Top Banner
Robert Boedigheimer @boedie Cryptography 101
22

Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

Sep 09, 2020

Download

Documents

dariahiddleston
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

RobertBoedigheimer@boedie

Cryptography101

Page 2: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

• Webdevelopersince1995• PluralsightAuthor• 3rd DegreeBlackBelt,TaeKwonDo• MicrosoftMVP• ProgressDeveloperExpert- Fiddler

[email protected]• @boedie• weblogs.asp.net/boedie

AboutMe

Page 3: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

• Cryptographyisthescienceofkeepingmessagessecure• WhyCryptography?▫ Confidentiality – protectdatafrombeingread▫ Integrity– verifythatdatawasnotmodified▫ Authentication– identifyandvalidateauser▫ Non-repudiation– sendercannotdenylaterthathesentamessage

• System.Security.Cryptography

Background

Page 4: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

• Whatisyourgoal?(Confidentiality,etc.)• Howmuchisdataworth?• Howlongdoesitneedtobesecured?• Whataretheprimarythreats?▫ Intransit▫ Accessconfigurationfiles▫ Dumpofmemory▫ Modifypages▫ Reverseengineerassemblies▫ …• Companysecuritypolicies?• Regulatorycompliance?• Layereddefenses,howmanyareenough?

• Don’twriteown!!

Considerations

Page 5: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

• …Cng▫ WrapperaroundCryptographyNextGeneration(CNG)

� Activedevelopment,newerOSrequired• …CryptoServiceProvider▫ WrapperaroundWindowsCryptographyAPI(CAPI)

� NolongerdevelopingbutavailableonolderOS• …Managed▫ Writtenentirelyinmanagedcode▫ Need.NETframework▫ NotFIPScompliant

• https://tinyurl.com/o2zgbjk

.NETClassSuffixes

Page 6: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

HashFunctions• One-wayfunction– easytocomputebutsignificantlyhardertoreverse• Hashfunction– convertsavariablelengthinputtoafixedlength▫ Createsa“datafingerprint”(digest)▫ Oktosee,don’tletitbetamperedwith▫ Becarefulwhenlimitedvaluerange!

Page 7: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

• AbstractbaseHashAlgorithm▫ MD5(128bithash)▫ SHA(SecureHashAlgorithm)

� SHA-1(160bithash)� SHA-2

� SHA256� SHA384� SHA512

▫ KeyedHashAlgorithm� HMACSHA1(upto512)� MACTripleDES

(subsetofderivedclassesshown)

HashAlgorithms

Page 8: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

• Goalistoprotectintegrity ofquerystring• UseaHash-basedMessageAuthenticationCode(HMAC)▫ Computethehashofaquerystring whenconstructed▫ Validatequerystring wasnotmodifiedbycomputinghashwithquerystringandcomparingtooriginalhash▫ Usesakeytoensurethatattackercouldnotcreateownvalidhash

TamperproofQuerystrings

Page 9: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

• Consideredbestpracticeforpasswordssincetheycannotberetrieved• Usedforauthentication

• Commonattackagainsthashedpasswordsis“dictionaryattack”▫ Pre-computethehashvaluesofanentiredictionary,comparehashedvaluestohashedpasswordtolookformatches

HashedPasswords

Page 10: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

• Addsomeuniquerandomdatatoeachpassword• Greatlyincreasesworkrequiredtomountadictionaryattackagainstallpasswords,needtopre-computedictionaryhashvaluesforallsaltvalues

• NOTE:Thisdoesnothingtoincreasesecurityforanindividualpasswordifsaltiseasilyfound!(Add“randomdata”todothis…)

SaltedPasswords

Page 11: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

• Computepowerconstantlyincreasing,sobruteforceattacksagainsthashfunctionsarepossible• Adda“workfactor”tothecalculationbasedonanumberofiterations▫ Setiterationstogetacceptabletimeforlogin

• Rfc2898DeriveBytes

PBKDF2(Password-BasedKeyDerivationFunction2)

Page 12: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

• Plaintext– originaldata• Encryption– processofobscuringdata• Ciphertext – encrypteddata• Decryption– processtorecoveroriginaldata

• Cipher– algorithmforperformingencryptionanddecryption

Terminology

Page 13: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

SymmetricAlgorithms• Encryptionanddecryptionusethesame(secret)key• Primaryattackis“bruteforce”keysearch,tryallpossiblekeys• Keydistributionisdifficult

• AbstractclassSymmetricAlgorithm▫ Rijndael (AES)▫ DES▫ TripleDES

Page 14: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

• .NETsymmetricalgorithmsare“blockciphers”• Padding– dataaddedtofilltoblocksize▫ Zeros▫ PKC27▫ ISO10126

• Mode▫ ECB▫ CBC (recommend)

• IV(InitializationVector)▫ Randomdatausedtoseedfirstblock▫ Doesnotneedtobesecret▫ Neverreuse,alwaysuniqueforeachsetofdata!

SymmetricAlgorithms(cont.)

Page 15: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

• Utilizestwocomplimentarykeys(publickeyandprivatekey)• Generally1,000timesslowerthansymmetricalgorithms• Oftenuseasymmetrictoencrypta“session”symmetrickey

• AbstractclassAsymmetricAlgorithm▫ RSA▫ DSA(digitalsignaturesonly)▫ ECDiffieHellman

AsymmetricAlgorithms

Page 16: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

• GenerateanRSAkeypair▫ Storeonlythepublickeyonwebservers▫ Storetheprivatekeyonaninternalsecuredsystemthatneedsthedata• Meantforsmallamountsofdata

WebsiteEncryptingSafely

Page 17: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

• Providesintegrityandnon-repudiation• Hashthecontentsofamessage,signit(encrypt)withsendersprivatekey

• Bydefault,doesnotprovideconfidentiality,canencryptwithreceiverspublickeybeforesigning

DigitalSignatures

Page 18: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

• Certificate(reliesonasymmetricencryption)▫ Server’spublic keyisdigitallysignedbyaCertificateAuthority(CA)• Browserknows“well-known”CA’sandwilltrustcertificatessignedbythem

• TLShandshake▫ Browsergetsservercertificate▫ Browserchoosessymmetrickeytoencrypttraffic,encryptswithserver’spublickey

HTTPS

Page 19: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

• Keysizes▫ Tradeoffperformanceandsecurity▫ SymmetricAESuse256bits▫ AsymmetricRSAuse2048or4096• Keystorage▫ Hardcodedstringsarevisibleifuseadisassembler(likeILDASM)▫ Encrypted<appSetting>sectionofweb.config▫ Splitkeyincode,registry,andconfig files

KeySizesandStorage

Page 20: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

• Don’twriteown!

• Usetrustedalgorithmsandimplementations▫ https://tinyurl.com/o2zgbjk• Usehashingtovalidatetheintegrityofdataortoprovebothknowthesamesecret• Usesymmetricalgorithmsunlesshavespecialneedsforasymmetric(digitalsignatures,keyexchange,etc)• Knowthreats,choosethepropercountermeasures

Summary

Page 21: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

• Pluralsight– IntroductiontoCryptography▫ https://tinyurl.com/kkn3coq

• AppliedCryptography- BruceSchneier• CryptographyEngineering– Ferguson,Schneier,Kohno• UnderstandingCryptography– Paar,Pelzl

• TheCodeBook– SimonSingh• TheCode-Breakers– Kahn

Resources

Page 22: Cryptography 101 - Ilm · •Cryptography is the science of keeping messages secure •Why Cryptography? Confidentiality–protect data from being read Integrity –verify that data

[email protected]• @boedie• weblogs.asp.net/boedie

• Codeandslides- https://tinyurl.com/ybygpvdz

Questions