryptographers, computer
scientists; professional and amateur alike.
• Complicated code doesn’t provide better
security. Byte shuffling adds no security, neither
does base64 encoding.
-Kerckhoffs's principle
“A cryptosystem should be secure even if
everything about the system, except the key, is
public knowledge.”
-Shannon's maxim
"one ought to design systems under the
assumption that the enemy will immediately gain
full familiarity with them"
-in layman’s terms
A strong cryptosystem is strong regardless of
whether the algorithm is known to the attacker.
Why We Salt
• Let’s hash a password without a salt:
• echo sha1('p4$$w0rd'); (single quotes, so PHP does not try to interpolate $w0rd as a variable)
• 6c067b3288c1b5c791afa04e12fb013ed2e84d10
Rainbow Tables
Rainbow Tables are precomputed hashes.
Table from sha1.wisetock.com.
Dictionary Attack
• Rainbow Tables make Dictionary Attacks quicker.
• You simply check whether an unsalted hash appears in
a pre-computed database of hashes.
• If the same salt is used for every hash, you can still
pre-compute a database of hashes of known passwords
with that salt, so a shared salt does not help.
The Caveat…
• If a user’s password is not in any publicly known
database of pre-computed hashes, it is secure
from Rainbow Tables.
• Hence one reason why you should use strong
unique passwords.
Therefore…
• We hash our passwords.
• We salt our hashes.
• We use a unique salt for each password we
hash.
• This is easily handled by the password_hash
function in PHP.
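An added example, not from the slides and not PHP code: the same three operations as password_hash, password_verify and password_needs_rehash, written with Python's standard library PBKDF2 (one of the key derivation functions the deck names). It also shows why salting matters: two users with the same password get the same unsalted SHA-1 but different salted records. The function names, the record format and the iteration count are this example's own choices.

```python
# Added example (not from the slides): PBKDF2 password storage mirroring PHP's
# password_hash / password_verify / password_needs_rehash. Names, record
# format and cost parameter are this example's own.
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # current cost parameter; raise over time, then rehash
SALT_BYTES = 16

def hash_password(password: str, iterations: int = ITERATIONS, salt=None) -> str:
    """Hash with a fresh random salt per password (like password_hash)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record: algorithm$cost$salt$digest, so verification
    # needs no external configuration to know how the hash was produced.
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record uses an older algorithm or a lower cost than current."""
    algorithm, stored_iterations, _, _ = record.split("$")
    return algorithm != ALGORITHM or int(stored_iterations) < iterations

def unsalted_sha1(password: str) -> str:
    """The slide's unsalted approach: equal passwords give equal hashes for every user."""
    return hashlib.sha1(password.encode()).hexdigest()

if __name__ == "__main__":
    # Two users who chose the same (constructed) password.
    alice = hash_password("p4$$w0rd")
    bob = hash_password("p4$$w0rd")
    print("unsalted equal:", unsalted_sha1("p4$$w0rd") == unsalted_sha1("p4$$w0rd"))  # True
    print("salted equal  :", alice == bob)                                            # False
    print("verify        :", verify_password("p4$$w0rd", alice), verify_password("wrong", alice))
    old = hash_password("p4$$w0rd", iterations=10_000)  # record made under an older cost
    print("needs rehash  :", needs_rehash(old), needs_rehash(alice))
```

The rehash check is meant to run right after a successful login, when the plaintext is briefly available: if it returns true, hash the password again with the current parameters and overwrite the stored record.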
Hashes have other uses
• Hashes aren’t just for key derivation.
• One other use is file integrity validation; this is
particularly useful in SSL/TLS certificates.
An Ideal Hash Algorithm
• A hash must be easy to compute.
• It must be impractical to turn the hash back into
the original input (non-invertible).
• It must be infeasible to find two inputs which lead to
the same hash (collision resistance).
Collision Resistance
• Where h() is a hash function, a collision is where
h(A) = h(B), but A ≠ B.
• Where two different inputs produce the same
hash.
• They are inevitable given the pigeonhole
principle.
Pigeonhole Principle
• Given a hash is a fixed length string there are
only a finite number of variations.
• On the other hand the input can be arbitrarily long.
• Therefore there must be more than one input
which has the same hash output.
• I.e. a collision is inevitable.
The Birthday Problem
• The chance of 2 people having the same
birthday reaches 100% when you have 366
people according to the Pigeonhole Principle.
• However the probability reaches 99% with just 57
people.
The Birthday Problem
The probability of two people with the same birthday.
The Birthday Attack
• The Birthday Problem can be used to find hash
collisions where the number of possible hashes
(pigeonholes) is limited.
• Yuval’s Birthday Attack highlights this.
Yuval’s Birthday Attack
• Let n be the bit-length of a hash output.
• With 2^(n/2) different permutations of the original
message compared against 2^(n/2) different permutations
of a forged message, you should expect to find a
collision.
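An added example, not from the slides: the birthday probability from the "Birthday Problem" slide, and a birthday search against SHA-256 deliberately truncated to n bits so that a collision appears after roughly 2^(n/2) messages rather than 2^n. The helper names and the "msg-<i>" message format are this example's own choices.

```python
# Added example (not from the slides): birthday probability and a birthday
# search on a truncated hash. Helper names and the "msg-<i>" format are
# this example's choices.
import hashlib

def birthday_probability(people: int, days: int = 365) -> float:
    """P(at least two of `people` share a birthday): 1 - prod (days-i)/days."""
    if people > days:
        return 1.0  # pigeonhole principle: forced once people exceed days
    p_all_distinct = 1.0
    for i in range(people):
        p_all_distinct *= (days - i) / days
    return 1.0 - p_all_distinct

def truncated_hash(message: bytes, bits: int) -> int:
    """SHA-256 cut down to its top `bits` bits: a toy hash with 2^bits pigeonholes."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)

def find_collision(bits: int):
    """Hash distinct messages until two share a truncated digest.

    Returns (tries, message_a, message_b). By the pigeonhole principle this
    stops after at most 2^bits + 1 messages; the birthday bound says it
    usually stops after about 2^(bits/2).
    """
    seen = {}
    tries = 0
    while True:
        msg = f"msg-{tries}".encode()
        tries += 1
        h = truncated_hash(msg, bits)
        if h in seen:
            return tries, seen[h], msg
        seen[h] = msg

def birthday_bound(bits: int) -> int:
    """Yuval's figure: about 2^(n/2) candidates on each side."""
    return 2 ** (bits // 2)

if __name__ == "__main__":
    print(f"23 people: {birthday_probability(23):.3f}")  # about 0.507
    print(f"57 people: {birthday_probability(57):.3f}")  # about 0.990
    bits = 24
    tries, a, b = find_collision(bits)
    print(f"{bits}-bit hash: collision after {tries} messages "
          f"(2^(n/2) = {birthday_bound(bits)})")
    print(a, b, hex(truncated_hash(a, bits)), hex(truncated_hash(b, bits)))
```

Raising `bits` makes the search take about twice as long per extra two bits, which is the whole point of long digests: at 256 bits the same search needs around 2^128 messages.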
TLS (very basic overview)
• Server has a CipherSuite ordering.
• Client submits a list of supported ciphers and server chooses
the highest shared cipher (note SSLHonorCipherOrder in
Apache or ssl_prefer_server_ciphers in Nginx).
• Certificate Chain, root certificates sign intermediaries which
eventually sign a site. Server sends this certificate.
• Key exchange protocol to share keys for symmetric
encryption (quicker than asymmetric).
• Integrity check using Message Authentication Code.
Best Practice with TLS
• Disabling SSL protocols (and only enabling TLS),
note POODLE on SSLv3.
• HSTS (Strict Transport Security), enforced TLS
with cached time period. Mitigates SSLStrip by
Moxie Marlinspike.
• Forward Secrecy setting ciphers that support it to
be preferred.
• Qualys SSLLabs tests are a good idea.
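An added example, not from the slides: a small model of the cipher-suite choice described on the TLS overview slide, with a flag that plays the role of SSLHonorCipherOrder / ssl_prefer_server_ciphers, plus a check that the server's ordering puts forward-secret suites first as the best-practice slide recommends. The suite names are OpenSSL-style strings; the function names, the sample lists and the simple "ECDHE/DHE prefix means forward secrecy" rule are this example's assumptions.

```python
# Added example (not from the slides): cipher-suite negotiation model.
# Function names, sample suite lists and the forward-secrecy rule are
# this example's assumptions.

def negotiate(server_order, client_offer, honor_server_order=True):
    """Pick the suite both sides support.

    honor_server_order=True  -> like SSLHonorCipherOrder on / ssl_prefer_server_ciphers on:
                                walk the server's preference list and take the first
                                suite the client also offered.
    honor_server_order=False -> the client's ordering wins instead.
    Returns None when there is no shared suite (the handshake would fail).
    """
    if honor_server_order:
        preferred, other = server_order, client_offer
    else:
        preferred, other = client_offer, server_order
    other_set = set(other)
    for suite in preferred:
        if suite in other_set:
            return suite
    return None

def provides_forward_secrecy(suite: str) -> bool:
    """Ephemeral (EC)DH key exchange gives forward secrecy; static RSA key exchange does not."""
    return suite.startswith(("ECDHE-", "DHE-"))

def forward_secrecy_preferred(server_order) -> bool:
    """True if every forward-secret suite is ranked above every non-forward-secret one."""
    seen_non_fs = False
    for suite in server_order:
        if provides_forward_secrecy(suite):
            if seen_non_fs:
                return False
        else:
            seen_non_fs = True
    return True

# Constructed sample configurations.
SERVER_ORDER = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA",
    "AES128-SHA",  # static RSA key exchange: no forward secrecy
]
CLIENT_OFFER = ["AES128-SHA", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    print(negotiate(SERVER_ORDER, CLIENT_OFFER, honor_server_order=True))    # ECDHE-RSA-AES128-GCM-SHA256
    print(negotiate(SERVER_ORDER, CLIENT_OFFER, honor_server_order=False))   # AES128-SHA
    print(forward_secrecy_preferred(SERVER_ORDER))                            # True
    print(forward_secrecy_preferred(["AES128-SHA", "ECDHE-RSA-AES256-SHA"]))  # False
```

The two negotiate calls show why the server-order setting matters: with the same server list and the same client offer, letting the client choose yields the non-forward-secret suite it happened to list first.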
Symmetric Encryption
• Caesar Cipher. Simple offsets, easy to brute
force.
• DES. Preceded AES; insecure in a lot of
applications.
• Rijndael (AES), TwoFish, Serpent.
Plausible Deniability
• Steganography is the practice of hiding one file within another.
• The Rubberhose File System was written by Julian Assange,
Suelette Dreyfus, and Ralf Weinmann.
• Available in VeraCrypt, the successor to TrueCrypt.
• Uses the random padding data surrounding an encrypted
volume to create alternative encrypted volumes.
• Can be cascaded.
• Initially designed for third world dictatorships, but found a use in
the UK due to RIPA.
Asymmetric Encryption
• Diffie-Hellman Key Exchange. Malcolm J.
Williamson at GCHQ had already conceived this a
year earlier.
• RSA. Named after Ron Rivest, Adi Shamir, and
Leonard Adleman but was discovered by Clifford
Cocks and James H. Ellis at GCHQ 3 years
earlier.
• ECC (Elliptic Curve Cryptography). Entered wide
use in 2004/2005.
Trapdoor Functions
• Asymmetric encryption uses Trapdoor Functions.
• Easy to compute one way, hard the other way.
• For example it is easy to multiply 2 prime
numbers together, harder to find the prime
factors.
RSA Revision
• Select two prime numbers p & q.
• n = pq. This is the modulus.
• φ = (p-1)(q-1). This is the totient.
• Calculate integer e where 1 < e < φ and the greatest
common divisor of e and φ is 1.
• Calculate integer d where 1 < d < φ and the congruence
relation ed ≡ 1 (mod φ) is satisfied.
• Public key is n & e whereas the private key is n & d.
RSA Revision
• Basic encrypt: c = m^e mod n
• Basic decrypt: m = c^d mod n
• Fermat’s Little Theorem underlies this.
• In real life padding is used.
• Note: Mod is the modulo operator (% or the fmod
function in PHP).
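An added example, not from the slides and not PHP code: the key generation, encryption and decryption steps from the two "RSA Revision" slides, carried through on the standard small textbook values (p = 61, q = 53, e = 17, message 65). Python integers are unbounded, so pow(m, e, n) stands in for the % / fmod note on the slide; the function names are this example's own, and pow(e, -1, phi) needs Python 3.8 or later.

```python
# Added example (not from the slides): textbook RSA on small values.
# Function names are this example's own; requires Python 3.8+.
from math import gcd

def keygen(p: int, q: int, e: int):
    """n = pq, phi = (p-1)(q-1), d = e^-1 mod phi. Public (n, e), private (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi and gcd(e, phi) == 1")
    d = pow(e, -1, phi)  # modular inverse, so that e*d ≡ 1 (mod phi)
    assert (e * d) % phi == 1
    return (n, e), (n, d)

def encrypt(m: int, public_key) -> int:
    """Basic encrypt: c = m^e mod n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)

def decrypt(c: int, private_key) -> int:
    """Basic decrypt: m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)

if __name__ == "__main__":
    public, private = keygen(61, 53, 17)
    print("public:", public, "private:", private)   # (3233, 17) (3233, 2753)
    c = encrypt(65, public)
    print("c =", c, "m =", decrypt(c, private))      # c = 2790, m = 65
    # Why "in real life padding is used": textbook RSA is deterministic, so
    # equal plaintexts always give equal ciphertexts and repeats are visible.
    print("deterministic:", encrypt(65, public) == encrypt(65, public))  # True
```

With 3233 as the modulus the "trapdoor" is trivial to reverse by hand (3233 = 61 × 53); the scheme only becomes useful when n is large enough that factoring it is infeasible.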
The Problem
• RSA and Diffie-Hellman rely on the Discrete
Logarithm Problem being difficult to solve.
• RSA relies less heavily on the Discrete Log
Problem than Diffie-Hellman does.
• If a discrete logarithm can be computed easily,
these forms of cryptography face an issue.
–Alex Stamos, CTO of Artemis in 2013
“Our conclusion is there is a small but definite
chance that RSA and classic Diffie-Hellman will
not be usable for encryption purposes in four to
five years”
Concluding with ECC
ECC provides the only viable and reasonable alternative
to RSA and Diffie-Hellman so far.
ECC
• Consists of points satisfying the equation: y^2 = x^3 + ax + b
• Faster (over 20 times!) than RSA.
• Already has a Digital Signature alternative to RSA called
ECDSA.
• But ECDSA does require a good source of entropy: a
decent source of (pseudo)random numbers is required.
• No mathematical proof of security. Question of whether
one-way functions truly exist is open.
https://ju.je/cryptointro
• A (Relatively Easy To Understand) Primer on
Elliptic Curve Cryptography (Nick Sullivan):
https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/
• Guide to Elliptic Curve Cryptography:
http://math.boisestate.edu/~liljanab/MATH508/GuideEllipticCurveCryptography.PDF

Why You Need Cryptography - Junade Ali at PHP Warwickshire
