SlideShare uma empresa Scribd logo

Whispered secrets

Eleanor McHugh
Eleanor McHugh

An introduction to secrecy and privacy in software system design with code examples in Go demonstrating secure transport techniques with https, tcp/tls and encrypted udp.

Tecnologia
1 de 62
Baixar para ler offline
Whispered Secrets @feyeleanor
this is supposed to be a talk about code but you need to understand why you need that code we’ll examine some of it later in this talk but the following resources go into more detail some are in Ruby but should translate easily to Go
slideshare://feyeleanor
http://leanpub.com/GoNotebook
we all have secrets and those secrets matter to us that’s what makes them secrets software should keep our secrets
some secrets are awful conspiracy infidelity criminality
some secrets are banal bank account numbers embarrassing incidents sexual preferences
secrecy should be absolute our tech must protect the awful otherwise it can’t protect the banal
but there are laws we must comply with these assist the legitimate reject the illegitimate
secrecy ——> privacy
privacy is not absolute privacy requires mutual trust mutual trust is a contract and contracts can be broken
who now trusts Ashley-Madison?
today’s topic is applied paranoia
paranoia Pronunciation: /ˌparəәˈnɔɪəә/ noun {mass noun} A mental condition characterized by delusions of persecution, unwarranted jealousy, or exaggerated self-importance, typically worked into an organized system. It may be an aspect of chronic personality disorder, of drug abuse, or of a serious condition such as schizophrenia in which the person loses touch with reality. Unjustified suspicion and mistrust of other people: mild paranoia afflicts all prime ministers
paranoia Pronunciation: /ˌparəәˈnɔɪəә/ noun {mass noun} The perfectly reasonable belief that someone, somewhere is watching your online behaviour with malicious and/or voyeuristic intent. It may be a result of reading a Hacking Exposed or Hacking for Dummies publication, experiencing the fallout from identity theft, or shopping with bitcoin. Justified suspicion and mistrust of other people: chronic paranoia afflicts all information security professionals accute paranoia afflicts the victims of hacking
we have to trust governments governments are privileged if they don’t trust us they can hurt us and there’s not much we can do about it
our users have to trust us network services are privileged they store secrets with real-life value users have no way of knowing how well
but who can we trust? technology bars the gates but people have to monitor them
encrypt all transports
encrypt all transports • establish a secure channel by exchanging public keys • and check their validity against trusted certificates (SSL, TLS, etc.) • as an added measure pin these certificates (like SSH pins keys) • then exchange symmetric keys for a private secure channel • change these keys frequently (cheap cipher streams) • and pin each distinct message to a distinct key (one-time pads)
https
package main import . "fmt" import . "net/http" const ADDRESS = ":443" func main() { message := "hello world" HandleFunc("/hello", func(w ResponseWriter, r *Request) { w.Header().Set("Content-Type", "text/plain") Fprintf(w, message) }) ListenAndServeTLS(ADDRESS, "cert.pem", "key.pem", nil) } go for the would-be network programmer http://slides.games-with-brains.net/28
package main import . "fmt" import . "net/http" const ADDRESS = ":443" func main() { message := "hello world" HandleFunc("/hello", func(w ResponseWriter, r *Request) { w.Header().Set("Content-Type", "text/plain") Fprintf(w, message) }) ListenAndServeTLS(ADDRESS, "cert.pem", "key.pem", nil) } go for the would-be network programmer http://slides.games-with-brains.net/29
package main import . "fmt" import . "net/http" const ADDRESS = ":443" func main() { message := "hello world" HandleFunc("/hello", func(w ResponseWriter, r *Request) { w.Header().Set("Content-Type", "text/plain") Fprintf(w, message) }) ListenAndServeTLS(ADDRESS, "cert.pem", "key.pem", nil) } go for the would-be network programmer http://slides.games-with-brains.net/30
tcp/tls server
package main import "crypto/rand" import "crypto/tls" import . "fmt" func main() { Listen(":443", ConfigTLS("scert", "skey"), func(c *tls.Conn) { Fprintln(c, "hello world") }) } func Listen(a string, conf *tls.Config, f func(*tls.Conn)) { if listener, e := tls.Listen("tcp", a, conf); e == nil { for { if connection, e := listener.Accept(); e == nil { go func(c *tls.Conn) { defer c.Close() f(c) }(connection.(*tls.Conn)) } } } } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, Rand: rand.Reader, } } return } go for the would-be network programmer http://slides.games-with-brains.net/32
package main import "crypto/rand" import "crypto/tls" import . "fmt" func main() { Listen(":443", ConfigTLS("scert", "skey"), func(c *tls.Conn) { Fprintln(c, "hello world") }) } func Listen(a string, conf *tls.Config, f func(*tls.Conn)) { if listener, e := tls.Listen("tcp", a, conf); e == nil { for { if connection, e := listener.Accept(); e == nil { go func(c *tls.Conn) { defer c.Close() f(c) }(connection.(*tls.Conn)) } } } } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, Rand: rand.Reader, } } return } go for the would-be network programmer http://slides.games-with-brains.net/33
package main import "crypto/rand" import "crypto/tls" import . "fmt" func main() { Listen(":443", ConfigTLS("scert", "skey"), func(c *tls.Conn) { Fprintln(c, "hello world") }) } func Listen(a string, conf *tls.Config, f func(*tls.Conn)) { if listener, e := tls.Listen("tcp", a, conf); e == nil { for { if connection, e := listener.Accept(); e == nil { go func(c *tls.Conn) { defer c.Close() f(c) }(connection.(*tls.Conn)) } } } } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, Rand: rand.Reader, } } return } go for the would-be network programmer http://slides.games-with-brains.net/34
tcp/tls client
package main import . "fmt" import "bufio" import "net" import “crypto/tls" func main() { Dial(":1025", ConfigTLS("ccert", "ckey"), func(c net.Conn) { if m, e := bufio.NewReader(c).ReadString('n'); e == nil { Printf(m) } }) } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, InsecureSkipVerify: true, } } return } func Dial(a string, conf *tls.Config, f func(net.Conn)) { if c, e := tls.Dial("tcp", a, conf); e == nil { defer c.Close() f(c) } } go for the would-be network programmer http://slides.games-with-brains.net/36
package main import . "fmt" import "bufio" import "net" import “crypto/tls" func main() { Dial(":1025", ConfigTLS("ccert", "ckey"), func(c net.Conn) { if m, e := bufio.NewReader(c).ReadString('n'); e == nil { Printf(m) } }) } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, InsecureSkipVerify: false, } } return } func Dial(a string, conf *tls.Config, f func(net.Conn)) { if c, e := tls.Dial("tcp", a, conf); e == nil { defer c.Close() f(c) } } go for the would-be network programmer http://slides.games-with-brains.net/37
package main import . "fmt" import "bufio" import "net" import “crypto/tls" func main() { Dial(":1025", ConfigTLS("ccert", "ckey"), func(c net.Conn) { if m, e := bufio.NewReader(c).ReadString('n'); e == nil { Printf(m) } }) } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, InsecureSkipVerify: true, } } return } func Dial(a string, conf *tls.Config, f func(net.Conn)) { if c, e := tls.Dial("tcp", a, conf); e == nil { defer c.Close() f(c) } } go for the would-be network programmer http://slides.games-with-brains.net/38
udp/aes server
package main import "crypto/aes" import "crypto/cipher" import "crypto/rand" import . "net" const AES_KEY = "0123456789012345" func main() { Serve(":1025", func(c *UDPConn, a *UDPAddr, b []byte) { if m, e := Encrypt("Hello World", AES_KEY); e == nil { c.WriteToUDP(m, a) } }) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } func Quantise(m string) (b []byte, e error) { b = append(b, m...) if p := len(b) % aes.BlockSize; p != 0 { p = aes.BlockSize - p // this is insecure and inflexible as we're padding with NUL b = append(b, make([]byte, p)...) } return } func IV() (b []byte, e error) { b = make([]byte, aes.BlockSize) _, e = rand.Read(b) return } func Encrypt(m, k string) (o []byte, e error) { if o, e = Quantise([]byte(m)); e == nil { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte if iv, e = IV(); e == nil { c := cipher.NewCBCEncrypter(b, iv) c.CryptBlocks(o, o) o = append(iv, o...) } } } return } go for the would-be network programmer http://slides.games-with-brains.net/40
package main import "crypto/aes" import "crypto/cipher" import "crypto/rand" import . "net" const AES_KEY = "0123456789012345" func main() { Serve(":1025", func(c *UDPConn, a *UDPAddr, b []byte) { if m, e := Encrypt("Hello World", AES_KEY); e == nil { c.WriteToUDP(m, a) } }) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } func Quantise(m string) (b []byte, e error) { b = append(b, m...) if p := len(b) % aes.BlockSize; p != 0 { p = aes.BlockSize - p // this is insecure and inflexible as we're padding with NUL b = append(b, make([]byte, p)...) } return } func IV() (b []byte, e error) { b = make([]byte, aes.BlockSize) _, e = rand.Read(b) return } func Encrypt(m, k string) (o []byte, e error) { if o, e = Quantise([]byte(m)); e == nil { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte if iv, e = IV(); e == nil { c := cipher.NewCBCEncrypter(b, iv) c.CryptBlocks(o, o) o = append(iv, o...) } } } return } go for the would-be network programmer http://slides.games-with-brains.net/41
package main import "crypto/aes" import "crypto/cipher" import "crypto/rand" import . "net" const AES_KEY = "0123456789012345" func main() { Serve(":1025", func(c *UDPConn, a *UDPAddr, b []byte) { if m, e := Encrypt("Hello World", AES_KEY); e == nil { c.WriteToUDP(m, a) } }) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } func Quantise(m string) (b []byte, e error) { b = append(b, m...) if p := len(b) % aes.BlockSize; p != 0 { p = aes.BlockSize - p // this is insecure and inflexible as we're padding with NUL b = append(b, make([]byte, p)...) } return } func IV() (b []byte, e error) { b = make([]byte, aes.BlockSize) _, e = rand.Read(b) return } func Encrypt(m, k string) (o []byte, e error) { if o, e = Quantise([]byte(m)); e == nil { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte if iv, e = IV(); e == nil { c := cipher.NewCBCEncrypter(b, iv) c.CryptBlocks(o, o) o = append(iv, o...) } } } return } go for the would-be network programmer http://slides.games-with-brains.net/42
package main import "crypto/aes" import "crypto/cipher" import "crypto/rand" import . "net" const AES_KEY = "0123456789012345" func main() { Serve(":1025", func(c *UDPConn, a *UDPAddr, b []byte) { if m, e := Encrypt("Hello World", AES_KEY); e == nil { c.WriteToUDP(m, a) } }) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } func Quantise(m string) (b []byte, e error) { b = append(b, m...) if p := len(b) % aes.BlockSize; p != 0 { p = aes.BlockSize - p // this is insecure and inflexible as we're padding with NUL b = append(b, make([]byte, p)...) } return } func IV() (b []byte, e error) { b = make([]byte, aes.BlockSize) _, e = rand.Read(b) return } func Encrypt(m, k string) (o []byte, e error) { if o, e = Quantise([]byte(m)); e == nil { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte if iv, e = IV(); e == nil { c := cipher.NewCBCEncrypter(b, iv) c.CryptBlocks(o, o) o = append(iv, o...) } } } return } go for the would-be network programmer http://slides.games-with-brains.net/43
package main import "crypto/aes" import "crypto/cipher" import "crypto/rand" import . "net" const AES_KEY = "0123456789012345" func main() { Serve(":1025", func(c *UDPConn, a *UDPAddr, b []byte) { if m, e := Encrypt("Hello World", AES_KEY); e == nil { c.WriteToUDP(m, a) } }) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } func Quantise(m string) (b []byte, e error) { b = append(b, m...) if p := len(b) % aes.BlockSize; p != 0 { p = aes.BlockSize - p // this is insecure and inflexible as we're padding with NUL b = append(b, make([]byte, p)...) } return } func IV() (b []byte, e error) { b = make([]byte, aes.BlockSize) _, e = rand.Read(b) return } func Encrypt(m, k string) (o []byte, e error) { if o, e = Quantise([]byte(m)); e == nil { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte if iv, e = IV(); e == nil { c := cipher.NewCBCEncrypter(b, iv) c.CryptBlocks(o, o) o = append(iv, o...) } } } return } go for the would-be network programmer http://slides.games-with-brains.net/44
udp/aes client
package main import "bufio" import "crypto/cipher" import "crypto/aes" import . "fmt" import . "net" const AES_KEY = "0123456789012345" func main() { Request(":1025", func(c *UDPConn) { c.Write(make([]byte, 1)) if m, e := ReadStream(c); e == nil { if m, e := Decrypt(m, AES_KEY); e == nil { Println(string(m)) } } }) } func Decrypt(m []byte, k string) (r string, e error) { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte iv, m = Unpack(m) c := cipher.NewCBCDecrypter(b, iv) c.CryptBlocks(m, m) r = Dequantise(m) } return } func Unpack(m []byte) (iv, r []byte) { return m[:aes.BlockSize], m[aes.BlockSize:] } func Dequantise(m []byte) string { var i int for i = len(m) - 1; i > 0 && m[i] == 0; i-- {} return string(m[:i + 1]) } func Request(a string, f func(Conn)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() f(conn) } } } go for the would-be network programmer http://slides.games-with-brains.net/46
package main import "bufio" import "crypto/cipher" import "crypto/aes" import . "fmt" import . "net" const AES_KEY = "0123456789012345" func main() { Request(":1025", func(c *UDPConn) { c.Write(make([]byte, 1)) if m, e := ReadStream(c); e == nil { if m, e := Decrypt(m, AES_KEY); e == nil { Println(string(m)) } } }) } func Decrypt(m []byte, k string) (r string, e error) { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte iv, m = Unpack(m) c := cipher.NewCBCDecrypter(b, iv) c.CryptBlocks(m, m) r = Dequantise(m) } return } func Unpack(m []byte) (iv, r []byte) { return m[:aes.BlockSize], m[aes.BlockSize:] } func Dequantise(m []byte) string { var i int for i = len(m) - 1; i > 0 && m[i] == 0; i-- {} return string(m[:i + 1]) } func Request(a string, f func(Conn)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() f(conn) } } } go for the would-be network programmer http://slides.games-with-brains.net/47
package main import "bufio" import "crypto/cipher" import "crypto/aes" import . "fmt" import . "net" const AES_KEY = "0123456789012345" func main() { Request(":1025", func(c *UDPConn) { c.Write(make([]byte, 1)) if m, e := ReadStream(c); e == nil { if m, e := Decrypt(m, AES_KEY); e == nil { Println(string(m)) } } }) } func Decrypt(m []byte, k string) (r string, e error) { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte iv, m = Unpack(m) c := cipher.NewCBCDecrypter(b, iv) c.CryptBlocks(m, m) r = Dequantise(m) } return } func Unpack(m []byte) (iv, r []byte) { return m[:aes.BlockSize], m[aes.BlockSize:] } func Dequantise(m []byte) string { var i int for i = len(m) - 1; i > 0 && m[i] == 0; i-- {} return string(m[:i + 1]) } func Request(a string, f func(Conn)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() f(conn) } } } go for the would-be network programmer http://slides.games-with-brains.net/48
package main import "bufio" import "crypto/cipher" import "crypto/aes" import . "fmt" import . "net" const AES_KEY = "0123456789012345" func main() { Request(":1025", func(c *UDPConn) { c.Write(make([]byte, 1)) if m, e := ReadStream(c); e == nil { if m, e := Decrypt(m, AES_KEY); e == nil { Println(string(m)) } } }) } func Decrypt(m []byte, k string) (r string, e error) { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte iv, m = Unpack(m) c := cipher.NewCBCDecrypter(b, iv) c.CryptBlocks(m, m) r = Dequantise(m) } return } func Unpack(m []byte) (iv, r []byte) { return m[:aes.BlockSize], m[aes.BlockSize:] } func Dequantise(m []byte) string { var i int for i = len(m) - 1; i > 0 && m[i] == 0; i-- {} return string(m[:i + 1]) } func Request(a string, f func(Conn)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() f(conn) } } } go for the would-be network programmer http://slides.games-with-brains.net/49
package main import "bufio" import "crypto/cipher" import "crypto/aes" import . "fmt" import . "net" const AES_KEY = "0123456789012345" func main() { Request(":1025", func(c *UDPConn) { c.Write(make([]byte, 1)) if m, e := ReadStream(c); e == nil { if m, e := Decrypt(m, AES_KEY); e == nil { Println(string(m)) } } }) } func Decrypt(m []byte, k string) (r string, e error) { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte iv, m = Unpack(m) c := cipher.NewCBCDecrypter(b, iv) c.CryptBlocks(m, m) r = Dequantise(m) } return } func Unpack(m []byte) (iv, r []byte) { return m[:aes.BlockSize], m[aes.BlockSize:] } func Dequantise(m []byte) string { var i int for i = len(m) - 1; i > 0 && m[i] == 0; i-- {} return string(m[:i + 1]) } func Request(a string, f func(Conn)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() f(conn) } } } go for the would-be network programmer http://slides.games-with-brains.net/50
udp/rsa server
package main import . "bytes" import "crypto/rsa" import "encoding/gob" import "net" func main() { HELLO_WORLD := []byte("Hello World") RSA_LABEL := []byte("served") Serve(":1025", func(c *net.UDPConn, a *net.UDPAddr, b []byte) { var key rsa.PublicKey if e := gob.NewDecoder(NewBuffer(b)).Decode(&key); e == nil { if m, e := Encrypt(&key, HELLO_WORLD, RSA_LABEL); e == nil { c.WriteToUDP(m, a) } } return }) } func Encrypt(key *rsa.PublicKey, m, l []byte) ([]byte, error) { return rsa.EncryptOAEP(sha1.New(), rand.Reader, key, m, l) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } go for the would-be network programmer http://slides.games-with-brains.net/52
package main import . "bytes" import "crypto/rsa" import "encoding/gob" import "net" func main() { HELLO_WORLD := []byte("Hello World") RSA_LABEL := []byte("served") Serve(":1025", func(c *net.UDPConn, a *net.UDPAddr, b []byte) { var key rsa.PublicKey if e := gob.NewDecoder(NewBuffer(b)).Decode(&key); e == nil { if m, e := Encrypt(&key, HELLO_WORLD, RSA_LABEL); e == nil { c.WriteToUDP(m, a) } } return }) } func Encrypt(key *rsa.PublicKey, m, l []byte) ([]byte, error) { return rsa.EncryptOAEP(sha1.New(), rand.Reader, key, m, l) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } go for the would-be network programmer http://slides.games-with-brains.net/53
udp/rsa client
package main import "crypto/rsa" import "crypto/rand" import "crypto/sha1" import "crypto/x509" import "bytes" import "encoding/gob" import "encoding/pem" import “io/ioutil" import . "fmt" import . "net" func main() { Request(":1025", "ckey", func(c *net.UDPConn, k *rsa.PrivateKey) { if m, e := ReadStream(c); e == nil { if m, e := Decrypt(k, m, []byte("served")); e == nil { Println(string(m)) } } }) } func LoadPrivateKey(file string) (r *rsa.PrivateKey, e error) { if file, e := ioutil.ReadFile(file); e == nil { if block, _ := pem.Decode(file); block != nil { if block.Type == "RSA PRIVATE KEY" { r, e = x509.ParsePKCS1PrivateKey(block.Bytes) } } } return } func Request(a, file string, f func(*UDPConn, *PrivateKey)) { if k, e := LoadPrivateKey(file); e == nil { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() SendKey(conn, k.PublicKey, func() { f(conn, k) }) } } } } func Decrypt(key *rsa.PrivateKey, m, l []byte) ([]byte, error) { return rsa.DecryptOAEP(sha1.New(), rand.Reader, key, m, l) } func SendKey(c *net.UDPConn, k rsa.PublicKey, f func()) { var b bytes.Buffer if e := gob.NewEncoder(&b).Encode(k); e == nil { if _, e = c.Write(b.Bytes()); e == nil { f() } } } go for the would-be network programmer http://slides.games-with-brains.net/55
package main import "crypto/rsa" import "crypto/rand" import "crypto/sha1" import "crypto/x509" import "bytes" import "encoding/gob" import "encoding/pem" import “io/ioutil" import . "fmt" import . "net" func main() { Request(":1025", "ckey", func(c *net.UDPConn, k *rsa.PrivateKey) { if m, e := ReadStream(c); e == nil { if m, e := Decrypt(k, m, []byte("served")); e == nil { Println(string(m)) } } }) } func LoadPrivateKey(file string) (r *rsa.PrivateKey, e error) { if file, e := ioutil.ReadFile(file); e == nil { if block, _ := pem.Decode(file); block != nil { if block.Type == "RSA PRIVATE KEY" { r, e = x509.ParsePKCS1PrivateKey(block.Bytes) } } } return } func Request(a, file string, f func(*UDPConn, *PrivateKey)) { if k, e := LoadPrivateKey(file); e == nil { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() SendKey(conn, k.PublicKey, func() { f(conn, k) }) } } } } func Decrypt(key *rsa.PrivateKey, m, l []byte) ([]byte, error) { return rsa.DecryptOAEP(sha1.New(), rand.Reader, key, m, l) } func SendKey(c *net.UDPConn, k rsa.PublicKey, f func()) { var b bytes.Buffer if e := gob.NewEncoder(&b).Encode(k); e == nil { if _, e = c.Write(b.Bytes()); e == nil { f() } } } go for the would-be network programmer http://slides.games-with-brains.net/56
package main import "crypto/rsa" import "crypto/rand" import "crypto/sha1" import "crypto/x509" import "bytes" import "encoding/gob" import "encoding/pem" import “io/ioutil" import . "fmt" import . "net" func main() { Request(":1025", "ckey", func(c *net.UDPConn, k *rsa.PrivateKey) { if m, e := ReadStream(c); e == nil { if m, e := Decrypt(k, m, []byte("served")); e == nil { Println(string(m)) } } }) } func LoadPrivateKey(file string) (r *rsa.PrivateKey, e error) { if file, e := ioutil.ReadFile(file); e == nil { if block, _ := pem.Decode(file); block != nil { if block.Type == "RSA PRIVATE KEY" { r, e = x509.ParsePKCS1PrivateKey(block.Bytes) } } } return } func Request(a, file string, f func(*UDPConn, *PrivateKey)) { if k, e := LoadPrivateKey(file); e == nil { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() SendKey(conn, k.PublicKey, func() { f(conn, k) }) } } } } func Decrypt(key *rsa.PrivateKey, m, l []byte) ([]byte, error) { return rsa.DecryptOAEP(sha1.New(), rand.Reader, key, m, l) } func SendKey(c *net.UDPConn, k rsa.PublicKey, f func()) { var b bytes.Buffer if e := gob.NewEncoder(&b).Encode(k); e == nil { if _, e = c.Write(b.Bytes()); e == nil { f() } } } go for the would-be network programmer http://slides.games-with-brains.net/57
aes + rsa —> hybrid crypto
encrypt all passwords • accept unicode to expand the symbol space • hash every new password before it’s submitted • always use a cryptograpically secure hash (HMAC) • and a fresh HMAC key for each password (which you must store) • salt the resulting hash when you receive it (and store the salt) • then hash again before storing in your database
require two-factor authentication • have the user submit their password over a secure channel • then send them a confirmation code out-of-band • that’s an agreed trust anchor acting as a shared secret • the confirmation code should be big enough to generate a HMAC • and only the HMAC should be submitted • now you have two secure channels based on shared secrets
encrypt all storage • secured transport is useless without secured data stores • encrypt all sensitive fields - that probably means all fields • and store HMACs for desired search terms • otherwise you black box is secure but unsearchable • make sure you use different roles for reading, writing and searching • that’s right, your datastore is also a set of secure streams
anchor trust internally • establish your own certificate authority • assign fine-grained roles to different components (microservices) • and minimise your threat surface (regular code audits, security logs) • never deploy without a full security audit • and make those deployments immutable • security audits (like QA) are best done by third parties

Recomendados

Whispered secrets
Whispered secretsWhispered secrets
Whispered secretsEleanor McHugh
 
Encrypt all transports
Encrypt all transportsEncrypt all transports
Encrypt all transportsEleanor McHugh
 
Implementing Software Machines in Go and C
Implementing Software Machines in Go and CImplementing Software Machines in Go and C
Implementing Software Machines in Go and CEleanor McHugh
 
Abusing text/template for data transformation
Abusing text/template for data transformationAbusing text/template for data transformation
Abusing text/template for data transformationArnaud Porterie
 
The Ruby Guide to *nix Plumbing: on the quest for efficiency with Ruby [M|K]RI
The Ruby Guide to *nix Plumbing: on the quest for efficiency with Ruby [M|K]RIThe Ruby Guide to *nix Plumbing: on the quest for efficiency with Ruby [M|K]RI
The Ruby Guide to *nix Plumbing: on the quest for efficiency with Ruby [M|K]RIEleanor McHugh
 
Implementing Software Machines in C and Go
Implementing Software Machines in C and GoImplementing Software Machines in C and Go
Implementing Software Machines in C and GoEleanor McHugh
 
Go a crash course
Go a crash courseGo a crash course
Go a crash courseEleanor McHugh
 
Go for the paranoid network programmer
Go for the paranoid network programmerGo for the paranoid network programmer
Go for the paranoid network programmerEleanor McHugh
 

Recomendados

Whispered secrets
Whispered secretsWhispered secrets
Whispered secretsEleanor McHugh
 
Encrypt all transports
Encrypt all transportsEncrypt all transports
Encrypt all transportsEleanor McHugh
 
Implementing Software Machines in Go and C
Implementing Software Machines in Go and CImplementing Software Machines in Go and C
Implementing Software Machines in Go and CEleanor McHugh
 
Abusing text/template for data transformation
Abusing text/template for data transformationAbusing text/template for data transformation
Abusing text/template for data transformationArnaud Porterie
 
The Ruby Guide to *nix Plumbing: on the quest for efficiency with Ruby [M|K]RI
The Ruby Guide to *nix Plumbing: on the quest for efficiency with Ruby [M|K]RIThe Ruby Guide to *nix Plumbing: on the quest for efficiency with Ruby [M|K]RI
The Ruby Guide to *nix Plumbing: on the quest for efficiency with Ruby [M|K]RIEleanor McHugh
 
Implementing Software Machines in C and Go
Implementing Software Machines in C and GoImplementing Software Machines in C and Go
Implementing Software Machines in C and GoEleanor McHugh
 
Go a crash course
Go a crash courseGo a crash course
Go a crash courseEleanor McHugh
 
Go for the paranoid network programmer
Go for the paranoid network programmerGo for the paranoid network programmer
Go for the paranoid network programmerEleanor McHugh
 
The Browser Environment - A Systems Programmer's Perspective
The Browser Environment - A Systems Programmer's PerspectiveThe Browser Environment - A Systems Programmer's Perspective
The Browser Environment - A Systems Programmer's PerspectiveEleanor McHugh
 
Binomial heap
Binomial heapBinomial heap
Binomial heapKalpana Vijayaraghavan
 
Go for the would be network programmer
Go for the would be network programmerGo for the would be network programmer
Go for the would be network programmerEleanor McHugh
 
How to stand on the shoulders of giants
How to stand on the shoulders of giantsHow to stand on the shoulders of giants
How to stand on the shoulders of giantsIan Barber
 
Usp
UspUsp
Usppreethamnaik92
 
C++ Lambda and concurrency
C++ Lambda and concurrencyC++ Lambda and concurrency
C++ Lambda and concurrency명신 김
 
part2
part2part2
part2Cameron White
 
Distributed Data Structures
Distributed Data StructuresDistributed Data Structures
Distributed Data StructuresPDX Web & Design
 
Introducing to Asynchronous Programming
Introducing to Asynchronous ProgrammingIntroducing to Asynchronous Programming
Introducing to Asynchronous ProgrammingАлександр Федоров
 
Computer Networks Lab File
Computer Networks Lab FileComputer Networks Lab File
Computer Networks Lab FileKandarp Tiwari
 
Implementing virtual machines in go & c 2018 redux
Implementing virtual machines in go & c 2018 reduxImplementing virtual machines in go & c 2018 redux
Implementing virtual machines in go & c 2018 reduxEleanor McHugh
 
Assignment no39
Assignment no39Assignment no39
Assignment no39Jay Patel
 
Playing 44CON CTF for fun and profit
Playing 44CON CTF for fun and profitPlaying 44CON CTF for fun and profit
Playing 44CON CTF for fun and profit44CON
 
Rust
RustRust
RustChih-Hsuan Kuo
 
Introduction to ES6 with Tommy Cresine
Introduction to ES6 with Tommy CresineIntroduction to ES6 with Tommy Cresine
Introduction to ES6 with Tommy CresineMovel
 
Kamailio and VoIP Wild World
Kamailio and VoIP Wild WorldKamailio and VoIP Wild World
Kamailio and VoIP Wild WorldDaniel-Constantin Mierla
 
About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014
About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014
About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014Fantix King 王川
 
Torturing the PHP interpreter
Torturing the PHP interpreterTorturing the PHP interpreter
Torturing the PHP interpreterLogicaltrust pl
 
C++ L08-Classes Part1
C++ L08-Classes Part1C++ L08-Classes Part1
C++ L08-Classes Part1Mohammad Shaker
 
Going Loopy: Adventures in Iteration with Go
Going Loopy: Adventures in Iteration with GoGoing Loopy: Adventures in Iteration with Go
Going Loopy: Adventures in Iteration with GoEleanor McHugh
 
Untitled Presentation
Untitled PresentationUntitled Presentation
Untitled PresentationWilliams Hernandez
 
Biografía steven jobs
Biografía steven jobsBiografía steven jobs
Biografía steven jobsJessy Lokis
 

Mais conteúdo relacionado

Mais procurados

The Browser Environment - A Systems Programmer's Perspective
The Browser Environment - A Systems Programmer's PerspectiveThe Browser Environment - A Systems Programmer's Perspective
The Browser Environment - A Systems Programmer's PerspectiveEleanor McHugh
 
Go for the would be network programmer
Go for the would be network programmerGo for the would be network programmer
Go for the would be network programmerEleanor McHugh
 
How to stand on the shoulders of giants
How to stand on the shoulders of giantsHow to stand on the shoulders of giants
How to stand on the shoulders of giantsIan Barber
 
C++ Lambda and concurrency
C++ Lambda and concurrencyC++ Lambda and concurrency
C++ Lambda and concurrency명신 김
 
Distributed Data Structures
Distributed Data StructuresDistributed Data Structures
Distributed Data StructuresPDX Web & Design
 
Computer Networks Lab File
Computer Networks Lab FileComputer Networks Lab File
Computer Networks Lab FileKandarp Tiwari
 
Implementing virtual machines in go & c 2018 redux
Implementing virtual machines in go & c 2018 reduxImplementing virtual machines in go & c 2018 redux
Implementing virtual machines in go & c 2018 reduxEleanor McHugh
 
Assignment no39
Assignment no39Assignment no39
Assignment no39Jay Patel
 
Playing 44CON CTF for fun and profit
Playing 44CON CTF for fun and profitPlaying 44CON CTF for fun and profit
Playing 44CON CTF for fun and profit44CON
 
Introduction to ES6 with Tommy Cresine
Introduction to ES6 with Tommy CresineIntroduction to ES6 with Tommy Cresine
Introduction to ES6 with Tommy CresineMovel
 
About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014
About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014
About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014Fantix King 王川
 
Torturing the PHP interpreter
Torturing the PHP interpreterTorturing the PHP interpreter
Torturing the PHP interpreterLogicaltrust pl
 
Going Loopy: Adventures in Iteration with Go
Going Loopy: Adventures in Iteration with GoGoing Loopy: Adventures in Iteration with Go
Going Loopy: Adventures in Iteration with GoEleanor McHugh
 

Mais procurados (20)

The Browser Environment - A Systems Programmer's Perspective
The Browser Environment - A Systems Programmer's PerspectiveThe Browser Environment - A Systems Programmer's Perspective
The Browser Environment - A Systems Programmer's Perspective
 
Binomial heap
Binomial heapBinomial heap
Binomial heap
 
Go for the would be network programmer
Go for the would be network programmerGo for the would be network programmer
Go for the would be network programmer
 
How to stand on the shoulders of giants
How to stand on the shoulders of giantsHow to stand on the shoulders of giants
How to stand on the shoulders of giants
 
Usp
UspUsp
Usp
 
C++ Lambda and concurrency
C++ Lambda and concurrencyC++ Lambda and concurrency
C++ Lambda and concurrency
 
part2
part2part2
part2
 
Distributed Data Structures
Distributed Data StructuresDistributed Data Structures
Distributed Data Structures
 
Introducing to Asynchronous Programming
Introducing to Asynchronous ProgrammingIntroducing to Asynchronous Programming
Introducing to Asynchronous Programming
 
Computer Networks Lab File
Computer Networks Lab FileComputer Networks Lab File
Computer Networks Lab File
 
Implementing virtual machines in go & c 2018 redux
Implementing virtual machines in go & c 2018 reduxImplementing virtual machines in go & c 2018 redux
Implementing virtual machines in go & c 2018 redux
 
Assignment no39
Assignment no39Assignment no39
Assignment no39
 
Playing 44CON CTF for fun and profit
Playing 44CON CTF for fun and profitPlaying 44CON CTF for fun and profit
Playing 44CON CTF for fun and profit
 
Rust
RustRust
Rust
 
Introduction to ES6 with Tommy Cresine
Introduction to ES6 with Tommy CresineIntroduction to ES6 with Tommy Cresine
Introduction to ES6 with Tommy Cresine
 
Kamailio and VoIP Wild World
Kamailio and VoIP Wild WorldKamailio and VoIP Wild World
Kamailio and VoIP Wild World
 
About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014
About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014
About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014
 
Torturing the PHP interpreter
Torturing the PHP interpreterTorturing the PHP interpreter
Torturing the PHP interpreter
 
C++ L08-Classes Part1
C++ L08-Classes Part1C++ L08-Classes Part1
C++ L08-Classes Part1
 
Going Loopy: Adventures in Iteration with Go
Going Loopy: Adventures in Iteration with GoGoing Loopy: Adventures in Iteration with Go
Going Loopy: Adventures in Iteration with Go
 

Destaque

Biografía steven jobs
Biografía steven jobsBiografía steven jobs
Biografía steven jobsJessy Lokis
 
Global Telecommunications, Hyderabad, Telecommunication Devices
Global Telecommunications, Hyderabad, Telecommunication DevicesGlobal Telecommunications, Hyderabad, Telecommunication Devices
Global Telecommunications, Hyderabad, Telecommunication DevicesIndiaMART InterMESH Limited
 
Linux VDI with OpenStack – How to Deliver Linux Virtual Desktops on Demand
Linux VDI with OpenStack – How to Deliver Linux Virtual Desktops on DemandLinux VDI with OpenStack – How to Deliver Linux Virtual Desktops on Demand
Linux VDI with OpenStack – How to Deliver Linux Virtual Desktops on DemandLeostream
 
Communication and role of social media in pakistan's election 2013
Communication and role of social media in pakistan's election 2013Communication and role of social media in pakistan's election 2013
Communication and role of social media in pakistan's election 2013Muhammad Assad Fahim Khan
 
Jeffrey Selorm Dzata_Mechanical Engineer
Jeffrey Selorm Dzata_Mechanical Engineer Jeffrey Selorm Dzata_Mechanical Engineer
Jeffrey Selorm Dzata_Mechanical Engineer Jeffrey Dzata
 
ドリコムの分析環境とデータサイエンス活用事例
ドリコムの分析環境とデータサイエンス活用事例ドリコムの分析環境とデータサイエンス活用事例
ドリコムの分析環境とデータサイエンス活用事例Yohei Sato
 
Clase 10 enfermedades_infectocontagiosas_de_origen_bacteriano
Clase 10 enfermedades_infectocontagiosas_de_origen_bacterianoClase 10 enfermedades_infectocontagiosas_de_origen_bacteriano
Clase 10 enfermedades_infectocontagiosas_de_origen_bacterianomarta fajardo
 

Destaque (13)

Untitled Presentation
Untitled PresentationUntitled Presentation
Untitled Presentation
 
Biografía steven jobs
Biografía steven jobsBiografía steven jobs
Biografía steven jobs
 
Awards 2015 - deVere Group
Awards 2015 - deVere GroupAwards 2015 - deVere Group
Awards 2015 - deVere Group
 
Global Telecommunications, Hyderabad, Telecommunication Devices
Global Telecommunications, Hyderabad, Telecommunication DevicesGlobal Telecommunications, Hyderabad, Telecommunication Devices
Global Telecommunications, Hyderabad, Telecommunication Devices
 
B.E. CERTIFICATE
B.E. CERTIFICATEB.E. CERTIFICATE
B.E. CERTIFICATE
 
エクセル統計の使い方(分散分析編)
エクセル統計の使い方(分散分析編)エクセル統計の使い方(分散分析編)
エクセル統計の使い方(分散分析編)
 
Linux VDI with OpenStack – How to Deliver Linux Virtual Desktops on Demand
Linux VDI with OpenStack – How to Deliver Linux Virtual Desktops on DemandLinux VDI with OpenStack – How to Deliver Linux Virtual Desktops on Demand
Linux VDI with OpenStack – How to Deliver Linux Virtual Desktops on Demand
 
Communication and role of social media in pakistan's election 2013
Communication and role of social media in pakistan's election 2013Communication and role of social media in pakistan's election 2013
Communication and role of social media in pakistan's election 2013
 
Tokyo r30 anova_part2
Tokyo r30 anova_part2Tokyo r30 anova_part2
Tokyo r30 anova_part2
 
Jeffrey Selorm Dzata_Mechanical Engineer
Jeffrey Selorm Dzata_Mechanical Engineer Jeffrey Selorm Dzata_Mechanical Engineer
Jeffrey Selorm Dzata_Mechanical Engineer
 
ドリコムの分析環境とデータサイエンス活用事例
ドリコムの分析環境とデータサイエンス活用事例ドリコムの分析環境とデータサイエンス活用事例
ドリコムの分析環境とデータサイエンス活用事例
 
The Game Life Cycle & Game Analytics: What metrics matter when?
The Game Life Cycle & Game Analytics: What metrics matter when? The Game Life Cycle & Game Analytics: What metrics matter when?
The Game Life Cycle & Game Analytics: What metrics matter when?
 
Clase 10 enfermedades_infectocontagiosas_de_origen_bacteriano
Clase 10 enfermedades_infectocontagiosas_de_origen_bacterianoClase 10 enfermedades_infectocontagiosas_de_origen_bacteriano
Clase 10 enfermedades_infectocontagiosas_de_origen_bacteriano
 

Semelhante a Whispered secrets

OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowWilliam Lee
 
Secure .NET programming
Secure .NET programmingSecure .NET programming
Secure .NET programmingAnte Gulam
 
How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?Microsoft
 
OpenSSL programming (still somewhat initial version)
OpenSSL programming (still somewhat initial version)OpenSSL programming (still somewhat initial version)
OpenSSL programming (still somewhat initial version)Shteryana Shopova
 
Leap Ahead with Redis 6.2
Leap Ahead with Redis 6.2Leap Ahead with Redis 6.2
Leap Ahead with Redis 6.2VMware Tanzu
 
SSL Failing, Sharing, and Scheduling
SSL Failing, Sharing, and SchedulingSSL Failing, Sharing, and Scheduling
SSL Failing, Sharing, and SchedulingDavid Evans
 
Python postgre sql a wonderful wedding
Python postgre sql a wonderful weddingPython postgre sql a wonderful wedding
Python postgre sql a wonderful weddingStéphane Wirtel
 
Rust "Hot or Not" at Sioux
Rust "Hot or Not" at SiouxRust "Hot or Not" at Sioux
Rust "Hot or Not" at Siouxnikomatsakis
 
So I am writing a CS code for a project and I keep getting cannot .pdf
So I am writing a CS code for a project and I keep getting cannot .pdfSo I am writing a CS code for a project and I keep getting cannot .pdf
So I am writing a CS code for a project and I keep getting cannot .pdfezonesolutions
 
How to Leverage Go for Your Networking Needs
How to Leverage Go for Your Networking NeedsHow to Leverage Go for Your Networking Needs
How to Leverage Go for Your Networking NeedsDigitalOcean
 
HashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureHashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureNicolas Corrarello
 
INTRODUCTION TO SOCKETS IN COMPUTER NETWORKS DEPT OF CSE.ppt
INTRODUCTION TO SOCKETS IN COMPUTER NETWORKS DEPT OF CSE.pptINTRODUCTION TO SOCKETS IN COMPUTER NETWORKS DEPT OF CSE.ppt
INTRODUCTION TO SOCKETS IN COMPUTER NETWORKS DEPT OF CSE.pptsenthilnathans25
 
Introduction to source{d} Engine and source{d} Lookout
Introduction to source{d} Engine and source{d} Lookout Introduction to source{d} Engine and source{d} Lookout
Introduction to source{d} Engine and source{d} Lookout source{d}
 
Information security programming in ruby
Information security programming in rubyInformation security programming in ruby
Information security programming in rubyHiroshi Nakamura
 
IT8761-SECURITY LABORATORY-590519304-IT8761 security labmanual.pdf
IT8761-SECURITY LABORATORY-590519304-IT8761 security labmanual.pdfIT8761-SECURITY LABORATORY-590519304-IT8761 security labmanual.pdf
IT8761-SECURITY LABORATORY-590519304-IT8761 security labmanual.pdfDhanuskarSankar1
 
Using Kamailio for Scalability and Security
Using Kamailio for Scalability and SecurityUsing Kamailio for Scalability and Security
Using Kamailio for Scalability and SecurityFred Posner
 
神に近づくx/net/context (Finding God with x/net/context)
神に近づくx/net/context (Finding God with x/net/context)神に近づくx/net/context (Finding God with x/net/context)
神に近づくx/net/context (Finding God with x/net/context)guregu
 
Is HTML5 Ready? (workshop)
Is HTML5 Ready? (workshop)Is HTML5 Ready? (workshop)
Is HTML5 Ready? (workshop)Remy Sharp
 

Semelhante a Whispered secrets (20)

OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call Flow
 
Secure .NET programming
Secure .NET programmingSecure .NET programming
Secure .NET programming
 
How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?
 
OpenSSL programming (still somewhat initial version)
OpenSSL programming (still somewhat initial version)OpenSSL programming (still somewhat initial version)
OpenSSL programming (still somewhat initial version)
 
Leap Ahead with Redis 6.2
Leap Ahead with Redis 6.2Leap Ahead with Redis 6.2
Leap Ahead with Redis 6.2
 
SSL Failing, Sharing, and Scheduling
SSL Failing, Sharing, and SchedulingSSL Failing, Sharing, and Scheduling
SSL Failing, Sharing, and Scheduling
 
Python postgre sql a wonderful wedding
Python postgre sql a wonderful weddingPython postgre sql a wonderful wedding
Python postgre sql a wonderful wedding
 
Rust "Hot or Not" at Sioux
Rust "Hot or Not" at SiouxRust "Hot or Not" at Sioux
Rust "Hot or Not" at Sioux
 
So I am writing a CS code for a project and I keep getting cannot .pdf
So I am writing a CS code for a project and I keep getting cannot .pdfSo I am writing a CS code for a project and I keep getting cannot .pdf
So I am writing a CS code for a project and I keep getting cannot .pdf
 
How to Leverage Go for Your Networking Needs
How to Leverage Go for Your Networking NeedsHow to Leverage Go for Your Networking Needs
How to Leverage Go for Your Networking Needs
 
HashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureHashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin Infrastructure
 
sockets_intro.ppt
sockets_intro.pptsockets_intro.ppt
sockets_intro.ppt
 
INTRODUCTION TO SOCKETS IN COMPUTER NETWORKS DEPT OF CSE.ppt
INTRODUCTION TO SOCKETS IN COMPUTER NETWORKS DEPT OF CSE.pptINTRODUCTION TO SOCKETS IN COMPUTER NETWORKS DEPT OF CSE.ppt
INTRODUCTION TO SOCKETS IN COMPUTER NETWORKS DEPT OF CSE.ppt
 
Introduction to source{d} Engine and source{d} Lookout
Introduction to source{d} Engine and source{d} Lookout Introduction to source{d} Engine and source{d} Lookout
Introduction to source{d} Engine and source{d} Lookout
 
Information security programming in ruby
Information security programming in rubyInformation security programming in ruby
Information security programming in ruby
 
IT8761-SECURITY LABORATORY-590519304-IT8761 security labmanual.pdf
IT8761-SECURITY LABORATORY-590519304-IT8761 security labmanual.pdfIT8761-SECURITY LABORATORY-590519304-IT8761 security labmanual.pdf
IT8761-SECURITY LABORATORY-590519304-IT8761 security labmanual.pdf
 
Using Kamailio for Scalability and Security
Using Kamailio for Scalability and SecurityUsing Kamailio for Scalability and Security
Using Kamailio for Scalability and Security
 
神に近づくx/net/context (Finding God with x/net/context)
神に近づくx/net/context (Finding God with x/net/context)神に近づくx/net/context (Finding God with x/net/context)
神に近づくx/net/context (Finding God with x/net/context)
 
Sockets intro
Sockets introSockets intro
Sockets intro
 
Is HTML5 Ready? (workshop)
Is HTML5 Ready? (workshop)Is HTML5 Ready? (workshop)
Is HTML5 Ready? (workshop)
 

Mais de Eleanor McHugh

[2023] Putting the R! in R&D.pdf
[2023] Putting the R! in R&D.pdf[2023] Putting the R! in R&D.pdf
[2023] Putting the R! in R&D.pdfEleanor McHugh
 
Generics, Reflection, and Efficient Collections
Generics, Reflection, and Efficient CollectionsGenerics, Reflection, and Efficient Collections
Generics, Reflection, and Efficient CollectionsEleanor McHugh
 
The Relevance of Liveness - Biometrics and Data Integrity
The Relevance of Liveness - Biometrics and Data IntegrityThe Relevance of Liveness - Biometrics and Data Integrity
The Relevance of Liveness - Biometrics and Data IntegrityEleanor McHugh
 
The Browser Environment - A Systems Programmer's Perspective [sinatra edition]
The Browser Environment - A Systems Programmer's Perspective [sinatra edition]The Browser Environment - A Systems Programmer's Perspective [sinatra edition]
The Browser Environment - A Systems Programmer's Perspective [sinatra edition]Eleanor McHugh
 
Go for the paranoid network programmer, 3rd edition
Go for the paranoid network programmer, 3rd editionGo for the paranoid network programmer, 3rd edition
Go for the paranoid network programmer, 3rd editionEleanor McHugh
 
An introduction to functional programming with Go [redux]
An introduction to functional programming with Go [redux]An introduction to functional programming with Go [redux]
An introduction to functional programming with Go [redux]Eleanor McHugh
 
An introduction to functional programming with go
An introduction to functional programming with goAn introduction to functional programming with go
An introduction to functional programming with goEleanor McHugh
 
Identity & trust in Monitored Spaces
Identity & trust in Monitored SpacesIdentity & trust in Monitored Spaces
Identity & trust in Monitored SpacesEleanor McHugh
 
Don't Ask, Don't Tell - The Virtues of Privacy By Design
Don't Ask, Don't Tell - The Virtues of Privacy By DesignDon't Ask, Don't Tell - The Virtues of Privacy By Design
Don't Ask, Don't Tell - The Virtues of Privacy By DesignEleanor McHugh
 
Don't ask, don't tell the virtues of privacy by design
Don't ask, don't tell the virtues of privacy by designDon't ask, don't tell the virtues of privacy by design
Don't ask, don't tell the virtues of privacy by designEleanor McHugh
 
Anonymity, identity, trust
Anonymity, identity, trustAnonymity, identity, trust
Anonymity, identity, trustEleanor McHugh
 
Going Loopy - Adventures in Iteration with Google Go
Going Loopy - Adventures in Iteration with Google GoGoing Loopy - Adventures in Iteration with Google Go
Going Loopy - Adventures in Iteration with Google GoEleanor McHugh
 
Distributed Ledgers: Anonymity & Immutability at Scale
Distributed Ledgers: Anonymity & Immutability at ScaleDistributed Ledgers: Anonymity & Immutability at Scale
Distributed Ledgers: Anonymity & Immutability at ScaleEleanor McHugh
 
Go for the paranoid network programmer, 2nd edition
Go for the paranoid network programmer, 2nd editionGo for the paranoid network programmer, 2nd edition
Go for the paranoid network programmer, 2nd editionEleanor McHugh
 
Finding a useful outlet for my many Adventures in go
Finding a useful outlet for my many Adventures in goFinding a useful outlet for my many Adventures in go
Finding a useful outlet for my many Adventures in goEleanor McHugh
 
Anonymity, trust, accountability
Anonymity, trust, accountabilityAnonymity, trust, accountability
Anonymity, trust, accountabilityEleanor McHugh
 
Implementing Virtual Machines in Go & C
Implementing Virtual Machines in Go & CImplementing Virtual Machines in Go & C
Implementing Virtual Machines in Go & CEleanor McHugh
 
Implementing Virtual Machines in Ruby & C
Implementing Virtual Machines in Ruby & CImplementing Virtual Machines in Ruby & C
Implementing Virtual Machines in Ruby & CEleanor McHugh
 
Privacy is always a requirement
Privacy is always a requirementPrivacy is always a requirement
Privacy is always a requirementEleanor McHugh
 

Mais de Eleanor McHugh (20)

[2023] Putting the R! in R&D.pdf
[2023] Putting the R! in R&D.pdf[2023] Putting the R! in R&D.pdf
[2023] Putting the R! in R&D.pdf
 
Generics, Reflection, and Efficient Collections
Generics, Reflection, and Efficient CollectionsGenerics, Reflection, and Efficient Collections
Generics, Reflection, and Efficient Collections
 
The Relevance of Liveness - Biometrics and Data Integrity
The Relevance of Liveness - Biometrics and Data IntegrityThe Relevance of Liveness - Biometrics and Data Integrity
The Relevance of Liveness - Biometrics and Data Integrity
 
The Browser Environment - A Systems Programmer's Perspective [sinatra edition]
The Browser Environment - A Systems Programmer's Perspective [sinatra edition]The Browser Environment - A Systems Programmer's Perspective [sinatra edition]
The Browser Environment - A Systems Programmer's Perspective [sinatra edition]
 
Go for the paranoid network programmer, 3rd edition
Go for the paranoid network programmer, 3rd editionGo for the paranoid network programmer, 3rd edition
Go for the paranoid network programmer, 3rd edition
 
An introduction to functional programming with Go [redux]
An introduction to functional programming with Go [redux]An introduction to functional programming with Go [redux]
An introduction to functional programming with Go [redux]
 
An introduction to functional programming with go
An introduction to functional programming with goAn introduction to functional programming with go
An introduction to functional programming with go
 
Identity & trust in Monitored Spaces
Identity & trust in Monitored SpacesIdentity & trust in Monitored Spaces
Identity & trust in Monitored Spaces
 
Don't Ask, Don't Tell - The Virtues of Privacy By Design
Don't Ask, Don't Tell - The Virtues of Privacy By DesignDon't Ask, Don't Tell - The Virtues of Privacy By Design
Don't Ask, Don't Tell - The Virtues of Privacy By Design
 
Don't ask, don't tell the virtues of privacy by design
Don't ask, don't tell the virtues of privacy by designDon't ask, don't tell the virtues of privacy by design
Don't ask, don't tell the virtues of privacy by design
 
Anonymity, identity, trust
Anonymity, identity, trustAnonymity, identity, trust
Anonymity, identity, trust
 
Going Loopy - Adventures in Iteration with Google Go
Going Loopy - Adventures in Iteration with Google GoGoing Loopy - Adventures in Iteration with Google Go
Going Loopy - Adventures in Iteration with Google Go
 
Distributed Ledgers: Anonymity & Immutability at Scale
Distributed Ledgers: Anonymity & Immutability at ScaleDistributed Ledgers: Anonymity & Immutability at Scale
Distributed Ledgers: Anonymity & Immutability at Scale
 
Hello Go
Hello GoHello Go
Hello Go
 
Go for the paranoid network programmer, 2nd edition
Go for the paranoid network programmer, 2nd editionGo for the paranoid network programmer, 2nd edition
Go for the paranoid network programmer, 2nd edition
 
Finding a useful outlet for my many Adventures in go
Finding a useful outlet for my many Adventures in goFinding a useful outlet for my many Adventures in go
Finding a useful outlet for my many Adventures in go
 
Anonymity, trust, accountability
Anonymity, trust, accountabilityAnonymity, trust, accountability
Anonymity, trust, accountability
 
Implementing Virtual Machines in Go & C
Implementing Virtual Machines in Go & CImplementing Virtual Machines in Go & C
Implementing Virtual Machines in Go & C
 
Implementing Virtual Machines in Ruby & C
Implementing Virtual Machines in Ruby & CImplementing Virtual Machines in Ruby & C
Implementing Virtual Machines in Ruby & C
 
Privacy is always a requirement
Privacy is always a requirementPrivacy is always a requirement
Privacy is always a requirement
 

Último

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 

Último (20)

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 

Whispered secrets

  • 2. this is supposed to be a talk about code but you need to understand why you need that code we’ll examine some of it later in this talk but the following resources go into more detail some are in Ruby but should translate easily to Go
  • 5. we all have secrets and those secrets matter to us that’s what makes them secrets software should keep our secrets
  • 6. some secrets are awful conspiracy infidelity criminality
  • 7. some secrets are banal bank account numbers embarrassing incidents sexual preferences
  • 8. secrecy should be absolute our tech must protect the awful otherwise it can’t protect the banal
  • 9. but there are laws we must comply with these assist the legitimate reject the illegitimate
  • 11. privacy is not absolute privacy requires mutual trust mutual trust is a contract and contracts can be broken
  • 12. who now trusts Ashley-Madison?
  • 13. today’s topic is applied paranoia
  • 14. paranoia Pronunciation: /ˌparəәˈnɔɪəә/ noun {mass noun} A mental condition characterized by delusions of persecution, unwarranted jealousy, or exaggerated self-importance, typically worked into an organized system. It may be an aspect of chronic personality disorder, of drug abuse, or of a serious condition such as schizophrenia in which the person loses touch with reality. Unjustified suspicion and mistrust of other people: mild paranoia afflicts all prime ministers
  • 15.
  • 16.
  • 17.
  • 18. paranoia Pronunciation: /ˌparəәˈnɔɪəә/ noun {mass noun} The perfectly reasonable belief that someone, somewhere is watching your online behaviour with malicious and/or voyeuristic intent. It may be a result of reading a Hacking Exposed or Hacking for Dummies publication, experiencing the fallout from identity theft, or shopping with bitcoin. Justified suspicion and mistrust of other people: chronic paranoia afflicts all information security professionals accute paranoia afflicts the victims of hacking
  • 19.
  • 20. we have to trust governments governments are privileged if they don’t trust us they can hurt us and there’s not much we can do about it
  • 21.
  • 22. our users have to trust us network services are privileged they store secrets with real-life value users have no way of knowing how well
  • 23. but who can we trust? technology bars the gates but people have to monitor them
  • 24.
  • 26. encrypt all transports • establish a secure channel by exchanging public keys • and check their validity against trusted certificates (SSL, TLS, etc.) • as an added measure pin these certificates (like SSH pins keys) • then exchange symmetric keys for a private secure channel • change these keys frequently (cheap cipher streams) • and pin each distinct message to a distinct key (one-time pads)
  • 27. https
  • 28. package main import . "fmt" import . "net/http" const ADDRESS = ":443" func main() { message := "hello world" HandleFunc("/hello", func(w ResponseWriter, r *Request) { w.Header().Set("Content-Type", "text/plain") Fprintf(w, message) }) ListenAndServeTLS(ADDRESS, "cert.pem", "key.pem", nil) } go for the would-be network programmer http://slides.games-with-brains.net/28
  • 29. package main import . "fmt" import . "net/http" const ADDRESS = ":443" func main() { message := "hello world" HandleFunc("/hello", func(w ResponseWriter, r *Request) { w.Header().Set("Content-Type", "text/plain") Fprintf(w, message) }) ListenAndServeTLS(ADDRESS, "cert.pem", "key.pem", nil) } go for the would-be network programmer http://slides.games-with-brains.net/29
  • 30. package main import . "fmt" import . "net/http" const ADDRESS = ":443" func main() { message := "hello world" HandleFunc("/hello", func(w ResponseWriter, r *Request) { w.Header().Set("Content-Type", "text/plain") Fprintf(w, message) }) ListenAndServeTLS(ADDRESS, "cert.pem", "key.pem", nil) } go for the would-be network programmer http://slides.games-with-brains.net/30
  • 32. package main import "crypto/rand" import "crypto/tls" import . "fmt" func main() { Listen(":443", ConfigTLS("scert", "skey"), func(c *tls.Conn) { Fprintln(c, "hello world") }) } func Listen(a string, conf *tls.Config, f func(*tls.Conn)) { if listener, e := tls.Listen("tcp", a, conf); e == nil { for { if connection, e := listener.Accept(); e == nil { go func(c *tls.Conn) { defer c.Close() f(c) }(connection.(*tls.Conn)) } } } } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, Rand: rand.Reader, } } return } go for the would-be network programmer http://slides.games-with-brains.net/32
  • 33. package main import "crypto/rand" import "crypto/tls" import . "fmt" func main() { Listen(":443", ConfigTLS("scert", "skey"), func(c *tls.Conn) { Fprintln(c, "hello world") }) } func Listen(a string, conf *tls.Config, f func(*tls.Conn)) { if listener, e := tls.Listen("tcp", a, conf); e == nil { for { if connection, e := listener.Accept(); e == nil { go func(c *tls.Conn) { defer c.Close() f(c) }(connection.(*tls.Conn)) } } } } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, Rand: rand.Reader, } } return } go for the would-be network programmer http://slides.games-with-brains.net/33
  • 34. package main import "crypto/rand" import "crypto/tls" import . "fmt" func main() { Listen(":443", ConfigTLS("scert", "skey"), func(c *tls.Conn) { Fprintln(c, "hello world") }) } func Listen(a string, conf *tls.Config, f func(*tls.Conn)) { if listener, e := tls.Listen("tcp", a, conf); e == nil { for { if connection, e := listener.Accept(); e == nil { go func(c *tls.Conn) { defer c.Close() f(c) }(connection.(*tls.Conn)) } } } } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, Rand: rand.Reader, } } return } go for the would-be network programmer http://slides.games-with-brains.net/34
  • 36. package main import . "fmt" import "bufio" import "net" import “crypto/tls" func main() { Dial(":1025", ConfigTLS("ccert", "ckey"), func(c net.Conn) { if m, e := bufio.NewReader(c).ReadString('n'); e == nil { Printf(m) } }) } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, InsecureSkipVerify: true, } } return } func Dial(a string, conf *tls.Config, f func(net.Conn)) { if c, e := tls.Dial("tcp", a, conf); e == nil { defer c.Close() f(c) } } go for the would-be network programmer http://slides.games-with-brains.net/36
  • 37. package main import . "fmt" import "bufio" import "net" import “crypto/tls" func main() { Dial(":1025", ConfigTLS("ccert", "ckey"), func(c net.Conn) { if m, e := bufio.NewReader(c).ReadString('n'); e == nil { Printf(m) } }) } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, InsecureSkipVerify: false, } } return } func Dial(a string, conf *tls.Config, f func(net.Conn)) { if c, e := tls.Dial("tcp", a, conf); e == nil { defer c.Close() f(c) } } go for the would-be network programmer http://slides.games-with-brains.net/37
  • 38. package main import . "fmt" import "bufio" import "net" import “crypto/tls" func main() { Dial(":1025", ConfigTLS("ccert", "ckey"), func(c net.Conn) { if m, e := bufio.NewReader(c).ReadString('n'); e == nil { Printf(m) } }) } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, InsecureSkipVerify: true, } } return } func Dial(a string, conf *tls.Config, f func(net.Conn)) { if c, e := tls.Dial("tcp", a, conf); e == nil { defer c.Close() f(c) } } go for the would-be network programmer http://slides.games-with-brains.net/38
  • 40. package main import "crypto/aes" import "crypto/cipher" import "crypto/rand" import . "net" const AES_KEY = "0123456789012345" func main() { Serve(":1025", func(c *UDPConn, a *UDPAddr, b []byte) { if m, e := Encrypt("Hello World", AES_KEY); e == nil { c.WriteToUDP(m, a) } }) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } func Quantise(m string) (b []byte, e error) { b = append(b, m...) if p := len(b) % aes.BlockSize; p != 0 { p = aes.BlockSize - p // this is insecure and inflexible as we're padding with NUL b = append(b, make([]byte, p)...) } return } func IV() (b []byte, e error) { b = make([]byte, aes.BlockSize) _, e = rand.Read(b) return } func Encrypt(m, k string) (o []byte, e error) { if o, e = Quantise([]byte(m)); e == nil { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte if iv, e = IV(); e == nil { c := cipher.NewCBCEncrypter(b, iv) c.CryptBlocks(o, o) o = append(iv, o...) } } } return } go for the would-be network programmer http://slides.games-with-brains.net/40
  • 41. package main import "crypto/aes" import "crypto/cipher" import "crypto/rand" import . "net" const AES_KEY = "0123456789012345" func main() { Serve(":1025", func(c *UDPConn, a *UDPAddr, b []byte) { if m, e := Encrypt("Hello World", AES_KEY); e == nil { c.WriteToUDP(m, a) } }) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } func Quantise(m string) (b []byte, e error) { b = append(b, m...) if p := len(b) % aes.BlockSize; p != 0 { p = aes.BlockSize - p // this is insecure and inflexible as we're padding with NUL b = append(b, make([]byte, p)...) } return } func IV() (b []byte, e error) { b = make([]byte, aes.BlockSize) _, e = rand.Read(b) return } func Encrypt(m, k string) (o []byte, e error) { if o, e = Quantise([]byte(m)); e == nil { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte if iv, e = IV(); e == nil { c := cipher.NewCBCEncrypter(b, iv) c.CryptBlocks(o, o) o = append(iv, o...) } } } return } go for the would-be network programmer http://slides.games-with-brains.net/41
  • 42. package main import "crypto/aes" import "crypto/cipher" import "crypto/rand" import . "net" const AES_KEY = "0123456789012345" func main() { Serve(":1025", func(c *UDPConn, a *UDPAddr, b []byte) { if m, e := Encrypt("Hello World", AES_KEY); e == nil { c.WriteToUDP(m, a) } }) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } func Quantise(m string) (b []byte, e error) { b = append(b, m...) if p := len(b) % aes.BlockSize; p != 0 { p = aes.BlockSize - p // this is insecure and inflexible as we're padding with NUL b = append(b, make([]byte, p)...) } return } func IV() (b []byte, e error) { b = make([]byte, aes.BlockSize) _, e = rand.Read(b) return } func Encrypt(m, k string) (o []byte, e error) { if o, e = Quantise([]byte(m)); e == nil { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte if iv, e = IV(); e == nil { c := cipher.NewCBCEncrypter(b, iv) c.CryptBlocks(o, o) o = append(iv, o...) } } } return } go for the would-be network programmer http://slides.games-with-brains.net/42
  • 43. package main import "crypto/aes" import "crypto/cipher" import "crypto/rand" import . "net" const AES_KEY = "0123456789012345" func main() { Serve(":1025", func(c *UDPConn, a *UDPAddr, b []byte) { if m, e := Encrypt("Hello World", AES_KEY); e == nil { c.WriteToUDP(m, a) } }) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } func Quantise(m string) (b []byte, e error) { b = append(b, m...) if p := len(b) % aes.BlockSize; p != 0 { p = aes.BlockSize - p // this is insecure and inflexible as we're padding with NUL b = append(b, make([]byte, p)...) } return } func IV() (b []byte, e error) { b = make([]byte, aes.BlockSize) _, e = rand.Read(b) return } func Encrypt(m, k string) (o []byte, e error) { if o, e = Quantise([]byte(m)); e == nil { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte if iv, e = IV(); e == nil { c := cipher.NewCBCEncrypter(b, iv) c.CryptBlocks(o, o) o = append(iv, o...) } } } return } go for the would-be network programmer http://slides.games-with-brains.net/43
  • 44. package main import "crypto/aes" import "crypto/cipher" import "crypto/rand" import . "net" const AES_KEY = "0123456789012345" func main() { Serve(":1025", func(c *UDPConn, a *UDPAddr, b []byte) { if m, e := Encrypt("Hello World", AES_KEY); e == nil { c.WriteToUDP(m, a) } }) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } func Quantise(m string) (b []byte, e error) { b = append(b, m...) if p := len(b) % aes.BlockSize; p != 0 { p = aes.BlockSize - p // this is insecure and inflexible as we're padding with NUL b = append(b, make([]byte, p)...) } return } func IV() (b []byte, e error) { b = make([]byte, aes.BlockSize) _, e = rand.Read(b) return } func Encrypt(m, k string) (o []byte, e error) { if o, e = Quantise([]byte(m)); e == nil { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte if iv, e = IV(); e == nil { c := cipher.NewCBCEncrypter(b, iv) c.CryptBlocks(o, o) o = append(iv, o...) } } } return } go for the would-be network programmer http://slides.games-with-brains.net/44
  • 46. package main import "bufio" import "crypto/cipher" import "crypto/aes" import . "fmt" import . "net" const AES_KEY = "0123456789012345" func main() { Request(":1025", func(c *UDPConn) { c.Write(make([]byte, 1)) if m, e := ReadStream(c); e == nil { if m, e := Decrypt(m, AES_KEY); e == nil { Println(string(m)) } } }) } func Decrypt(m []byte, k string) (r string, e error) { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte iv, m = Unpack(m) c := cipher.NewCBCDecrypter(b, iv) c.CryptBlocks(m, m) r = Dequantise(m) } return } func Unpack(m []byte) (iv, r []byte) { return m[:aes.BlockSize], m[aes.BlockSize:] } func Dequantise(m []byte) string { var i int for i = len(m) - 1; i > 0 && m[i] == 0; i-- {} return string(m[:i + 1]) } func Request(a string, f func(Conn)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() f(conn) } } } go for the would-be network programmer http://slides.games-with-brains.net/46
  • 47. package main import "bufio" import "crypto/cipher" import "crypto/aes" import . "fmt" import . "net" const AES_KEY = "0123456789012345" func main() { Request(":1025", func(c *UDPConn) { c.Write(make([]byte, 1)) if m, e := ReadStream(c); e == nil { if m, e := Decrypt(m, AES_KEY); e == nil { Println(string(m)) } } }) } func Decrypt(m []byte, k string) (r string, e error) { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte iv, m = Unpack(m) c := cipher.NewCBCDecrypter(b, iv) c.CryptBlocks(m, m) r = Dequantise(m) } return } func Unpack(m []byte) (iv, r []byte) { return m[:aes.BlockSize], m[aes.BlockSize:] } func Dequantise(m []byte) string { var i int for i = len(m) - 1; i > 0 && m[i] == 0; i-- {} return string(m[:i + 1]) } func Request(a string, f func(Conn)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() f(conn) } } } go for the would-be network programmer http://slides.games-with-brains.net/47
  • 48. package main import "bufio" import "crypto/cipher" import "crypto/aes" import . "fmt" import . "net" const AES_KEY = "0123456789012345" func main() { Request(":1025", func(c *UDPConn) { c.Write(make([]byte, 1)) if m, e := ReadStream(c); e == nil { if m, e := Decrypt(m, AES_KEY); e == nil { Println(string(m)) } } }) } func Decrypt(m []byte, k string) (r string, e error) { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte iv, m = Unpack(m) c := cipher.NewCBCDecrypter(b, iv) c.CryptBlocks(m, m) r = Dequantise(m) } return } func Unpack(m []byte) (iv, r []byte) { return m[:aes.BlockSize], m[aes.BlockSize:] } func Dequantise(m []byte) string { var i int for i = len(m) - 1; i > 0 && m[i] == 0; i-- {} return string(m[:i + 1]) } func Request(a string, f func(Conn)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() f(conn) } } } go for the would-be network programmer http://slides.games-with-brains.net/48
  • 49. package main import "bufio" import "crypto/cipher" import "crypto/aes" import . "fmt" import . "net" const AES_KEY = "0123456789012345" func main() { Request(":1025", func(c *UDPConn) { c.Write(make([]byte, 1)) if m, e := ReadStream(c); e == nil { if m, e := Decrypt(m, AES_KEY); e == nil { Println(string(m)) } } }) } func Decrypt(m []byte, k string) (r string, e error) { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte iv, m = Unpack(m) c := cipher.NewCBCDecrypter(b, iv) c.CryptBlocks(m, m) r = Dequantise(m) } return } func Unpack(m []byte) (iv, r []byte) { return m[:aes.BlockSize], m[aes.BlockSize:] } func Dequantise(m []byte) string { var i int for i = len(m) - 1; i > 0 && m[i] == 0; i-- {} return string(m[:i + 1]) } func Request(a string, f func(Conn)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() f(conn) } } } go for the would-be network programmer http://slides.games-with-brains.net/49
  • 50. package main import "bufio" import "crypto/cipher" import "crypto/aes" import . "fmt" import . "net" const AES_KEY = "0123456789012345" func main() { Request(":1025", func(c *UDPConn) { c.Write(make([]byte, 1)) if m, e := ReadStream(c); e == nil { if m, e := Decrypt(m, AES_KEY); e == nil { Println(string(m)) } } }) } func Decrypt(m []byte, k string) (r string, e error) { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte iv, m = Unpack(m) c := cipher.NewCBCDecrypter(b, iv) c.CryptBlocks(m, m) r = Dequantise(m) } return } func Unpack(m []byte) (iv, r []byte) { return m[:aes.BlockSize], m[aes.BlockSize:] } func Dequantise(m []byte) string { var i int for i = len(m) - 1; i > 0 && m[i] == 0; i-- {} return string(m[:i + 1]) } func Request(a string, f func(Conn)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() f(conn) } } } go for the would-be network programmer http://slides.games-with-brains.net/50
  • 52. package main import . "bytes" import "crypto/rsa" import "encoding/gob" import "net" func main() { HELLO_WORLD := []byte("Hello World") RSA_LABEL := []byte("served") Serve(":1025", func(c *net.UDPConn, a *net.UDPAddr, b []byte) { var key rsa.PublicKey if e := gob.NewDecoder(NewBuffer(b)).Decode(&key); e == nil { if m, e := Encrypt(&key, HELLO_WORLD, RSA_LABEL); e == nil { c.WriteToUDP(m, a) } } return }) } func Encrypt(key *rsa.PublicKey, m, l []byte) ([]byte, error) { return rsa.EncryptOAEP(sha1.New(), rand.Reader, key, m, l) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } go for the would-be network programmer http://slides.games-with-brains.net/52
  • 53. package main import . "bytes" import "crypto/rsa" import "encoding/gob" import "net" func main() { HELLO_WORLD := []byte("Hello World") RSA_LABEL := []byte("served") Serve(":1025", func(c *net.UDPConn, a *net.UDPAddr, b []byte) { var key rsa.PublicKey if e := gob.NewDecoder(NewBuffer(b)).Decode(&key); e == nil { if m, e := Encrypt(&key, HELLO_WORLD, RSA_LABEL); e == nil { c.WriteToUDP(m, a) } } return }) } func Encrypt(key *rsa.PublicKey, m, l []byte) ([]byte, error) { return rsa.EncryptOAEP(sha1.New(), rand.Reader, key, m, l) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } go for the would-be network programmer http://slides.games-with-brains.net/53
  • 55. package main import "crypto/rsa" import "crypto/rand" import "crypto/sha1" import "crypto/x509" import "bytes" import "encoding/gob" import "encoding/pem" import “io/ioutil" import . "fmt" import . "net" func main() { Request(":1025", "ckey", func(c *net.UDPConn, k *rsa.PrivateKey) { if m, e := ReadStream(c); e == nil { if m, e := Decrypt(k, m, []byte("served")); e == nil { Println(string(m)) } } }) } func LoadPrivateKey(file string) (r *rsa.PrivateKey, e error) { if file, e := ioutil.ReadFile(file); e == nil { if block, _ := pem.Decode(file); block != nil { if block.Type == "RSA PRIVATE KEY" { r, e = x509.ParsePKCS1PrivateKey(block.Bytes) } } } return } func Request(a, file string, f func(*UDPConn, *PrivateKey)) { if k, e := LoadPrivateKey(file); e == nil { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() SendKey(conn, k.PublicKey, func() { f(conn, k) }) } } } } func Decrypt(key *rsa.PrivateKey, m, l []byte) ([]byte, error) { return rsa.DecryptOAEP(sha1.New(), rand.Reader, key, m, l) } func SendKey(c *net.UDPConn, k rsa.PublicKey, f func()) { var b bytes.Buffer if e := gob.NewEncoder(&b).Encode(k); e == nil { if _, e = c.Write(b.Bytes()); e == nil { f() } } } go for the would-be network programmer http://slides.games-with-brains.net/55
  • 56. package main import "crypto/rsa" import "crypto/rand" import "crypto/sha1" import "crypto/x509" import "bytes" import "encoding/gob" import "encoding/pem" import “io/ioutil" import . "fmt" import . "net" func main() { Request(":1025", "ckey", func(c *net.UDPConn, k *rsa.PrivateKey) { if m, e := ReadStream(c); e == nil { if m, e := Decrypt(k, m, []byte("served")); e == nil { Println(string(m)) } } }) } func LoadPrivateKey(file string) (r *rsa.PrivateKey, e error) { if file, e := ioutil.ReadFile(file); e == nil { if block, _ := pem.Decode(file); block != nil { if block.Type == "RSA PRIVATE KEY" { r, e = x509.ParsePKCS1PrivateKey(block.Bytes) } } } return } func Request(a, file string, f func(*UDPConn, *PrivateKey)) { if k, e := LoadPrivateKey(file); e == nil { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() SendKey(conn, k.PublicKey, func() { f(conn, k) }) } } } } func Decrypt(key *rsa.PrivateKey, m, l []byte) ([]byte, error) { return rsa.DecryptOAEP(sha1.New(), rand.Reader, key, m, l) } func SendKey(c *net.UDPConn, k rsa.PublicKey, f func()) { var b bytes.Buffer if e := gob.NewEncoder(&b).Encode(k); e == nil { if _, e = c.Write(b.Bytes()); e == nil { f() } } } go for the would-be network programmer http://slides.games-with-brains.net/56
  • 57. package main import "crypto/rsa" import "crypto/rand" import "crypto/sha1" import "crypto/x509" import "bytes" import "encoding/gob" import "encoding/pem" import “io/ioutil" import . "fmt" import . "net" func main() { Request(":1025", "ckey", func(c *net.UDPConn, k *rsa.PrivateKey) { if m, e := ReadStream(c); e == nil { if m, e := Decrypt(k, m, []byte("served")); e == nil { Println(string(m)) } } }) } func LoadPrivateKey(file string) (r *rsa.PrivateKey, e error) { if file, e := ioutil.ReadFile(file); e == nil { if block, _ := pem.Decode(file); block != nil { if block.Type == "RSA PRIVATE KEY" { r, e = x509.ParsePKCS1PrivateKey(block.Bytes) } } } return } func Request(a, file string, f func(*UDPConn, *PrivateKey)) { if k, e := LoadPrivateKey(file); e == nil { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() SendKey(conn, k.PublicKey, func() { f(conn, k) }) } } } } func Decrypt(key *rsa.PrivateKey, m, l []byte) ([]byte, error) { return rsa.DecryptOAEP(sha1.New(), rand.Reader, key, m, l) } func SendKey(c *net.UDPConn, k rsa.PublicKey, f func()) { var b bytes.Buffer if e := gob.NewEncoder(&b).Encode(k); e == nil { if _, e = c.Write(b.Bytes()); e == nil { f() } } } go for the would-be network programmer http://slides.games-with-brains.net/57
  • 58. aes + rsa —> hybrid crypto
  • 59. encrypt all passwords • accept unicode to expand the symbol space • hash every new password before it’s submitted • always use a cryptograpically secure hash (HMAC) • and a fresh HMAC key for each password (which you must store) • salt the resulting hash when you receive it (and store the salt) • then hash again before storing in your database
  • 60. require two-factor authentication • have the user submit their password over a secure channel • then send them a confirmation code out-of-band • that’s an agreed trust anchor acting as a shared secret • the confirmation code should be big enough to generate a HMAC • and only the HMAC should be submitted • now you have two secure channels based on shared secrets
  • 61. encrypt all storage • secured transport is useless without secured data stores • encrypt all sensitive fields - that probably means all fields • and store HMACs for desired search terms • otherwise you black box is secure but unsearchable • make sure you use different roles for reading, writing and searching • that’s right, your datastore is also a set of secure streams
  • 62. anchor trust internally • establish your own certificate authority • assign fine-grained roles to different components (microservices) • and minimise your threat surface (regular code audits, security logs) • never deploy without a full security audit • and make those deployments immutable • security audits (like QA) are best done by third parties