Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security – Every Developer’s Responsibility

Security – Every Developer’s Responsibility

Fast tagtäglich werden neue Hacks und Datendiebstähle bekannt. Und niemand ist vor ihnen sicher: große Industrieunternehmen, globale Technologiekonzerne, Finanzinstutionen, Behörden; selbst IT-Sicherheitsdienstleister und den deutschen Bundestag hat es schon getroffen. Besorgnis erregend dabei ist, dass oft immer noch erfolgreich Angriffe benutzt werden, gegen die es längst bekannte und einfach zu implementierende Gegenmaßnahmen gibt. Ein Großteil der Sicherheitsprobleme lassen sich dabei auf Fehler im Design und in der Implementierung zurückführen. In diesem Vortrag von Christoph Iserlohn geht es um die relevanten Grundlagen von Security und um die Frage, warum gerade Entwickler eine besondere Verantwortung tragen.

innoQ Deutschland GmbH

March 15, 2016
Tweet

More Decks by innoQ Deutschland GmbH

Other Decks in Technology

Transcript

  1. Law

  2. #include <sodium.h> int main(void) { if (sodium_init() == -1) {

    return 1; } const unsigned char message[] = "The quick brown fox jumps over the lazy dog"; int message_len = sizeof message; int encrypted_len= message_len + crypto_secretbox_MACBYTES; unsigned char nonce[crypto_secretbox_NONCEBYTES]; unsigned char key[crypto_secretbox_KEYBYTES]; unsigned char encrypted[encrypted_len]; unsigned char plain[message_len]; randombytes_buf(nonce, sizeof nonce); randombytes_buf(key, sizeof key); crypto_secretbox_easy(encrypted, message, message_len, nonce, key); if (crypto_secretbox_open_easy(plain, encrypted, encrypted_len, nonce, key) != 0) { printf("Message has been forged!"); return 1; } printf("Message to encrypt: %s\nCiphertext: ", message); for(int i = 0; i < ciphertext_len; i++) { printf("%02x", ciphertext[i]); } printf("\nDecrypted message: %s\n", decrypted); }
  3. #include <openssl/conf.h> #include <openssl/evp.h> #include <openssl/err.h> #include <string.h> int main

    (void) { unsigned char *key = (unsigned char *)"01234567890123456789012345678901"; unsigned char *iv = (unsigned char *)"01234567890123456"; unsigned char *plain = (unsigned char *)"The quick brown fox jumps over the lazy dog"; unsigned char ciphertext[128]; unsigned char decryptedtext[128]; int decryptedtext_len, ciphertext_len; ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); OPENSSL_config(NULL); ciphertext_len = encrypt(plain, strlen ((char *)plain), key, iv, ciphertext); printf("Ciphertext is:\n"); BIO_dump_fp (stdout, (const char *)ciphertext, ciphertext_len); decryptedtext_len = decrypt(ciphertext, ciphertext_len, key, iv, decryptedtext); decryptedtext[decryptedtext_len] = '\0'; printf("Decrypted text is:\n"); printf("%s\n", decryptedtext); EVP_cleanup(); ERR_free_strings(); }
  4. libcrypto - continued int encrypt(unsigned char *plaintext, int plaintext_len, unsigned

    char *key, unsigned char *iv, unsigned char *ciphertext) { EVP_CIPHER_CTX *ctx; int len; int ciphertext_len; if(!(ctx = EVP_CIPHER_CTX_new())) handleErrors(); if(1 != EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv)) handleErrors(); if(1 != EVP_EncryptUpdate(ctx, ciphertext, &len, plaintext, plaintext_len)) handleErrors(); ciphertext_len = len; if(1 != EVP_EncryptFinal_ex(ctx, ciphertext + len, &len)) handleErrors(); ciphertext_len += len; EVP_CIPHER_CTX_free(ctx); return ciphertext_len; }
  5. libcrypto - continued int decrypt(unsigned char *ciphertext, int ciphertext_len, unsigned

    char *key, unsigned char *iv, unsigned char *plaintext) { EVP_CIPHER_CTX *ctx; int len; int plaintext_len; if(!(ctx = EVP_CIPHER_CTX_new())) handleErrors(); if(1 != EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv)) handleErrors(); if(1 != EVP_DecryptUpdate(ctx, plaintext, &len, ciphertext, ciphertext_len)) handleErrors(); plaintext_len = len; if(1 != EVP_DecryptFinal_ex(ctx, plaintext + len, &len)) handleErrors(); plaintext_len += len; EVP_CIPHER_CTX_free(ctx); return plaintext_len; }
  6. // Create a trust manager that does not validate certificate

    chains TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() { public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; } public void checkClientTrusted(X509Certificate[] certs, String authType) {} public void checkServerTrusted(X509Certificate[] certs, String authType) {} }}; // Install the all-trusting trust manager final SSLContext sc = SSLContext.getInstance("SSL"); sc.init(null, trustAllCerts, new java.security.SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); // Create all-trusting host name verifier HostnameVerifier allHostsValid = new HostnameVerifier() { public boolean verify(String hostname, SSLSession session) { return true; } }; // Install the all-trusting host verifier HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);