Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Crypto 101 by Laurens Van Houtven
Search
PyCon 2013
March 16, 2013
Programming
10
1.4k
Crypto 101 by Laurens Van Houtven
PyCon 2013
March 16, 2013
Tweet
Share
More Decks by PyCon 2013
See All by PyCon 2013
Bayesian statistics made simple by Allen Downey
pyconslides
32
6.3k
Python for Humans
pyconslides
40
6.6k
Contribute with me! Getting started with the tools of free software development by Jessica McKellar
pyconslides
11
2k
ApplePy: An Apple ][ emulator in Python by James Tauber
pyconslides
3
1.5k
Use curses, don't swear by Sean Zicari
pyconslides
2
1.4k
Namespaces in Python by Eric Snow
pyconslides
9
1.8k
Internationalization and Localization Done Right by Ruchi Varshney
pyconslides
9
1.1k
"Good Enough" is good enough! by Alex Martelli
pyconslides
13
2.5k
Plover: Thought to Text at 240 WPM by Mirabai Knight
pyconslides
1
1.2k
Other Decks in Programming
See All in Programming
StarlingMonkeyを触ってみた話 - 2024冬
syumai
3
280
わたしの星のままで一番星になる ~ 出産を機にSIerからEC事業会社に転職した話 ~
kimura_m_29
0
190
[JAWS-UG横浜 #76] イケてるアップデートを宇宙いち早く紹介するよ!
maroon1st
0
500
各クラウドサービスにおける.NETの対応と見解
ymd65536
0
160
バグを見つけた?それAppleに直してもらおう!
uetyo
0
180
Semantic Kernelのネイティブプラグインで知識拡張をしてみる
tomokusaba
0
180
Go の GC の不得意な部分を克服したい
taiyow
3
830
nekko cloudにおけるProxmox VE利用事例
irumaru
3
450
テストコードのガイドライン 〜作成から運用まで〜
riku929hr
5
910
Асинхронность неизбежна: как мы проектировали сервис уведомлений
lamodatech
0
930
MCP with Cloudflare Workers
yusukebe
2
220
これでLambdaが不要に?!Step FunctionsのJSONata対応について
iwatatomoya
2
3.7k
Featured
See All Featured
Faster Mobile Websites
deanohume
305
30k
A Philosophy of Restraint
colly
203
16k
Designing on Purpose - Digital PM Summit 2013
jponch
116
7k
Building Applications with DynamoDB
mza
91
6.1k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
2
290
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
The Language of Interfaces
destraynor
154
24k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
17
2.3k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
2k
Bash Introduction
62gerente
609
210k
Transcript
Crypto 101 @lvh
@lvh
[email protected]
None
None
None
POST /quantum HTTP/1.1
None
Lightning Talk Version
In motion: TLS
At rest: GPG
(Py)NaCl KeyCzar cryptlib
If you are typing the letters A-E-S into your code,
you’re doing it wrong.
DES: extra wrong MD5, SHA: maybe wrong
Why stay?
Recognizing wrong stuff still matters
Understanding stuff still matters
None
None
xor
1 ^ 0 == 1 0 ^ 1 == 1
1 ^ 1 == 0 0 ^ 0 == 0
Invert? Input Output
Invert: yes (1) Input: 1 Output: 0
Invert: no (0) Input: 1 Output: 1
One-time Pad
1110010101010110 1010100000111101 0100101010101010 ...
OTP crypto XWCVPR
Perfect secrecy
0? 1? 1
1? 0? 1
None
None
None
Victory!
len(one_time_pad)
== len(all_data_ever)
== very_big_number
Exchange?
Ciphers
Block Ciphers
Block Cipher Key abc XYZ Ciphertext Same fixed size Plaintext
Fixed size
P C
Random permutation
000: 001 001: 010 010: 111 011: 000 100: 110
101: 011 110: 100 111: 101
x, C(k, x) vs y, C(k, y)
P C
AES
Blowfish/Twofish
DES/3DES
Victory!
“Hello”
with open(“x.jpg”) as f: send(f, you)
Block Cipher
len(message) > block_size
aes.block_size == 128 (16 bytes)
Stream Ciphers
Native stream ciphers
RC4
Salsa20 ChaCha20
Implemented as construction with block ciphers
abcdefghijklmnopqrstuvw C k C k C k C k C
k C k C k { { { { { { { { C k padding KEGASVTPCFDRUWBOJNMHXQIL { { { { { { { {
ECB
plaintext chunk ciphertext chunk
None
None
None
None
Replay Attacks
None
None
Block Cipher Modes of Operation
ECB, (P)CBC, CFB, OFB, CTR
ECB, (P)CBC, CFB, OFB, CTR
CBC
Most common in the wild
BEAST
CTR
{nonce}{count:08d}
D501320200000000 D501320200000001 D501320200000002 Nonce Count . . .
C k C k D501320200000000, D501320200000001, ... D1DC4D1FE3679212, 0FD25C7B1CF46485, ...
D1DC4D1FE3679212 0FD25C7B1CF46485 ...
Keystream
Pseudo-OTP
GCM, EAX, OCB, IAPM, CCM, CWC
GCM, EAX, OCB, IAPM, CCM, CWC
PATENT PENDING
Victory!
None
Key exchange?
In person?
None
O(n2)
Diffie-Hellman Key Exchange
None
= +
= + +
- =
Internet Me You
None
+ = + =
None
None
+ = + =
= + + + +
Victory!
None
Cease fire! ZSTAMUTJMEFFILH Cease fire!
Attack at dawn! HUWKEMMQTXMR Attack at dawn!
Authenticity
sender == expected_sender
message == expected_message
Encryption without authentication
Almost certainly wrong
Attackers don’t need to decrypt to modify
Cryptographic hash functions
lorem ipsum 358d846c39 digest (state) fixed size message arbitrary size
Hash Function
lorem ipsum 358d846c39 Hash Function
lorem ipsum 358d846c39 Hash Function
lorem python 358d846c39 lorem ipsum 358d846c39 Hash Function Hash Function
lorem python 358d846c39 lorem ipsum 358d846c39 Hash Function Hash Function
That’s it.
H(x) can be used to compute H(f(x))
Extension attacks
hf = HF(“hello pycon\n”) hf.update(“how are you”) hf.hexdigest()
hf = HF(state=your_hash) hf.update(my_string) hf.hexdigest()
my_string = “\nI am not attending, because I have switched
to PHP”
Payment processor
MD5(secret + amount)
$12.00: “1200”
hf = HF(state=your_hash) hf.update(“0” * 12) hf.hexdigest()
bwall/HashPump
SHA-3 era: fixed (SHA-3, BLAKE2)
SHA-256, SHA-3 (both are fine)
BLAKE2
MAC
H(x) can be used to compute H(f(x))
MAC(k, x) says nothing about MAC(k, f(x))
MAC(k, x) says nothing about MAC(k, y)
HMAC
hmac(k, hf, msg)
import hmac
Password storage
CHFs are WRONG
password 45ed8f8c31 Hash Function
Brute force?
None
ATI HD 5970, 2GB 5.6e9 MD5/s 2.3e9 SHA2/s
None
SHA-3?
lorem ipsum 358d846c39 Hash Function
SHA-2-256: 14 cpb SHA-3-256: 11 cpb (Intel Ivy Bridge/Sandy Bridge)
Salts?
Dictionary attacks
KDFs should be hard to compute
bcrypt (tunably) time-hard
scrypt time- and space-hard
Sender authentication?
None
Public key Cryptography
None
None
None
Key generation
me me you you
me you
Encryption
PK Enc you hello world BXUWD VWQEF
Decryption
PK Dec you hello world BXUWD VWQEF you
Signing
Anyone can use my public key
How do I know you’re you?
PK Dec you Signature HF(m) you
PK Enc you Signature HF(m)
RSA
Victory!
“me” == actually me?
Chains of signatures
I don’t trust you.
But X trusts you.
And I trust X.
So I trust you.
GPG key signing
SSL
TLS
None
version, ciphersuites, ...
Key exchange method (RSA, DH, ...)
Signing algorithm (RSA, DSA, ECDSA)
Bulk encryption algorithm (AES-CBC, RC4...)
MAC algorithm (HMAC-{MD5, SHA2})
version, ciphersuites, ...
✓
RSA Enc srvr random secret OUTDX BHXUS
OUTDXBHXUS
RSA Dec srvr random secret OUTDX BHXUS srvr
random secret AES MAC random secret AES MAC
MAC
None
Encrypted + Authenticated
✓
None
CAs
...
None
valid vs trustworthy?
valid vs trustworthy?
What if I plant a root cert?
sslbump
ICAP/eCAP
lvh/minitrue
Questions?
Timing attacks
Side-channel
Implementation, not theory
None
None
None
None
None
provided == password
compare length
compare byte by byte
“abc” == “xyz”
“abc” == “ayz”
“abc” == “abz”
len(alpha) ** len(pw)
X * X * X * .... len(alpha) possibilities len(pwd)
times
k * len(alpha) * len(pw) possibilities measurements characters
More TLS
Client certificates
Ephemeral Diffie-Hellman
Elliptic Curves ECDH/ECDSA