Does your application transmit customer information? Are there fields of sensitive customer data stored in your DB? Can your application be used on insecure networks? If so, you need a working knowledge of encryption and how to leverage Open Source APIs and libraries to make securing your data as easy as possible. Encryption is quickly becoming a developer’s new frontier of responsibility in many data-centric applications.
In today’s data-sensitive and news-sensationalizing world, don’t become the next headline by an inadvertent release of private customer or company data. Secure your persisted, transmitted and in-memory data and learn the terminology you’ll need to navigate the ecosystem of symmetric and public/private key encryption.
18. Caesar Cipher
Z M S R
A N T S if encrypted with ROT(-1)
19. Caesar Cipher
Z M S R
A N T S if encrypted with ROT(-1)
B O U T if encrypted with ROT(-2)
20. /**
* A naively simple rotation cipher implementation.
* USAGE: groovy RotateWord.groovy <yourword>
*/
public class RotateWord {
/**
* Rotate one character by the specified amount
*/
private static char rotateChar(char c, int rotationAmount) {
//a == 97, z == 122
int num = (int)c
int rotated = num + rotationAmount
int adjusted
//Handle roll-around wrapping
21. /**
* A naively simple rotation cipher implementation.
* USAGE: groovy RotateWord.groovy <yourword>
*/
public class RotateWord {
/**
* Rotate one character by the specified amount
*/
private static char rotateChar(char c, int rotationAmount) {
//a == 97, z == 122
int num = (int)c
int rotated = num + rotationAmount
int adjusted
//Handle roll-around wrapping
if (rotated > 122)
adjusted = rotated - 26
else if (rotated < 97)
adjusted = rotated + 26
else
adjusted = rotated
22. */
public class RotateWord {
/**
* Rotate one character by the specified amount
*/
private static char rotateChar(char c, int rotationAmount) {
//a == 97, z == 122
int num = (int)c
int rotated = num + rotationAmount
int adjusted
//Handle roll-around wrapping
if (rotated > 122)
adjusted = rotated - 26
else if (rotated < 97)
adjusted = rotated + 26
else
adjusted = rotated
char adjustedChar = (char)adjusted
return adjustedChar
}
/**
23. */
private static char rotateChar(char c, int rotationAmount) {
//a == 97, z == 122
int num = (int)c
int rotated = num + rotationAmount
int adjusted
//Handle roll-around wrapping
if (rotated > 122)
adjusted = rotated - 26
else if (rotated < 97)
adjusted = rotated + 26
else
adjusted = rotated
char adjustedChar = (char)adjusted
return adjustedChar
}
/**
* Rotate the entire String by the specified rotation amount.
*/
public static String rotateAllChars(String plainText, int rotationAmount) {
String encodedMessage = ""
24. else if (rotated < 97)
adjusted = rotated + 26
else
adjusted = rotated
char adjustedChar = (char)adjusted
return adjustedChar
}
/**
* Rotate the entire String by the specified rotation amount.
*/
public static String rotateAllChars(String plainText, int rotationAmount) {
String encodedMessage = ""
//Loop through each character in the plaintext
for (int i = 0; i < plainText.length(); i++) {
//TODO: Improve to handle upper and lower case letters
char c = plainText.toLowerCase().charAt(i)
encodedMessage += rotateChar(c, rotationAmount)
}
return encodedMessage
}
25. char adjustedChar = (char)adjusted
return adjustedChar
}
/**
* Rotate the entire String by the specified rotation amount.
*/
public static String rotateAllChars(String plainText, int rotationAmount) {
String encodedMessage = ""
//Loop through each character in the plaintext
for (int i = 0; i < plainText.length(); i++) {
//TODO: Improve to handle upper and lower case letters
char c = plainText.toLowerCase().charAt(i)
encodedMessage += rotateChar(c, rotationAmount)
}
return encodedMessage
}
public static void main (String[] args) {
String originalword = args[0]
println "Rot(-3) Word: " + rotateAllChars(originalword, -3)
36. Java Cryptography Extension
known as JCE
included in all JREs Since Java 1.2
Pluggable provider architecture
37. Java Cryptography Extension
known as JCE
included in all JREs Since Java 1.2
Pluggable provider architecture
JCE extends Java Cryptography
Architecture (JCA)
54. SecureRandom
! java.security.SecureRandom
! Cryptographically strong random
number generator (RNG)
! “Unable to distinguish from a true
random source”
55. package com.ambientideas;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
/**
* Use the SecureRandom java security class to generate
* a more expensive, but cryptographically secure random number.
*/
public class SecureRandomNumber
{
public static void main( String[] args ) throws
NoSuchAlgorithmException
{
//Do the expensive one time setup of the
// random number generator instance
56. import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
/**
* Use the SecureRandom java security class to generate
* a more expensive, but cryptographically secure random number.
*/
public class SecureRandomNumber
{
public static void main( String[] args ) throws
NoSuchAlgorithmException
{
//Do the expensive one time setup of the
// random number generator instance
SecureRandom prng = SecureRandom.getInstance("SHA1PRNG");
//Get the next random number
String randomNum = new Integer( prng.nextInt() ).toString();
System.out.println("Random number: " + randomNum);
}
}
57. * a more expensive, but cryptographically secure random number.
*/
public class SecureRandomNumber
{
public static void main( String[] args ) throws
NoSuchAlgorithmException
{
//Do the expensive one time setup of the
// random number generator instance
SecureRandom prng = SecureRandom.getInstance("SHA1PRNG");
//Get the next random number
String randomNum = new Integer( prng.nextInt() ).toString();
System.out.println("Random number: " + randomNum);
}
}
60. What is a Digest?
! Small set of bytes representing a
large message
! Small change in message = large
change in digest
! Integrity check for large data
! Password storage mechanism
64. System.out.println("Message1 SHA1 digest: "
+ shaAndBase64Encode(message1));
System.out.println("Message2 SHA1 digest: "
+ shaAndBase64Encode(message2));
}
/**
* Helper function to both SHA-1 hash and
* base64 encode the resulting bytes to a String
*/
public static String shaAndBase64Encode(String message)
throws NoSuchAlgorithmException {
MessageDigest sha = MessageDigest.getInstance("SHA-1");
//Salt could be applied here
//Integer salt = <some random number generator>
//sha.update(salt.getBytes());
byte[] digest = sha.digest(message.getBytes());
return new sun.misc.BASE64Encoder().encode(digest);
}
}
65. *
* Demonstrate that very similar messages
* have radically different hashes.
*/
public class MessageDigestSHA
{
public static void main( String[] args )
throws NoSuchAlgorithmException
{
//Set up the message to be encoded
String message1 = "Four score and seven years ago";
String message2 = "Four score and seven tears ago";
System.out.println("Message1 SHA1 digest: "
+ shaAndBase64Encode(message1));
System.out.println("Message2 SHA1 digest: "
+ shaAndBase64Encode(message2));
}
/**
* Helper function to both SHA-1 hash and
* base64 encode the resulting bytes to a String
*/
public static String shaAndBase64Encode(String message)
throws NoSuchAlgorithmException {
MessageDigest sha = MessageDigest.getInstance("SHA-1");
66. Input
String message1 = "Four score and seven years ago";
String message2 = "Four score and seven tears ago";
Result
Message1 SHA1 digest: DmCJIg4Bq/xpGIxVXxo3IB0vo38=
Message2 SHA1 digest: oaLHt8tr31ttngCDjyYuWowF5Mc=
69. Creating a keystore
keytool -genkeypair -keyalg RSA -keysize 2048 -
keystore myapp.keystore
Enter keystore password: ********
Re-enter new password: ********
What is your first and last name?
[Unknown]: Matthew McCullough
What is the name of your organizational unit?
[Unknown]: Consulting
What is the name of your organization?
[Unknown]: Ambient Ideas, LLC
What is the name of your City or Locality?
[Unknown]: Denver
What is the name of your State or Province?
[Unknown]: Colorado
What is the two-letter country code for this unit?
[Unknown]: US
70. keytool -genkeypair -keyalg RSA -keysize 2048 -
Creating a keystore
keystore myapp.keystore
Enter keystore password: ********
Re-enter new password: ********
What is your first and last name?
[Unknown]: Matthew McCullough
What is the name of your organizational unit?
[Unknown]: Consulting
What is the name of your organization?
[Unknown]: Ambient Ideas, LLC
What is the name of your City or Locality?
[Unknown]: Denver
What is the name of your State or Province?
[Unknown]: Colorado
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Matthew McCullough, OU=Consulting, O="Ambient
Ideas, LLC", L=Denver, ST=Colorado, C=US correct?
[no]: yes
Enter key password for <mykey>
! (RETURN if same as keystore password):
71. Using a keystore
java -Djavax.net.ssl.keyStore=keystore
-Djavax.net.ssl.keyStorePassword=y3$1t1s
ServerApp
Using a Truststore
java -Djavax.net.ssl.trustStore=truststore
-Djavax.net.ssl.trustStorePassword=tru$tM3
ClientApp
73. JSSE
! Java Secure Socket Extension
! Built on top of JCE
! Specific to networking
! Standard as of JRE 1.4
! Implementations of
! Secure Sockets Layer (SSL) 2.0 and 3.0
! Transport Layer Security (TLS) 1.0
75. JAAS
! Java Authentication and
Authorization Service
! Single sign on helper
! Supports biometric, smartcard
devices
! Adds “user” control
(above code control)
79. Symmetric Problems
! Keys vulnerable to capture
! Eavesdropping on future
communications after key
compromise
! Key distribution challenges
! Triangular number key growth
84. AES
! Advanced Encryption Standard
! Government standard
! Rijndael algorithm
(Joan Daemen, Vincent Rijmen)
! 4 years of evaluation
! Final in December 2000
! Very Secure
! block cipher
85. import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import sun.misc.BASE64Encoder;
/**
* Use the SecureRandom java security class to generate
* a more expensive, but cryptographically secure random number.
*/
public class SymmetricEncrypt
{
public static void main( String[] args )
throws NoSuchAlgorithmException, NoSuchProviderException,
NoSuchPaddingException, InvalidKeyException,
IllegalBlockSizeException, BadPaddingException
{
final String message1 = "Four score and seven years ago";
86. import sun.misc.BASE64Encoder;
/**
* Use the SecureRandom java security class to generate
* a more expensive, but cryptographically secure random number.
*/
public class SymmetricEncrypt
{
public static void main( String[] args )
throws NoSuchAlgorithmException, NoSuchProviderException,
NoSuchPaddingException, InvalidKeyException,
IllegalBlockSizeException, BadPaddingException
{
final String message1 = "Four score and seven years ago";
//Build a new encryption key
final KeyGenerator keyGen = KeyGenerator.getInstance("DESede");
keyGen.init(168);
final SecretKey desKey = keyGen.generateKey();
//Set up the cipher
final Cipher desCipher = Cipher.getInstance("DESede/ECB/PKCS5Padding");
//////////////////////////////////////
//Put the cipher in encryption mode
desCipher.init(Cipher.ENCRYPT_MODE, desKey);
//Encrypt and output the base64 data
byte[] clearText = message1.getBytes();
byte[] encryptedBytes = desCipher.doFinal(clearText);
BASE64Encoder b64e = new sun.misc.BASE64Encoder();
87. {
final String message1 = "Four score and seven years ago";
//Build a new encryption key
final KeyGenerator keyGen = KeyGenerator.getInstance("DESede");
keyGen.init(168);
final SecretKey desKey = keyGen.generateKey();
//Set up the cipher
final Cipher desCipher = Cipher.getInstance("DESede/ECB/PKCS5Padding");
//////////////////////////////////////
//Put the cipher in encryption mode
desCipher.init(Cipher.ENCRYPT_MODE, desKey);
//Encrypt and output the base64 data
byte[] clearText = message1.getBytes();
byte[] encryptedBytes = desCipher.doFinal(clearText);
BASE64Encoder b64e = new sun.misc.BASE64Encoder();
String base64Encrypted = b64e.encode(encryptedBytes);
System.out.println("Encrypted text: " + base64Encrypted);
//////////////////////////////////////
//Put the cipher in decryption mode
desCipher.init(Cipher.DECRYPT_MODE, desKey);
//Decrypt and output the original string
byte[] decryptedBytes = desCipher.doFinal(encryptedBytes);
String decryptedText = new String(decryptedBytes);
System.out.println("Decrypted text: " + decryptedText);
}
}
88. //Set up the cipher
final Cipher desCipher = Cipher.getInstance("DESede/ECB/PKCS5Padding");
//////////////////////////////////////
//Put the cipher in encryption mode
desCipher.init(Cipher.ENCRYPT_MODE, desKey);
//Encrypt and output the base64 data
byte[] clearText = message1.getBytes();
byte[] encryptedBytes = desCipher.doFinal(clearText);
BASE64Encoder b64e = new sun.misc.BASE64Encoder();
String base64Encrypted = b64e.encode(encryptedBytes);
System.out.println("Encrypted text: " + base64Encrypted);
//////////////////////////////////////
//Put the cipher in decryption mode
desCipher.init(Cipher.DECRYPT_MODE, desKey);
//Decrypt and output the original string
byte[] decryptedBytes = desCipher.doFinal(encryptedBytes);
String decryptedText = new String(decryptedBytes);
System.out.println("Decrypted text: " + decryptedText);
}
}
89. Input
String message1 = "Four score and seven years ago";
Result
Encrypted text: P0FT6N3XXrohtsz7OLh3FGYY0wErkPIur1DP6Csbj4g=
Decrypted text: Four score and seven years ago
96. RSA
! Ron Rivest, Adi Shamir, Leonard
Adleman
! Published in 1978
! M.I.T. Patented in 1983
! Patent Expired in 2000
97. import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import sun.misc.BASE64Encoder;
/**
* Use the SecureRandom java security class to generate
* a more expensive, but cryptographically secure random
number.
98. {
public static void main( String[] args ) throws
NoSuchAlgorithmException, NoSuchProviderException,
IOException, NoSuchPaddingException, InvalidKeyException,
IllegalBlockSizeException, BadPaddingException
{
final String message1 = "Four score and seven years ago";
// Generate the Key Pair
final KeyPairGenerator keyGen =
KeyPairGenerator.getInstance("RSA");
final SecureRandom random =
SecureRandom.getInstance("SHA1PRNG", "SUN");
keyGen.initialize(1024, random);
KeyPair pair = keyGen.generateKeyPair();
final PrivateKey privKey = pair.getPrivate();
final PublicKey pubKey = pair.getPublic();
//Encrypt using the private key
Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
rsa.init(Cipher.ENCRYPT_MODE, privKey);
byte[] encryptedBytes = rsa.doFinal(message1.getBytes());
BASE64Encoder b64e = new sun.misc.BASE64Encoder();
99. keyGen.initialize(1024, random);
KeyPair pair = keyGen.generateKeyPair();
final PrivateKey privKey = pair.getPrivate();
final PublicKey pubKey = pair.getPublic();
//Encrypt using the private key
Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
rsa.init(Cipher.ENCRYPT_MODE, privKey);
byte[] encryptedBytes = rsa.doFinal(message1.getBytes());
BASE64Encoder b64e = new sun.misc.BASE64Encoder();
String base64Encrypted = b64e.encode(encryptedBytes);
System.out.println("Encrypted text: " + base64Encrypted);
//Decrypt using the private key
rsa.init(Cipher.DECRYPT_MODE, pubKey);
byte[] decryptedBytes = rsa.doFinal(encryptedBytes);
String decryptedText = new String(decryptedBytes);
System.out.println("Decrypted text: " + decryptedText);
}
}
100. final PrivateKey privKey = pair.getPrivate();
final PublicKey pubKey = pair.getPublic();
//Encrypt using the private key
Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
rsa.init(Cipher.ENCRYPT_MODE, privKey);
byte[] encryptedBytes = rsa.doFinal(message1.getBytes());
BASE64Encoder b64e = new sun.misc.BASE64Encoder();
String base64Encrypted = b64e.encode(encryptedBytes);
System.out.println("Encrypted text: " + base64Encrypted);
//Decrypt using the private key
rsa.init(Cipher.DECRYPT_MODE, pubKey);
byte[] decryptedBytes = rsa.doFinal(encryptedBytes);
String decryptedText = new String(decryptedBytes);
System.out.println("Decrypted text: " + decryptedText);
}
}
101. Input
String message1 = "Four score and seven years ago";
Result
Encrypted text: A8Is+4r7sDn28fD6IQvZiR5JxPs/vh7UnXrF38acJt6R/
ARisj/zLtC7Xn6iJgNQPhc16wkVZhCF
em7oNoim+ooTUDDZQ+E3qP6y/
DZJGkLBoZuZVLeLAW1LUtHSzduRUOg1uMynJz14wxzwfV8wfRwf
atpySkOhGqWS63bPNRs=
Decrypted text: Four score and seven years ago
115. TJ Maxx
! $1 billon USD final cost
! 45 million credit card
numbers stolen
116. riticized the
s have c
“
Many secur
strength o
ity expert
f WEP enc
2
ry
m
ption. WEP
ost recent
001, and st month
cracked in archers la
w
ly
as initially
broken by
G erman rese
ord inary
usin g an three
top in under
lap
seconds et UK
— Tom Espiner, ZDN
”
130. ENCRYPTION B O O T C AM P
ted
sion comple
security mis
@matthewmccull
#EncryptBC
matthewm@ambientideas.com
http://ambientideas.com/blog
http://speakerrate.com/matthew.mccullough
140. Steganography
! High signal to noise
ratio
! Slow
but
! Inconspicuous
141. Cracks in the News
! Thomas Jefferson letter
! London Tube Oyster cards
! GSM
! Iraq drone video feeds
! Pacemakers
! Zune
! WPA
! Blue-ray
! DVD
! Skype
! Windows Vista BitLocker
142. Encryption & The Law
! Encryption considered a
munition under
international law
! 1999 Relaxation of
rules
143. Digital Signatures
! Hash with Private Key
! Public Private Key Systems
! Public Key Infrastructure (PKI)
144. Breakthroughs
! IBM
! Statistics on encrypted data
! No compromise on security or
anonymity
145. Keys
! Clickers/Tokens
! One Time Pads (paper)
146. Misc
! Message Digests == Hash?
! Certificates (x509 v3)
! Digital signatures
! Just means hashing a message, then signing
the hash with the private key
! Later verified by decrypting the hash with
the public key, then re-running the hash
and comparing the two hashes.
! Block vs Stream ciphers
152. SECURITY
What’s ON THE J
your po VM
sition?
Friday, January 15, 2010 2
153. HACK ATT
EMPTS PE
R >3 00,00 D AY
0
Friday, January 15, 2010 3
154. TING? not
ENCRayP robably
ss
Y
p
ic
statist
Friday, January 15, 2010 4
155. ?
RIEDbe
WOR
You should
Friday, January 15, 2010 5
156. Matthew McCullough
@matthewmccull
#EncryptBC
http://speakerrate.com/matthew.mccullough
Friday, January 15, 2010 6
157. ANCIENT HISTORY
Everything old is new again
Friday, January 15, 2010 7
158. Recipient
or
Storage
ht
Sig ur
ed
ain
c
bs
O
ts
Pl
en
o nt
C
Sensitive
Data
Friday, January 15, 2010 8
Craziest idea ever! Everyone knows you need to keep secret
information hidden in a body cavity and physically transport it to the
recipient. All the movies do that.
159. er
ll ov
“I’m a ew
n
thisryption
enc ff boss”
stu
Friday, January 15, 2010 9
Even though we make minor adjustments, they are often seeded by our
predecessors.
Even encryption is over old with a fresh coat of paint
160. 44 B.C.
That’s 2,054 years ago...
Friday, January 15, 2010 10
161. Julius Caesar
Friday, January 15, 2010 11
And even the Egyptians before him were trying math for encryption.
http://www.amazon.com/Code-Book-Science-Secrecy-Cryptography/
dp/0385495323/ref=sr_1_7?
ie=UTF8&s=books&qid=1263535206&sr=8-7
162. Caesar Cipher
a.k.a.
ROT(2)
Shift Cipher
A B C D E F G
A B C D E F G
Friday, January 15, 2010 12
163. Caesar Cipher
Rotation
= Integer
Rot(x)
Friday, January 15, 2010 13
164. Caesar Cipher
Encrypted Word
Z M S R
A N T S if encrypted with ROT(-1)
B O U T if encrypted with ROT(-2)
30s 25s 20s 15s 10s 5s Stop
Friday, January 15, 2010 14
This is not an eye test at your optometrist
English dictionary attack would be a good approach.
ANTS and BOUT are solutions [ROT(+1) and ROT(+2)]
165. /**
* A naively simple rotation cipher implementation.
* USAGE: groovy RotateWord.groovy <yourword>
*/
public class RotateWord {
/**
* Rotate one character by the specified amount
*/
private static char rotateChar(char c, int rotationAmount) {
//a == 97, z == 122
int num = (int)c
int rotated = num + rotationAmount
int adjusted
//Handle roll-around wrapping
Friday, January=>rotated - 26
if (rotated 122)
adjusted
15, 2010 15
else if (rotated < 97)
Look at how much effort it is to write even the simplest cipher (Caesar)
adjusted = rotated + 26
else
implementation ourselves.adjusted = rotated
char adjustedChar = (char)adjusted
return adjustedChar
}
/**
* Rotate the entire String by the specified rotation amount.
*/
public static String rotateAllChars(String plainText, int rotationAmount) {
String encodedMessage = ""
//Loop through each character in the plaintext
for (int i = 0; i < plainText.length(); i++) {
//TODO: Improve to handle upper and lower case letters
char c = plainText.toLowerCase().charAt(i)
encodedMessage += rotateChar(c, rotationAmount)
}
166. > groovy RotateWord.groovy ants
Rot(-3) Word: xkqp
Rot(-2) Word: ylrq
Rot(-1) Word: zmsr
Original Word: ants
Rot(1) Word: bout
Rot(2) Word: cpvu
Rot(3) Word: dqwv
Friday, January 15, 2010 16
Think about the combinatoric and steganographic possibilities.
167. BROKEN
Perfectly safe data is a myth
Friday, January 15, 2010 17
168. Compromised
! Every algorithm is
vulnerable
! crack by brute force
! Crack by rainbow tables
! Function of time + money
+ hardware
Friday, January 15, 2010 18
169. $2000
Whic
h wo
uld
0 you
$50 hit?
Friday, January 15, 2010 19
Go into a jewelry store.
Two possible storage containers to hit. Your informant has told you
how much is in each.
4X as much in the safe as in the wooden box.
170. $10,000
Now
whic
h wo
uld
0 you
$5 hit?
Friday, January 15, 2010 20
Now the jewelry box contains 1/200th what the safe does. Would you
still hit the wooden box?
171. JCE PRIMER
The world of Java crypto
Friday, January 15, 2010 21
172. Java Cryptography Extension
known as JCE
included in all JREs Since Java 1.2
Pluggable provider architecture
JCE extends Java Cryptography
Architecture (JCA)
Friday, January 15, 2010 22
173. JCE Providers
! Default Sun JRE providers
! SUN
! SunJCE
! SunJSSE
! SunRsaSign
! Bouncycastle provider
! Adds AES capabilities
Friday, January 15, 2010 23
174. Registering a Provider
! Static
! <java-home>/lib/security/java.security
! security.provider.n=masterClassName
Friday, January 15, 2010 24
175. Registering a Provider
! Dynamic
! java.security.Security class
! addProvider()
! insertProviderAt()
! not persistent across VM instances
Friday, January 15, 2010 25
Can only be done by "trusted" programs with the appropriate privilege
176. EnCryption & the
Law
country borders stop bits
Friday, January 15, 2010 26
178. JCE Strength
! Strong strength included in all
JREs
! Unlimited strength is a separate
download available based on US export
rules
Friday, January 15, 2010 28
181. Worldwide Policy
// File: default_local.policy
// Some countries have import limits on crypto strength.
// This policy file is worldwide importable.
grant {
permission javax.crypto.CryptoPermission "DES", 64;
permission javax.crypto.CryptoPermission "DESede", *;
permission javax.crypto.CryptoPermission "RC2", 128,
"javax.crypto.spec.RC2ParameterSpec", 128;
permission javax.crypto.CryptoPermission "RC4", 128;
permission javax.crypto.CryptoPermission "RC5", 128,
"javax.crypto.spec.RC5ParameterSpec", *, 12, *;
permission javax.crypto.CryptoPermission "RSA", 2048;
permission javax.crypto.CryptoPermission *, 128;
};
Friday, January 15, 2010 31
182. Max Key Sizes
Algorithm Max Key Size
DES 64
DESede 168
3des
RC2 128
RC4 128
RC5 128
RSA 2048
Others 128
Friday, January 15, 2010 32
http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/
JCERefGuide.html#AppE
183. Key Size & Security
1024 bit RSA
Asymmetric
Key Size
160 bit DES
Symmetric
Key Size
112 bits
128 bits
Security Security
Friday, January 15, 2010 33
Speed is 1000x slower on asymmetric
184. Random
Numbers
Seed the machine
Friday, January 15, 2010 34
185. SecureRandom
! java.security.SecureRandom
! Cryptographically strong random
number generator (RNG)
! “Unable to distinguish from a true
random source”
Friday, January 15, 2010 35
A cryptographically strong random number generator passes all statistical tests
that run in polynomial time asymptotically. It will pass any statistical test for
randomness that does not require an exponentially increasing to infinite amount
of time to run. All such polynomial time statistical tests will be unable to
distinguish the random number generator from a true random source.
http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#Concepts
http://java.sun.com/javase/6/docs/api/java/security/SecureRandom.html
http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#AppA
186. package com.ambientideas;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
/**
* Use the SecureRandom java security class to generate
* a more expensive, but cryptographically secure random number.
*/
public class SecureRandomNumber
{
public static void main( String[] args ) throws
NoSuchAlgorithmException
{
//Do the expensive one time setup of the
// random number generator instance
Friday, January 15, 2010 = SecureRandom.getInstance("SHA1PRNG");
SecureRandom prng 36
//Get the next random number
String randomNum = new Integer( prng.nextInt() ).toString();
System.out.println("Random number: " + randomNum);
}
}
187. import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
/**
* Use the SecureRandom java security class to generate
* a more expensive, but cryptographically secure random number.
*/
public class SecureRandomNumber
{
public static void main( String[] args ) throws
NoSuchAlgorithmException
{
//Do the expensive one time setup of the
// random number generator instance
SecureRandom prng = SecureRandom.getInstance("SHA1PRNG");
//Get the next random number
String randomNum = new Integer( prng.nextInt() ).toString();
System.out.println("Random number: " + randomNum);
}
}
Friday, January 15, 2010 37
188. * Use the SecureRandom java security class to generate
* a more expensive, but cryptographically secure random number.
*/
public class SecureRandomNumber
{
public static void main( String[] args ) throws
NoSuchAlgorithmException
{
//Do the expensive one time setup of the
// random number generator instance
SecureRandom prng = SecureRandom.getInstance("SHA1PRNG");
//Get the next random number
String randomNum = new Integer( prng.nextInt() ).toString();
System.out.println("Random number: " + randomNum);
}
}
Friday, January 15, 2010 38
189. Result
Random number: 1633471380
Friday, January 15, 2010 39
190. Digests &
Hashes
One way functions
Friday, January 15, 2010 40
191. What is a Digest?
! Small set of bytes representing a
large message
! Small change in message = large
change in digest
! Integrity check for large data
! Password storage mechanism
Friday, January 15, 2010 41
OWASP says passwords should never be stored in plaintext
http://www.owasp.org/index.php/Hashing_Java
193. MessageDigest
!
!
MD5
U. S. Department of Homeland
Security said MD5
"considered cryptographically broken
and unsuitable for further use"
Friday, January 15, 2010 43
http://en.wikipedia.org/wiki/MD5
195. System.out.println("Message1 SHA1 digest: "
+ shaAndBase64Encode(message1));
System.out.println("Message2 SHA1 digest: "
+ shaAndBase64Encode(message2));
}
/**
* Helper function to both SHA-1 hash and
* base64 encode the resulting bytes to a String
*/
public static String shaAndBase64Encode(String message)
throws NoSuchAlgorithmException {
MessageDigest sha = MessageDigest.getInstance("SHA-1");
//Salt could be applied here
//Integer salt = <some random number generator>
//sha.update(salt.getBytes());
byte[] digest = sha.digest(message.getBytes());
return new sun.misc.BASE64Encoder().encode(digest);
}
}
Friday, January 15, 2010 45
196. * Digest a string message via SHA1.
*
* Demonstrate that very similar messages
* have radically different hashes.
*/
public class MessageDigestSHA
{
public static void main( String[] args )
throws NoSuchAlgorithmException
{
//Set up the message to be encoded
String message1 = "Four score and seven years ago";
String message2 = "Four score and seven tears ago";
System.out.println("Message1 SHA1 digest: "
+ shaAndBase64Encode(message1));
System.out.println("Message2 SHA1 digest: "
+ shaAndBase64Encode(message2));
}
/**
* Helper function to both SHA-1 hash and
* base64 encode the resulting bytes to a String
*/
public static String shaAndBase64Encode(String message)
throws NoSuchAlgorithmException {
MessageDigest sha = MessageDigest.getInstance("SHA-1");
Friday, January 15, 2010 46
//Salt could be applied here
//Integer salt = <some random number generator>
//sha.update(salt.getBytes());
byte[] digest = sha.digest(message.getBytes());
return new sun.misc.BASE64Encoder().encode(digest);
}
}
197. Input
String message1 = "Four score and seven years ago";
String message2 = "Four score and seven tears ago";
Result
Message1 SHA1 digest: DmCJIg4Bq/xpGIxVXxo3IB0vo38=
Message2 SHA1 digest: oaLHt8tr31ttngCDjyYuWowF5Mc=
Friday, January 15, 2010 47
200. Creating a keystore
keytool -genkeypair -keyalg RSA -keysize 2048 -
keystore myapp.keystore
Enter keystore password: ********
Re-enter new password: ********
What is your first and last name?
[Unknown]: Matthew McCullough
What is the name of your organizational unit?
[Unknown]: Consulting
What is the name of your organization?
[Unknown]: Ambient Ideas, LLC
What is the name of your City or Locality?
[Unknown]: Denver
What is the name of your State or Province?
[Unknown]: Colorado
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Matthew McCullough, OU=Consulting, O="Ambient
Friday, January 15, L=Denver, ST=Colorado, C=US correct?
Ideas, LLC", 2010 50
[no]: yes
Enter key password for <mykey>
! (RETURN if same as keystore password):
201. keytool -genkeypair -keyalg RSA -keysize 2048 -
Creating a keystore
keystore myapp.keystore
Enter keystore password: ********
Re-enter new password: ********
What is your first and last name?
[Unknown]: Matthew McCullough
What is the name of your organizational unit?
[Unknown]: Consulting
What is the name of your organization?
[Unknown]: Ambient Ideas, LLC
What is the name of your City or Locality?
[Unknown]: Denver
What is the name of your State or Province?
[Unknown]: Colorado
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Matthew McCullough, OU=Consulting, O="Ambient
Ideas, LLC", L=Denver, ST=Colorado, C=US correct?
[no]: yes
Enter key password for <mykey>
! (RETURN if same as keystore password):
Friday, January 15, 2010 51
202. Using a keystore
java -Djavax.net.ssl.keyStore=keystore
-Djavax.net.ssl.keyStorePassword=y3$1t1s
ServerApp
Using a Truststore
java -Djavax.net.ssl.trustStore=truststore
-Djavax.net.ssl.trustStorePassword=tru$tM3
ClientApp
Friday, January 15, 2010 52
203. JSSE
Network communications security
Friday, January 15, 2010 53
204. JSSE
! Java Secure Socket Extension
! Built on top of JCE
! Specific to networking
! Standard as of JRE 1.4
! Implementations of
! Secure Sockets Layer (SSL) 2.0 and 3.0
! Transport Layer Security (TLS) 1.0
Friday, January 15, 2010 54
http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html
Previously an optional add on up through JRE 1.3
http://en.wikipedia.org/wiki/Transport_Layer_Security
TLS 1.0 in 1999. Improvements to SSL 3.0 (1996)
205. JAAS
Authentication and Authorization
Friday, January 15, 2010 55
206. JAAS
! Java Authentication and
Authorization Service
! Single sign on helper
! Supports biometric, smartcard
devices
! Adds “user” control
(above code control)
Friday, January 15, 2010 56
207. SYMMETRIC
My key is your key
Friday, January 15, 2010 57
208. Why Symmetric?
! Fast
! Bulk data
! Controlled environment
! Never decrypted at remote end
Friday, January 15, 2010 58
209. Symmetric Problems
! Keys vulnerable to capture
! Eavesdropping on future
communications after key
compromise
! Key distribution challenges
! Triangular number key growth
Friday, January 15, 2010 59
How do you distribute keys?
System-wide number of keys for N nodes to talk securely to any node
is Tn
http://mathworld.wolfram.com/TriangularNumber.html
210. Symmetric Problems
! Triangular number key growth
Friday, January 15, 2010 60
211. DES & 3DES
! Block cipher
! DES is known to be broken
! 3DES and DESede
! basically three passes of DES
! Reasonably strong
Friday, January 15, 2010 61
212. Blowfish
! Secure replacement for DES
! Faster than DES
! Block cipher
Friday, January 15, 2010 62
Sounds like a new flavor of Ben and Jerry’s ice cream
214. AES
! Advanced Encryption Standard
! Government standard
! Rijndael algorithm
(Joan Daemen, Vincent Rijmen)
! 4 years of evaluation
! Final in December 2000
! Very Secure
! block cipher
Friday, January 15, 2010 64
215. import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import sun.misc.BASE64Encoder;
/**
* Use the SecureRandom java security class to generate
* a more expensive, but cryptographically secure random number.
*/
public class SymmetricEncrypt
{
public static void main( String[] args )
throws NoSuchAlgorithmException, NoSuchProviderException,
NoSuchPaddingException, InvalidKeyException,
IllegalBlockSizeException, BadPaddingException
{
final String message1 = "Four score and seven years ago";
Friday, Januarya15, 2010
//Build new encryption key 65
final KeyGenerator keyGen = KeyGenerator.getInstance("DESede");
keyGen.init(168);
final SecretKey desKey = keyGen.generateKey();
//Set up the cipher
final Cipher desCipher = Cipher.getInstance("DESede/ECB/PKCS5Padding");
//////////////////////////////////////
//Put the cipher in encryption mode
desCipher.init(Cipher.ENCRYPT_MODE, desKey);
//Encrypt and output the base64 data
byte[] clearText = message1.getBytes();
byte[] encryptedBytes = desCipher.doFinal(clearText);
BASE64Encoder b64e = new sun.misc.BASE64Encoder();
String base64Encrypted = b64e.encode(encryptedBytes);
System.out.println("Encrypted text: " + base64Encrypted);
//////////////////////////////////////
//Put the cipher in decryption mode
desCipher.init(Cipher.DECRYPT_MODE, desKey);
//Decrypt and output the original string
byte[] decryptedBytes = desCipher.doFinal(encryptedBytes);
String decryptedText = new String(decryptedBytes);
System.out.println("Decrypted text: " + decryptedText);
}
}
216. import javax.crypto.SecretKey;
import sun.misc.BASE64Encoder;
/**
* Use the SecureRandom java security class to generate
* a more expensive, but cryptographically secure random number.
*/
public class SymmetricEncrypt
{
public static void main( String[] args )
throws NoSuchAlgorithmException, NoSuchProviderException,
NoSuchPaddingException, InvalidKeyException,
IllegalBlockSizeException, BadPaddingException
{
final String message1 = "Four score and seven years ago";
//Build a new encryption key
final KeyGenerator keyGen = KeyGenerator.getInstance("DESede");
keyGen.init(168);
final SecretKey desKey = keyGen.generateKey();
//Set up the cipher
final Cipher desCipher = Cipher.getInstance("DESede/ECB/PKCS5Padding");
//////////////////////////////////////
//Put the cipher in encryption mode
desCipher.init(Cipher.ENCRYPT_MODE, desKey);
//Encrypt and output the base64 data
byte[] clearText = message1.getBytes();
byte[] encryptedBytes = desCipher.doFinal(clearText);
BASE64Encoder b64e = new sun.misc.BASE64Encoder();
String base64Encrypted = b64e.encode(encryptedBytes);
Friday, January 15, 2010
System.out.println("Encrypted text: " + base64Encrypted); 66
//////////////////////////////////////
//Put the cipher in decryption mode
desCipher.init(Cipher.DECRYPT_MODE, desKey);
//Decrypt and output the original string
byte[] decryptedBytes = desCipher.doFinal(encryptedBytes);
String decryptedText = new String(decryptedBytes);
System.out.println("Decrypted text: " + decryptedText);
}
}
217. {
final String message1 = "Four score and seven years ago";
//Build a new encryption key
final KeyGenerator keyGen = KeyGenerator.getInstance("DESede");
keyGen.init(168);
final SecretKey desKey = keyGen.generateKey();
//Set up the cipher
final Cipher desCipher = Cipher.getInstance("DESede/ECB/PKCS5Padding");
//////////////////////////////////////
//Put the cipher in encryption mode
desCipher.init(Cipher.ENCRYPT_MODE, desKey);
//Encrypt and output the base64 data
byte[] clearText = message1.getBytes();
byte[] encryptedBytes = desCipher.doFinal(clearText);
BASE64Encoder b64e = new sun.misc.BASE64Encoder();
String base64Encrypted = b64e.encode(encryptedBytes);
System.out.println("Encrypted text: " + base64Encrypted);
//////////////////////////////////////
//Put the cipher in decryption mode
desCipher.init(Cipher.DECRYPT_MODE, desKey);
//Decrypt and output the original string
byte[] decryptedBytes = desCipher.doFinal(encryptedBytes);
String decryptedText = new String(decryptedBytes);
System.out.println("Decrypted text: " + decryptedText);
}
}
Friday, January 15, 2010 67
218. //Set up the cipher
final Cipher desCipher = Cipher.getInstance("DESede/ECB/PKCS5Padding");
//////////////////////////////////////
//Put the cipher in encryption mode
desCipher.init(Cipher.ENCRYPT_MODE, desKey);
//Encrypt and output the base64 data
byte[] clearText = message1.getBytes();
byte[] encryptedBytes = desCipher.doFinal(clearText);
BASE64Encoder b64e = new sun.misc.BASE64Encoder();
String base64Encrypted = b64e.encode(encryptedBytes);
System.out.println("Encrypted text: " + base64Encrypted);
//////////////////////////////////////
//Put the cipher in decryption mode
desCipher.init(Cipher.DECRYPT_MODE, desKey);
//Decrypt and output the original string
byte[] decryptedBytes = desCipher.doFinal(encryptedBytes);
String decryptedText = new String(decryptedBytes);
System.out.println("Decrypted text: " + decryptedText);
}
}
Friday, January 15, 2010 68
219. Input
String message1 = "Four score and seven years ago";
Result
Encrypted text: P0FT6N3XXrohtsz7OLh3FGYY0wErkPIur1DP6Csbj4g=
Decrypted text: Four score and seven years ago
Friday, January 15, 2010 69
221. ASYMMETRIC
Throwing away keys
faster than an intern locksmith
Friday, January 15, 2010 71
222. Friday, January 15, 2010 72
http://www.isg.rhul.ac.uk/node/329
http://www.isg.rhul.ac.uk/files/IMG_9819.JPG
http://en.wikipedia.org/wiki/Diffie
223. Diffie-Hellman
! Key Agreement Protocol
! Alice & Bob independently
generate the shared (session) key
! asymmetric Key handshake
! 1970s
! Vulnerable to MITM attack
! Fixed by
! PKI
! signing the agreed key
Friday, January 15, 2010 73
http://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange
224. DH Diagrammed
Friday, January 15, 2010 74
http://matdonline.free.fr/RSA-Diffie-Hellman-explained-in-5-
minutes.htm
225. Friday, January 15, 2010 75
RSA
http://www.usc.edu/dept/molecular-science/pictures/RSA-2003.jpg
226. RSA
! Ron Rivest, Adi Shamir, Leonard
Adleman
! Published in 1978
! M.I.T. Patented in 1983
! Patent Expired in 2000
Friday, January 15, 2010 76
Not patented in many other countries due to paper published before
patent.
There was later found to be prior art might not have allowed this to get
patented at all.
227. import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import sun.misc.BASE64Encoder;
/**
* Use the SecureRandom java security class to generate
* a more expensive, but cryptographically secure random
number.
*/
Friday,public class EncryptRSA
January 15, 2010 77
{
public static void main( String[] args ) throws
NoSuchAlgorithmException, NoSuchProviderException,
IOException, NoSuchPaddingException, InvalidKeyException,
IllegalBlockSizeException, BadPaddingException
{
final String message1 = "Four score and seven years ago";
// Generate the Key Pair
final KeyPairGenerator keyGen =
KeyPairGenerator.getInstance("RSA");
final SecureRandom random =
SecureRandom.getInstance("SHA1PRNG", "SUN");
keyGen.initialize(1024, random);
KeyPair pair = keyGen.generateKeyPair();
final PrivateKey privKey = pair.getPrivate();
final PublicKey pubKey = pair.getPublic();
//Encrypt using the private key
Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
228. {
public static void main( String[] args ) throws
NoSuchAlgorithmException, NoSuchProviderException,
IOException, NoSuchPaddingException, InvalidKeyException,
IllegalBlockSizeException, BadPaddingException
{
final String message1 = "Four score and seven years ago";
// Generate the Key Pair
final KeyPairGenerator keyGen =
KeyPairGenerator.getInstance("RSA");
final SecureRandom random =
SecureRandom.getInstance("SHA1PRNG", "SUN");
keyGen.initialize(1024, random);
KeyPair pair = keyGen.generateKeyPair();
final PrivateKey privKey = pair.getPrivate();
final PublicKey pubKey = pair.getPublic();
//Encrypt using the private key
Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
rsa.init(Cipher.ENCRYPT_MODE, privKey);
byte[] encryptedBytes = rsa.doFinal(message1.getBytes());
BASE64Encoder b64e = new sun.misc.BASE64Encoder();
String base64Encrypted = b64e.encode(encryptedBytes);
Friday, January 15, 2010
System.out.println("Encrypted text: " + base64Encrypted); 78
//Decrypt using the private key
rsa.init(Cipher.DECRYPT_MODE, pubKey);
byte[] decryptedBytes = rsa.doFinal(encryptedBytes);
String decryptedText = new String(decryptedBytes);
System.out.println("Decrypted text: " + decryptedText);
}
}
229. keyGen.initialize(1024, random);
KeyPair pair = keyGen.generateKeyPair();
final PrivateKey privKey = pair.getPrivate();
final PublicKey pubKey = pair.getPublic();
//Encrypt using the private key
Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
rsa.init(Cipher.ENCRYPT_MODE, privKey);
byte[] encryptedBytes = rsa.doFinal(message1.getBytes());
BASE64Encoder b64e = new sun.misc.BASE64Encoder();
String base64Encrypted = b64e.encode(encryptedBytes);
System.out.println("Encrypted text: " + base64Encrypted);
//Decrypt using the private key
rsa.init(Cipher.DECRYPT_MODE, pubKey);
byte[] decryptedBytes = rsa.doFinal(encryptedBytes);
String decryptedText = new String(decryptedBytes);
System.out.println("Decrypted text: " + decryptedText);
}
}
Friday, January 15, 2010 79
230. final PrivateKey privKey = pair.getPrivate();
final PublicKey pubKey = pair.getPublic();
//Encrypt using the private key
Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
rsa.init(Cipher.ENCRYPT_MODE, privKey);
byte[] encryptedBytes = rsa.doFinal(message1.getBytes());
BASE64Encoder b64e = new sun.misc.BASE64Encoder();
String base64Encrypted = b64e.encode(encryptedBytes);
System.out.println("Encrypted text: " + base64Encrypted);
//Decrypt using the private key
rsa.init(Cipher.DECRYPT_MODE, pubKey);
byte[] decryptedBytes = rsa.doFinal(encryptedBytes);
String decryptedText = new String(decryptedBytes);
System.out.println("Decrypted text: " + decryptedText);
}
}
Friday, January 15, 2010 80
231. Input
String message1 = "Four score and seven years ago";
Result
Encrypted text: A8Is+4r7sDn28fD6IQvZiR5JxPs/vh7UnXrF38acJt6R/
ARisj/zLtC7Xn6iJgNQPhc16wkVZhCF
em7oNoim+ooTUDDZQ+E3qP6y/
DZJGkLBoZuZVLeLAW1LUtHSzduRUOg1uMynJz14wxzwfV8wfRwf
atpySkOhGqWS63bPNRs=
Decrypted text: Four score and seven years ago
Friday, January 15, 2010 81
232. OTHER FRAMEWORKS
and alternative JCE providers
Friday, January 15, 2010 82
233. Bouncy Castle
! JCE Provider
! Many more encryption and digest
algorithms than the Sun provider
(AES)
Friday, January 15, 2010 83
http://www.mobilefish.com/developer/bouncycastle/
bouncycastle_quickguide_install.html
234. Jasypt
Frictionless Java encryption
Friday, January 15, 2010 84
Works beautifully with Hibernate and The Spring Framework
235. Gnu
Open source library
Friday, January 15, 2010 85
Hundreds of algorithms implemented
http://www.gnu.org/software/gnu-crypto/
236. WIFI
You are the weakest link
Friday, January 15, 2010 86
237. WIFI Algorithms
! WEP
! WPA
! WPA2 TKIP
AES
Friday, January 15, 2010 87
WEP can be sniffed for keys
WPA2 implements the mandatory elements of 802.11i
239. TJ Maxx
! $1 billon USD final cost
! 45 million credit card
numbers stolen
Friday, January 15, 2010 89
240. the
criticized
rts have
“ Ma
s
ny securit
trength of
cracked
y expe
tion. WEP w
as initially
WEP encryp recently broken by
and most
in 2001, last month
ordinary
searchers
German re
u s i n g a nunder three
laptop in
seconds et UK
— Tom Esp
iner, ZDN
”
Friday, January 15, 2010 90
http://www.zdnetasia.com/news/security/
0,39044215,62011583,00.htm
241. WIFI Interception
! Hey Look! A MyFreeWIFI SSID...
! Tempting
! Ridiculously unsafe
Friday, January 15, 2010 91
242. Tools of the Trade
! AirCrack
! AirSnort
! WireShark
! Silent Proxies
Friday, January 15, 2010 92
243. WEP Cracking
! Listen for packets
! Slow
! Untraceable
! Inject bad packets
! Listen for reply
! Faster
! leaves a footprint
Friday, January 15, 2010 93
244. WireShark Demo
Friday, January 15, 2010 94
http://www.wireshark.org/
245. Upside-Down-Ternet
Demo
Friday, January 15, 2010 95
http://www.ex-parrot.com/pete/upside-down-ternet.html
254. ENC RYPTION BOOmpleAedP
TC M
t
n co
security missio
@matthewmccull
#EncryptBC
matthewm@ambientideas.com
http://ambientideas.com/blog
http://speakerrate.com/matthew.mccullough
Friday, January 15, 2010 104
264. Steganography
! High signal to noise
ratio
! Slow
but
! Inconspicuous
Friday, January 15, 2010 114
265. Cracks in the News
! Thomas Jefferson letter
! London Tube Oyster cards
! GSM
! Iraq drone video feeds
! Pacemakers
! Zune
! WPA
! Blue-ray
! DVD
! Skype
! Windows Vista BitLocker
Friday, January 15, 2010 115
Jefferson: All your liberty are belong to us!
GSM: Yet another reason to switch away from AT&T
Zune: No one cared.
266. Encryption & The Law
! Encryption considered a
munition under
international law
! 1999 Relaxation of
rules
Friday, January 15, 2010 116
267. Digital Signatures
! Hash with Private Key
! Public Private Key Systems
! Public Key Infrastructure (PKI)
Friday, January 15, 2010 117
268. Breakthroughs
! IBM
! Statistics on encrypted data
! No compromise on security or
anonymity
Friday, January 15, 2010 118
http://www.net-security.org/secworld.php?id=7690
269. Keys
! Clickers/Tokens
! One Time Pads (paper)
Friday, January 15, 2010 119
270. Misc
! Message Digests == Hash?
! Certificates (x509 v3)
! Digital signatures
! Just means hashing a message, then signing
the hash with the private key
! Later verified by decrypting the hash with
the public key, then re-running the hash
and comparing the two hashes.
! Block vs Stream ciphers
Friday, January 15, 2010 120