Cryptography for [web]app developers Sean Comeau
Page 1: Cryptography for [web]app developers

Cryptography for [web]app developers

Sean Comeau

Page 2: Cryptography for [web]app developers

Who am I

• Security and crypto enthusiast

• Not a professional cryptographer

• Can probably judge whether or not your project requires professional advice

Page 3: Cryptography for [web]app developers

Why should you care?

Page 4: Cryptography for [web]app developers

What crypto can and can't do

Encryption / Confidentiality

Authentication / Integrity

Identification / Authenticity

Page 5: Cryptography for [web]app developers

Talk Outline

• One-way hash functions

• Private key cryptography

• Public key cryptography

• Digital signatures

• Secure pseudorandom number generation

Page 6: Cryptography for [web]app developers

Hash functions

• md5("hello") = 5d41402abc4b2a76b9719d911017c592

• sha1("hello") = aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d

• sha256("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

Page 7: Cryptography for [web]app developers

Ideal hash functions

• easy to compute the hash value for any given message

• infeasible to generate a message that has a given hash

• infeasible to modify a message without changing the hash

• infeasible to find two different messages with the same hash
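The properties above can be checked on the digests from the "Hash functions" slide. The following is an added example, not part of the original slides: it recomputes the three digests of "hello", counts how many SHA-256 output bits change when one input bit is flipped, and shows why digest length matters by finding two messages that agree on only the first 24 bits of SHA-256. The function names and the `msg-N` inputs are assumptions made for this illustration.

```python
import hashlib

# Digests of "hello" exactly as printed on the "Hash functions" slide.
SLIDE_DIGESTS = {
    "md5": "5d41402abc4b2a76b9719d911017c592",
    "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
    "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",
}


def check_slide_digests(message=b"hello"):
    """Recompute each digest and report whether it matches the slide."""
    return {name: hashlib.new(name, message).hexdigest() == expected
            for name, expected in SLIDE_DIGESTS.items()}


def bits_changed(a, b, algo="sha256"):
    """Number of digest bits that differ between messages a and b."""
    da = int.from_bytes(hashlib.new(algo, a).digest(), "big")
    db = int.from_bytes(hashlib.new(algo, b).digest(), "big")
    return bin(da ^ db).count("1")


def prefix_bits(message, bits, algo="sha256"):
    """First `bits` bits of the digest, as an integer."""
    digest = hashlib.new(algo, message).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits)


def truncated_collision(bits=24, algo="sha256"):
    """Find two distinct messages whose digests share the first `bits` bits.

    Constructed inputs: msg-0, msg-1, ... A match is expected after roughly
    2**(bits/2) messages (birthday bound), far fewer than 2**bits.
    """
    seen = {}
    counter = 0
    while True:
        msg = b"msg-%d" % counter
        prefix = prefix_bits(msg, bits, algo)
        if prefix in seen:
            return seen[prefix], msg, counter + 1
        seen[prefix] = msg
        counter += 1


if __name__ == "__main__":
    print(check_slide_digests())
    print(bits_changed(b"hello", b"helln"), "of 256 bits differ")
    print(truncated_collision())
```

The truncated match appears after a few thousand messages, which is why a digest cut down to a short tag cannot be relied on for the collision-resistance property, while the full 256-bit digests of the same two messages still differ.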

Page 8: Cryptography for [web]app developers

Leakage of our secrets (monthly)

Page 9: Cryptography for [web]app developers

Private Key Crypto

• Cleartext = the unencrypted, readable data we care about.

• Ciphertext = the message after encryption, the data the adversary gets to see.

• Key = the secret required to encrypt and decrypt the message

• Encryption: ciphertext = f(key, cleartext)

• Decryption: cleartext = f(key, ciphertext)

Page 10: Cryptography for [web]app developers

Block vs. Stream

• Avoid stream ciphers.

• Use AES with 256-bit keys. It’s a block cipher.

Page 11: Cryptography for [web]app developers

Modes of Operation

XTS for file systems

CTR mode for anything else

Page 12: Cryptography for [web]app developers

Public Key Crypto

• Use RSA

• Use 4096-bit keys

• Great for securely logging things

• Just use GnuPG

• If you can’t just use GnuPG, get help

• Just need key agreement? Curve25519

Page 13: Cryptography for [web]app developers

Asymmetric Digital Signatures

Page 14: Cryptography for [web]app developers

Symmetric Digital Signatures

Page 15: Cryptography for [web]app developers

Random

Page 16: Cryptography for [web]app developers

Questions?