Click here to load reader

Cryptography for [web]app developers

  • View

  • Download

Embed Size (px)

Text of Cryptography for [web]app developers

Cryptography for [web]app developers

Cryptography for [web]app developersSean ComeauWho am ISecurity and crypto enthusiastNot a professional cryptographerCan probably judge whether or not your project requires professional advice

Why should you care?

What crypto can and can't doEncryption /ConfidentialityAuthentication /Integrity Identification /Authenticity

Talk OutlineOne-way hash functionsPrivate key cryptographyPublic key cryptographyDigital signaturesSecure pseudorandom number generation

Hash functionsmd5("hello") = 5d41402abc4b2a76b9719d911017c592sha1("hello") = aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434dsha256("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

Ideal hash functionseasy to compute the hash value for any given messageinfeasible to generate a message that has a given hashinfeasible to modify a message without changing the hashinfeasible to find two different messages with the same hash

Leakage of our secrets (monthly)

Private Key CryptoCleartext = the unencrypted, readable data we care about.Ciphertext = the message after encryption, the data the adversary gets to see.Key = the secret required to encrypt and decrypt the messageEncryption: ciphertext = f(key, cleartext)Decryption: cleartext = f(key, ciphertext)Block vs. StreamAvoid stream ciphers.Use AES with 256 bit keys. Its a block cipher.Modes of OperationXTS for file systemsCTR mode for anything else

Public Key CryptoUse RSAUse 4096 bit keysGreat for securely logging thingsJust use GnuPGIf you cant just use GnuPG, get helpJust need key agreement? Curve25519

Asymmetric Digital Signatures

Symmetric Digital Signatures