SlideShare ist ein Scribd-Unternehmen logo

Encryption: It's For More Than Just Password - tek13

John Congdon
John Congdon

This presentation was given at php|tek13. It covers today's best practices for password hashing, and encryption techniques.

TechnologieBildung
1 von 93
Downloaden Sie, um offline zu lesen
ENCRYPTION It’s For MoreThan Just Passwords 1Thursday, May 16, 13
JOHN CONGDON 2Thursday, May 16, 13
JOHN CONGDON •PHP Developer Since 2003 2Thursday, May 16, 13
JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer 2Thursday, May 16, 13
JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer •Sr PHP Developer for Networx Online 2Thursday, May 16, 13
JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer •Sr PHP Developer for Networx Online •PhoneBurner.com 2Thursday, May 16, 13
JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer •Sr PHP Developer for Networx Online •PhoneBurner.com •MeetingBurner.com 2Thursday, May 16, 13
JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer •Sr PHP Developer for Networx Online •PhoneBurner.com •MeetingBurner.com •FaxBurner.com 2Thursday, May 16, 13
JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer •Sr PHP Developer for Networx Online •PhoneBurner.com •MeetingBurner.com •FaxBurner.com •I Am Not A Cryptographer 2Thursday, May 16, 13
Hashing Encryption Today’s Discussion Points 3Thursday, May 16, 13
Plain Text $username = $_POST[‘username’]; $password = $_POST[‘password’]; $user = getUserByUserName($username); if ($user->password == $password) { $valid = true; } else { $valid = false; } 4Thursday, May 16, 13
Plain Text: Vulnerabilities SQL-Injection gives you every users password 5Thursday, May 16, 13
Cryptographic Hashing 6Thursday, May 16, 13
Cryptographic Hashing Wikipedia Definition: A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bitstring, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply digest. 6Thursday, May 16, 13
Cryptographic Hashing Wikipedia Definition: A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bitstring, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply digest. H A S H “message” “digest” 6Thursday, May 16, 13
Cryptographic Hashing Wikipedia Definition: A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bitstring, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply digest. H A S H “message” “digest” “unicorn” “1abcb33beeb811dca15f0ac3e47b88d9” 6Thursday, May 16, 13
Cryptographic Hashing: One Way 7Thursday, May 16, 13
Cryptographic Hashing: One Way H A S H “message” “digest” “unicorn” “1abcb33beeb811dca15f0ac3e47b88d9” 7Thursday, May 16, 13
Cryptographic Hashing: One Way H A S H “message” “digest” “unicorn” “1abcb33beeb811dca15f0ac3e47b88d9” 7Thursday, May 16, 13
Cryptographic Hashing: Algorithms <?php print_r(hash_algos()); ?> Array ( [0] => md2 [1] => md4 [2] => md5 [3] => sha1 [4] => sha224 [5] => sha256 [6] => sha384 [7] => sha512 [8] => ripemd128 [9] => ripemd160 [10] => ripemd256 [11] => ripemd320 [12] => whirlpool [13] => tiger128,3 [14] => tiger160,3 [15] => tiger192,3 [16] => tiger128,4 [17] => tiger160,4 [18] => tiger192,4 [19] => snefru [20] => snefru256 [21] => gost [22] => adler32 [23] => crc32 [24] => crc32b [25] => salsa10 [26] => salsa20 [27] => haval128,3 [28] => haval160,3 [29] => haval192,3 [30] => haval224,3 [31] => haval256,3 [32] => haval128,4 [33] => haval160,4 [34] => haval192,4 [35] => haval224,4 [36] => haval256,4 [37] => haval128,5 [38] => haval160,5 [39] => haval192,5 [40] => haval224,5 [41] => haval256,5 ) 8Thursday, May 16, 13
Cryptographic Hashing: Vulnerabilities SQL-Injection gives you every users hashed password 9Thursday, May 16, 13
Cryptographic Hashing: Vulnerabilities 10Thursday, May 16, 13
Rainbow Table Example: Searched for a Hash 11Thursday, May 16, 13
Rainbow Table Example: Searched for a Hash 11Thursday, May 16, 13
Cryptographic Hashing: Vulnerabilities 12Thursday, May 16, 13
Salting Cryptographic Hashes 13Thursday, May 16, 13
Salting Cryptographic Hashes Wikipedia Definition: In cryptography, a salt is random data that are used as an additional input to a one-way function that hashes a password or passphrase. A new salt is randomly generated for each password. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. 13Thursday, May 16, 13
Salting Cryptographic Hashes Wikipedia Definition: In cryptography, a salt is random data that are used as an additional input to a one-way function that hashes a password or passphrase. A new salt is randomly generated for each password. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. $hash = md5(‘RAND_SALT’ . $_POST[‘password’]); 13Thursday, May 16, 13
Salting Cryptographic Hashes Wikipedia Definition: In cryptography, a salt is random data that are used as an additional input to a one-way function that hashes a password or passphrase. A new salt is randomly generated for each password. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. $hash = md5(‘RAND_SALT’ . $_POST[‘password’]); RAND_SALT must come from a cryptographically secure source. Not From (rand, mt_rand, or uniqid) Use (/dev/urandom, mcrypt, openssl) 13Thursday, May 16, 13
Today’s Best Practice: BCrypt 14Thursday, May 16, 13
Today’s Best Practice: BCrypt •Slower by design 14Thursday, May 16, 13
Today’s Best Practice: BCrypt •Slower by design •Configurable to help withstand the test of time (cost param) 14Thursday, May 16, 13
Today’s Best Practice: BCrypt •Slower by design •Configurable to help withstand the test of time (cost param) •Should be configured to take 0.25 to 0.50 a second 14Thursday, May 16, 13
Today’s Best Practice: BCrypt •Slower by design •Configurable to help withstand the test of time (cost param) •Should be configured to take 0.25 to 0.50 a second •Start with a cost of 10, use higher if possible 14Thursday, May 16, 13
PHP 5.5 Password Hashing API http://www.php.net/manual/en/ref.password.php 15Thursday, May 16, 13
PHP 5.5 Password Hashing API http://www.php.net/manual/en/ref.password.php 16Thursday, May 16, 13
PHP 5.5 Password Hashing API http://www.php.net/manual/en/ref.password.php array password_get_info(string $hash) Returns 3 elements algorithm: Constant value algoName: bcrypt options: the options provided to password_hash Array ( [algo] => 1 [algoName] => bcrypt [options] => Array ( [cost] => 11 ) ) 17Thursday, May 16, 13
PHP 5.5 Password Hashing API http://www.php.net/manual/en/ref.password.php boolean password_needs_rehash ( string $hash , string $algo [, string $options ] ) Assuming password_verify was successful above: if (password_needs_rehash($hash, PASSWORD_DEFAULT, $options)) { $user->password = password_hash($password....); $user->update(); } 18Thursday, May 16, 13
I Lied: PHP >= 5.3.7 Password Hashing API https://github.com/ircmaxell/password_compat A forward compatible password API implementation that will work until you are ready to upgrade to 5.5. This will work for all versions of PHP that has the $2y fix. Upgrading to 5.5 will not break your current code if you use this library. 19Thursday, May 16, 13
Example: Creating a user <?php require 'password.php'; $hash = password_hash($_POST[‘password’], PASSWORD_DEFAULT); if ($hash === false) { //handle this error case somehow... } $user = Model_User::createNewUser($_POST[‘username’]); $user->setPassword($hash); $user->update(); 20Thursday, May 16, 13
Example: Logging a user in <?php require 'password.php'; $user = Model_User::getUserByUserName($_POST[‘username’]); if (password_verify($_POST[‘password’], $user->password)) { return true; } else { die(“Invalid credentials”); } 21Thursday, May 16, 13
Example: Logging a user in and checking for rehash ... $user = Model_User::getUserByUserName($_POST[‘username’]); if (password_verify($_POST[‘password’], $user->password)) { if (password_needs_rehash($user->password, $algo, $options)) { $hash = password_hash($_POST[‘password’], PASSWORD_DEFAULT, $options); $user->setPassword($hash); $user->update(); } ... 22Thursday, May 16, 13
http://blog.ircmaxell.com/2013/01/password-storage-talk-at-php-benelux-13.html Want More? Get Statistics Here One of my favorite data points from Anthony’s slides 23Thursday, May 16, 13
Questions on Password Hashing? 24Thursday, May 16, 13
More Than Just Passwords 25Thursday, May 16, 13
More Than Just Passwords We may store more sensitive data than just passwords. 25Thursday, May 16, 13
More Than Just Passwords We may store more sensitive data than just passwords. Passwords are easy, we don’t care about the original value. 25Thursday, May 16, 13
More Than Just Passwords We may store more sensitive data than just passwords. Passwords are easy, we don’t care about the original value. Decryption makes original value usable by us. 25Thursday, May 16, 13
More Than Just Passwords We may store more sensitive data than just passwords. Passwords are easy, we don’t care about the original value. Decryption makes original value usable by us. •Credit Card Info •Social Security Numbers •Date of Birth •Personally Identifiable Information 25Thursday, May 16, 13
AVOID ENCRYPTION AT ALL COSTS! 26Thursday, May 16, 13
AVOID ENCRYPTION AT ALL COSTS! Clarification:Avoid keeping any data that you need to encrypt. 26Thursday, May 16, 13
AVOID ENCRYPTION AT ALL COSTS! Clarification:Avoid keeping any data that you need to encrypt. Before deciding to keep any of this information, ask yourself why you need it. 26Thursday, May 16, 13
AVOID ENCRYPTION AT ALL COSTS! Clarification:Avoid keeping any data that you need to encrypt. Before deciding to keep any of this information, ask yourself why you need it. Is the risk of potentially leaking this information worth the reward? 26Thursday, May 16, 13
AVOID ENCRYPTION AT ALL COSTS! Clarification:Avoid keeping any data that you need to encrypt. Before deciding to keep any of this information, ask yourself why you need it. Is the risk of potentially leaking this information worth the reward? Are there alternative solutions? 26Thursday, May 16, 13
AVOID ENCRYPTION AT ALL COSTS! Clarification:Avoid keeping any data that you need to encrypt. Before deciding to keep any of this information, ask yourself why you need it. Is the risk of potentially leaking this information worth the reward? Are there alternative solutions? Example: Credit card companies usually offer a token solution. 26Thursday, May 16, 13
Symmetric vs Asymmetric 27Thursday, May 16, 13
Symmetric vs Asymmetric Symmetric Only one shared key Same key encrypts and decrypts Easiest to understand 27Thursday, May 16, 13
Symmetric vs Asymmetric Symmetric Only one shared key Same key encrypts and decrypts Easiest to understand Asymmetric Two keys (Public & Private) Encryption/Decryption Public key encrypts Private key decrypts Signing/Verifying Private key signs Public key verifies 27Thursday, May 16, 13
Common Asymmetric Uses SSH Keys HTTPS / SSL PGP: Pretty Good Privacy Email Files Really any message 28Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! 29Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) 29Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers 29Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) 29Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes 29Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) 29Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) • Avoid ECB (Electronic Code Book) 29Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) • Avoid ECB (Electronic Code Book) • (Use CBC or CFB, Cipher Block Chaining / Cipher FeedBack) 29Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) • Avoid ECB (Electronic Code Book) • (Use CBC or CFB, Cipher Block Chaining / Cipher FeedBack) • InitializationVectors 29Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) • Avoid ECB (Electronic Code Book) • (Use CBC or CFB, Cipher Block Chaining / Cipher FeedBack) • InitializationVectors • Similar to SALT in hashing (It’s not a secret) 29Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) • Avoid ECB (Electronic Code Book) • (Use CBC or CFB, Cipher Block Chaining / Cipher FeedBack) • InitializationVectors • Similar to SALT in hashing (It’s not a secret) • Must be random per encrypted text 29Thursday, May 16, 13
Example: Encrypt using crypt $crypt_key = ‘xxxxxxxxxxxxxxxxxxxxxxxxxxx’; $message = ‘My Credit Card Number is 4123123412341234’; $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC); $iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM); $cipher = mcrypt_encrypt( MCRYPT_BLOWFISH, $crypt_key, $message, MCRYPT_MODE_CBC, $iv ); 30Thursday, May 16, 13
HMAC: Hash-based Message Authentication Code Using a separate key, this will give us a signature letting us know that the data has not been tampered with. When Encrypting: Always encrypt first, and then get signature of the CipherText. Store it with your InitializationVector and CipherText. When Decrypting: Always verify signature first, and then decrypt if matched. 31Thursday, May 16, 13
Example: Using HMAC $crypt_key = ‘xxxxxxxxxxxxxxxxxxxxxxxxxxx’; $hmac_key = ‘yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy’; $hmac = hash_hmac(‘sha512’, $cipher_text, $hmac_key); //Store it with your encrypted data $encrypted = base64_encode($iv . $cipher . $hmac); 32Thursday, May 16, 13
Example: Decrypt using HMAC and crypt $crypt_key = ‘xxxxxxxxxxxxxxxxxxxxxxxxxxx’; $hmac_key = ‘yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy’; $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC); $encrypted = base64_decode($encrypted); $iv = substr($encrypted, 0, $iv_size); $hmac = substr($encrypted, -64); $cipher = substr($encrypted, $iv_size, -64); if ($hmac != hash_hmac(‘sha512’, $cipher, $hmac_key)) { return false; } $message = mcrypt_decrypt( MCRYPT_BLOWFISH, $crypt_key, $cipher, MCRYPT_MODE_CBC, $iv ); 33Thursday, May 16, 13
Use a Library http://phpseclib.sourceforge.net/ They’ve done the hard parts, save yourself the headache and just use it. It’s even PHP4+ compatible, so no excuses. 34Thursday, May 16, 13
Example: Using phpseclib 35Thursday, May 16, 13
Example: Using phpseclib $crypt_key = ‘xxxxxxxxxxxxxxxxxxxxxxxxxxx’; $hmac_key = ‘yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy’; $message = ‘My Credit Card Number is 4123123412341234’; require ‘Crypt/DES.php’; require ‘Crypt/Hash.php’; $des = new Crypt_DES(); $des->setKey($crypt_key); $cipher = $des->encrypt($message); $hash = new Crypt_Hash(‘sha512’); $hash->setKey($hmac_key); $hmac = bin2hex($hash->hash($cipher)); 35Thursday, May 16, 13
Example: Using phpseclib $crypt_key = ‘xxxxxxxxxxxxxxxxxxxxxxxxxxx’; $hmac_key = ‘yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy’; $message = ‘My Credit Card Number is 4123123412341234’; require ‘Crypt/DES.php’; require ‘Crypt/Hash.php’; $des = new Crypt_DES(); $des->setKey($crypt_key); $cipher = $des->encrypt($message); $hash = new Crypt_Hash(‘sha512’); $hash->setKey($hmac_key); $hmac = bin2hex($hash->hash($cipher)); require ‘Crypt/DES.php’; require ‘Crypt/Hash.php’; $hash = new Crypt_Hash(‘sha512’); $hash->setKey($hmac_key); $verify_hmac = bin2hex($hash->hash($ciph if ($verify_hmac == $hmac) { $des = new Crypt_DES(); $des->setKey($crypt_key); $message = $des->decrypt($cipher); } 35Thursday, May 16, 13
Encryption !== Protection Data obtained through SQL Injection attacks or other non system penetration attacks should be relatively secure. For us to encrypt/decrypt, we must have access to the key. Therefore, any breach of system security, will disclose the key to the attacker, leaving ALL encryption useless. Apache environment variable, memory, config files, password entered during system startup, do not keep the key private. 36Thursday, May 16, 13
AVOID ENCRYPTION AT ALL COSTS! There is no such thing as 100% secure. 37Thursday, May 16, 13
Other Things To Consider 38Thursday, May 16, 13
Other Things To Consider •Encrypt / decrypt on a separate server. 38Thursday, May 16, 13
Other Things To Consider •Encrypt / decrypt on a separate server. •More overhead and complexity. 38Thursday, May 16, 13
Other Things To Consider •Encrypt / decrypt on a separate server. •More overhead and complexity. •Any server breach can still decrypt data. 38Thursday, May 16, 13
Other Things To Consider •Encrypt / decrypt on a separate server. •More overhead and complexity. •Any server breach can still decrypt data. •With enough thought and monitoring, you can kill the decryption server to limit the damage done. 38Thursday, May 16, 13
Other Things To Consider •Encrypt / decrypt on a separate server. •More overhead and complexity. •Any server breach can still decrypt data. •With enough thought and monitoring, you can kill the decryption server to limit the damage done. •Think about restricting requests per second 38Thursday, May 16, 13
Other Things To Consider Paranoid about password safety? Consider encrypting the hash. Renders SQL-Injection and rainbow tables/brute force useless. •Encrypt / decrypt on a separate server. •More overhead and complexity. •Any server breach can still decrypt data. •With enough thought and monitoring, you can kill the decryption server to limit the damage done. •Think about restricting requests per second 38Thursday, May 16, 13
Credits I’ve learned a lot while preparing this presentation. Thanks especially to Anthony Ferrara (@ircmaxell) http://blog.ircmaxell.com 39Thursday, May 16, 13
Questions? 40Thursday, May 16, 13
JOHN CONGDON PLEASE RATE ON JOIND.IN https://joind.in/8179 41Thursday, May 16, 13
JOHN CONGDON •twitter: @johncongdon PLEASE RATE ON JOIND.IN https://joind.in/8179 41Thursday, May 16, 13
JOHN CONGDON •twitter: @johncongdon •email: john@johncongdon.com PLEASE RATE ON JOIND.IN https://joind.in/8179 41Thursday, May 16, 13
JOHN CONGDON •twitter: @johncongdon •email: john@johncongdon.com •irc: freednode.net (#sdphp) PLEASE RATE ON JOIND.IN https://joind.in/8179 41Thursday, May 16, 13

Empfohlen

Ashley E. Beal - Resume 2016
Ashley E. Beal - Resume 2016Ashley E. Beal - Resume 2016
Ashley E. Beal - Resume 2016Ashley Beal, PHR
 
WAF Year in Review FNL A4
WAF Year in Review FNL A4WAF Year in Review FNL A4
WAF Year in Review FNL A4Deanna Titzler
 
AllBits presentation - Security in Theory
AllBits presentation - Security in TheoryAllBits presentation - Security in Theory
AllBits presentation - Security in TheoryAllBits BVBA (freelancer)
 
Secure passwords-theory-and-practice
Secure passwords-theory-and-practiceSecure passwords-theory-and-practice
Secure passwords-theory-and-practiceAkash Mahajan
 
Key management
Key managementKey management
Key managementSujata Regoti
 
Hashing
HashingHashing
HashingBitcoin Association of Australia
 
Release with confidence
Release with confidenceRelease with confidence
Release with confidenceJohn Congdon
 
Encryption: It's For More Than Just Passwords
Encryption: It's For More Than Just PasswordsEncryption: It's For More Than Just Passwords
Encryption: It's For More Than Just PasswordsJohn Congdon
 

Empfohlen

Ashley E. Beal - Resume 2016
Ashley E. Beal - Resume 2016Ashley E. Beal - Resume 2016
Ashley E. Beal - Resume 2016Ashley Beal, PHR
 
WAF Year in Review FNL A4
WAF Year in Review FNL A4WAF Year in Review FNL A4
WAF Year in Review FNL A4Deanna Titzler
 
AllBits presentation - Security in Theory
AllBits presentation - Security in TheoryAllBits presentation - Security in Theory
AllBits presentation - Security in TheoryAllBits BVBA (freelancer)
 
Secure passwords-theory-and-practice
Secure passwords-theory-and-practiceSecure passwords-theory-and-practice
Secure passwords-theory-and-practiceAkash Mahajan
 
Key management
Key managementKey management
Key managementSujata Regoti
 
Hashing
HashingHashing
HashingBitcoin Association of Australia
 
Release with confidence
Release with confidenceRelease with confidence
Release with confidenceJohn Congdon
 
Encryption: It's For More Than Just Passwords
Encryption: It's For More Than Just PasswordsEncryption: It's For More Than Just Passwords
Encryption: It's For More Than Just PasswordsJohn Congdon
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 

Weitere ähnliche Inhalte

Kürzlich hochgeladen

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Empfohlen

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Empfohlen (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

Encryption: It's For More Than Just Password - tek13

  • 1. ENCRYPTION It’s For MoreThan Just Passwords 1Thursday, May 16, 13
  • 3. JOHN CONGDON •PHP Developer Since 2003 2Thursday, May 16, 13
  • 4. JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer 2Thursday, May 16, 13
  • 5. JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer •Sr PHP Developer for Networx Online 2Thursday, May 16, 13
  • 6. JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer •Sr PHP Developer for Networx Online •PhoneBurner.com 2Thursday, May 16, 13
  • 7. JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer •Sr PHP Developer for Networx Online •PhoneBurner.com •MeetingBurner.com 2Thursday, May 16, 13
  • 8. JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer •Sr PHP Developer for Networx Online •PhoneBurner.com •MeetingBurner.com •FaxBurner.com 2Thursday, May 16, 13
  • 9. JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer •Sr PHP Developer for Networx Online •PhoneBurner.com •MeetingBurner.com •FaxBurner.com •I Am Not A Cryptographer 2Thursday, May 16, 13
  • 11. Plain Text $username = $_POST[‘username’]; $password = $_POST[‘password’]; $user = getUserByUserName($username); if ($user->password == $password) { $valid = true; } else { $valid = false; } 4Thursday, May 16, 13
  • 12. Plain Text: Vulnerabilities SQL-Injection gives you every users password 5Thursday, May 16, 13
  • 14. Cryptographic Hashing Wikipedia Definition: A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bitstring, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply digest. 6Thursday, May 16, 13
  • 15. Cryptographic Hashing Wikipedia Definition: A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bitstring, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply digest. H A S H “message” “digest” 6Thursday, May 16, 13
  • 16. Cryptographic Hashing Wikipedia Definition: A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bitstring, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply digest. H A S H “message” “digest” “unicorn” “1abcb33beeb811dca15f0ac3e47b88d9” 6Thursday, May 16, 13
  • 17. Cryptographic Hashing: One Way 7Thursday, May 16, 13
  • 18. Cryptographic Hashing: One Way H A S H “message” “digest” “unicorn” “1abcb33beeb811dca15f0ac3e47b88d9” 7Thursday, May 16, 13
  • 19. Cryptographic Hashing: One Way H A S H “message” “digest” “unicorn” “1abcb33beeb811dca15f0ac3e47b88d9” 7Thursday, May 16, 13
  • 20. Cryptographic Hashing: Algorithms <?php print_r(hash_algos()); ?> Array ( [0] => md2 [1] => md4 [2] => md5 [3] => sha1 [4] => sha224 [5] => sha256 [6] => sha384 [7] => sha512 [8] => ripemd128 [9] => ripemd160 [10] => ripemd256 [11] => ripemd320 [12] => whirlpool [13] => tiger128,3 [14] => tiger160,3 [15] => tiger192,3 [16] => tiger128,4 [17] => tiger160,4 [18] => tiger192,4 [19] => snefru [20] => snefru256 [21] => gost [22] => adler32 [23] => crc32 [24] => crc32b [25] => salsa10 [26] => salsa20 [27] => haval128,3 [28] => haval160,3 [29] => haval192,3 [30] => haval224,3 [31] => haval256,3 [32] => haval128,4 [33] => haval160,4 [34] => haval192,4 [35] => haval224,4 [36] => haval256,4 [37] => haval128,5 [38] => haval160,5 [39] => haval192,5 [40] => haval224,5 [41] => haval256,5 ) 8Thursday, May 16, 13
  • 21. Cryptographic Hashing: Vulnerabilities SQL-Injection gives you every users hashed password 9Thursday, May 16, 13
  • 23. Rainbow Table Example: Searched for a Hash 11Thursday, May 16, 13
  • 24. Rainbow Table Example: Searched for a Hash 11Thursday, May 16, 13
  • 27. Salting Cryptographic Hashes Wikipedia Definition: In cryptography, a salt is random data that are used as an additional input to a one-way function that hashes a password or passphrase. A new salt is randomly generated for each password. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. 13Thursday, May 16, 13
  • 28. Salting Cryptographic Hashes Wikipedia Definition: In cryptography, a salt is random data that are used as an additional input to a one-way function that hashes a password or passphrase. A new salt is randomly generated for each password. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. $hash = md5(‘RAND_SALT’ . $_POST[‘password’]); 13Thursday, May 16, 13
  • 29. Salting Cryptographic Hashes Wikipedia Definition: In cryptography, a salt is random data that are used as an additional input to a one-way function that hashes a password or passphrase. A new salt is randomly generated for each password. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. $hash = md5(‘RAND_SALT’ . $_POST[‘password’]); RAND_SALT must come from a cryptographically secure source. Not From (rand, mt_rand, or uniqid) Use (/dev/urandom, mcrypt, openssl) 13Thursday, May 16, 13
  • 30. Today’s Best Practice: BCrypt 14Thursday, May 16, 13
  • 31. Today’s Best Practice: BCrypt •Slower by design 14Thursday, May 16, 13
  • 32. Today’s Best Practice: BCrypt •Slower by design •Configurable to help withstand the test of time (cost param) 14Thursday, May 16, 13
  • 33. Today’s Best Practice: BCrypt •Slower by design •Configurable to help withstand the test of time (cost param) •Should be configured to take 0.25 to 0.50 a second 14Thursday, May 16, 13
  • 34. Today’s Best Practice: BCrypt •Slower by design •Configurable to help withstand the test of time (cost param) •Should be configured to take 0.25 to 0.50 a second •Start with a cost of 10, use higher if possible 14Thursday, May 16, 13
  • 35. PHP 5.5 Password Hashing API http://www.php.net/manual/en/ref.password.php 15Thursday, May 16, 13
  • 36. PHP 5.5 Password Hashing API http://www.php.net/manual/en/ref.password.php 16Thursday, May 16, 13
  • 37. PHP 5.5 Password Hashing API http://www.php.net/manual/en/ref.password.php array password_get_info(string $hash) Returns 3 elements algorithm: Constant value algoName: bcrypt options: the options provided to password_hash Array ( [algo] => 1 [algoName] => bcrypt [options] => Array ( [cost] => 11 ) ) 17Thursday, May 16, 13
  • 38. PHP 5.5 Password Hashing API http://www.php.net/manual/en/ref.password.php boolean password_needs_rehash ( string $hash , string $algo [, string $options ] ) Assuming password_verify was successful above: if (password_needs_rehash($hash, PASSWORD_DEFAULT, $options)) { $user->password = password_hash($password....); $user->update(); } 18Thursday, May 16, 13
  • 39. I Lied: PHP >= 5.3.7 Password Hashing API https://github.com/ircmaxell/password_compat A forward compatible password API implementation that will work until you are ready to upgrade to 5.5. This will work for all versions of PHP that has the $2y fix. Upgrading to 5.5 will not break your current code if you use this library. 19Thursday, May 16, 13
  • 40. Example: Creating a user <?php require 'password.php'; $hash = password_hash($_POST[‘password’], PASSWORD_DEFAULT); if ($hash === false) { //handle this error case somehow... } $user = Model_User::createNewUser($_POST[‘username’]); $user->setPassword($hash); $user->update(); 20Thursday, May 16, 13
  • 41. Example: Logging a user in <?php require 'password.php'; $user = Model_User::getUserByUserName($_POST[‘username’]); if (password_verify($_POST[‘password’], $user->password)) { return true; } else { die(“Invalid credentials”); } 21Thursday, May 16, 13
  • 42. Example: Logging a user in and checking for rehash ... $user = Model_User::getUserByUserName($_POST[‘username’]); if (password_verify($_POST[‘password’], $user->password)) { if (password_needs_rehash($user->password, $algo, $options)) { $hash = password_hash($_POST[‘password’], PASSWORD_DEFAULT, $options); $user->setPassword($hash); $user->update(); } ... 22Thursday, May 16, 13
  • 43. http://blog.ircmaxell.com/2013/01/password-storage-talk-at-php-benelux-13.html Want More? Get Statistics Here One of my favorite data points from Anthony’s slides 23Thursday, May 16, 13
  • 45. More Than Just Passwords 25Thursday, May 16, 13
  • 46. More Than Just Passwords We may store more sensitive data than just passwords. 25Thursday, May 16, 13
  • 47. More Than Just Passwords We may store more sensitive data than just passwords. Passwords are easy, we don’t care about the original value. 25Thursday, May 16, 13
  • 48. More Than Just Passwords We may store more sensitive data than just passwords. Passwords are easy, we don’t care about the original value. Decryption makes original value usable by us. 25Thursday, May 16, 13
  • 49. More Than Just Passwords We may store more sensitive data than just passwords. Passwords are easy, we don’t care about the original value. Decryption makes original value usable by us. •Credit Card Info •Social Security Numbers •Date of Birth •Personally Identifiable Information 25Thursday, May 16, 13
  • 50. AVOID ENCRYPTION AT ALL COSTS! 26Thursday, May 16, 13
  • 51. AVOID ENCRYPTION AT ALL COSTS! Clarification:Avoid keeping any data that you need to encrypt. 26Thursday, May 16, 13
  • 52. AVOID ENCRYPTION AT ALL COSTS! Clarification:Avoid keeping any data that you need to encrypt. Before deciding to keep any of this information, ask yourself why you need it. 26Thursday, May 16, 13
  • 53. AVOID ENCRYPTION AT ALL COSTS! Clarification:Avoid keeping any data that you need to encrypt. Before deciding to keep any of this information, ask yourself why you need it. Is the risk of potentially leaking this information worth the reward? 26Thursday, May 16, 13
  • 54. AVOID ENCRYPTION AT ALL COSTS! Clarification:Avoid keeping any data that you need to encrypt. Before deciding to keep any of this information, ask yourself why you need it. Is the risk of potentially leaking this information worth the reward? Are there alternative solutions? 26Thursday, May 16, 13
  • 55. AVOID ENCRYPTION AT ALL COSTS! Clarification:Avoid keeping any data that you need to encrypt. Before deciding to keep any of this information, ask yourself why you need it. Is the risk of potentially leaking this information worth the reward? Are there alternative solutions? Example: Credit card companies usually offer a token solution. 26Thursday, May 16, 13
  • 57. Symmetric vs Asymmetric Symmetric Only one shared key Same key encrypts and decrypts Easiest to understand 27Thursday, May 16, 13
  • 58. Symmetric vs Asymmetric Symmetric Only one shared key Same key encrypts and decrypts Easiest to understand Asymmetric Two keys (Public & Private) Encryption/Decryption Public key encrypts Private key decrypts Signing/Verifying Private key signs Public key verifies 27Thursday, May 16, 13
  • 59. Common Asymmetric Uses SSH Keys HTTPS / SSL PGP: Pretty Good Privacy Email Files Really any message 28Thursday, May 16, 13
  • 60. Keys, Ciphers, Modes, and Initialization Vectors Oh My! 29Thursday, May 16, 13
  • 61. Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) 29Thursday, May 16, 13
  • 62. Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers 29Thursday, May 16, 13
  • 63. Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) 29Thursday, May 16, 13
  • 64. Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes 29Thursday, May 16, 13
  • 65. Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) 29Thursday, May 16, 13
  • 66. Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) • Avoid ECB (Electronic Code Book) 29Thursday, May 16, 13
  • 67. Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) • Avoid ECB (Electronic Code Book) • (Use CBC or CFB, Cipher Block Chaining / Cipher FeedBack) 29Thursday, May 16, 13
  • 68. Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) • Avoid ECB (Electronic Code Book) • (Use CBC or CFB, Cipher Block Chaining / Cipher FeedBack) • InitializationVectors 29Thursday, May 16, 13
  • 69. Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) • Avoid ECB (Electronic Code Book) • (Use CBC or CFB, Cipher Block Chaining / Cipher FeedBack) • InitializationVectors • Similar to SALT in hashing (It’s not a secret) 29Thursday, May 16, 13
  • 70. Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) • Avoid ECB (Electronic Code Book) • (Use CBC or CFB, Cipher Block Chaining / Cipher FeedBack) • InitializationVectors • Similar to SALT in hashing (It’s not a secret) • Must be random per encrypted text 29Thursday, May 16, 13
  • 71. Example: Encrypt using crypt $crypt_key = ‘xxxxxxxxxxxxxxxxxxxxxxxxxxx’; $message = ‘My Credit Card Number is 4123123412341234’; $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC); $iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM); $cipher = mcrypt_encrypt( MCRYPT_BLOWFISH, $crypt_key, $message, MCRYPT_MODE_CBC, $iv ); 30Thursday, May 16, 13
  • 72. HMAC: Hash-based Message Authentication Code Using a separate key, this will give us a signature letting us know that the data has not been tampered with. When Encrypting: Always encrypt first, and then get signature of the CipherText. Store it with your InitializationVector and CipherText. When Decrypting: Always verify signature first, and then decrypt if matched. 31Thursday, May 16, 13
  • 73. Example: Using HMAC $crypt_key = ‘xxxxxxxxxxxxxxxxxxxxxxxxxxx’; $hmac_key = ‘yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy’; $hmac = hash_hmac(‘sha512’, $cipher_text, $hmac_key); //Store it with your encrypted data $encrypted = base64_encode($iv . $cipher . $hmac); 32Thursday, May 16, 13
  • 74. Example: Decrypt using HMAC and crypt $crypt_key = ‘xxxxxxxxxxxxxxxxxxxxxxxxxxx’; $hmac_key = ‘yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy’; $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC); $encrypted = base64_decode($encrypted); $iv = substr($encrypted, 0, $iv_size); $hmac = substr($encrypted, -64); $cipher = substr($encrypted, $iv_size, -64); if ($hmac != hash_hmac(‘sha512’, $cipher, $hmac_key)) { return false; } $message = mcrypt_decrypt( MCRYPT_BLOWFISH, $crypt_key, $cipher, MCRYPT_MODE_CBC, $iv ); 33Thursday, May 16, 13
  • 75. Use a Library http://phpseclib.sourceforge.net/ They’ve done the hard parts, save yourself the headache and just use it. It’s even PHP4+ compatible, so no excuses. 34Thursday, May 16, 13
  • 77. Example: Using phpseclib $crypt_key = ‘xxxxxxxxxxxxxxxxxxxxxxxxxxx’; $hmac_key = ‘yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy’; $message = ‘My Credit Card Number is 4123123412341234’; require ‘Crypt/DES.php’; require ‘Crypt/Hash.php’; $des = new Crypt_DES(); $des->setKey($crypt_key); $cipher = $des->encrypt($message); $hash = new Crypt_Hash(‘sha512’); $hash->setKey($hmac_key); $hmac = bin2hex($hash->hash($cipher)); 35Thursday, May 16, 13
  • 78. Example: Using phpseclib $crypt_key = ‘xxxxxxxxxxxxxxxxxxxxxxxxxxx’; $hmac_key = ‘yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy’; $message = ‘My Credit Card Number is 4123123412341234’; require ‘Crypt/DES.php’; require ‘Crypt/Hash.php’; $des = new Crypt_DES(); $des->setKey($crypt_key); $cipher = $des->encrypt($message); $hash = new Crypt_Hash(‘sha512’); $hash->setKey($hmac_key); $hmac = bin2hex($hash->hash($cipher)); require ‘Crypt/DES.php’; require ‘Crypt/Hash.php’; $hash = new Crypt_Hash(‘sha512’); $hash->setKey($hmac_key); $verify_hmac = bin2hex($hash->hash($ciph if ($verify_hmac == $hmac) { $des = new Crypt_DES(); $des->setKey($crypt_key); $message = $des->decrypt($cipher); } 35Thursday, May 16, 13
  • 79. Encryption !== Protection Data obtained through SQL Injection attacks or other non system penetration attacks should be relatively secure. For us to encrypt/decrypt, we must have access to the key. Therefore, any breach of system security, will disclose the key to the attacker, leaving ALL encryption useless. Apache environment variable, memory, config files, password entered during system startup, do not keep the key private. 36Thursday, May 16, 13
  • 80. AVOID ENCRYPTION AT ALL COSTS! There is no such thing as 100% secure. 37Thursday, May 16, 13
  • 81. Other Things To Consider 38Thursday, May 16, 13
  • 82. Other Things To Consider •Encrypt / decrypt on a separate server. 38Thursday, May 16, 13
  • 83. Other Things To Consider •Encrypt / decrypt on a separate server. •More overhead and complexity. 38Thursday, May 16, 13
  • 84. Other Things To Consider •Encrypt / decrypt on a separate server. •More overhead and complexity. •Any server breach can still decrypt data. 38Thursday, May 16, 13
  • 85. Other Things To Consider •Encrypt / decrypt on a separate server. •More overhead and complexity. •Any server breach can still decrypt data. •With enough thought and monitoring, you can kill the decryption server to limit the damage done. 38Thursday, May 16, 13
  • 86. Other Things To Consider •Encrypt / decrypt on a separate server. •More overhead and complexity. •Any server breach can still decrypt data. •With enough thought and monitoring, you can kill the decryption server to limit the damage done. •Think about restricting requests per second 38Thursday, May 16, 13
  • 87. Other Things To Consider Paranoid about password safety? Consider encrypting the hash. Renders SQL-Injection and rainbow tables/brute force useless. •Encrypt / decrypt on a separate server. •More overhead and complexity. •Any server breach can still decrypt data. •With enough thought and monitoring, you can kill the decryption server to limit the damage done. •Think about restricting requests per second 38Thursday, May 16, 13
  • 88. Credits I’ve learned a lot while preparing this presentation. Thanks especially to Anthony Ferrara (@ircmaxell) http://blog.ircmaxell.com 39Thursday, May 16, 13
  • 90. JOHN CONGDON PLEASE RATE ON JOIND.IN https://joind.in/8179 41Thursday, May 16, 13
  • 91. JOHN CONGDON •twitter: @johncongdon PLEASE RATE ON JOIND.IN https://joind.in/8179 41Thursday, May 16, 13
  • 92. JOHN CONGDON •twitter: @johncongdon •email: john@johncongdon.com PLEASE RATE ON JOIND.IN https://joind.in/8179 41Thursday, May 16, 13
  • 93. JOHN CONGDON •twitter: @johncongdon •email: john@johncongdon.com •irc: freednode.net (#sdphp) PLEASE RATE ON JOIND.IN https://joind.in/8179 41Thursday, May 16, 13