End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
Hi, I'm Jeff
The need for applications to speak in encrypted messages is no longer an afterthought; it is
a requirement
What is End-to-End Encryption?
A method of communicating where only the authorized users can read the messages
This method is used by apps like WhatsApp & Signal
It prevents man-in-the-middle attacks
If done right, you need physical access to read the communications
Even if an ISP is asked to supply a customer's communications, it will only appear as..
The recent WikiLeaks show that even.. The CIA could not break End-to-End Encryption
They had to create malware that “uses” the app on your phone in order to read the messages.
Or
Keyloggers that capture the message as you enter it into the program before it is encrypted
So how do we implement this?
We want our system to be as secure as possible
We don't want to store our keys somewhere they can be hacked/stolen. They need to be
generated and one-time use only.
Give Me Your Keys!!!
When encrypting our messages, we also don't want to know the password. They need to be
generated and one-time use only.
We want to use the strongest encryption available
Not SHA-1 ;)
Thanks Google!
We want to sign our message so we know it was not tampered with during transit.
We don't want someone monitoring our network traffic to easily recognize the format of our
messages. The structure should be random.
What are some of the options we have?
Option 01:
JSON Web Tokens
[Slide images: our code and its output]
The Benefits
Our payload is encrypted into a small packet
We can use different algorithms
The Problems
There are too many constants, even when the payload and secret are different
This is partly because the header contains information about what algorithm
is used and the type of token
So it will remain constant if these are the same
The separator is always a period
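The constant header and separator described above, shown as an added example that is not the deck's own code: a standard-library HS256 token builder run over two constructed payloads with two constructed secrets. The function names and sample values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_jwt(payload: dict, secret: bytes) -> str:
    """Build an HS256 token: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"


def verify_jwt(token: str, secret: bytes) -> bool:
    """Recompute the HMAC over header.payload and compare in constant time."""
    signing_input, _, signature = token.rpartition(".")
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(signature, b64url(mac))


def fingerprint(token: str) -> tuple:
    """What a passive observer can match on: first segment and dot count."""
    return token.split(".")[0], token.count(".")


# Constructed sample inputs: different payloads, different secrets.
TOKEN_A = make_jwt({"msg": "hello"}, b"constructed-secret-one")
TOKEN_B = make_jwt({"user": 42, "msg": "something longer"}, b"constructed-secret-two")

if __name__ == "__main__":
    print(TOKEN_A)
    print(TOKEN_B)
    # Same header segment and same two separators despite different inputs.
    print(fingerprint(TOKEN_A) == fingerprint(TOKEN_B))
```

The same payload and secret also always produce the same HS256 token, so repeated messages are recognizable on the wire as well.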
The secret is embedded into our code
Is there a better way?
Option 02:
blanket
[Slide images: our code and its output]
The Benefits
Our outputs are more randomized than in JWT
The secret is generated for us and destroyed after use
The Problems
Our separator could be more random
It is currently a random three-digit number
The message size is much bigger
vs
The Differences
In JSON Web Tokens (JWT)
Even with a new secret, parts of the message structure and output are always the same
In blanket
Our secret is random and the output is always different,
even with the same input
Things We Can Improve
We can randomize the size and location of the separator to further disguise the
structure of our messages
We can use a hardware secret generator
Like YubiKey or Embedded Chips
Over time our own sequence, even though more random, could be discovered. So we should
constantly improve our own code and think of ways to break it
Nothing is ever “secure enough”!
For more information you can visit..
github.com/jpadilla/pyjwt
or
github.com/JeffinkoGuru/blanket