Cryptography 101 - Ilm
Cryptography 101
Author: Jason Erdahl
Created Date: 10/2/2018 8:41:44 PM
Cryptography 101
Robert Boedigheimer
@boedie
About Me
• Web developer since 1995
• Pluralsight Author
• 3rd Degree Black Belt, Tae Kwon Do
• Microsoft MVP
• Progress Developer Expert - Fiddler
• [email protected]
• @boedie
• weblogs.asp.net/boedie
Background
• Cryptography is the science of keeping messages secure
• Why Cryptography?
  ▫ Confidentiality – protect data from being read
  ▫ Integrity – verify that data was not modified
  ▫ Authentication – identify and validate a user
  ▫ Non-repudiation – sender cannot deny later that he sent a message
• System.Security.Cryptography
Considerations
• What is your goal? (Confidentiality, etc.)
• How much is data worth?
• How long does it need to be secured?
• What are the primary threats?
  ▫ In transit
  ▫ Access configuration files
  ▫ Dump of memory
  ▫ Modify pages
  ▫ Reverse engineer assemblies
  ▫ …
• Company security policies?
• Regulatory compliance?
• Layered defenses, how many are enough?
• Don’t write own!!
.NET Class Suffixes
• …Cng
  ▫ Wrapper around Cryptography Next Generation (CNG)
    ▪ Active development, newer OS required
• …CryptoServiceProvider
  ▫ Wrapper around Windows Cryptography API (CAPI)
    ▪ No longer developing but available on older OS
• …Managed
  ▫ Written entirely in managed code
  ▫ Need .NET framework
  ▫ Not FIPS compliant
• https://tinyurl.com/o2zgbjk
Hash Functions
• One-way function – easy to compute but significantly harder to reverse
• Hash function – converts a variable length input to a fixed length
  ▫ Creates a “data fingerprint” (digest)
  ▫ Ok to see, don’t let it be tampered with
  ▫ Be careful when limited value range!
Hash Algorithms
• Abstract base HashAlgorithm
  ▫ MD5 (128 bit hash)
  ▫ SHA (Secure Hash Algorithm)
    ▪ SHA-1 (160 bit hash)
    ▪ SHA-2
      ▪ SHA256
      ▪ SHA384
      ▪ SHA512
  ▫ KeyedHashAlgorithm
    ▪ HMACSHA1 (up to 512)
    ▪ MACTripleDES
(subset of derived classes shown)
Tamperproof Querystrings
• Goal is to protect integrity of querystring
• Use a Hash-based Message Authentication Code (HMAC)
  ▫ Compute the hash of a querystring when constructed
  ▫ Validate querystring was not modified by computing hash with querystring and comparing to original hash
  ▫ Uses a key to ensure that attacker could not create own valid hash
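
The sign-and-validate flow from this slide, as an added C# example (not the speaker's code). It uses HMACSHA256 from System.Security.Cryptography; the QueryStringSigner class, the `sig` parameter name and the sample query are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; QueryStringSigner, the "sig" parameter and the sample query are hypothetical.
public static class QueryStringSigner
{
    // Keyed hash of the query string, hex encoded.
    static string Tag(string query, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(query))).Replace("-", "");
    }

    // Called when the link is constructed: append the tag as the last parameter.
    public static string Sign(string query, byte[] key)
    {
        return query + "&sig=" + Tag(query, key);
    }

    // Called when the request arrives: recompute the tag and compare to the one supplied.
    public static bool Verify(string signedQuery, byte[] key)
    {
        int pos = signedQuery.LastIndexOf("&sig=", StringComparison.Ordinal);
        if (pos < 0) return false;                         // no tag present: reject
        string query = signedQuery.Substring(0, pos);
        string supplied = signedQuery.Substring(pos + 5);
        return FixedTimeEquals(Tag(query, key), supplied);
    }

    // Compare without exiting early so timing does not reveal how many characters matched.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] key = new byte[32];                         // server-side secret, never sent to the client
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);

        string signed = Sign("account=1001&role=user", key);                        // constructed sample
        Console.WriteLine(Verify(signed, key));                                     // query string as issued
        Console.WriteLine(Verify(signed.Replace("role=user", "role=admin"), key));  // modified parameter
    }
}
```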
Hashed Passwords
• Considered best practice for passwords since they cannot be retrieved
• Used for authentication
• Common attack against hashed passwords is “dictionary attack”
  ▫ Pre-compute the hash values of an entire dictionary, compare hashed values to hashed password to look for matches
Salted Passwords
• Add some unique random data to each password
• Greatly increases work required to mount a dictionary attack against all passwords, need to pre-compute dictionary hash values for all salt values
• NOTE: This does nothing to increase security for an individual password if salt is easily found! (Add “random data” to do this…)
PBKDF2 (Password-Based Key Derivation Function 2)
• Compute power constantly increasing, so brute force attacks against hash functions are possible
• Add a “work factor” to the calculation based on a number of iterations
  ▫ Set iterations to get acceptable time for login
• Rfc2898DeriveBytes
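
The Salted Passwords and PBKDF2 slides combined into one added C# example (not the speaker's code): a per-password random salt plus an iteration count, using Rfc2898DeriveBytes. The PasswordHasher class, the stored-string layout and the iteration count are assumptions, and the four-argument constructor with HashAlgorithmName requires .NET Framework 4.7.2 or .NET Core 2.0 or later.

```csharp
using System;
using System.Security.Cryptography;

// Added example; PasswordHasher, the storage layout and the iteration count are assumptions.
public static class PasswordHasher
{
    const int SaltBytes = 16, HashBytes = 32;

    // Returns "iterations.salt.hash" so the salt and work factor travel with the hash.
    public static string Hash(string password, int iterations)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);   // unique per password
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return iterations + "." + Convert.ToBase64String(salt) + "."
                 + Convert.ToBase64String(kdf.GetBytes(HashBytes));
    }

    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations) || iterations < 1)
            return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            int diff = 0;                                   // fixed-time comparison
            for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ expected[i];
            return diff == 0;
        }
    }

    public static void Main()
    {
        // The same password hashed twice gets two salts and two different stored values,
        // so one pre-computed dictionary cannot be reused across accounts.
        string a = Hash("correct horse", 100000);           // constructed sample password
        string b = Hash("correct horse", 100000);
        Console.WriteLine(a != b);
        Console.WriteLine(Verify("correct horse", a));
        Console.WriteLine(Verify("wrong guess", a));
    }
}
```

Storing the iteration count with each hash lets the work factor be raised later without invalidating existing records.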
Terminology
• Plaintext – original data
• Encryption – process of obscuring data
• Ciphertext – encrypted data
• Decryption – process to recover original data
• Cipher – algorithm for performing encryption and decryption
Symmetric Algorithms
• Encryption and decryption use the same (secret) key
• Primary attack is “brute force” key search, try all possible keys
• Key distribution is difficult
• Abstract class SymmetricAlgorithm
  ▫ Rijndael (AES)
  ▫ DES
  ▫ TripleDES
Symmetric Algorithms (cont.)
• .NET symmetric algorithms are “block ciphers”
• Padding – data added to fill to block size
  ▫ Zeros
  ▫ PKCS7
  ▫ ISO10126
• Mode
  ▫ ECB
  ▫ CBC (recommend)
• IV (Initialization Vector)
  ▫ Random data used to seed first block
  ▫ Does not need to be secret
  ▫ Never reuse, always unique for each set of data!
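
The padding, mode and IV rules from this slide in one added C# example (not the speaker's code): AES-256 in CBC mode with PKCS7 padding and a fresh random IV stored in front of each ciphertext. The CbcBox class and the IV-prefixed message layout are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the slides); CbcBox and the IV-prefixed layout are assumptions.
public static class CbcBox
{
    static Aes NewAes(byte[] key)
    {
        var aes = Aes.Create();
        aes.Key = key;
        aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
        aes.GenerateIV();                                   // random IV, new for every instance
        return aes;
    }

    public static byte[] Encrypt(byte[] plaintext, byte[] key)
    {
        using (var aes = NewAes(key))
        using (var enc = aes.CreateEncryptor())
        {
            byte[] iv = aes.IV;
            byte[] body = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            byte[] message = new byte[iv.Length + body.Length];
            Buffer.BlockCopy(iv, 0, message, 0, iv.Length);      // IV is stored in the clear
            Buffer.BlockCopy(body, 0, message, iv.Length, body.Length);
            return message;
        }
    }

    public static byte[] Decrypt(byte[] message, byte[] key)
    {
        using (var aes = NewAes(key))
        {
            byte[] iv = new byte[aes.BlockSize / 8];
            Buffer.BlockCopy(message, 0, iv, 0, iv.Length);      // recover the IV used to encrypt
            using (var dec = aes.CreateDecryptor(aes.Key, iv))
                return dec.TransformFinalBlock(message, iv.Length, message.Length - iv.Length);
        }
    }
    public static void Main()
    {
        byte[] key = new byte[32];                          // 256-bit key
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        byte[] data = Encoding.UTF8.GetBytes("order=1001;amount=25.00");   // constructed sample
        byte[] c1 = Encrypt(data, key), c2 = Encrypt(data, key);
        // Same plaintext and key, different IVs: compare the two ciphertexts.
        Console.WriteLine(Convert.ToBase64String(c1) != Convert.ToBase64String(c2));
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(c1, key)));
    }
}
```

CBC protects confidentiality only; detecting modification of the ciphertext needs a keyed hash over it, as on the Tamperproof Querystrings slide.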
Asymmetric Algorithms
• Utilizes two complementary keys (public key and private key)
• Generally 1,000 times slower than symmetric algorithms
• Often use asymmetric to encrypt a “session” symmetric key
• Abstract class AsymmetricAlgorithm
  ▫ RSA
  ▫ DSA (digital signatures only)
  ▫ ECDiffieHellman
Website Encrypting Safely
• Generate an RSA key pair
  ▫ Store only the public key on web servers
  ▫ Store the private key on an internal secured system that needs the data
• Meant for small amounts of data
Digital Signatures
• Provides integrity and non-repudiation
• Hash the contents of a message, sign it (encrypt) with sender’s private key
• By default, does not provide confidentiality, can encrypt with receiver’s public key before signing
HTTPS
• Certificate (relies on asymmetric encryption)
  ▫ Server’s public key is digitally signed by a Certificate Authority (CA)
• Browser knows “well-known” CAs and will trust certificates signed by them
• TLS handshake
  ▫ Browser gets server certificate
  ▫ Browser chooses symmetric key to encrypt traffic, encrypts with server’s public key
Key Sizes and Storage
• Key sizes
  ▫ Tradeoff performance and security
  ▫ Symmetric AES use 256 bits
  ▫ Asymmetric RSA use 2048 or 4096
• Key storage
  ▫ Hardcoded strings are visible if use a disassembler (like ILDASM)
  ▫ Encrypted <appSetting> section of web.config
  ▫ Split key in code, registry, and config files
Summary
• Don’t write own!
• Use trusted algorithms and implementations
  ▫ https://tinyurl.com/o2zgbjk
• Use hashing to validate the integrity of data or to prove both know the same secret
• Use symmetric algorithms unless have special needs for asymmetric (digital signatures, key exchange, etc)
• Know threats, choose the proper countermeasures
Resources
• Pluralsight – Introduction to Cryptography
  ▫ https://tinyurl.com/kkn3coq
• Applied Cryptography - Bruce Schneier
• Cryptography Engineering – Ferguson, Schneier, Kohno
• Understanding Cryptography – Paar, Pelzl
• The Code Book – Simon Singh
• The Code-Breakers – Kahn
Questions
• [email protected]
• @boedie
• weblogs.asp.net/boedie
• Code and slides - https://tinyurl.com/ybygpvdz