building encrypted apis with https and paillier
TRANSCRIPT
![Page 1: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/1.jpg)
Building Encrypted APIswith
HTTPS and Paillier
Nick Doiron - @mapmeld~30 min + questions
![Page 2: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/2.jpg)
About meTraveling web dev and mapmaker
Some useful things:
One Laptop per Child, Code for America,Myanmar 2015 election API
Some useless things:
Fortran.io, GitJK
(can answer Qs in Spanish… maybe)
![Page 3: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/3.jpg)
What’s so special about HTTPS?HTTP is easy to track, intercept, modify, or forge
HTTPS encrypts page’s
- URL (beyond subdomain.domain.com)- content
An HTTPS certificate shows that the content was encrypted by the domain(no modifying / forgery)
Forward secrecy: compromised key can’t decode old sessions (iOS mandatory)
HTTPS critical for news, political sites: https://securethe.news/sites/
![Page 4: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/4.jpg)
![Page 5: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/5.jpg)
Some JS won’t run without HTTPS
Web crypto API (OpenPGP.js)
getUserMedia (camera/mic)
![Page 6: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/6.jpg)
Where do certs come from?
![Page 7: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/7.jpg)
Certificate Authorities (and uber-authorities)
![Page 8: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/8.jpg)
Team started in 2012: FREE HTTPS ON DEMAND
Public beta in December 2015 - over 24 million in one year!
![Page 9: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/9.jpg)
LetsEncrypt: can I do it?- github.com/certbot/certbot, written in Python, maintained with EFF
- you could have a big impact on online security, by helping out this repo
- ./certbot-auto CLI- No wildcard domains- Easier if you run in sudo- Apache or Nginx auto-setups (you should be using one already)- Also does renewals
![Page 10: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/10.jpg)
Checking your HTTPS settingsSSL Labs: grades your HTTPS security on several settings
![Page 11: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/11.jpg)
OverEncrypt
Hacker News bait - Security beyond LetsEncrypt Defaults
Apache/Nginx config
- Is this necessary?- ‘Stormchaser’
- Steps reviewableon SSL Labs
![Page 12: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/12.jpg)
Must-Staple
OCSP Stapling = standard to publicly notify when revoking certificates
Must-Staple tells browser to always check that the cert has not been revoked
LetsEncrypt supports it, but does not auto-enable
![Page 13: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/13.jpg)
Certificate Transparency
Mostly forward-thinking and not fully used today
LetsEncrypt posts every cert issued, on https://crt.sh
Goal is to notice unusual and distrust non-public certs
More info: https://certificate-transparency.org
![Page 14: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/14.jpg)
Public Key Pinning
WARNING: this can brick your entire domain
Tells browsers to only allow certs with a certain SHA256 hash
I recommend current cert + root cert (renewal gives you a brand new cert and hash)But then you are tied to LetsEncrypt :-\
![Page 15: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/15.jpg)
Allow Preload
Used on major websites, governments, etc
Most major browsers have a list of expected certs for these websites, you can apply
Avoids attacks on cert authorities, first-time users
![Page 16: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/16.jpg)
OverEncrypt CLI
I’m developing a CLI to recommend or make these changes automatically
https://github.com/mapmeld/overencrypt
Python Nginx-config-parser broke on my settings (?)
![Page 17: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/17.jpg)
General Tips
and future notes
And you can start
living in the future NOW
![Page 18: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/18.jpg)
UUID - don’t use sequential IDs
![Page 19: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/19.jpg)
Future: Quantum Computers and BoringSSL
BoringSSL:
- initially created by Google to avoid sketchy OpenSSL code
- recently testing ‘A New Hope’- Ring Learning With Errors > Lattice-based
Encryption > Post-Quantum Encryption
![Page 20: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/20.jpg)
Future: Homomorphic Encryption
What if I could send you encrypted data and numbers,
and you could run code / operations on it,
without ever decrypting it?
1st fully-homomorphic algorithm in 2009
Potential for e-voting, private medical data, exchange rates, searching encrypted data
![Page 21: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/21.jpg)
Crypto-GeoFence project
Uses partially-homomorphic encryption called Paillier cryptosystem
Check if client’s latitude / longitude is in the target area
- don’t reveal client location to server- don’t reveal target area to client
github.com/Georeactor/crypto-geofence
![Page 22: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/22.jpg)
Crypto-GeoFence
pip install phe (partially-homomorphic encryption)
![Page 23: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/23.jpg)
X > Left_Border&&X > Right_Border
X > Left_Border&&X < Right_Border
![Page 24: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/24.jpg)
Crypto-GeoFence
Calculate distance to sides
Randomize
Client can decrypt if it is inside the box
![Page 25: Building Encrypted APIs with HTTPS and Paillier](https://reader031.vdocuments.site/reader031/viewer/2022022112/58ad20e51a28ab50728b5c77/html5/thumbnails/25.jpg)
Thank you - Muchas gracias - Questions?Nick Doiron - @mapmeld