Security
Modern Cryptography for the Absolute Beginner

Summarized using AI

Modern Cryptography for the Absolute Beginner

Jeffrey Cohen • April 03, 2019 • Minneapolis, MN

The video titled "Modern Cryptography for the Absolute Beginner" presented by Jeffrey Cohen at RailsConf 2019 introduces the essential concepts of cryptography tailored for developers lacking a deep mathematical background. The session emphasizes the critical role of cryptography in modern life, showcasing its application in everyday technologies such as online banking and secure communication. Through a series of key points, Cohen elucidates the fundamentals of cryptography without delving into complicated math, aiming to make it accessible to beginners.

Key Points Discussed:

  • Understanding Cryptography in Context: Cohen begins with a historical perspective of cryptography, noting its significance since ancient times and its transformation with mechanized systems like the Enigma machine.
  • Cryptography vs. Security: He clarifies the distinction between cryptography, which deals with encryption and decryption techniques, and broader security issues.
  • Primary Uses of Cryptography:

    • Verification: This involves ensuring that a message has not been tampered with and verifying authorship.
    • Secrecy: Protecting the confidentiality of messages through various encryption methods.
  • Types of Encryption:

    • Symmetric Encryption: Discussed through the example of the Caesar cipher and modern algorithms like AES, where the same key is used for both encryption and decryption.
    • Public-Key Cryptography: Cohen explores the revolutionary nature of this approach, using two keys (public and private) to solve the challenge of securely transmitting information without needing to share secrets beforehand.
  • Digital Signatures: He explains how digital signatures function similarly to wax seals, ensuring message authenticity by encrypting a digest of the message with a private key, which can then be verified with a public key.

  • Quantum Computing Implications: Cohen concludes by addressing the future challenges posed by quantum computing, which threatens traditional cryptography by potentially allowing for rapid factorization of large numbers, thereby undermining public-key systems.

In summary, the session emphasizes that understanding cryptography is not just for security experts but is essential for all developers involved in modern applications. Cohen encourages further inquiry into cryptographic principles and their growing relevance in the face of advancements like quantum computing.

Modern Cryptography for the Absolute Beginner
Jeffrey Cohen • April 03, 2019 • Minneapolis, MN

RailsConf 2019 - Modern Cryptography for the Absolute Beginner by Jeffrey Cohen
_______________________________________________________________________________________________
Cloud 66 - Pain Free Rails Deployments
Cloud 66 for Rails acts like your in-house DevOps team to build, deploy and maintain your Rails applications on any cloud or server.

Get $100 Cloud 66 Free Credits with the code: RailsConf-19
($100 Cloud 66 Free Credits, for the new user only, valid till 31st December 2019)

Link to the website: https://cloud66.com/rails?utm_source=-&utm_medium=-&utm_campaign=RailsConf19
Link to sign up: https://app.cloud66.com/users/sign_in?utm_source=-&utm_medium=-&utm_campaign=RailsConf19
_______________________________________________________________________________________________
Modern life depends on cryptography. Did you get cash from an ATM this week? Buy something online? Or pick up a prescription? A cryptographic algorithm was needed to make it happen!

Increasingly, developers need to become familiar with the essentials of encryption. But MD5, bcrypt, DES, AES, SSL, digital signatures, public keys - what are they for, and why do we care?

Armed with only a vanilla Rails application and beginner-level Ruby code, this talk will demonstrate the key ideas in modern cryptography. We will also take a peek ahead to quantum computing and its implications on cryptography.

RailsConf 2019

00:00:20.779 All right, welcome everyone! Thank you for making your way all the way to the far side of the hall over here. My name is Jeffrey Cohen.
00:00:30.720 I know we're getting started a little bit late. I'll do my best to wrap up by about 11:30. If I'm right up against the clock for questions, I'll hang out here as long as you all want to take questions afterwards. It might be a bit easier than trying to extend the time of the session. That way, we can all get to lunch.
00:00:49.350 Welcome to RailsConf! I think this is my fifth RailsConf. For those of you here for the first time, welcome! I hope this conference is as meaningful for you as it has been for me over the years.
00:01:09.330 I've been working with Rails since around 2006. I currently consult on projects that come under various regulations, such as HIPAA and PCI. I also work with companies on building mentorship and apprenticeship programs.
00:01:14.820 One of the common topics that has come up in both of those areas has been questions about cryptography. It was also something that was very new to me. I'm not a mathematics person by background. I got into programming without a computer science degree, and I realized I was interested in learning the basics of cryptography.
00:01:36.000 So, this talk is totally beginner-level. I'm simply going to share the story of how I began to understand the most common uses of cryptography in everyday programming, especially in Ruby programming.
00:02:07.950 If you feel five minutes in that this is not for you, that's totally fine. There are many other great sessions available, but hopefully this will be helpful.
00:02:26.340 I'm going to talk about how public key cryptography works, but without getting too deep into the mathematics. For those of you interested in the detailed math, I’d be happy to discuss that afterward. I'm going to try to keep the math light during this talk.
00:02:52.200 Let's go back to 1586. Mary, Queen of Scots, was found plotting against Queen Elizabeth. She was sending ciphered messages to her co-conspirators. The messages were intercepted, and she didn’t live much longer after that.
00:03:25.610 This is a cheat sheet from the folks who worked on decoding that cipher. For a very long time, the idea of keeping things secret has been of paramount importance to both governments and individuals. For many years, people tried to create secret ways to communicate and hoped that their methods wouldn’t be deciphered.
00:03:51.430 For thousands of years, things pretty much stayed the same until encryption became mechanized. Many of you probably recognize this machine: the Enigma machine. It is one of the most famous examples of cryptographic machinery, eventually broken by a British mathematician who invented the concept of a general-purpose computer.
00:04:12.350 Today, we depend on cryptography for a lot of things. For example, we recently all received credit cards with chips in them—how does that chip work? Why is it more secure than the traditional magnetic stripe we’ve been using for years?
00:04:34.320 The rules of cryptography and the advancements in computerized cryptography are what enable our modern society. It's hard to contemplate what would happen if we didn't have these capabilities.
00:05:07.929 Let’s explore the history of what we’re really discussing here.
00:05:13.110 We think about cryptography in terms of ciphers—currently, we use letter-by-letter encoding. This technique is only a specific branch of cryptography, so I'll be focusing on this aspect since it's the means of communication we use every day.
00:05:39.029 I want to clarify that cryptography is not the same as security. You can be proficient in encrypting and decrypting data, yet still not be secure; security is a broader topic.
00:06:00.539 There are two primary use cases for cryptography: verification and secrecy. The verification aspect surprised me initially, as I thought cryptography was solely for secrecy.
00:06:36.319 Let’s start with verification: message tampering and authorship. We need to verify that a message was transmitted correctly and that it didn’t change along the way.
00:07:12.699 When we hear the term 'tampering,' we often think of someone intentionally altering the data. However, this wasn’t the entire story for those of us who started programming with dial-up modems, where bit mixing on the phone line was a constant concern.
00:07:50.460 Parity bits were initially used to verify data integrity. For instance, if you were to search for 'cat' on the internet, ASCII translates that into binary. The challenge is ensuring that the intended message was received, despite potential errors, such as receiving 'bat' or 'rat' instead.
00:08:22.080 Early systems employed parity checks to confirm accuracy. Although it wasn't perfect, it represented an early method of verifying that data was transmitted correctly.
00:09:13.290 My journey to understanding cryptography began with the notion of check digits in the late 60s. At that time, cash registers were rudimentary, processing purchases manually and often resulting in entry mistakes.
00:09:59.490 To counteract these mistakes, stores began implementing product codes for easier inventory tracking. However, there was still room for error in entering those codes, leading to the development of a check system to validate the accuracy.
00:10:40.710 Thus, the concept of check digits emerged. It led to complex algorithms used in UPC codes, ensuring inventory accuracy with a systematic mathematical approach.
00:11:03.360 Hashing, digesting, or creating digital fingerprints are checksums against some content. For Rails developers, a standard example is bcrypt, which is a one-way hash.
00:11:28.710 Reversing the hash is impossible; thus, for security purposes, we can check that incoming content is correct without knowing the original content.
00:12:02.730 Next, let's discuss symmetric encryption. If I send a simple encoded message to you, I could use a scheme like the Caesar cipher, whereby each letter is advanced by one letter.
00:12:42.390 This algorithm is reversible, meaning the recipient can decode it. In practice, there are various symmetric algorithms such as DES, Triple DES, and AES that help encrypt messages.
00:13:10.790 However, it's crucial never to use symmetric encryption for passwords. While it may seem counterintuitive, recovering the password puts you at risk in case of a breach.
00:13:55.400 The historical problem was transmitting keys. For thousands of years, the challenge remained until the rise of public key cryptography, which utilizes two keys where one key encrypts and the other decrypts.
00:14:43.040 With public key cryptography, one key is arbitrarily designated as public and the other as private, allowing secure communications where the public key can encrypt but only the private key can decrypt.
00:15:06.620 For example, if Mr. A wants to send a secret message to Mr. B using Mr. B's public key, only Mr. B can decrypt it with his private key.
00:15:37.160 These two keys are mathematically linked and can reverse each other's operations. You don't need to worry too much about how to secure the public key; it's meant to be widely shared.
00:16:01.980 The next use case is authenticity. Historically, messages were sealed by the king with a unique wax seal, making it challenging to replicate and verify their authenticity.
00:16:35.300 In modern times, we encounter similar scenarios with online transactions. For instance, when visiting a secure site, we can check for a certificate, which is intended to validate the authenticity of the publisher.
00:17:00.800 This is analogous to how Mr. A can ensure that a message sent to Mr. B is indeed from him. Before sending the message, Mr. A calculates a digest of its content using hashing algorithms.
00:17:47.720 This digest—which acts as a check digit for the content—is then encrypted with Mr. A's private key. When Mr. B receives the message, he can decrypt it using Mr. A's public key to verify the authenticity.
00:18:40.760 Mr. B then independently calculates the hash of the received content to compare it with the decrypted hash. If they match, this assures Mr. B of the message’s authenticity and integrity.
00:19:54.890 Therefore, public key cryptography handles both confidentiality and authenticity, resolving the challenges that have plagued cryptographic communication for centuries.
00:20:41.950 Before public key cryptography was established, transferring money between banks required both parties to possess the same decryption method. The RSA algorithm revolutionized this by permitting secure exchanges.
00:21:20.990 At present, we primarily use both public key and symmetric encryption in tandem. For substantial data transmissions, we apply symmetric encryption to simplify the process.
00:21:58.740 Modern cryptographic systems exchange a randomly generated symmetric key utilizing public key cryptography, allowing for secure transmission without intermediary eavesdropping.
00:22:34.890 To prevent exposure of the sessions, it is critical to utilize a fresh symmetric key for every connection to maintain privacy. SSL or TLS operates on this principle.
00:23:29.680 Currently, numerous public key standards exist, demonstrating varying algorithms alongside RSA, such as elliptic curve cryptography. Continually advancing defenses against malicious attacks is essential.
00:24:09.850 However, looming concerns regarding quantum computing indicate potential vulnerabilities in standard public key cryptography. Quantum computing could quickly unravel current cryptographic barriers.
00:25:21.660 Nevertheless, some experts believe the impact of quantum computing will be manageable. Symmetric encryption may become even more challenging to break, providing an opportunity to enhance our security protocols.
00:26:00.900 Conversely, there are skeptics who question the validity of the impending threat posed by quantum computing, believing there is time to adapt our encryption methods accordingly.
00:26:36.330 As I wrap up, please feel free to ask any questions you may have. I'll be here for a few more minutes, and I'd be more than happy to discuss any cryptographic inquiries you have.
Explore all talks recorded at RailsConf 2019
+102