00:00:20.779
All right, welcome everyone! Thank you for making your way all the way to the far side of the hall over here. My name is Jeffrey Cohen.
00:00:30.720
I know we're getting started a little bit late. I'll do my best to wrap up by about 11:30. If I'm right up against the clock for questions, I'll hang out here as long as you all want to take questions afterwards. It might be a bit easier than trying to extend the time of the session. That way, we can all get to lunch.
00:00:49.350
Welcome to RailsConf! I think this is my fifth RailsConf. For those of you here for the first time, welcome! I hope this conference is as meaningful for you as it has been for me over the years.
00:01:09.330
I've been working with Rails since around 2006. I currently consult on projects that come under various regulations, such as HIPAA and PCI. I also work with companies on building mentorship and apprenticeship programs.
00:01:14.820
One of the common topics that has come up in both of those areas has been questions about cryptography. It was also something that was very new to me. I'm not a mathematics person by background. I got into programming without a computer science degree, and I realized I was interested in learning the basics of cryptography.
00:01:36.000
So, this talk is totally beginner-level. I'm simply going to share the story of how I began to understand the most common uses of cryptography in everyday programming, especially in Ruby programming.
00:02:07.950
If you feel five minutes in that this is not for you, that's totally fine. There are many other great sessions available, but hopefully this will be helpful.
00:02:26.340
I'm going to talk about how public key cryptography works, but without getting too deep into the mathematics. For those of you interested in the detailed math, I’d be happy to discuss that afterward. I'm going to try to keep the math light during this talk.
00:02:52.200
Let's go back to 1586. Mary, Queen of Scots, was found plotting against Queen Elizabeth. She was sending ciphered messages to her co-conspirators. The messages were intercepted, and she didn’t live much longer after that.
00:03:25.610
This is a cheat sheet from the folks who worked on decoding that cipher. For a very long time, the idea of keeping things secret has been of paramount importance to both governments and individuals. For many years, people tried to create secret ways to communicate and hoped that their methods wouldn’t be deciphered.
00:03:51.430
For thousands of years, things pretty much stayed the same until encryption became mechanized. Many of you probably recognize this machine: the Enigma machine. It is one of the most famous examples of cryptographic machinery, eventually broken by a British mathematician who invented the concept of a general-purpose computer.
00:04:12.350
Today, we depend on cryptography for a lot of things. For example, we recently all received credit cards with chips in them—how does that chip work? Why is it more secure than the traditional magnetic stripe we’ve been using for years?
00:04:34.320
The rules of cryptography and the advancements in computerized cryptography are what enable our modern society. It's hard to contemplate what would happen if we didn't have these capabilities.
00:05:07.929
Let’s explore the history of what we’re really discussing here.
00:05:13.110
We think about cryptography in terms of ciphers—currently, we use letter-by-letter encoding. This technique is only a specific branch of cryptography, so I'll be focusing on this aspect since it's the means of communication we use every day.
00:05:39.029
I want to clarify that cryptography is not the same as security. You can be proficient in encrypting and decrypting data, yet still not be secure; security is a broader topic.
00:06:00.539
There are two primary use cases for cryptography: verification and secrecy. The verification aspect surprised me initially, as I thought cryptography was solely for secrecy.
00:06:36.319
Let’s start with verification: message tampering and authorship. We need to verify that a message was transmitted correctly and that it didn’t change along the way.
00:07:12.699
When we hear the term 'tampering,' we often think of someone intentionally altering the data. However, this wasn’t the entire story for those of us who started programming with dial-up modems, where bit mixing on the phone line was a constant concern.
00:07:50.460
Parity bits were initially used to verify data integrity. For instance, if you were to search for 'cat' on the internet, ASCII translates that into binary. The challenge is ensuring that the intended message was received, despite potential errors, such as receiving 'bat' or 'rat' instead.
00:08:22.080
Early systems employed parity checks to confirm accuracy. Although it wasn't perfect, it represented an early method of verifying that data was transmitted correctly.
00:09:13.290
My journey to understanding cryptography began with the notion of check digits in the late 60s. At that time, cash registers were rudimentary, processing purchases manually and often resulting in entry mistakes.
00:09:59.490
To counteract these mistakes, stores began implementing product codes for easier inventory tracking. However, there was still room for error in entering those codes, leading to the development of a check system to validate the accuracy.
00:10:40.710
Thus, the concept of check digits emerged. It led to complex algorithms used in UPC codes, ensuring inventory accuracy with a systematic mathematical approach.
00:11:03.360
Hashing, digesting, or creating digital fingerprints are checksums against some content. For Rails developers, a standard example is bcrypt, which is a one-way hash.
00:11:28.710
Reversing the hash is impossible; thus, for security purposes, we can check that incoming content is correct without knowing the original content.
00:12:02.730
Next, let's discuss symmetric encryption. If I send a simple encoded message to you, I could use a scheme like the Caesar cipher, whereby each letter is advanced by one letter.
00:12:42.390
This algorithm is reversible, meaning the recipient can decode it. In practice, there are various symmetric algorithms such as DES, Triple DES, and AES that help encrypt messages.
00:13:10.790
However, it's crucial never to use symmetric encryption for passwords. While it may seem counterintuitive, recovering the password puts you at risk in case of a breach.
00:13:55.400
The historical problem was transmitting keys. For thousands of years, the challenge remained until the rise of public key cryptography, which utilizes two keys where one key encrypts and the other decrypts.
00:14:43.040
With public key cryptography, one key is arbitrarily designated as public and the other as private, allowing secure communications where the public key can encrypt but only the private key can decrypt.
00:15:06.620
For example, if Mr. A wants to send a secret message to Mr. B using Mr. B's public key, only Mr. B can decrypt it with his private key.
00:15:37.160
These two keys are mathematically linked and can reverse each other's operations. You don't need to worry too much about how to secure the public key; it's meant to be widely shared.
00:16:01.980
The next use case is authenticity. Historically, messages were sealed by the king with a unique wax seal, making it challenging to replicate and verify their authenticity.
00:16:35.300
In modern times, we encounter similar scenarios with online transactions. For instance, when visiting a secure site, we can check for a certificate, which is intended to validate the authenticity of the publisher.
00:17:00.800
This is analogous to how Mr. A can ensure that a message sent to Mr. B is indeed from him. Before sending the message, Mr. A calculates a digest of its content using hashing algorithms.
00:17:47.720
This digest—which acts as a check digit for the content—is then encrypted with Mr. A's private key. When Mr. B receives the message, he can decrypt it using Mr. A's public key to verify the authenticity.
00:18:40.760
Mr. B then independently calculates the hash of the received content to compare it with the decrypted hash. If they match, this assures Mr. B of the message’s authenticity and integrity.
00:19:54.890
Therefore, public key cryptography handles both confidentiality and authenticity, resolving the challenges that have plagued cryptographic communication for centuries.
00:20:41.950
Before public key cryptography was established, transferring money between banks required both parties to possess the same decryption method. The RSA algorithm revolutionized this by permitting secure exchanges.
00:21:20.990
At present, we primarily use both public key and symmetric encryption in tandem. For substantial data transmissions, we apply symmetric encryption to simplify the process.
00:21:58.740
Modern cryptographic systems exchange a randomly generated symmetric key utilizing public key cryptography, allowing for secure transmission without intermediary eavesdropping.
00:22:34.890
To prevent exposure of the sessions, it is critical to utilize a fresh symmetric key for every connection to maintain privacy. SSL or TLS operates on this principle.
00:23:29.680
Currently, numerous public key standards exist, demonstrating varying algorithms alongside RSA, such as elliptic curve cryptography. Continually advancing defenses against malicious attacks is essential.
00:24:09.850
However, looming concerns regarding quantum computing indicate potential vulnerabilities in standard public key cryptography. Quantum computing could quickly unravel current cryptographic barriers.
00:25:21.660
Nevertheless, some experts believe the impact of quantum computing will be manageable. Symmetric encryption may become even more challenging to break, providing an opportunity to enhance our security protocols.
00:26:00.900
Conversely, there are skeptics who question the validity of the impending threat posed by quantum computing, believing there is time to adapt our encryption methods accordingly.
00:26:36.330
As I wrap up, please feel free to ask any questions you may have. I'll be here for a few more minutes, and I'd be more than happy to discuss any cryptographic inquiries you have.