The document discusses cryptography and provides details on various cryptographic techniques including symmetric and asymmetric key cryptography, hash functions, and their applications. It emphasizes the importance of using well-established cryptography, securely storing keys, implementing industry best practices for transport layer protection and password storage.
The document discusses cryptography and provides details on various cryptographic techniques including symmetric and asymmetric key cryptography, hash functions, and their applications. It emphasizes the importance of using well-established cryptography, securely storing keys, implementing industry best practices for transport layer protection and password storage.
The document discusses cryptography and provides details on various cryptographic techniques including symmetric and asymmetric key cryptography, hash functions, and their applications. It emphasizes the importance of using well-established cryptography, securely storing keys, implementing industry best practices for transport layer protection and password storage.
Crypt (hidden) + o+ graphy (writing) OWASP Top 10 (2021) Technique of securing information and communication through codes so that intended person can only understand the same Features • Confidentiality • Integrity • Non-repudiation • Authentication Types • Symmetric Key – Single key • Asymmetric Key – Private and public keys • Hash Functions Symmetric Key Key Key
Plaintext Ciphertext Plaintext
Encryption Decryption Algorithm Algorithm Asymmetric Key Public Key Private Key
Plaintext Ciphertext Plaintext
Encryption Decryption Algorithm Algorithm Hash
Message Enc Message (M1)
Sender Hash Algo
M1 = M2?
Message Enc Message (M2)
Receiver Hash Algo Principles • Never try to design your own cryptosystem • Never rely on security through obscurity • Keys should always be kept at most secured location • Make sure you use industry standard best practices Protecting Keys • Store keys in filesystem protected by strong ACL. • Encrypt DEK (Data Encryption Key) with KEK (Key Encryption Key). KEK should be password based. • Use of HSM (Hardware Security Module) Best Practices • Secure your development cryptography • Use well established cryptography technique • Use proper encryption of data during transit and at rest • Use key management • Secure password storage • Do we need to store that data? Transport Layer Protection • TLS (Transport Layer Security) benefits – Confidentiality – Integrity – Replay prevention – Authentication Transport Layer Protection SSL vs TLS • SSL V2 and V3 are having serious cryptograpic weaknees • SSL V3.1 -> TLS V1.0 • TLS – V1.0 – V1.1 – V1.2 – V1.3 Transport Layer Protection Server Configuration • Support strong protocols e.g. TLS 1.3 • Support strong ciphers – https://ssl-config.mozilla.org/ – Disable the followings • Null ciphers • Anonymous ciphers • EXPORT ciphers • Use strong Diffie-Hellman parameters – openssl dhparam 2048 -out dhparam2048.pem • Disable compression • Patch cryptographic libraries • Test the server configurations Transport Layer Protection Certificates • Use strong keys and protect them • Use strong hashing algorithm e.g SHA256 • Use correct domain names – Primary FDQN (Fully Qualified Domain Name)should be in CN (commonName) – Full list of FDQN in SAN (subjectAlternativeName) – Consider WWW – Don’t include non-qualified hostnames – Don’t include IP addresses – Don’t include internal domain names for external facing certificates Transport Layer Protection Certificates • Carefully consider the use of Wildcards Certificates – Use only if really needed – Never use for systems at different trust levels – Consider the use of a reverse proxy server which performs TLS termination, so that the wildcard private key is only present on one system. – A list of all systems sharing a certificate should be maintained to allow them all to be updated if the certificate expires or is compromised. – Limit the scope of a wildcard certificate by issuing it for a subdomain (such as *.foo.example.org), or a for a separate domain. Transport Layer Protection Certificates • Use an appropriate CA (certificate authority) • Use CAA Records to Restrict Which CAs can Issue Certificates • Always Provide All Needed Certificates • Consider the use of Extended Validation Certificates Cryptographic Storage Architectural design • Where to perform encryption – Application level – Database level – Filesystem level – Hardware level • Minimize storage of sensitive information Cryptographic Storage Algorithm • Symmetric – AES128, AES256 • Asymmetric - Curve25519, RSA (2048 bits) • Never use custom algorithm • Cipher modes • Random padding e.g. PKCS#1 • Secure random number generation • UUIDs and GUIDs • Defense in depth Cryptographic Storage Key Management • Processes • Key generation • Key lifetimes and rotation • Key storage • Separation of keys and data • Encrypting stored keys – Data Encryption Keys (DEK) for data – Key Encryption Keys (KEK) for DEK Password Storage • Hashing vs encryption – Password should be hashed not encrypted • Password storage mechanism – Salting – Peppering • Password hashing algorithms – Argon2id – scrypt – bcrypt Hashing Algorithms • MD5 • SHA-1 • SHA-2 – SHA256 – SHA512 MD5 (Message Digest Algorithm) • Generates 32 characters long string • Generates a signature for a file • Signature is matched with the file sent at receiving end MDS - Caveat • MD5 Collision Attack MD5 Algorithm Preparing Input • Input is divided in blocks of 512 bits each • 64 bits are inserted at the end of last block which records the length of original input • Extra padding is used if last block is less than 512 bits • Each block is divided into 16 words of 32 bits each which are denoted as M0 – M15 MD5 Algorithm Helper Functions • The buffer Word A: 01 23 45 67 Word B: 89 ab cd ef Word C: fe dc ba 98 Word D: 76 54 32 10 • The table (K) – It has 64 elements where Ki = abs(sin(i + 1)) * 232 MD5 Algorithm Helper Functions • 4 Auxiliary Functions F(X, Y, Z) = (X and Y) or (not (X) and Z) G(X,Y,Z) = (X and Z) or (Y and not(Z)) H(X,Y,Z) = X xor Y xor Z I(X,Y,Z) = Y xor (X or not(Z)) MD5 Algorithm Processing the blocks
E-Voting and E-Recap Verification and Validation Schemes For Indonesia Utilizing Cryptographic Hash Function Message Authentication Codes (MAC) and Public Key Infrastructure (PKI)