Upload
jeff-lambert
View
616
Download
3
Embed Size (px)
Citation preview
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
The need for applications to speak in encryptedmessages is no longer an after-thought it is
a requirement
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
What is End-to-End Encryption?
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
A method of communicating where only theauthorized users can read the messages
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
This method is used by apps like WhatsApp & Signal
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
It prevents man-in-the-middle attacks
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
If done right, you need physical accessto read the communications
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
Even if an ISP is asked to supply a customerscommunications, it will only appear as..
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
The recent WikiLeaks show that even.. The CIA could not break End-to-End Encryption
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
They had to create malware that “uses” the app onyour phone in order to read the messages.
Or
Keyloggers that capture the message as youenter it into the program before it is encrypted
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
So how do we implement this?
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
We want our system to be as secure as possible
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
We don't want to store our keys somewherethey can be hacked/stolen. They need to be
generated and one-time use only.
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
Give Me Your Keys!!!
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
When encrypting our messages, we also don'twant to know the password. They need to be
generated and one-time use only.
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
We want to use the strongest encryption available
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
Not SHA-1 ;)
Thanks Google!
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
We want to sign our message so weknow it was not tampered with during transit.
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
We don't want someone monitoring our networktraffic to easily recognize the format of our
messages. The structure should be random.
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
What are some of options we have?
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
Option 01:
JSON Web Tokens
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
Output:
Our Code:
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
Our payload is encrypted into a small packet
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
We can use different algorithms
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
There are too many constants, even when thepayload and secret are different
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
This is partly because the header containsinformation about what algorithm
is used and the type of token
So it will remain constant if these are the same
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
The separator is always a period
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
The secret is embedded into our code
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
Is there a better way?
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
Option 02:
blanket
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
Output:
Our Code:
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
Our outputs are more randomized than in JWT
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
The secret is generated for us and destroyed after use
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
Our separator could be more random
It is currently a random three digit number
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
The message size is much bigger
vs
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
In JSON Web Tokens (JWT)
Even with a new secret, parts of the message structure and output are always the same
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
In blanket
Our secret is random and the output is always different,
even with the same input
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
Things We Can Improve
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
We can randomize the size and location of theseparator to further disguise the
structure of our messages
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
We can use a hardware secret generator
Like YubiKey or Embedded Chips
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
Over time our own sequence, even though morerandom, could be discovered. So we should
constantly improve our own code and think of ways to break it
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
Nothing is ever “secure enough”!
End-to-End Encryption in Distributed Applications
@jeffinkoguru – [email protected]
For more information you can visit..
github.com/jpadilla/pyjwt
or
github.com/JeffinkoGuru/blanket