
Cryptography

Shaikh Mahbub Abbas


Crypt (hidden) + o + graphy (writing)
OWASP Top 10 (2021)
Technique of securing information and
communication through codes so that
only the intended person can understand
it
Features
• Confidentiality
• Integrity
• Non-repudiation
• Authentication
Types
• Symmetric Key
– Single key
• Asymmetric Key
– Private and public keys
• Hash Functions
Symmetric Key
Plaintext → Encryption Algorithm (Key) → Ciphertext → Decryption Algorithm (Key) → Plaintext
Asymmetric Key
Plaintext → Encryption Algorithm (Public Key) → Ciphertext → Decryption Algorithm (Private Key) → Plaintext
Hash

Sender: Message → Hash Algo → Enc Message (M1)
Receiver: Message → Hash Algo → Enc Message (M2)
Check: M1 = M2?
Principles
• Never try to design your own cryptosystem
• Never rely on security through obscurity
• Keys should always be kept in the most secure
location
• Make sure you use industry standard best
practices
Protecting Keys
• Store keys in a filesystem protected by strong
ACLs.
• Encrypt DEK (Data Encryption Key) with KEK
(Key Encryption Key). KEK should be password
based.
• Use of HSM (Hardware Security Module)
Best Practices
• Secure your development cryptography
• Use well-established cryptographic techniques
• Use proper encryption of data during transit
and at rest
• Use key management
• Secure password storage
• Do we need to store that data?
Transport Layer Protection
• TLS (Transport Layer Security) benefits
– Confidentiality
– Integrity
– Replay prevention
– Authentication
Transport Layer Protection
SSL vs TLS
• SSL V2 and V3 have serious cryptographic
weaknesses
• SSL V3.1 -> TLS V1.0
• TLS
– V1.0
– V1.1
– V1.2
– V1.3
Transport Layer Protection
Server Configuration
• Support strong protocols e.g. TLS 1.3
• Support strong ciphers
– https://ssl-config.mozilla.org/
– Disable the following
• Null ciphers
• Anonymous ciphers
• EXPORT ciphers
• Use strong Diffie-Hellman parameters
– openssl dhparam -out dhparam2048.pem 2048
• Disable compression
• Patch cryptographic libraries
• Test the server configurations
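One way to apply and test the server configuration checklist above with Python's standard `ssl` module. This is an added example, not part of the original slides; the TLS 1.2 floor, the cipher string and the helper names are assumptions, and the sample suite names are constructed.

```python
import ssl

def hardened_server_context() -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Assumption: TLS 1.2 is the oldest protocol still accepted; TLS 1.3 is preferred.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only; null, anonymous and EXPORT suites excluded.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT")
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx

def weak_cipher(name: str) -> bool:
    """True for OpenSSL suite names that are null, anonymous or EXPORT grade."""
    parts = name.upper().split("-")
    return "NULL" in parts or "EXP" in parts or parts[0] in ("ADH", "AECDH")

def audit(ctx: ssl.SSLContext) -> list:
    """Return the checklist items that the given context violates."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocols older than TLS 1.2 are allowed")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is not disabled")
    findings += [f"weak cipher enabled: {c['name']}"
                 for c in ctx.get_ciphers() if weak_cipher(c["name"])]
    return findings

# Constructed suite names used to exercise weak_cipher().
SAMPLE_NAMES = ["ECDHE-RSA-AES256-GCM-SHA384", "NULL-SHA", "ADH-AES128-SHA",
                "EXP-RC4-MD5", "TLS_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    print(audit(hardened_server_context()))
    print([n for n in SAMPLE_NAMES if weak_cipher(n)])
```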
Transport Layer Protection
Certificates
• Use strong keys and protect them
• Use strong hashing algorithm e.g. SHA256
• Use correct domain names
– Primary FQDN (Fully Qualified Domain Name) should be in
CN (commonName)
– Full list of FQDN in SAN (subjectAlternativeName)
– Consider WWW
– Don’t include non-qualified hostnames
– Don’t include IP addresses
– Don’t include internal domain names for external facing
certificates
Transport Layer Protection
Certificates
• Carefully consider the use of wildcard certificates
– Use only if really needed
– Never use for systems at different trust levels
– Consider the use of a reverse proxy server which performs
TLS termination, so that the wildcard private key is only
present on one system.
– A list of all systems sharing a certificate should be
maintained to allow them all to be updated if the
certificate expires or is compromised.
– Limit the scope of a wildcard certificate by issuing it for a
subdomain (such as *.foo.example.org), or for a separate
domain.
Transport Layer Protection
Certificates
• Use an appropriate CA (certificate authority)
• Use CAA Records to Restrict Which CAs can
Issue Certificates
• Always Provide All Needed Certificates
• Consider the use of Extended Validation
Certificates
Cryptographic Storage
Architectural design
• Where to perform encryption
– Application level
– Database level
– Filesystem level
– Hardware level
• Minimize storage of sensitive information
Cryptographic Storage
Algorithm
• Symmetric – AES128, AES256
• Asymmetric - Curve25519, RSA (2048 bits)
• Never use custom algorithm
• Cipher modes
• Random padding e.g. PKCS#1
• Secure random number generation
• UUIDs and GUIDs
• Defense in depth
Cryptographic Storage
Key Management
• Processes
• Key generation
• Key lifetimes and rotation
• Key storage
• Separation of keys and data
• Encrypting stored keys
– Data Encryption Keys (DEK) for data
– Key Encryption Keys (KEK) for DEK
Password Storage
• Hashing vs encryption
– Passwords should be hashed, not encrypted
• Password storage mechanism
– Salting
– Peppering
• Password hashing algorithms
– Argon2id
– scrypt
– bcrypt
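The salting and peppering mechanism above, shown with scrypt from Python's standard library. This is an added example, not part of the original slides; the pepper value, the cost parameters, the record format and the function names are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed demo pepper. Assumption: in production it is loaded from a
# secrets manager or HSM and never stored beside the password hashes.
PEPPER = b"constructed-demo-pepper"
# Demo cost parameters (assumption); tune upward for production hardware.
N, R, P = 2**14, 8, 1

def derive(password: str, salt: bytes, pepper: bytes, n: int, r: int, p: int) -> bytes:
    # Peppering: key the password with a secret held outside the database.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # Salting + slow hash: scrypt with a per-user random salt.
    return hashlib.scrypt(peppered, salt=salt, n=n, r=r, p=p,
                          maxmem=64 * 1024 * 1024, dklen=32)

def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    salt = os.urandom(16)  # fresh random salt for every stored password
    digest = derive(password, salt, pepper, N, R, P)
    # The record stores algorithm, cost parameters, salt and hash; never the pepper.
    return f"scrypt${N}${R}${P}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        actual = derive(password, bytes.fromhex(salt_hex), pepper,
                        int(n), int(r), int(p))
    except ValueError:  # malformed record or invalid parameters
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```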
Hashing Algorithms
• MD5
• SHA-1
• SHA-2
– SHA256
– SHA512
MD5 (Message Digest Algorithm)
• Generates a 32-character string
• Generates a signature for a file
• The signature is matched against the file at the
receiving end
MD5 - Caveat
• MD5 Collision Attack
MD5 Algorithm
Preparing Input
• Input is divided into blocks of 512 bits each
• 64 bits are inserted at the end of the last block
which record the length of the original input
• Extra padding is used if the last block is less than
512 bits
• Each block is divided into 16 words of 32 bits
each which are denoted as M0 – M15
MD5 Algorithm
Helper Functions
• The buffer
Word A: 01 23 45 67
Word B: 89 ab cd ef
Word C: fe dc ba 98
Word D: 76 54 32 10
• The table (K)
– It has 64 elements where Ki = abs(sin(i + 1)) * 2^32
MD5 Algorithm
Helper Functions
• 4 Auxiliary Functions
F(X, Y, Z) = (X and Y) or (not (X) and Z)
G(X,Y,Z) = (X and Z) or (Y and not(Z))
H(X,Y,Z) = X xor Y xor Z
I(X,Y,Z) = Y xor (X or not(Z))
MD5 Algorithm
Processing the blocks
