Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Crypto 101 (en)
Search
Oliver Milke
June 18, 2018
Technology
310
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Crypto 101 (en)
Oliver Milke
June 18, 2018
More Decks by Oliver Milke
See All by Oliver Milke
Crypto 101
omilke
2
900
Jenkins Pipelines in Continuous Action
omilke
0
96
Jenkins Pipelines in Continuous Action (english)
omilke
0
69
4 Kids - Nachwuchsförderung unter der Lupe
omilke
0
63
Other Decks in Technology
See All in Technology
DMM.com 購入改善推進チーム におけるCodeRabbitを用いた レビューフロー改善の一例
ysknsid25
1
520
はじめてのWDM
miyukichi_ospf
1
120
Docker Desktop不要の時代が来る? WSL標準の「wslc」で Linuxコンテナを動かしてみた.
ueponx
0
800
ポストモーテム! DDoSからサイトは守れた。 でもビジネスは守れなかった。
bengo4com
0
1.8k
GuardrailからGovernanceへ~AIエージェント運用の次の課題~
sbspsy
1
220
環境凍結という Toil を倒す -セルフサービス型 Ephemeral テスト環境の 設計と実践
shirouz
1
1.5k
Compose 新機能総まとめ / What's New in Jetpack Compose
yanzm
0
150
プライバシー保護の理論と実践
lycorptech_jp
PRO
1
250
インフラ寄りSREでも 開発に踏み出せる〜境界を越えてユーザー体験に向き合いたい〜
sansantech
PRO
0
2.5k
“ID沼入口” - 基本とセキュリティから始める、考え続けるためのID管理技術勉強会 告知&イントロ
ritou
0
440
Amazon EVS で VCF 9.0 / 9.1 のサポート開始まとめ
mtoyoda
0
280
Agentic AI 時代のテスト手法: Kiro とはじめるプロパティベーステスト (AWS Summit Japan 2026 | DEV212)
ymhiroki
0
220
Featured
See All Featured
The Straight Up "How To Draw Better" Workshop
denniskardys
239
140k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.8k
Conquering PDFs: document understanding beyond plain text
inesmontani
PRO
4
2.9k
Pawsitive SEO: Lessons from My Dog (and Many Mistakes) on Thriving as a Consultant in the Age of AI
davidcarrasco
0
180
Rebuilding a faster, lazier Slack
samanthasiow
85
9.6k
Avoiding the “Bad Training, Faster” Trap in the Age of AI
tmiket
0
190
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
230
23k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
47
8.2k
Collaborative Software Design: How to facilitate domain modelling decisions
baasie
1
260
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
37
6.5k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
17k
Claude Code のすすめ
schroneko
67
230k
Transcript
@OliverMilke @cloudogu
meta 1 Outline | Differentiation 2 About Key Pairs and
Certificates 3 Cipher Suites 4
Developers? 1 Dev Ops? 2
Terms / Concepts • Things I stumbled over myself •
Practise-oriented, not from Scratch Crypto is hard to get right • Dutch Election Security Talk
• > 10 years of Software Development • Crypto and
Security for Mobile Online Services @VW • Software Craftsman @Cloudogu EcoSystem • JUG Ostfalen • Fitness / Freeletics Oliver Milke Software Craftsman https://stackoverflow.com/users/2108 919/omilke https://twitter.com/OliverMilke http://oliver-milke.de/ https://github.com/omilke
meta 1 Outline | Differentiation 2 About Key Pairs and
Certificates 3 Cipher Suites 4
Cryptology Security Cryptography Cryptanalysis … Awareness Processes
https://www.xkcd.com/538/
Confidentiality Integrity Authenticity
SQL encrypted? Authorization: Basic d2lraTpwZWRpYQ== Security through secrecy
of the keys • not secrecy of algorithm • Opposite: Security By Obscurity
Symmetric Encryption • 1 key for encryption / decryption •
fast • Stream Cipher • Block Cipher • Various modes of operation • AES − Rijndael Cipher Cryptographic Hash • One-way function • Resistance to collions • MD*, SHA-*, bCyrpt
Digital Signature • Asymmetrically encrypted hash Asymmetric Encryption • 2
inverse keys (Key Pair) • Operations can be reversed with the other keys • slow
Cryptographically Secure Pseudo-Random Number Generator • True randomness by a
machine? • Nonces • Protection against Replay
one-way functions • „forwards“ easy • „backwards“ hard as in
computationally complex Examples • Multiplication of large primes − RSA • Modular exponentiation − Diffie-Hellman, ElGamal − finite fields / elliptic curves • AES
Specification Implementation Side Channel Attacks
https://www.xkcd.com/936/
Storing for authentication ? Salt • Individual for each password
Pepper • Common for all passwords ! Argon2 PBKDF2 sCrypt / bCrypt
One-way function Integrity can be verified Insecure transmission
• Exchanging original and hash is possible 1010001 Hash
Hash Insecure transmission • Exchanging requires secret H-MAC +
Shared Secret Integrity and Authenticity • Proves knowledge of secret 1010001 0110000
meta 1 Outline | Differentiation 2 About Key Pairs and
Certificates …or: what is a Trust Anchor? 3 Cipher Suites 4
Server Client
Intermediate Certificate Server Certificate Certificate Authority (CA) Root Certificate Client
Server
meta 1 Outline | Differentiation 2 About Key Pairs and
Certificates 3 ECDHE-ECDSA-AES256-GCM-SHA384 …or: what is a Cipher Suite? 4
Connection is encrypted But how? TLS handshake for agreeing
on Cipher Suite ? ECDHE-ECDSA-AES256-GCM-SHA384 ✓ ECDHE-ECDSA-AES256-GCM-SHA384 ✓
Encrypted connection • AES256-GCM-SHA384 But which key? • ECDHE-ECDSA-AES256-GCM-SHA384
Encrypted connection • AES256-GCM-SHA384 • Key Exchange via ECDHE
But is it the expected service? • ECDHE-ECDSA-AES256-GCM-SHA384
Crypto-System with employed primitves • constants describing details Depending
on the protocol • Example is TLS 1.2 • TLS 1.3 employs different concepts
None
Storing passwords ? Mobile Online Services ?
Crypto Lib (bCrypt) http://www.bouncycastle.org/java.html Password Policy http://www.passay.org/ (formerly vt-password)
Password Hashing security.stackexchange.com Thread OWASP Password Storage Cheat Sheet
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet OWASP Forgot Password Cheat Sheet https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
Qualys SSL Lab Server Test https://www.ssllabs.com/ssltest/ ! Mozilla Config Generator
https://mozilla.github.io/server-side-tls/ssl-config-generator/ ! Bruce Schneier https://www.schneier.com/ Security Assessment https://www.keylength.com/
Thank you feedback plz Get in touch • https://twitter.com/OliverMilke •
http://oliver-milke.de/ •
[email protected]
• https://cloudogu.com/en/blog/Crypto-101