Modern Cryptography

by John Downey

The video titled "Modern Cryptography" features John Downey, a security expert from Braintree, who explores the essential concepts and practices surrounding modern cryptography. Downey emphasizes the importance of cryptography in securing communications and data, particularly for organizations that handle sensitive information such as payments. He aims to demystify cryptography, addressing common mistakes that developers encounter and shedding light on potential vulnerabilities in their systems.

Key Points Discussed:
- Definitions and Purposes of Cryptography: Downey defines cryptography as 'secret writing' with three main purposes: encryption for confidentiality, authentication for message integrity, and identification to confirm senders through digital signatures.
- Mathematical Foundations: Modern cryptography relies on complex mathematical problems (like RSA) and should be peer-reviewed to ensure reliability.
- Common Pitfalls: Developers often misuse cryptographic primitives, and the practical implementation of cryptographic systems can lead to serious flaws. Downey emphasizes understanding the broader system rather than just focusing on algorithms.
- Security Principles: Kirchhoff's Principle indicates that security should rely solely on key secrecy and not algorithm secrecy.
- Critical Cryptographic Practices: Downey discusses the significance of Transport Layer Security (TLS) for data in transit and GPG for data at rest, while cautioning about vulnerabilities such as those identified in SSL.
- Random Number Generation: Proper random number generation is crucial for cryptographic security, illustrated by issues in PHP applications and OpenSSL that highlighted predictable password reset tokens.
- Hash Functions and Length Extension Attacks: Downey explains vulnerabilities in hash functions like SHA-1 and recommends using SHA-256 instead. He describes how length extension attacks can exploit the internal states of hash functions unless mitigated through techniques like HMAC.
- Password Storage Practices: The importance of using adaptive hashing algorithms like Bcrypt and proper salting techniques is highlighted to enhance password security.
- Trust and User Authentication: Downey wraps up with the significance of verifying server fingerprints over SSH and endorses two-factor authentication for improving security.

Conclusion and Takeaways:
The discussion reinforces that cryptographic security is a challenging field where many developers can make critical mistakes. Downey encourages security practitioners to explore these principles and stay updated on best practices within cryptography, with a strong emphasis on understanding the underlying systems and using well-tested frameworks and libraries to avoid common pitfalls.

00:00:09.120 Hello everyone! I’m John Downey, and I work at Braintree, a company that specializes in payments. Security, particularly cryptography-based security, is essential to what we do. Today, I’m excited to talk to you about modern cryptography, which some might consider a daunting subject.

00:00:32.239 As Josh mentioned, I’m going to discuss cryptography. If you want to follow along with my slides, I tweeted a link to them, and I’ll also have the information available at the end of my talk.

00:00:46.160 Braintree is a payment gateway, and our main goal is to enable our customers to receive payments securely. This involves a lot of discussions around financial compliance and security.

00:00:58.560 The first half of this talk will provide a general overview of modern cryptography, while the second half will explore common mistakes that developers often make in this field.

00:01:18.240 To give you a quick overview, 'cryptography' comes from the Greek word for 'secret writing.' In the modern context, cryptography serves three main purposes: first, it enables encryption, which protects the confidentiality of information. Second, it ensures message integrity or authentication to verify that the message hasn’t been altered during transmission. Lastly, it aids in identification, allowing us to confirm who sent a message through often digital signatures.

00:01:45.200 Modern cryptography is based on complex mathematical problems, making it a rigorous science. An example is factoring large numbers into their prime components, which is essential for RSA, a widely used public key cryptographic algorithm. Essentially, we trust that there are no significant breakthroughs in mathematics or computing that might compromise the security of these systems.

00:02:08.720 Cryptography should undergo peer review, just like other scientific fields. It’s crucial not to invent your own algorithms unless you're specifically trained in cryptography, as crafting unbreakable algorithms is challenging. Even if the algorithms are well-established, implementing them correctly remains a complex task.

00:02:40.080 Another key principle in modern cryptography is called Kirchhoff's Principle. It suggests that the security of a cryptographic system should depend solely on the secrecy of the keys and not on the algorithms themselves, which shouldn’t need to be hidden. This is sometimes referred to as 'security through obscurity.'

00:03:03.760 While the algorithms themselves are strong, I don’t expect to wake up to news of the RSA algorithm being broken. However, the practical implementation of these algorithms often fails, and when it happens, the consequences can be severe. It's common for developers to misuse cryptographic primitives, something I'll highlight with an example later.

00:03:36.159 It’s also important to focus not just on the algorithms but on how they fit within the larger system. A quote from 'Cryptography Engineering' by Bruce Schneier and Neil Ferguson states that despite the strength of a bank vault door, it’s pointless if it’s installed into a flimsy structure. When securing cryptography, it is crucial to pay equal attention to the surrounding system.

00:03:50.080 Generally, when dealing with cryptography, it’s wise to approach it with a healthy dose of skepticism. Crypto can be incredibly tricky to verify and test, and even experts often get it wrong. If you have a system where data is transmitted over a network, you should use TLS or SSL for transport layer security. For data at rest, such as information stored on disks or in platforms like Dropbox or AWS S3, use GPG for encryption.

00:04:14.640 Recently, there has been buzz about a new cryptographic vulnerability called CRIME, which will be announced next week. It’s a known attack on SSL relating to compression. If you haven’t heard about it yet, you can be sure you’ll hear more shortly. The recommendation for now is to disable SSL compression on your servers to mitigate the risk.

00:04:53.679 Although TLS and SSL might have their flaws, they are well understood and have undergone extensive scrutiny by academics and government bodies. We rely on these protocols because they remain the best solutions we have for ensuring secure communication and data transfer.

00:05:29.280 Now, let’s discuss common areas where cryptography tends to go wrong. First, we need to talk about random number generation, which is critical to any cryptographic system. It is used to generate encryption keys, API keys, password reset tokens, and session tokens. At a recent security conference, researchers shared findings on attacks targeting PHP applications through their handling of randomness for generating password reset tokens.

00:06:17.680 One particularly memorable slide demonstrated how poor randomness generation could lead to predictable password reset tokens. The stark contrast between poorly generated random numbers and strong cryptographic random number outputs illustrates how vital it is to use proper tools for randomness. For instance, the PHP random number generator on older Windows versions produced patterns that were not secure.

00:06:56.640 Looking back at the OpenSSL library, there was a critical line of code that mixed in system randomness to enhance security. Unfortunately, in 2006, this line was commented out in Debian’s version of OpenSSL, affecting its random number generator. It went unnoticed for two years before being rediscovered, resulting in all keys generated during that period needing revocation.

00:07:22.240 As a rule of thumb, always use cryptographic libraries intended for random number generation. In Ruby, we have the SecureRandom library, which wraps OpenSSL's random number generator, ensuring consistency across different platforms. For Linux and other Unix-like systems, dev/random and dev/urandom can also be used to generate random data.

00:07:48.720 Next, I want to address length extension attacks, which involve hash functions. Hash functions can be thought of as digital fingerprints; they take input data and produce a fixed-size, unique output. However, what makes hash functions beneficial is that they are one-way, meaning you can’t reverse-engineer the input from its output.

00:08:15.680 The SHA-1 hash function is among those commonly used, but it has been found vulnerable, so we recommend using SHA-256 for new systems. Despite this, I will use SHA-1 in some of my examples due to its simplicity.

00:08:49.920 Considering length extension attacks, let’s say we want to create a new object called 'widget' in a RESTful web service. Typically, the hash would include a signing process where an API key is prepended to the object being created, followed by hashing the combination. However, the problem arises because the internal state of hash functions allows for exploitation; an attacker can append data to the original input to manipulate it without knowing the API key.

00:09:20.480 This exploitation method has been demonstrated in real-world scenarios, such as a vulnerability found in Flickr, discovered by researchers of earlier attacks. To prevent such attacks, utilize HMAC (Hash-based Message Authentication Code) which incorporates keys and mitigates the threat of length extension attacks.

00:09:54.080 Shifting gears to password storage, it remains a prevalent and complicated issue in security. Many systems are still using poor practices, as evidenced by the numerous data breaches where hashed passwords were leaked but easily crackable. For instance, after the LinkedIn breach, it became evident that groupthink around using SHA-1 hashing without proper salting left users vulnerable.

00:10:25.679 While using salts to add randomness to hashed passwords does create a stronger defense through increased difficulty in cracking any one password, it’s critical to note that SHA-1 still remains too fast for secure password hashing. The sheer speed of SHA-1 can allow an attacker with enough computational power to brute-force password guesses rapidly.

00:10:56.640 Thus, we advocate for adaptive hashing algorithms like Bcrypt, Scrypt, and PBKDF2, which allow developers to control the hashing speed. If you can avoid storing passwords altogether by delegating authentication to a trusted service, do so. However, should you need to store passwords, always choose one of these adaptive hashing methods.

00:11:32.720 In Ruby on Rails, secure password handling is simplified with gems like 'has_secure_password' and 'Devise', both of which use Bcrypt by default. Take the time to configure the number of iterations appropriately, ensuring it provides adequate protection against brute-force attacks.

00:12:01.639 Finally, let’s discuss the importance of trust in online systems. When connecting to servers over SSH, it is crucial to verify their fingerprint to confirm that you are communicating with the intended system and not a man-in-the-middle attack.

00:12:27.680 Trust on the Internet can be a precarious thing, contingent on verification and potentially exposing users to risk if they aren’t careful or informed about how they manage their connections.

00:12:52.720 A project named 'Crypt' aims to improve Ruby's cryptographic capabilities, especially for OpenSSL bindings, by offering a more user-friendly interface and functions that are less error-prone. This is a project worth watching if you're interested in Ruby security.

00:13:13.520 As we wrap up, I encourage you to explore these topics further, whether it’s through reviewing my slides or engaging with the resources I’ll provide.

00:13:23.680 Now, I’d like to open the floor to questions. Please raise your hand if you're interested in asking something!

00:13:40.160 One attendee raised a point about client-side certificates for user authentication. While they offer a valuable additional security layer, they have not gained traction primarily due to lack of user awareness and the complexity of configurations in modern web browsers.

00:14:15.680 Another audience member expressed concerns over mixed content issues on websites due to third-party ad integrations that do not use SSL. Unfortunately, until all parties serve their content securely, this continues to be a challenge.

00:15:33.360 In response to a suggestion of sending one-time hashes via email as a login method: it is indeed a promising feature that could enhance user experience across devices, leveraging the convenience of email to authenticate users without conventional credentials.

00:16:21.120 The discussion wound down towards the significance of two-factor authentication. I firmly believe that utilizing two-factor authentication significantly increases security for user accounts. Thank you all for your engaging questions and participation!