
Linux Foundation

Tales from the Crypt - A Cryptography Primer

Linux Foundation via YouTube

Overview

Explore a comprehensive cryptography primer in this 52-minute conference talk by Adam Englander from iovation. Gain a working understanding of common cryptographic terms, methodologies, and algorithms, focusing on encryption, digital signatures, and hashing. Learn how to properly secure user credentials and sensitive data by comparing and contrasting cryptographic strengths and randomness. Discover the key drivers for choosing appropriate cryptography techniques, including the importance of computational cost, entropy, and secure pseudo-random number generators. Delve into symmetric and asymmetric key cryptography, understanding their differences and applications. Examine the significance of padding, key derivation functions, and hashing algorithms in enhancing security. Benefit from Englander's 25 years of experience in building communities and applications, as he shares insights on fighting virtual crime and increasing awareness of threats facing the computer science community.

Syllabus

Intro
What To Expect: Gain a working understanding of common terms used in cryptography. Understand the key drivers for choosing cryptography methodologies, algorithms and strengths. Know which PHP modules to use.
How Secret is Secret? Asymmetric Encryption is more secret than Symmetric Encryption. No shared secrets. How predictable is your secret? Who has access to your secrets? Secrets encrypted at rest? Those secrets? Are your secrets encrypted in transit?
Computational Cost: Complexity of algorithm increases cost. Key length increases cost. Some algorithms specifically target memory and thread utilization to increase cost. Feedback loops increase cost.
Achieving Maximum Entropy: Use Cryptographically Secure Pseudo-Random Number Generators (CSPRNG). Salts add global randomness to hashing. Feedback loops add local randomness to block ciphers. Initialization Vectors add global randomness to block ciphers. Some ciphers introduce randomness with padding.
Symmetric Key Cryptography uses shared secrets. Asymmetric Key Cryptography uses private/public key pairs.
Symmetric Key Cryptography: Shared secrets. Lower computation costs than most asymmetric algorithms for same key size. Uses algorithms against blocks or streams of data. Most implementations will use block, as stream ciphers use less resources, making them less secure.
(HMAC) Hashing combined with key. SHA-256 or better is preferred to ensure uniqueness.
Asymmetric Key Cryptography: RSA and DSA are available in PHP. Use RSA. Uses very large prime integers. Very computationally expensive. Uses key pairs to protect secret.
length of the key size. Signatures use hashing. Crypto often mixed with symmetric key cryptography.
Padding is how RSA creates additional entropy. Use Optimal Asymmetric Encryption Padding (OAEP). Do not use PKCS1-V1_5 as it is no longer considered cryptographically secure.
Always use Key Derivation Functions like bcrypt and PBKDF2. If you are currently using MD5 or SHA for hashing, use a random salt with your hash now and a key derivation function soon.
argon2i is the new hotness. scrypt is preferred. bcrypt is acceptable.
Disclaimers: Although every app is different, commonalities exist across most applications. I am only recommending what I know and have vetted directly or indirectly via my work experience. If you think you are different, ask yourself if the advantages outweigh the risks.

Taught by

Linux Foundation
