
Adam Englander - Tales from the Crypt. A Crypto Primer - BSides San Diego 2017

BSides San Diego · 49:36 · 58 views · Published 2017-01 · Watch on YouTube
About this talk
Transcript [en]

I've got to say, this is the most people I've ever had at a conference for crypto. I'm in the right place, and it's not the first one of the morning either, so I appreciate it. This talk is Tales from the Crypt, a cryptography primer. I'm Adam Englander, and if you want to say things about my presentation, there's my Twitter. So who am I? I'm a senior engineer at iovation, which is a fraud security company. I'm an IoT enthusiast; I love building little things and talking with people about how they have terrible security for them. And I am a national junior basketball girls coach, Division One, which is truly my

passion. So who I'm not: I am not an official security researcher. I work for a company that is a security company, so I have to understand a lot of this stuff, but it's not my job. I'm not a cryptographer, because I don't have a PhD in mathematics, and again, I'm not a mathematician. That said, you don't have to be any of these things to understand how crypto works, which is what my talk is really about. What we're going to discuss is some of the common methods and terms used in cryptography, maybe a little more familiar to this crowd, and specifically in applications. One of the things that I found is I

was in fintech for seven years and I was using crypto wrong, because it wasn't really what we did, right? It was something we had to do. We were PCI compliant and we passed all of our specifications, but if somebody ever grabbed hold of our stuff and really, really wanted it, they would have had it, because we were doing some things really, really terribly. I didn't learn that until I came to a security company where I had to actually learn how to do encryption, learn how to properly do digital signatures, and learn what was acceptable, what wasn't acceptable, what's hackable, what's not hackable. So we'll talk a little bit about that. For those of you who don't

know, cryptography, according to Wikipedia, is the practice and study of techniques for secure communication in the presence of third parties called adversaries. Fortunately, I don't have any adversaries here, I hope. What does that actually mean? What that means is cryptography obscures data in a way that's difficult and costly to duplicate in reverse. There have probably been a couple of talks, I thought of this one, definitely at some of the other BSides conferences, on rainbow tables and the super easy ways to go crack people's passwords. We have it at work, right? We have a little machine; we get a password list, we'll throw it on it just

to see where things are, because we hate passwords and we're trying to eradicate them, so we like to try and find out just how bad they are and how bad people's passwords are. But we still have to use them, unfortunately. The world still has passwords and the world will have passwords for a while, and we don't want to get into the whole biometrics thing and how dangerous that is. Saving your data against attackers is super, super important. If someone gets hold of your data, your last defense is that they can't actually do anything with it, or they won't be able to do it in your lifetime anyway,

which is important, and it brings us to the difference between good cryptography and bad cryptography. So how many people know what entropy is? Almost half. Good cryptography has a high level of entropy. That means that it's very difficult to predict the data, as far as recognizing patterns, which is super important. A lot of what I'm going to talk about today is how you can use the exact same functionality and the same algorithms and get very, very low levels of entropy. It's not what you want to do; it's not going to protect you. Entropy is important because all

data has patterns. As researchers you know, right, that certain people are going to have the same username, the same password. You will probably know that up until, I believe, 8 years ago, the middle of the social security number was where you got your social security card, and so there are pieces of a social security number that are going to be more prevalent. A particular first number is going to be more prevalent. On a birth date, a particular number is going to be more prevalent; there are going to be more ones, you know, 31-day months that

are going to be in there. So there are certain patterns that show up in data: people's names, letters that are used, things like that. Even in kind of arbitrary data, if you do enough research and you see enough data, you can recognize patterns, right? We build all these systems to go recognize patterns and they do it really, really well, and that can be used against you on your data. So it's super important that when you encrypt data or you're creating key derivations, they don't have recognizable patterns. This is from Wikipedia; we have this image. This is Tux, and this is an encrypted version of

Tux, right? Seven years ago that was considered secure, right? You can absolutely tell that that is Tux. That is a terrible level of entropy right there; there are patterns that are distinguishable, because I can guess by looking at it, you can tell what pieces are the same color. That's not what you want. So how do you increase entropy? That's a big one, and the way to do it is you mix in, it's a very long thing to say, cryptographically secure pseudo-random data. When you do that, in most cryptography it's in the form of an initialization vector for block

ciphers, or you use it as a salt if you're doing key derivation, or password hashing as most people call it. You also increase entropy with feedback loops. An example of a feedback loop is cipher block chaining. What you can see here is you're creating entropy by starting off with an initialization vector. You have an initialization vector for two reasons. One is because you have to start somewhere, right? The algorithm has a way to act, and if it doesn't have data it's not complete. The other reason for it is that if you do it correctly, that initialization vector is random data, cryptographically secure pseudo-random

data, so that even if you have the same value that you're encrypting, it is different every time you encrypt it. So what it does is it takes your plaintext and your initialization vector and does an XOR of them, uses that with the key in the encryption cipher, comes out with ciphertext, and takes the resulting ciphertext, and that is your next initialization vector, and it performs the same thing over and over and over and over. What that does is it ensures that it all looks different. The reason that this looks so bad is because it doesn't actually do a feedback; it just uses that same functionality to

encrypt the same thing every time with the same key, so every white comes out the same, every black comes out the same, every yellow comes out the same. When you use cipher block chaining you get that right there; there is no way you could ever possibly know that is Tux. Unfortunately, in most libraries that is not the default if you're doing software development. What is the default is, so one of the things that I try and do is I try and go around and tell people here's what not to do when you're developing using cryptography, because the languages don't tell you in their documentation. I was doing

that, it's called electronic codebook, ECB, for example, and I was doing that for a long time, and it's very, very bad. I was also using static keys, because I didn't understand entropy, and that was very bad. There's local versus global entropy. When you're using a feedback cipher, cipher feedback, what you're doing there is you are creating local entropy, so that for each block, even if the value is the same, the encrypted value comes out different. But there's global entropy as well: making sure that if you encrypt the same data twice it comes out with two different values; if you have the same password and you key-derive, you

stretch the key and you hash that twice, it's different. Because as we all know, right, top 10 passwords: we could go into a database and find, oh, this same hash value shows up in here 3,000 times. That's one of the top 100, so I'm just going to brute-force that and I'll get those. If every one of those is completely different, then that's a much more difficult case. So, cryptography types. There are basically two types: there's symmetric key cryptography, which is where you have a secret that you share, or it's just you reading your own encryption, or asymmetric key cryptography, which is private/public key pairs. And then there are cryptography

applications. There are some other cryptography applications, but the ones I'm really going to talk about are going to be kind of common day-to-day stuff, which is encryption, digital signatures, and key derivation. So encryption is protecting data that needs to be recalled, and to me that's a very important distinction. Until I started working at iovation, which was actually at that time LaunchKey, I had never thought that if I don't need to actually recall the value, then I can just hash it, and then it's a little more like even I don't know what the value is, which makes it a little more secure, at least internally. One of the places that

we do that is emails and telephone numbers. We don't email people, so you're fairly safe on our side, but we do need an email if you need to wake another device; there are things that you need to do that need to provide the email. Well, if you provide it to us and it matches the hash, that's fine; now we know the email, we send it off, we don't store it. I would say at least consider something like that if you don't need to know what the data is. That's how you keep it secret: it's just not knowing what it is, not being able to reverse it. But encryption allows it to be reversed, and

its reverse is decryption. Digital signatures are used to verify the authenticity of the data. How useful that is in certain situations is very different. You've probably downloaded something and it says use this SHA to make sure that it's the same, but you got it from the same website you downloaded from, so if one's pwned, the other one's probably pwned too. But that's basically what it's doing: it's verifying the authenticity. In cryptography it gets a little more than just a SHA, where you're doing HMACs using a secret, where you can verify that. They cannot be reversed, but they can be reproduced for verification. And then there's key derivation, and most people call this password

hashing. I try not to say password hashing very often unless people look very confused, because that means people think that they can use SHA-1, SHA-256, and MD5 for password hashing. It is scary to me how many people use a standard hash for passwords. If everyone remembers, I'll try to remember, that crazy cheating site they got two years ago, Ashley Madison, right? So Ashley Madison, they did their passwords right: they used bcrypt on the passwords. But they created this thing for the website, for the API, that actually used a SHA-256 of the username, a delimiter, and the password in plaintext. That's how they got everybody's password when they got hacked. It just

kind of blows my mind sometimes. So I try and just keep it from that and actually think of what password key derivation is. It cannot be reversed, and it is computationally expensive by design. If you have a SHA-256 password, I believe using, what is it, 10 EC2 instances, you can break it in a few minutes, right, a giant list. Where key derivation changes that is it just iterates, iterates, iterates, and iterates over and over and over and over and over again, taking up as much time, depending on the function, taking up as much time and as much memory as it can to make it

just really hard for you to brute-force, which is pretty cool. So on the symmetric key side, I'm going to talk a little about what's kind of different between symmetric key and asymmetric key. There are advantages and disadvantages to both, and a lot of times we actually use both at the same time, and I'll talk about that a little bit too. So symmetric key cryptography uses shared secrets, which is super easy, but it's a shared secret, right? You're giving out the keys to the kingdom to someone, which is inherently sketchy. You have to have a whole lot of trust. You can be as secure as

you want, but if you hand out that secret to somebody else, then how secure is that? A lot of times it's okay internally; it's up to you to decide what's okay for you. But that is the problem with a shared secret: it's shared. It uses cipher algorithms against blocks or streams, and most implementations use a block. Even if you're doing streaming, you're probably streaming chunks and you're probably encrypting those chunks. The reason for that is that stream ciphers use almost no resources, so they aren't doing difficult functions, so they're very easy to crack. So you don't see a lot of stream ciphers out there anymore, because they make

things less secure. We're talking about block chaining; we'll talk about block modes. Do not use electronic codebook. Do not use electronic codebook. Do not use electronic codebook. It sounds really cool, and ECB sounds just like CBC; they all have the same-sounding vowels, which is awesome, but do not use ECB. That's the other Tux that you can see, because it does not have a cipher feedback mode. Again, do not use ECB. So cipher block chaining: the entire message is required for decryption. You'll find that most implementations are probably a really good candidate for CBC, because it is supported everywhere. There's some newer stuff

out there that I'm really not going to talk about, with elliptic curves and all this kind of nice stuff that may or may not be supported by your library, but cipher block chaining is basically supported everywhere. Because it has a feedback mode, its particular feedback mode, the entire message is required. If you're missing a piece you get nothing, which is the beauty of it: you have to be able to decrypt the whole message; you can't get to the end without the beginning or the middle or anything in between. The full ciphertext block is used to seed the next block, which is the differentiator. So there are some

different feedback modes, and those are differentiated by what layer they're actually creating feedback at, because sometimes you don't want it to actually need the whole message. We saw this already and I kind of went through it: we basically take the initialization vector, build the ciphertext, feed that back in as the initialization vector with the plaintext, and go again. So every part of the first block is needed to create the second part. The next one is cipher feedback, and it's considered a self-synchronizing stream, so if you miss part of the data you can pick it up again. The reason for that is in the feedback mode. In this feedback

mode, what you see is that you take the plaintext, and the initialization vector goes under the encryption at the beginning, and you XOR your plaintext with the encrypted vector. Because of this you can actually start again once you miss a piece, right? So you're still getting your entropy, because they're changing as they go along through the feedback mode, but you don't need the first message to be able to decrypt the last message. So if you're doing video streaming and you're encrypting that, or if you're streaming large amounts of data, this is probably something that will be more attuned to that, because if you lose a

packet, you don't lose the whole thing. If you're transferring large pieces of data you probably want the whole thing and you want it accurate, but if you need to be able to have something where you can have a disconnect for a while but keep going, cipher feedback mode might be more to your liking. And then there's output feedback mode, and its differentiator is, the entire message is needed for decryption, the ciphertext block is used for the next block, which is not correct; that's a bad slide. So on this one, what you see is basically the same thing, except that you are encrypting the previous block, so you've

got the result of the previous block back, you encrypt that, and then it moves to the next one and does the key there. So it's actually the encrypted IV that's being used for the XOR, instead of the entire packet. The disadvantage of this is, well, one advantage is that you can actually pre-generate your encryption, so if you're going to be streaming out data and you're concerned about latency, you can actually pre-generate the entire piece and then XOR it with the actual plaintext and then ship it out. It is inherently less secure because of that, but again, you have to decide which is more important: is the ability for speed or resumption more

important than the level of encryption? But this tends to be used, like I said, when you need zero latency on your encryption, and you want to make sure that you can, so you just basically pre-generate your encryption stream, XOR as it's going out, and you've got the encrypted value. Which also means that you can pre-generate on the other side too, which is, as long as you know the initialization vector, you can start building it before you start receiving data. Any questions about any of those? I went through them really quickly. [Audience:] What's the difference between this one and the last one? It looks the same. So the big difference here is

that in this one you're only encrypting your initialization vector and then the encrypted initialization vector; it does not touch the plaintext at all, so you're never encrypting your text. The other one, after you get the encrypted text, it doesn't actually use the full ciphertext for the feedback, so you can start over, you can start from here and go to the end, but you're actually encrypting the data, but it's at a point where you can recreate it if you pick it up in the middle. There are subtle differences, and this one's just kind of the really odd one where you can just pre-generate your entire piece that you're

going to do the encryption with and just XOR your data as you're shipping it out, and then it comes out decrypted on the other side, which is really odd. Does that answer your question? Yeah, okay. Any other questions about the feedback modes before we get to digital signatures, or anything on the encryption side before we get into digital signatures? [Audience:] So are all these modes used practically, in practical applications? Most applications use CBC, unless you have streaming data that you're okay to miss a piece of. So let's say you've got telemetry data coming from a remote satellite, or whatever the case may be, a water tower, a pump out in the middle of

nowhere, spitting out data that you want encrypted. If you miss a piece of that, eh, whatever, you know, I'll just pick it up when I get it back. And then there are specific ones where you need to be able to shift data very quickly, where both sides can pre-generate the encrypted side and then just match it up for encryption and decryption on the other side. So I don't know of a whole lot of places where we're really using output feedback, but that's basically what it's for; it's for zero latency, because, as we all know, the reason cryptography exists is because it's computationally expensive, right? So if you can do the

computationally expensive stuff and not do that in real time, you can pre-make your computation and then spit everything else out quickly, you can probably do more, you can do a higher level of encryption without creating any latency in your system. So they're in use in the real world. I've never seen an actual implementation of this, but I have seen, when you're sending data streams in chunks, is where you could use the output feedback. [Audience:] It's been forever since I've taken hexadecimal math; you are using XOR, right? You are saying XOR? And I forget what, there are ANDs and ORs. Yeah, there's XAND and XOR, sure. Yeah, I'm pretty sure that's next.

Yeah, it's been a long time since I've had a look at diagrams like that too. So it's basically doing bit comparisons against the binary bits. It's awesome. And if you ever want to find out exactly what that does, like the greatest place ever to look for this stuff, where I stole this picture from, is Wikipedia. It's amazing the amount of information there. If you want to find out the equations, if you want to be a mathematician and you want to be a cryptographer, it took me like six readings to get through most of them before it actually sunk in what it actually did, because they're that deep in

there. So if you want to get super deep you can do that. Cool, all right. Questions about cryptography? Cryptography is really the hard stuff. So digital signatures. In symmetric key cryptography, these are hash-based message authentication codes. It's basically hashing combined with the key, and you should always use... so who understands hash collisions? Okay. So depending on the size of your data, you will likely need to use a high-level SHA. You can't use MD5 because there are too many collisions; SHA-1, there are usually too many collisions, but it depends; and SHA-256 right now is going to give you fairly reliable uniqueness. Because what you don't want to do in a digital signature

is you never want to have two pieces of data with the same signature, because that defeats the purpose, which is why you can't use MD5. If you're doing it against a fairly large set of data, then because you're taking, you know, a two meg file and you're turning it into 32, 48, 64 bytes, the likelihood of collision gets higher. So the larger your data, the larger you want your hash to be, to avoid collision, so somebody can't find a way to adjust your data very quickly and then impersonate it if they figure out your key. Because again, it's a signature: it can't be undone, but it can be

re-signed. So basically when you're sending a message and you want to determine authenticity with a signature, you don't want someone to be able to do a man-in-the-middle attack, nullify your signature, regenerate some data really quickly to find it, and ship it off. The best way to do that is SHA-256 or better. Makes sense? Cool, all right. So asymmetric key cryptography, it gets even weirder. RSA is basically common and available and what almost everyone uses for asymmetric. It uses very large prime integers, so large that it's really hard in the IoT world to generate them or store them, so that's why you find a lot of problems with

cryptography in the IoT world. They are very computationally expensive to generate, and encrypting using asymmetric key cryptography is again very expensive. But the upside is it uses key pairs to protect the secret. What that means is you get a public/private key pair and each one can do certain things; each one has enough information to do certain things. A private key can do everything: it has enough information to encrypt, decrypt, sign, and verify, which are the four things you can do with public key encryption, at least the ones we're talking about. The public key doesn't have enough information to do anything except encrypt and verify signatures. Sounds like voodoo, but it's

100% true, and you can actually go to Wikipedia and look it up. So there's just a piece of data that's missing, but it's enough to verify that data that was signed with a private key can be verified with a public key, and you can encrypt something with a public key that you cannot decrypt with the public key; only the private key can decrypt it. Crazy weird stuff, but that's the amazing magic about public/private keys, which is why they're used everywhere, by the way. So if you've ever done TLS, right, you do that with a public/private key negotiation, to use Diffie-Hellman to try and get a common key pair that

neither one knows what the other one is until you finally get it. It's never transmitted, and then you do AES encryption. But all of our lives are protected by RSA. If you're doing SSH, you're probably doing it through RSA, right? Public/private key: you've got your public key that you register, you put your private key locally, put the public key on the server, you log in, and it does crypto. So key size and hashing algorithms are super important. Key size is super important for everything, but RSA, you guys probably know, but Google recently, basically if you did not have a certificate with a 2048 key or

larger, said your site gets a little warning, and then finally a little red bomb: your site is not secure. Because a 1024 key is not secure; you can brute-force a 1024 key. A 2048 key you can't brute-force today, right, but in a couple of years you'll be able to brute-force 2048. The size, like you are talking about an integer that is 2K, right? That's a prime, not just an integer, a prime number that is 2K; that's a very large number. So what we try and do is we try and use 4096 where we can, but try and do that on an Android device and you

will be waiting for five minutes, which is unfortunate. So some devices don't support large keys very well, but they'll all do 2048, and if you can't do 2048 you've got to really think about your security protocol, because you're going to have problems, because 1024 is really hackable. When you're doing your hash signatures, SHA-1 for RSA is considered safe because of the way that they do it, but 256 is always going to be better. It's just always going to be better. RSA has data limitations, so here's where it gets kind of weird. RSA can only encrypt or sign data up to the length of the key size. It just does one

operation, right? It doesn't have blocks; it just has one chunk of data. When you do a signature, it's going to do the hash first if it's too long, and then it signs the hash. But you'll also often find that you use mixed cryptography: you'll use RSA for your key and your IV, to encrypt those and pass them along with symmetric key cryptography. So one of the things that we do at iovation for all of our communications is we generate a random key and IV for AES, we encrypt that using RSA, and we ship the whole thing along. Because, if you've ever seen how large a one-

character encryption with a 4096 key is, it's 4096 bits, right? So it's a very large piece of data for one byte, right? So AES makes that smaller, and the only thing that you've got, the problem you run into, is that your keys are going to be a little large when you're encrypting those. But that works really, really well, and if someone intercepts your data, if your private key gets compromised, they'll only be able to determine the keys and the IVs for that data, and if they get one key and IV it's not going to work with the other data. Padding: most cryptography padding is just something to add the extra bytes

so that you can have an entire block and you can do the encryption. That's the whole reason for padding: when you're doing encryption you have to have a block the size of your key to do the XOR, so you pad it however you want to. You pad with nulls, you use PKCS#7, all kinds of crazy padding schemes that you can do, but they're basically inconsequential. Not the case in RSA. RSA padding is where it creates entropy. It does pseudo-random padding to create your entropy, since you're not providing initialization vectors, so that everything gets encrypted differently every time you do it. It does that with padding; it generates your entropy

using padding. So it's important that you use the right padding if you're doing RSA. Most libraries are going to default to PKCS#1 version 1.5. Do not use it. Do not use it. Do not use it. It is not cryptographically secure. What you want is Optimal Asymmetric Encryption Padding, which is OAEP. It's been around for almost a decade and still nobody uses it, so please, please, please, if you want your data to be secure, please use OAEP padding when you're using RSA. Any questions about asymmetric key functions? Okay. Key derivation functions, AKA password hashing. So I'll say it again: only use key derivation functions; never use standard hashing functions like MD5 or SHA to

hash a password. My MacBook could brute-force an MD5 in no time, a gigantic database; it could brute-force a gigantic database in no time. SHA-1, it would take a day or two, and if I had an array, if I had some GPUs, it would take me no time at all. It's not something that you want to do. You may find it in your organizations. When I was acquired I was aghast to find out the security company was using SHA for passwords, and with the explanation, well, it's legacy. It doesn't matter if it's legacy; it's bad, you should fix it, right?

So never, never, never use SHA. The reason you want to use key derivation is these inject salt for entropy, they iterate to increase the cost, and some of them create cost via threads and memory, specifically Argon2. Bigger is better. So one of the questions I get asked is, well, how many times should I iterate? As many as you can. As many as you can do before your users will just think something's wrong, right? I believe it's perfectly acceptable to hash a password for half a second. Half a second is a lot of iterations, and that's what you want

to do; you want a lot of iterations, right? You want to protect that password. So bigger is always better: bigger passwords, with the exception of, I mean, bcrypt has a 42 character password limit; the others do not have a limit. One of the things that really just irritates me to no end is when someone says your password must be between 8 and 16 characters. Why? You're creating a hash and it's always the same size. Why do you care how big my password is? What that tells me is you're not doing it right, because you care what the size of the data is, which means you're probably encrypting it, and I'm going to

get... So bigger is always better. Allow people to make giant, giant passwords, right? I try to make 64 character random passwords whenever I can, because I'm paranoid. So which key derivation function should you use? Argon2i is the hottest thing on the planet. It's been around for a couple of years, which scares people, because it's only been around for a couple of years, so it hasn't gone through the standard vetting process of being around forever. But it is a very, very, very cool product, and the reason that it's so cool is that it uses memory and threads. What it does is it actually makes sure that the memory

that it processes is too large for one register in your CPU, so it goes through the process of making sure that you have to really, really work to deal with this, and it's going to spawn threads so that you can't just put it on a GPU box that doesn't deal with threads very well, where everything has one thread. They won the password hashing competition two years ago and nothing has unseated it at this point. So I guess it's your decision on which is more important to you. scrypt is definitely preferred for password hashing. I get arguments from people about this a lot, but

because it just allows you to um make up for automatically make up for how fast your CPUs can go uh is a little better um B Crypt is acceptable uh it's certainly with the right number of iterations uh it is very very hard to crack uh as we all found out for Ashley Madison because once they got past the top 100 all the all the password just gave up it's like yeah it's too hard it's bcrypt I I don't care um U pbkdf2 can be used in a pinch um one of the things that pbkdf2 doesn't do that some of that the other ones do is they will um store with it their information about how many iterations

that it has so if you want to increase your iterations you can do that and not have to upgrade everybody until they cized password because the salt and the U the salt iterations are inside of the actual cryp or the hash value so you don't have to know what it is you can figure out what is there so it without having to create you know three database entries or having to put that yourself it just does it for you is pretty standard as well libraries to handle it um and kind of my pitch is no passwords are best so if if you have an application and uh you have the opportunity not to write your own

password when you're writing your application do that um use an Lev system that is secure use something other than storing your own passwords because uh this crowd's probably a little different most crowds I talk to you are not Security Experts so uh being Security Experts you probably want as little footprint as you can of data that you have to be so uh share the data with different systems that people are managing and monitoring all the time and not stuck in some myql database somewhere that you never even pay attention to or God forbid a SQL database um so any questions about heat derivation functions yeah when it comes to keys do you run into export restrictions and

things like that Al so the keys there um if you're talking about RSA you are talking about size restrictions so uh I think pass 248 believe it is now um especially if you're if you're using Java you have to get the extended uh or is it the unlimited strength encryption uh stuff for that so yeah there are export restrictions but I believe those are only two like Iran China and a few others and there may be people here who know that the legal part better than me but that was a question that I actually brought about this as we were moving into Europe and they said no it's not a problem there it's just unfriendly

Nations you can't export the KE and they probably so steal yourself right right right and they can just say why no I'm not from Iran I down it so there good any other questions no questions St what I get wrong there's always someone who tells me do something wrong nobody has any questions about my findings okay you guys are the needy Crow uh well it is ending a little bit early cuz I expect more questions this usually gets a lot of questions so if you if you think you're like imposing to ask questions don't like you're imposing to ask questions okay so I have uh giveaway

so B question um so if uh if this flew by pretty quick um and you have uh anything so I think I went through this as well already um so recommendations uh my personal recommendation is use asymmet encryption uh if you're not just encrypting your own data and reading your own data giving somebody else a shared secret it's a terrible idea who do you trust I don't trust anybody right and you should so and uh this room is probably less trusting most of the places I talk so please uh consider using asymmetric key encryption um you'll you'll you'll be happy about it later um and then if you are moving data and you have large

amounts of data or you need faster CP um then you want to use AES random AES keys and IDs um for transfer using RSA to encrypt it um please be sure to use cryptographically secure random number generators right um the Rand function on most uh on most development languages is not cryptographically secure it is pseudo random um and all pseudo Randomness is who who knows what pseudo Randomness is all right so pseudo Randomness means that I have a defined list of values and I'm going to go through them in order but where I start nobody knows uh unless you're using a Time based uh uh a Time based generator which rammed on most operating systems and on

most development languages is going to use time so you can actually guess where it's going to start based on what time it is you don't want to use that what you want to use is you want to use something that's using uh either a a random generator that's physical um or on Linux uh you want to use Dev random uh Dev random uses all kind of machine fuzzer as far as like what's the current you know what's the current speed of CPU what's the temperature of the CPU uses all the information it can gather uh from the machine itself which is individual to that machine to try and add more entropy into determining where it's going to start random list
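The contrast just drawn between a clock-seeded rand and the OS entropy source, as an added Python example that is not code from the talk. The two generator functions and the reproducibility check are my own names; the sizes follow the talk's AES-256 recommendation.

```python
import random
import secrets
import time

# Added example (not from the talk): how AES key/IV material should, and
# should not, be generated.
AES_KEY_BYTES = 32    # AES-256 key
AES_BLOCK_BYTES = 16  # IV size for AES-CBC


def time_seeded_material(seed_time: int) -> tuple:
    """The pattern the talk warns against: a language PRNG seeded with the
    clock. Anyone who knows, or can guess, the second the key was made gets
    the identical key and IV back, so this is not random to an attacker."""
    rng = random.Random(seed_time)
    key = rng.randbytes(AES_KEY_BYTES)
    iv = rng.randbytes(AES_BLOCK_BYTES)
    return key, iv


def csprng_material() -> tuple:
    """What the talk recommends: draw from the OS entropy source. The secrets
    module reads os.urandom, which on Linux is the kernel random device."""
    key = secrets.token_bytes(AES_KEY_BYTES)
    iv = secrets.token_bytes(AES_BLOCK_BYTES)
    return key, iv


def is_reproducible(generator, *args, trials: int = 3) -> bool:
    """True if repeated calls with the same inputs return the same bytes,
    a property a key or IV generator must never have."""
    first = generator(*args)
    return all(generator(*args) == first for _ in range(trials))


if __name__ == "__main__":
    now = int(time.time())
    # A clock-seeded generator gives the same key and IV for the same second.
    print("time-seeded reproducible:", is_reproducible(time_seeded_material, now))  # True
    # A CSPRNG never repeats for the same call, so there is nothing to guess.
    print("secrets reproducible:", is_reproducible(csprng_material))  # False
```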

So make sure that your pseudo-random generators are cryptographically secure. That's super important when you're generating IVs, when you're generating keys, all that type of stuff; it's super, super important to make sure you use the right random. And then use bcrypt, scrypt, Argon2i for passwords. Don't use hashing; don't use PBKDF2 if you can avoid it. Strength: the minimum is AES-256-CBC, depending on your machine, and you'll probably be able to find this if you do a quick Google for your processor family and AES. It'll tell you that 512 is faster than 256, because on some machines, because of the way that they're built internally, AES-512 is actually faster than AES-256. And make sure that when you're doing your HMAC that you do a SHA-256. RSA, like we talked about, was 2048 minimum; you really, really, really, really want to use a 4096 key, you really do, but you can get away with 2048 currently. And make sure that you use PKCS#1 OAEP padding; do not use PKCS#1 v1.5, it is not cryptographically secure. And then make sure you're using an RSA SHA-256 hash for your password, and hash until it hurts. Hash until it hurts. Hash until it hurts. Really, really, really, really, really. You owe it to everyone out there, and yourselves, to make sure the people hash until it hurts, because I don't think twice when it takes half a second for a web page to load. I really don't. If all that time is doing hashing, I'm in good hands. So that's all that I have, if anybody has any more questions.

My organization is migrating from SHA-1 to SHA-2 currently. The systems engineers are responsible for that build; I was very glad it didn't go to the cyber security people, because I didn't know what I was doing with that. But could you explain what the difference is between SHA-1 and SHA-2? Is that just for password protection?

I hope not. SHA should never be used for password protection. The difference between SHA-1 and SHA-2, which is actually the 128 to 256 bit hash, is that your hash size is twice the size, so instead of being 128 bits it is 256 bits, which means you're going to have fewer collisions. So if you're trying to sign data, or determine that one large file is the same as another, or one piece of data is the same as another one, you can hash those to figure that out, for a fingerprint. But if you're using it for passwords, you're still, I promise you, you're still in trouble; there are people in this room that can crack every password that you've got in a matter of minutes, I promise you. And it's a scary thing, because there are a lot of companies in exactly that same situation where they're using SHA passwords, because at one time it was considered okay, but that was a while ago. So you should ask those people what they want to move from SHA-1 to SHA-2 for, and make sure it's not for use at rest. Other questions?

Okay, so I'm four minutes early. So they're giving out prizes for stuff. Who else asked a question? I remember you asked a question. Anybody else ask a question that I forgot? You get one over there.

Do you have any recommended reading?

I don't think... honestly, I don't. I'm not a cryptographer. But if you're looking to get in depth, I check out Wikipedia. It is ridiculous; there's so much on it. I mean, I guess it's, you know, a data store built by engineers, right? So there's a ton of information on cryptography, pictures and equations, if you want to get back on to, like, one of these nice learning sites and try and figure out your math again, because that's what I had to do. Like, I took differential equations, but I don't remember this crap, so I had to actually go take a course to remind myself how to actually read the computations. But yeah, I would check out Wikipedia; just start with whichever encryption you want to look into and it'll kind of get into it.

Okay, you can look at Bruce Schneier's Applied Cryptography.

That one does sound familiar.

Hacking: The Art of Exploitation also has, like, a primer on how to start.

Awesome. Any other questions? Yeah.

Any particular library you recommend?

So what I particularly recommend is something that's going to be regularly updated and is reviewed by the people in this room. So, popular libraries like OpenSSL; although it has had its problems in the last two years, it's at least vetted. Python seems to be popular here; I do Python professionally for a living, and there are, I'd say, at least 10 different cryptography libraries that do their own crypto, and I would say no. Like I said, OpenSSL has its problems, but when the problem's found, the problem's patched immediately and it's sent out, so you're probably safe using that. I know in PHP they're actually getting rid of mcrypt and just using OpenSSL. In Java and Android development there's Bouncy Castle and Spongy Castle; they actually have a version of Bouncy Castle that is now FIPS compliant, for those of you who know what FIPS compliant is. And I don't know the .NET world, to be perfectly honest; I have no idea how to do it there. And actually, if you use Node.js, it uses OpenSSL, so just use that; it's actually built into the standard library for the crypto stuff. For password hashing they only offer PBKDF2, but there's plenty of good libraries out there for bcrypt and scrypt. Any other questions? Cool. I appreciate you coming and listening to me ramble on about crypto.