SlideShare une entreprise Scribd logo

Whispered secrets

Eleanor McHugh
Eleanor McHugh

An introduction to secrecy and privacy in software system design with code examples in Go demonstrating secure transport techniques with https, tcp/tls and encrypted udp.

Technologie
1  sur  62
Télécharger pour lire hors ligne
Whispered Secrets @feyeleanor
this is supposed to be a talk about code but you need to understand why you need that code we’ll examine some of it later in this talk but the following resources go into more detail some are in Ruby but should translate easily to Go
slideshare://feyeleanor
http://leanpub.com/GoNotebook
we all have secrets and those secrets matter to us that’s what makes them secrets software should keep our secrets
some secrets are awful conspiracy infidelity criminality
some secrets are banal bank account numbers embarrassing incidents sexual preferences
secrecy should be absolute our tech must protect the awful otherwise it can’t protect the banal
but there are laws we must comply with these assist the legitimate reject the illegitimate
secrecy ——> privacy
privacy is not absolute privacy requires mutual trust mutual trust is a contract and contracts can be broken
who now trusts Ashley-Madison?
today’s topic is applied paranoia
paranoia Pronunciation: /ˌparəәˈnɔɪəә/ noun {mass noun} A mental condition characterized by delusions of persecution, unwarranted jealousy, or exaggerated self-importance, typically worked into an organized system. It may be an aspect of chronic personality disorder, of drug abuse, or of a serious condition such as schizophrenia in which the person loses touch with reality. Unjustified suspicion and mistrust of other people: mild paranoia afflicts all prime ministers
paranoia Pronunciation: /ˌparəәˈnɔɪəә/ noun {mass noun} The perfectly reasonable belief that someone, somewhere is watching your online behaviour with malicious and/or voyeuristic intent. It may be a result of reading a Hacking Exposed or Hacking for Dummies publication, experiencing the fallout from identity theft, or shopping with bitcoin. Justified suspicion and mistrust of other people: chronic paranoia afflicts all information security professionals accute paranoia afflicts the victims of hacking
we have to trust governments governments are privileged if they don’t trust us they can hurt us and there’s not much we can do about it
our users have to trust us network services are privileged they store secrets with real-life value users have no way of knowing how well
but who can we trust? technology bars the gates but people have to monitor them
encrypt all transports
encrypt all transports • establish a secure channel by exchanging public keys • and check their validity against trusted certificates (SSL, TLS, etc.) • as an added measure pin these certificates (like SSH pins keys) • then exchange symmetric keys for a private secure channel • change these keys frequently (cheap cipher streams) • and pin each distinct message to a distinct key (one-time pads)
https
package main import . "fmt" import . "net/http" const ADDRESS = ":443" func main() { message := "hello world" HandleFunc("/hello", func(w ResponseWriter, r *Request) { w.Header().Set("Content-Type", "text/plain") Fprintf(w, message) }) ListenAndServeTLS(ADDRESS, "cert.pem", "key.pem", nil) } go for the would-be network programmer http://slides.games-with-brains.net/28
package main import . "fmt" import . "net/http" const ADDRESS = ":443" func main() { message := "hello world" HandleFunc("/hello", func(w ResponseWriter, r *Request) { w.Header().Set("Content-Type", "text/plain") Fprintf(w, message) }) ListenAndServeTLS(ADDRESS, "cert.pem", "key.pem", nil) } go for the would-be network programmer http://slides.games-with-brains.net/29
package main import . "fmt" import . "net/http" const ADDRESS = ":443" func main() { message := "hello world" HandleFunc("/hello", func(w ResponseWriter, r *Request) { w.Header().Set("Content-Type", "text/plain") Fprintf(w, message) }) ListenAndServeTLS(ADDRESS, "cert.pem", "key.pem", nil) } go for the would-be network programmer http://slides.games-with-brains.net/30
tcp/tls server
package main import "crypto/rand" import "crypto/tls" import . "fmt" func main() { Listen(":443", ConfigTLS("scert", "skey"), func(c *tls.Conn) { Fprintln(c, "hello world") }) } func Listen(a string, conf *tls.Config, f func(*tls.Conn)) { if listener, e := tls.Listen("tcp", a, conf); e == nil { for { if connection, e := listener.Accept(); e == nil { go func(c *tls.Conn) { defer c.Close() f(c) }(connection.(*tls.Conn)) } } } } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, Rand: rand.Reader, } } return } go for the would-be network programmer http://slides.games-with-brains.net/32
package main import "crypto/rand" import "crypto/tls" import . "fmt" func main() { Listen(":443", ConfigTLS("scert", "skey"), func(c *tls.Conn) { Fprintln(c, "hello world") }) } func Listen(a string, conf *tls.Config, f func(*tls.Conn)) { if listener, e := tls.Listen("tcp", a, conf); e == nil { for { if connection, e := listener.Accept(); e == nil { go func(c *tls.Conn) { defer c.Close() f(c) }(connection.(*tls.Conn)) } } } } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, Rand: rand.Reader, } } return } go for the would-be network programmer http://slides.games-with-brains.net/33
package main import "crypto/rand" import "crypto/tls" import . "fmt" func main() { Listen(":443", ConfigTLS("scert", "skey"), func(c *tls.Conn) { Fprintln(c, "hello world") }) } func Listen(a string, conf *tls.Config, f func(*tls.Conn)) { if listener, e := tls.Listen("tcp", a, conf); e == nil { for { if connection, e := listener.Accept(); e == nil { go func(c *tls.Conn) { defer c.Close() f(c) }(connection.(*tls.Conn)) } } } } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, Rand: rand.Reader, } } return } go for the would-be network programmer http://slides.games-with-brains.net/34
tcp/tls client
package main import . "fmt" import "bufio" import "net" import “crypto/tls" func main() { Dial(":1025", ConfigTLS("ccert", "ckey"), func(c net.Conn) { if m, e := bufio.NewReader(c).ReadString('n'); e == nil { Printf(m) } }) } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, InsecureSkipVerify: true, } } return } func Dial(a string, conf *tls.Config, f func(net.Conn)) { if c, e := tls.Dial("tcp", a, conf); e == nil { defer c.Close() f(c) } } go for the would-be network programmer http://slides.games-with-brains.net/36
package main import . "fmt" import "bufio" import "net" import “crypto/tls" func main() { Dial(":1025", ConfigTLS("ccert", "ckey"), func(c net.Conn) { if m, e := bufio.NewReader(c).ReadString('n'); e == nil { Printf(m) } }) } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, InsecureSkipVerify: false, } } return } func Dial(a string, conf *tls.Config, f func(net.Conn)) { if c, e := tls.Dial("tcp", a, conf); e == nil { defer c.Close() f(c) } } go for the would-be network programmer http://slides.games-with-brains.net/37
package main import . "fmt" import "bufio" import "net" import “crypto/tls" func main() { Dial(":1025", ConfigTLS("ccert", "ckey"), func(c net.Conn) { if m, e := bufio.NewReader(c).ReadString('n'); e == nil { Printf(m) } }) } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, InsecureSkipVerify: true, } } return } func Dial(a string, conf *tls.Config, f func(net.Conn)) { if c, e := tls.Dial("tcp", a, conf); e == nil { defer c.Close() f(c) } } go for the would-be network programmer http://slides.games-with-brains.net/38
udp/aes server
package main import "crypto/aes" import "crypto/cipher" import "crypto/rand" import . "net" const AES_KEY = "0123456789012345" func main() { Serve(":1025", func(c *UDPConn, a *UDPAddr, b []byte) { if m, e := Encrypt("Hello World", AES_KEY); e == nil { c.WriteToUDP(m, a) } }) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } func Quantise(m string) (b []byte, e error) { b = append(b, m...) if p := len(b) % aes.BlockSize; p != 0 { p = aes.BlockSize - p // this is insecure and inflexible as we're padding with NUL b = append(b, make([]byte, p)...) } return } func IV() (b []byte, e error) { b = make([]byte, aes.BlockSize) _, e = rand.Read(b) return } func Encrypt(m, k string) (o []byte, e error) { if o, e = Quantise([]byte(m)); e == nil { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte if iv, e = IV(); e == nil { c := cipher.NewCBCEncrypter(b, iv) c.CryptBlocks(o, o) o = append(iv, o...) } } } return } go for the would-be network programmer http://slides.games-with-brains.net/40
package main import "crypto/aes" import "crypto/cipher" import "crypto/rand" import . "net" const AES_KEY = "0123456789012345" func main() { Serve(":1025", func(c *UDPConn, a *UDPAddr, b []byte) { if m, e := Encrypt("Hello World", AES_KEY); e == nil { c.WriteToUDP(m, a) } }) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } func Quantise(m string) (b []byte, e error) { b = append(b, m...) if p := len(b) % aes.BlockSize; p != 0 { p = aes.BlockSize - p // this is insecure and inflexible as we're padding with NUL b = append(b, make([]byte, p)...) } return } func IV() (b []byte, e error) { b = make([]byte, aes.BlockSize) _, e = rand.Read(b) return } func Encrypt(m, k string) (o []byte, e error) { if o, e = Quantise([]byte(m)); e == nil { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte if iv, e = IV(); e == nil { c := cipher.NewCBCEncrypter(b, iv) c.CryptBlocks(o, o) o = append(iv, o...) } } } return } go for the would-be network programmer http://slides.games-with-brains.net/41
package main import "crypto/aes" import "crypto/cipher" import "crypto/rand" import . "net" const AES_KEY = "0123456789012345" func main() { Serve(":1025", func(c *UDPConn, a *UDPAddr, b []byte) { if m, e := Encrypt("Hello World", AES_KEY); e == nil { c.WriteToUDP(m, a) } }) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } func Quantise(m string) (b []byte, e error) { b = append(b, m...) if p := len(b) % aes.BlockSize; p != 0 { p = aes.BlockSize - p // this is insecure and inflexible as we're padding with NUL b = append(b, make([]byte, p)...) } return } func IV() (b []byte, e error) { b = make([]byte, aes.BlockSize) _, e = rand.Read(b) return } func Encrypt(m, k string) (o []byte, e error) { if o, e = Quantise([]byte(m)); e == nil { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte if iv, e = IV(); e == nil { c := cipher.NewCBCEncrypter(b, iv) c.CryptBlocks(o, o) o = append(iv, o...) } } } return } go for the would-be network programmer http://slides.games-with-brains.net/42
package main import "crypto/aes" import "crypto/cipher" import "crypto/rand" import . "net" const AES_KEY = "0123456789012345" func main() { Serve(":1025", func(c *UDPConn, a *UDPAddr, b []byte) { if m, e := Encrypt("Hello World", AES_KEY); e == nil { c.WriteToUDP(m, a) } }) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } func Quantise(m string) (b []byte, e error) { b = append(b, m...) if p := len(b) % aes.BlockSize; p != 0 { p = aes.BlockSize - p // this is insecure and inflexible as we're padding with NUL b = append(b, make([]byte, p)...) } return } func IV() (b []byte, e error) { b = make([]byte, aes.BlockSize) _, e = rand.Read(b) return } func Encrypt(m, k string) (o []byte, e error) { if o, e = Quantise([]byte(m)); e == nil { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte if iv, e = IV(); e == nil { c := cipher.NewCBCEncrypter(b, iv) c.CryptBlocks(o, o) o = append(iv, o...) } } } return } go for the would-be network programmer http://slides.games-with-brains.net/43
package main import "crypto/aes" import "crypto/cipher" import "crypto/rand" import . "net" const AES_KEY = "0123456789012345" func main() { Serve(":1025", func(c *UDPConn, a *UDPAddr, b []byte) { if m, e := Encrypt("Hello World", AES_KEY); e == nil { c.WriteToUDP(m, a) } }) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } func Quantise(m string) (b []byte, e error) { b = append(b, m...) if p := len(b) % aes.BlockSize; p != 0 { p = aes.BlockSize - p // this is insecure and inflexible as we're padding with NUL b = append(b, make([]byte, p)...) } return } func IV() (b []byte, e error) { b = make([]byte, aes.BlockSize) _, e = rand.Read(b) return } func Encrypt(m, k string) (o []byte, e error) { if o, e = Quantise([]byte(m)); e == nil { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte if iv, e = IV(); e == nil { c := cipher.NewCBCEncrypter(b, iv) c.CryptBlocks(o, o) o = append(iv, o...) } } } return } go for the would-be network programmer http://slides.games-with-brains.net/44
udp/aes client
package main import "bufio" import "crypto/cipher" import "crypto/aes" import . "fmt" import . "net" const AES_KEY = "0123456789012345" func main() { Request(":1025", func(c *UDPConn) { c.Write(make([]byte, 1)) if m, e := ReadStream(c); e == nil { if m, e := Decrypt(m, AES_KEY); e == nil { Println(string(m)) } } }) } func Decrypt(m []byte, k string) (r string, e error) { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte iv, m = Unpack(m) c := cipher.NewCBCDecrypter(b, iv) c.CryptBlocks(m, m) r = Dequantise(m) } return } func Unpack(m []byte) (iv, r []byte) { return m[:aes.BlockSize], m[aes.BlockSize:] } func Dequantise(m []byte) string { var i int for i = len(m) - 1; i > 0 && m[i] == 0; i-- {} return string(m[:i + 1]) } func Request(a string, f func(Conn)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() f(conn) } } } go for the would-be network programmer http://slides.games-with-brains.net/46
package main import "bufio" import "crypto/cipher" import "crypto/aes" import . "fmt" import . "net" const AES_KEY = "0123456789012345" func main() { Request(":1025", func(c *UDPConn) { c.Write(make([]byte, 1)) if m, e := ReadStream(c); e == nil { if m, e := Decrypt(m, AES_KEY); e == nil { Println(string(m)) } } }) } func Decrypt(m []byte, k string) (r string, e error) { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte iv, m = Unpack(m) c := cipher.NewCBCDecrypter(b, iv) c.CryptBlocks(m, m) r = Dequantise(m) } return } func Unpack(m []byte) (iv, r []byte) { return m[:aes.BlockSize], m[aes.BlockSize:] } func Dequantise(m []byte) string { var i int for i = len(m) - 1; i > 0 && m[i] == 0; i-- {} return string(m[:i + 1]) } func Request(a string, f func(Conn)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() f(conn) } } } go for the would-be network programmer http://slides.games-with-brains.net/47
package main import "bufio" import "crypto/cipher" import "crypto/aes" import . "fmt" import . "net" const AES_KEY = "0123456789012345" func main() { Request(":1025", func(c *UDPConn) { c.Write(make([]byte, 1)) if m, e := ReadStream(c); e == nil { if m, e := Decrypt(m, AES_KEY); e == nil { Println(string(m)) } } }) } func Decrypt(m []byte, k string) (r string, e error) { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte iv, m = Unpack(m) c := cipher.NewCBCDecrypter(b, iv) c.CryptBlocks(m, m) r = Dequantise(m) } return } func Unpack(m []byte) (iv, r []byte) { return m[:aes.BlockSize], m[aes.BlockSize:] } func Dequantise(m []byte) string { var i int for i = len(m) - 1; i > 0 && m[i] == 0; i-- {} return string(m[:i + 1]) } func Request(a string, f func(Conn)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() f(conn) } } } go for the would-be network programmer http://slides.games-with-brains.net/48
package main import "bufio" import "crypto/cipher" import "crypto/aes" import . "fmt" import . "net" const AES_KEY = "0123456789012345" func main() { Request(":1025", func(c *UDPConn) { c.Write(make([]byte, 1)) if m, e := ReadStream(c); e == nil { if m, e := Decrypt(m, AES_KEY); e == nil { Println(string(m)) } } }) } func Decrypt(m []byte, k string) (r string, e error) { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte iv, m = Unpack(m) c := cipher.NewCBCDecrypter(b, iv) c.CryptBlocks(m, m) r = Dequantise(m) } return } func Unpack(m []byte) (iv, r []byte) { return m[:aes.BlockSize], m[aes.BlockSize:] } func Dequantise(m []byte) string { var i int for i = len(m) - 1; i > 0 && m[i] == 0; i-- {} return string(m[:i + 1]) } func Request(a string, f func(Conn)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() f(conn) } } } go for the would-be network programmer http://slides.games-with-brains.net/49
package main import "bufio" import "crypto/cipher" import "crypto/aes" import . "fmt" import . "net" const AES_KEY = "0123456789012345" func main() { Request(":1025", func(c *UDPConn) { c.Write(make([]byte, 1)) if m, e := ReadStream(c); e == nil { if m, e := Decrypt(m, AES_KEY); e == nil { Println(string(m)) } } }) } func Decrypt(m []byte, k string) (r string, e error) { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte iv, m = Unpack(m) c := cipher.NewCBCDecrypter(b, iv) c.CryptBlocks(m, m) r = Dequantise(m) } return } func Unpack(m []byte) (iv, r []byte) { return m[:aes.BlockSize], m[aes.BlockSize:] } func Dequantise(m []byte) string { var i int for i = len(m) - 1; i > 0 && m[i] == 0; i-- {} return string(m[:i + 1]) } func Request(a string, f func(Conn)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() f(conn) } } } go for the would-be network programmer http://slides.games-with-brains.net/50
udp/rsa server
package main import . "bytes" import "crypto/rsa" import "encoding/gob" import "net" func main() { HELLO_WORLD := []byte("Hello World") RSA_LABEL := []byte("served") Serve(":1025", func(c *net.UDPConn, a *net.UDPAddr, b []byte) { var key rsa.PublicKey if e := gob.NewDecoder(NewBuffer(b)).Decode(&key); e == nil { if m, e := Encrypt(&key, HELLO_WORLD, RSA_LABEL); e == nil { c.WriteToUDP(m, a) } } return }) } func Encrypt(key *rsa.PublicKey, m, l []byte) ([]byte, error) { return rsa.EncryptOAEP(sha1.New(), rand.Reader, key, m, l) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } go for the would-be network programmer http://slides.games-with-brains.net/52
package main import . "bytes" import "crypto/rsa" import "encoding/gob" import "net" func main() { HELLO_WORLD := []byte("Hello World") RSA_LABEL := []byte("served") Serve(":1025", func(c *net.UDPConn, a *net.UDPAddr, b []byte) { var key rsa.PublicKey if e := gob.NewDecoder(NewBuffer(b)).Decode(&key); e == nil { if m, e := Encrypt(&key, HELLO_WORLD, RSA_LABEL); e == nil { c.WriteToUDP(m, a) } } return }) } func Encrypt(key *rsa.PublicKey, m, l []byte) ([]byte, error) { return rsa.EncryptOAEP(sha1.New(), rand.Reader, key, m, l) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } go for the would-be network programmer http://slides.games-with-brains.net/53
udp/rsa client
package main import "crypto/rsa" import "crypto/rand" import "crypto/sha1" import "crypto/x509" import "bytes" import "encoding/gob" import "encoding/pem" import “io/ioutil" import . "fmt" import . "net" func main() { Request(":1025", "ckey", func(c *net.UDPConn, k *rsa.PrivateKey) { if m, e := ReadStream(c); e == nil { if m, e := Decrypt(k, m, []byte("served")); e == nil { Println(string(m)) } } }) } func LoadPrivateKey(file string) (r *rsa.PrivateKey, e error) { if file, e := ioutil.ReadFile(file); e == nil { if block, _ := pem.Decode(file); block != nil { if block.Type == "RSA PRIVATE KEY" { r, e = x509.ParsePKCS1PrivateKey(block.Bytes) } } } return } func Request(a, file string, f func(*UDPConn, *PrivateKey)) { if k, e := LoadPrivateKey(file); e == nil { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() SendKey(conn, k.PublicKey, func() { f(conn, k) }) } } } } func Decrypt(key *rsa.PrivateKey, m, l []byte) ([]byte, error) { return rsa.DecryptOAEP(sha1.New(), rand.Reader, key, m, l) } func SendKey(c *net.UDPConn, k rsa.PublicKey, f func()) { var b bytes.Buffer if e := gob.NewEncoder(&b).Encode(k); e == nil { if _, e = c.Write(b.Bytes()); e == nil { f() } } } go for the would-be network programmer http://slides.games-with-brains.net/55
package main import "crypto/rsa" import "crypto/rand" import "crypto/sha1" import "crypto/x509" import "bytes" import "encoding/gob" import "encoding/pem" import “io/ioutil" import . "fmt" import . "net" func main() { Request(":1025", "ckey", func(c *net.UDPConn, k *rsa.PrivateKey) { if m, e := ReadStream(c); e == nil { if m, e := Decrypt(k, m, []byte("served")); e == nil { Println(string(m)) } } }) } func LoadPrivateKey(file string) (r *rsa.PrivateKey, e error) { if file, e := ioutil.ReadFile(file); e == nil { if block, _ := pem.Decode(file); block != nil { if block.Type == "RSA PRIVATE KEY" { r, e = x509.ParsePKCS1PrivateKey(block.Bytes) } } } return } func Request(a, file string, f func(*UDPConn, *PrivateKey)) { if k, e := LoadPrivateKey(file); e == nil { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() SendKey(conn, k.PublicKey, func() { f(conn, k) }) } } } } func Decrypt(key *rsa.PrivateKey, m, l []byte) ([]byte, error) { return rsa.DecryptOAEP(sha1.New(), rand.Reader, key, m, l) } func SendKey(c *net.UDPConn, k rsa.PublicKey, f func()) { var b bytes.Buffer if e := gob.NewEncoder(&b).Encode(k); e == nil { if _, e = c.Write(b.Bytes()); e == nil { f() } } } go for the would-be network programmer http://slides.games-with-brains.net/56
package main import "crypto/rsa" import "crypto/rand" import "crypto/sha1" import "crypto/x509" import "bytes" import "encoding/gob" import "encoding/pem" import “io/ioutil" import . "fmt" import . "net" func main() { Request(":1025", "ckey", func(c *net.UDPConn, k *rsa.PrivateKey) { if m, e := ReadStream(c); e == nil { if m, e := Decrypt(k, m, []byte("served")); e == nil { Println(string(m)) } } }) } func LoadPrivateKey(file string) (r *rsa.PrivateKey, e error) { if file, e := ioutil.ReadFile(file); e == nil { if block, _ := pem.Decode(file); block != nil { if block.Type == "RSA PRIVATE KEY" { r, e = x509.ParsePKCS1PrivateKey(block.Bytes) } } } return } func Request(a, file string, f func(*UDPConn, *PrivateKey)) { if k, e := LoadPrivateKey(file); e == nil { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() SendKey(conn, k.PublicKey, func() { f(conn, k) }) } } } } func Decrypt(key *rsa.PrivateKey, m, l []byte) ([]byte, error) { return rsa.DecryptOAEP(sha1.New(), rand.Reader, key, m, l) } func SendKey(c *net.UDPConn, k rsa.PublicKey, f func()) { var b bytes.Buffer if e := gob.NewEncoder(&b).Encode(k); e == nil { if _, e = c.Write(b.Bytes()); e == nil { f() } } } go for the would-be network programmer http://slides.games-with-brains.net/57
aes + rsa —> hybrid crypto
encrypt all passwords • accept unicode to expand the symbol space • hash every new password before it’s submitted • always use a cryptograpically secure hash (HMAC) • and a fresh HMAC key for each password (which you must store) • salt the resulting hash when you receive it (and store the salt) • then hash again before storing in your database
require two-factor authentication • have the user submit their password over a secure channel • then send them a confirmation code out-of-band • that’s an agreed trust anchor acting as a shared secret • the confirmation code should be big enough to generate a HMAC • and only the HMAC should be submitted • now you have two secure channels based on shared secrets
encrypt all storage • secured transport is useless without secured data stores • encrypt all sensitive fields - that probably means all fields • and store HMACs for desired search terms • otherwise you black box is secure but unsearchable • make sure you use different roles for reading, writing and searching • that’s right, your datastore is also a set of secure streams
anchor trust internally • establish your own certificate authority • assign fine-grained roles to different components (microservices) • and minimise your threat surface (regular code audits, security logs) • never deploy without a full security audit • and make those deployments immutable • security audits (like QA) are best done by third parties

Recommandé

Whispered secrets
Whispered secretsWhispered secrets
Whispered secretsEleanor McHugh
 
Encrypt all transports
Encrypt all transportsEncrypt all transports
Encrypt all transportsEleanor McHugh
 
Implementing Software Machines in Go and C
Implementing Software Machines in Go and CImplementing Software Machines in Go and C
Implementing Software Machines in Go and CEleanor McHugh
 
Abusing text/template for data transformation
Abusing text/template for data transformationAbusing text/template for data transformation
Abusing text/template for data transformationArnaud Porterie
 
The Ruby Guide to *nix Plumbing: on the quest for efficiency with Ruby [M|K]RI
The Ruby Guide to *nix Plumbing: on the quest for efficiency with Ruby [M|K]RIThe Ruby Guide to *nix Plumbing: on the quest for efficiency with Ruby [M|K]RI
The Ruby Guide to *nix Plumbing: on the quest for efficiency with Ruby [M|K]RIEleanor McHugh
 
Implementing Software Machines in C and Go
Implementing Software Machines in C and GoImplementing Software Machines in C and Go
Implementing Software Machines in C and GoEleanor McHugh
 
Go a crash course
Go a crash courseGo a crash course
Go a crash courseEleanor McHugh
 
Go for the paranoid network programmer
Go for the paranoid network programmerGo for the paranoid network programmer
Go for the paranoid network programmerEleanor McHugh
 

Recommandé

Whispered secrets
Whispered secretsWhispered secrets
Whispered secretsEleanor McHugh
 
Encrypt all transports
Encrypt all transportsEncrypt all transports
Encrypt all transportsEleanor McHugh
 
Implementing Software Machines in Go and C
Implementing Software Machines in Go and CImplementing Software Machines in Go and C
Implementing Software Machines in Go and CEleanor McHugh
 
Abusing text/template for data transformation
Abusing text/template for data transformationAbusing text/template for data transformation
Abusing text/template for data transformationArnaud Porterie
 
The Ruby Guide to *nix Plumbing: on the quest for efficiency with Ruby [M|K]RI
The Ruby Guide to *nix Plumbing: on the quest for efficiency with Ruby [M|K]RIThe Ruby Guide to *nix Plumbing: on the quest for efficiency with Ruby [M|K]RI
The Ruby Guide to *nix Plumbing: on the quest for efficiency with Ruby [M|K]RIEleanor McHugh
 
Implementing Software Machines in C and Go
Implementing Software Machines in C and GoImplementing Software Machines in C and Go
Implementing Software Machines in C and GoEleanor McHugh
 
Go a crash course
Go a crash courseGo a crash course
Go a crash courseEleanor McHugh
 
Go for the paranoid network programmer
Go for the paranoid network programmerGo for the paranoid network programmer
Go for the paranoid network programmerEleanor McHugh
 
The Browser Environment - A Systems Programmer's Perspective
The Browser Environment - A Systems Programmer's PerspectiveThe Browser Environment - A Systems Programmer's Perspective
The Browser Environment - A Systems Programmer's PerspectiveEleanor McHugh
 
Binomial heap
Binomial heapBinomial heap
Binomial heapKalpana Vijayaraghavan
 
Go for the would be network programmer
Go for the would be network programmerGo for the would be network programmer
Go for the would be network programmerEleanor McHugh
 
How to stand on the shoulders of giants
How to stand on the shoulders of giantsHow to stand on the shoulders of giants
How to stand on the shoulders of giantsIan Barber
 
Usp
UspUsp
Usppreethamnaik92
 
C++ Lambda and concurrency
C++ Lambda and concurrencyC++ Lambda and concurrency
C++ Lambda and concurrency명신 김
 
part2
part2part2
part2Cameron White
 
Distributed Data Structures
Distributed Data StructuresDistributed Data Structures
Distributed Data StructuresPDX Web & Design
 
Introducing to Asynchronous Programming
Introducing to Asynchronous ProgrammingIntroducing to Asynchronous Programming
Introducing to Asynchronous ProgrammingАлександр Федоров
 
Computer Networks Lab File
Computer Networks Lab FileComputer Networks Lab File
Computer Networks Lab FileKandarp Tiwari
 
Implementing virtual machines in go & c 2018 redux
Implementing virtual machines in go & c 2018 reduxImplementing virtual machines in go & c 2018 redux
Implementing virtual machines in go & c 2018 reduxEleanor McHugh
 
Assignment no39
Assignment no39Assignment no39
Assignment no39Jay Patel
 
Playing 44CON CTF for fun and profit
Playing 44CON CTF for fun and profitPlaying 44CON CTF for fun and profit
Playing 44CON CTF for fun and profit44CON
 
Rust
RustRust
RustChih-Hsuan Kuo
 
Introduction to ES6 with Tommy Cresine
Introduction to ES6 with Tommy CresineIntroduction to ES6 with Tommy Cresine
Introduction to ES6 with Tommy CresineMovel
 
Kamailio and VoIP Wild World
Kamailio and VoIP Wild WorldKamailio and VoIP Wild World
Kamailio and VoIP Wild WorldDaniel-Constantin Mierla
 
About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014
About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014
About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014Fantix King 王川
 
Torturing the PHP interpreter
Torturing the PHP interpreterTorturing the PHP interpreter
Torturing the PHP interpreterLogicaltrust pl
 
C++ L08-Classes Part1
C++ L08-Classes Part1C++ L08-Classes Part1
C++ L08-Classes Part1Mohammad Shaker
 
Going Loopy: Adventures in Iteration with Go
Going Loopy: Adventures in Iteration with GoGoing Loopy: Adventures in Iteration with Go
Going Loopy: Adventures in Iteration with GoEleanor McHugh
 
Untitled Presentation
Untitled PresentationUntitled Presentation
Untitled PresentationWilliams Hernandez
 
Biografía steven jobs
Biografía steven jobsBiografía steven jobs
Biografía steven jobsJessy Lokis
 

Contenu connexe

Tendances

The Browser Environment - A Systems Programmer's Perspective
The Browser Environment - A Systems Programmer's PerspectiveThe Browser Environment - A Systems Programmer's Perspective
The Browser Environment - A Systems Programmer's PerspectiveEleanor McHugh
 
Go for the would be network programmer
Go for the would be network programmerGo for the would be network programmer
Go for the would be network programmerEleanor McHugh
 
How to stand on the shoulders of giants
How to stand on the shoulders of giantsHow to stand on the shoulders of giants
How to stand on the shoulders of giantsIan Barber
 
C++ Lambda and concurrency
C++ Lambda and concurrencyC++ Lambda and concurrency
C++ Lambda and concurrency명신 김
 
Distributed Data Structures
Distributed Data StructuresDistributed Data Structures
Distributed Data StructuresPDX Web & Design
 
Computer Networks Lab File
Computer Networks Lab FileComputer Networks Lab File
Computer Networks Lab FileKandarp Tiwari
 
Implementing virtual machines in go & c 2018 redux
Implementing virtual machines in go & c 2018 reduxImplementing virtual machines in go & c 2018 redux
Implementing virtual machines in go & c 2018 reduxEleanor McHugh
 
Assignment no39
Assignment no39Assignment no39
Assignment no39Jay Patel
 
Playing 44CON CTF for fun and profit
Playing 44CON CTF for fun and profitPlaying 44CON CTF for fun and profit
Playing 44CON CTF for fun and profit44CON
 
Introduction to ES6 with Tommy Cresine
Introduction to ES6 with Tommy CresineIntroduction to ES6 with Tommy Cresine
Introduction to ES6 with Tommy CresineMovel
 
About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014
About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014
About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014Fantix King 王川
 
Torturing the PHP interpreter
Torturing the PHP interpreterTorturing the PHP interpreter
Torturing the PHP interpreterLogicaltrust pl
 
Going Loopy: Adventures in Iteration with Go
Going Loopy: Adventures in Iteration with GoGoing Loopy: Adventures in Iteration with Go
Going Loopy: Adventures in Iteration with GoEleanor McHugh
 

Tendances (20)

The Browser Environment - A Systems Programmer's Perspective
The Browser Environment - A Systems Programmer's PerspectiveThe Browser Environment - A Systems Programmer's Perspective
The Browser Environment - A Systems Programmer's Perspective
 
Binomial heap
Binomial heapBinomial heap
Binomial heap
 
Go for the would be network programmer
Go for the would be network programmerGo for the would be network programmer
Go for the would be network programmer
 
How to stand on the shoulders of giants
How to stand on the shoulders of giantsHow to stand on the shoulders of giants
How to stand on the shoulders of giants
 
Usp
UspUsp
Usp
 
C++ Lambda and concurrency
C++ Lambda and concurrencyC++ Lambda and concurrency
C++ Lambda and concurrency
 
part2
part2part2
part2
 
Distributed Data Structures
Distributed Data StructuresDistributed Data Structures
Distributed Data Structures
 
Introducing to Asynchronous Programming
Introducing to Asynchronous ProgrammingIntroducing to Asynchronous Programming
Introducing to Asynchronous Programming
 
Computer Networks Lab File
Computer Networks Lab FileComputer Networks Lab File
Computer Networks Lab File
 
Implementing virtual machines in go & c 2018 redux
Implementing virtual machines in go & c 2018 reduxImplementing virtual machines in go & c 2018 redux
Implementing virtual machines in go & c 2018 redux
 
Assignment no39
Assignment no39Assignment no39
Assignment no39
 
Playing 44CON CTF for fun and profit
Playing 44CON CTF for fun and profitPlaying 44CON CTF for fun and profit
Playing 44CON CTF for fun and profit
 
Rust
RustRust
Rust
 
Introduction to ES6 with Tommy Cresine
Introduction to ES6 with Tommy CresineIntroduction to ES6 with Tommy Cresine
Introduction to ES6 with Tommy Cresine
 
Kamailio and VoIP Wild World
Kamailio and VoIP Wild WorldKamailio and VoIP Wild World
Kamailio and VoIP Wild World
 
About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014
About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014
About Those Python Async Concurrent Frameworks - Fantix @ OSTC 2014
 
Torturing the PHP interpreter
Torturing the PHP interpreterTorturing the PHP interpreter
Torturing the PHP interpreter
 
C++ L08-Classes Part1
C++ L08-Classes Part1C++ L08-Classes Part1
C++ L08-Classes Part1
 
Going Loopy: Adventures in Iteration with Go
Going Loopy: Adventures in Iteration with GoGoing Loopy: Adventures in Iteration with Go
Going Loopy: Adventures in Iteration with Go
 

En vedette

Biografía steven jobs
Biografía steven jobsBiografía steven jobs
Biografía steven jobsJessy Lokis
 
Global Telecommunications, Hyderabad, Telecommunication Devices
Global Telecommunications, Hyderabad, Telecommunication DevicesGlobal Telecommunications, Hyderabad, Telecommunication Devices
Global Telecommunications, Hyderabad, Telecommunication DevicesIndiaMART InterMESH Limited
 
Linux VDI with OpenStack – How to Deliver Linux Virtual Desktops on Demand
Linux VDI with OpenStack – How to Deliver Linux Virtual Desktops on DemandLinux VDI with OpenStack – How to Deliver Linux Virtual Desktops on Demand
Linux VDI with OpenStack – How to Deliver Linux Virtual Desktops on DemandLeostream
 
Communication and role of social media in pakistan's election 2013
Communication and role of social media in pakistan's election 2013Communication and role of social media in pakistan's election 2013
Communication and role of social media in pakistan's election 2013Muhammad Assad Fahim Khan
 
Jeffrey Selorm Dzata_Mechanical Engineer
Jeffrey Selorm Dzata_Mechanical Engineer Jeffrey Selorm Dzata_Mechanical Engineer
Jeffrey Selorm Dzata_Mechanical Engineer Jeffrey Dzata
 
ドリコムの分析環境とデータサイエンス活用事例
ドリコムの分析環境とデータサイエンス活用事例ドリコムの分析環境とデータサイエンス活用事例
ドリコムの分析環境とデータサイエンス活用事例Yohei Sato
 
Clase 10 enfermedades_infectocontagiosas_de_origen_bacteriano
Clase 10 enfermedades_infectocontagiosas_de_origen_bacterianoClase 10 enfermedades_infectocontagiosas_de_origen_bacteriano
Clase 10 enfermedades_infectocontagiosas_de_origen_bacterianomarta fajardo
 

En vedette (13)

Untitled Presentation
Untitled PresentationUntitled Presentation
Untitled Presentation
 
Biografía steven jobs
Biografía steven jobsBiografía steven jobs
Biografía steven jobs
 
Awards 2015 - deVere Group
Awards 2015 - deVere GroupAwards 2015 - deVere Group
Awards 2015 - deVere Group
 
Global Telecommunications, Hyderabad, Telecommunication Devices
Global Telecommunications, Hyderabad, Telecommunication DevicesGlobal Telecommunications, Hyderabad, Telecommunication Devices
Global Telecommunications, Hyderabad, Telecommunication Devices
 
B.E. CERTIFICATE
B.E. CERTIFICATEB.E. CERTIFICATE
B.E. CERTIFICATE
 
エクセル統計の使い方(分散分析編)
エクセル統計の使い方(分散分析編)エクセル統計の使い方(分散分析編)
エクセル統計の使い方(分散分析編)
 
Linux VDI with OpenStack – How to Deliver Linux Virtual Desktops on Demand
Linux VDI with OpenStack – How to Deliver Linux Virtual Desktops on DemandLinux VDI with OpenStack – How to Deliver Linux Virtual Desktops on Demand
Linux VDI with OpenStack – How to Deliver Linux Virtual Desktops on Demand
 
Communication and role of social media in pakistan's election 2013
Communication and role of social media in pakistan's election 2013Communication and role of social media in pakistan's election 2013
Communication and role of social media in pakistan's election 2013
 
Tokyo r30 anova_part2
Tokyo r30 anova_part2Tokyo r30 anova_part2
Tokyo r30 anova_part2
 
Jeffrey Selorm Dzata_Mechanical Engineer
Jeffrey Selorm Dzata_Mechanical Engineer Jeffrey Selorm Dzata_Mechanical Engineer
Jeffrey Selorm Dzata_Mechanical Engineer
 
ドリコムの分析環境とデータサイエンス活用事例
ドリコムの分析環境とデータサイエンス活用事例ドリコムの分析環境とデータサイエンス活用事例
ドリコムの分析環境とデータサイエンス活用事例
 
The Game Life Cycle & Game Analytics: What metrics matter when?
The Game Life Cycle & Game Analytics: What metrics matter when? The Game Life Cycle & Game Analytics: What metrics matter when?
The Game Life Cycle & Game Analytics: What metrics matter when?
 
Clase 10 enfermedades_infectocontagiosas_de_origen_bacteriano
Clase 10 enfermedades_infectocontagiosas_de_origen_bacterianoClase 10 enfermedades_infectocontagiosas_de_origen_bacteriano
Clase 10 enfermedades_infectocontagiosas_de_origen_bacteriano
 

Similaire à Whispered secrets

OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowWilliam Lee
 
Secure .NET programming
Secure .NET programmingSecure .NET programming
Secure .NET programmingAnte Gulam
 
How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?Microsoft
 
OpenSSL programming (still somewhat initial version)
OpenSSL programming (still somewhat initial version)OpenSSL programming (still somewhat initial version)
OpenSSL programming (still somewhat initial version)Shteryana Shopova
 
Leap Ahead with Redis 6.2
Leap Ahead with Redis 6.2Leap Ahead with Redis 6.2
Leap Ahead with Redis 6.2VMware Tanzu
 
SSL Failing, Sharing, and Scheduling
SSL Failing, Sharing, and SchedulingSSL Failing, Sharing, and Scheduling
SSL Failing, Sharing, and SchedulingDavid Evans
 
Python postgre sql a wonderful wedding
Python postgre sql a wonderful weddingPython postgre sql a wonderful wedding
Python postgre sql a wonderful weddingStéphane Wirtel
 
Rust "Hot or Not" at Sioux
Rust "Hot or Not" at SiouxRust "Hot or Not" at Sioux
Rust "Hot or Not" at Siouxnikomatsakis
 
So I am writing a CS code for a project and I keep getting cannot .pdf
So I am writing a CS code for a project and I keep getting cannot .pdfSo I am writing a CS code for a project and I keep getting cannot .pdf
So I am writing a CS code for a project and I keep getting cannot .pdfezonesolutions
 
How to Leverage Go for Your Networking Needs
How to Leverage Go for Your Networking NeedsHow to Leverage Go for Your Networking Needs
How to Leverage Go for Your Networking NeedsDigitalOcean
 
HashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureHashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureNicolas Corrarello
 
INTRODUCTION TO SOCKETS IN COMPUTER NETWORKS DEPT OF CSE.ppt
INTRODUCTION TO SOCKETS IN COMPUTER NETWORKS DEPT OF CSE.pptINTRODUCTION TO SOCKETS IN COMPUTER NETWORKS DEPT OF CSE.ppt
INTRODUCTION TO SOCKETS IN COMPUTER NETWORKS DEPT OF CSE.pptsenthilnathans25
 
Introduction to source{d} Engine and source{d} Lookout
Introduction to source{d} Engine and source{d} Lookout Introduction to source{d} Engine and source{d} Lookout
Introduction to source{d} Engine and source{d} Lookout source{d}
 
Information security programming in ruby
Information security programming in rubyInformation security programming in ruby
Information security programming in rubyHiroshi Nakamura
 
IT8761-SECURITY LABORATORY-590519304-IT8761 security labmanual.pdf
IT8761-SECURITY LABORATORY-590519304-IT8761 security labmanual.pdfIT8761-SECURITY LABORATORY-590519304-IT8761 security labmanual.pdf
IT8761-SECURITY LABORATORY-590519304-IT8761 security labmanual.pdfDhanuskarSankar1
 
Using Kamailio for Scalability and Security
Using Kamailio for Scalability and SecurityUsing Kamailio for Scalability and Security
Using Kamailio for Scalability and SecurityFred Posner
 
神に近づくx/net/context (Finding God with x/net/context)
神に近づくx/net/context (Finding God with x/net/context)神に近づくx/net/context (Finding God with x/net/context)
神に近づくx/net/context (Finding God with x/net/context)guregu
 
Is HTML5 Ready? (workshop)
Is HTML5 Ready? (workshop)Is HTML5 Ready? (workshop)
Is HTML5 Ready? (workshop)Remy Sharp
 

Similaire à Whispered secrets (20)

OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call Flow
 
Secure .NET programming
Secure .NET programmingSecure .NET programming
Secure .NET programming
 
How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?
 
OpenSSL programming (still somewhat initial version)
OpenSSL programming (still somewhat initial version)OpenSSL programming (still somewhat initial version)
OpenSSL programming (still somewhat initial version)
 
Leap Ahead with Redis 6.2
Leap Ahead with Redis 6.2Leap Ahead with Redis 6.2
Leap Ahead with Redis 6.2
 
SSL Failing, Sharing, and Scheduling
SSL Failing, Sharing, and SchedulingSSL Failing, Sharing, and Scheduling
SSL Failing, Sharing, and Scheduling
 
Python postgre sql a wonderful wedding
Python postgre sql a wonderful weddingPython postgre sql a wonderful wedding
Python postgre sql a wonderful wedding
 
Rust "Hot or Not" at Sioux
Rust "Hot or Not" at SiouxRust "Hot or Not" at Sioux
Rust "Hot or Not" at Sioux
 
So I am writing a CS code for a project and I keep getting cannot .pdf
So I am writing a CS code for a project and I keep getting cannot .pdfSo I am writing a CS code for a project and I keep getting cannot .pdf
So I am writing a CS code for a project and I keep getting cannot .pdf
 
How to Leverage Go for Your Networking Needs
How to Leverage Go for Your Networking NeedsHow to Leverage Go for Your Networking Needs
How to Leverage Go for Your Networking Needs
 
HashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureHashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin Infrastructure
 
sockets_intro.ppt
sockets_intro.pptsockets_intro.ppt
sockets_intro.ppt
 
INTRODUCTION TO SOCKETS IN COMPUTER NETWORKS DEPT OF CSE.ppt
INTRODUCTION TO SOCKETS IN COMPUTER NETWORKS DEPT OF CSE.pptINTRODUCTION TO SOCKETS IN COMPUTER NETWORKS DEPT OF CSE.ppt
INTRODUCTION TO SOCKETS IN COMPUTER NETWORKS DEPT OF CSE.ppt
 
Introduction to source{d} Engine and source{d} Lookout
Introduction to source{d} Engine and source{d} Lookout Introduction to source{d} Engine and source{d} Lookout
Introduction to source{d} Engine and source{d} Lookout
 
Information security programming in ruby
Information security programming in rubyInformation security programming in ruby
Information security programming in ruby
 
IT8761-SECURITY LABORATORY-590519304-IT8761 security labmanual.pdf
IT8761-SECURITY LABORATORY-590519304-IT8761 security labmanual.pdfIT8761-SECURITY LABORATORY-590519304-IT8761 security labmanual.pdf
IT8761-SECURITY LABORATORY-590519304-IT8761 security labmanual.pdf
 
Using Kamailio for Scalability and Security
Using Kamailio for Scalability and SecurityUsing Kamailio for Scalability and Security
Using Kamailio for Scalability and Security
 
神に近づくx/net/context (Finding God with x/net/context)
神に近づくx/net/context (Finding God with x/net/context)神に近づくx/net/context (Finding God with x/net/context)
神に近づくx/net/context (Finding God with x/net/context)
 
Sockets intro
Sockets introSockets intro
Sockets intro
 
Is HTML5 Ready? (workshop)
Is HTML5 Ready? (workshop)Is HTML5 Ready? (workshop)
Is HTML5 Ready? (workshop)
 

Plus de Eleanor McHugh

[2023] Putting the R! in R&D.pdf
[2023] Putting the R! in R&D.pdf[2023] Putting the R! in R&D.pdf
[2023] Putting the R! in R&D.pdfEleanor McHugh
 
Generics, Reflection, and Efficient Collections
Generics, Reflection, and Efficient CollectionsGenerics, Reflection, and Efficient Collections
Generics, Reflection, and Efficient CollectionsEleanor McHugh
 
The Relevance of Liveness - Biometrics and Data Integrity
The Relevance of Liveness - Biometrics and Data IntegrityThe Relevance of Liveness - Biometrics and Data Integrity
The Relevance of Liveness - Biometrics and Data IntegrityEleanor McHugh
 
The Browser Environment - A Systems Programmer's Perspective [sinatra edition]
The Browser Environment - A Systems Programmer's Perspective [sinatra edition]The Browser Environment - A Systems Programmer's Perspective [sinatra edition]
The Browser Environment - A Systems Programmer's Perspective [sinatra edition]Eleanor McHugh
 
Go for the paranoid network programmer, 3rd edition
Go for the paranoid network programmer, 3rd editionGo for the paranoid network programmer, 3rd edition
Go for the paranoid network programmer, 3rd editionEleanor McHugh
 
An introduction to functional programming with Go [redux]
An introduction to functional programming with Go [redux]An introduction to functional programming with Go [redux]
An introduction to functional programming with Go [redux]Eleanor McHugh
 
An introduction to functional programming with go
An introduction to functional programming with goAn introduction to functional programming with go
An introduction to functional programming with goEleanor McHugh
 
Identity & trust in Monitored Spaces
Identity & trust in Monitored SpacesIdentity & trust in Monitored Spaces
Identity & trust in Monitored SpacesEleanor McHugh
 
Don't Ask, Don't Tell - The Virtues of Privacy By Design
Don't Ask, Don't Tell - The Virtues of Privacy By DesignDon't Ask, Don't Tell - The Virtues of Privacy By Design
Don't Ask, Don't Tell - The Virtues of Privacy By DesignEleanor McHugh
 
Don't ask, don't tell the virtues of privacy by design
Don't ask, don't tell the virtues of privacy by designDon't ask, don't tell the virtues of privacy by design
Don't ask, don't tell the virtues of privacy by designEleanor McHugh
 
Anonymity, identity, trust
Anonymity, identity, trustAnonymity, identity, trust
Anonymity, identity, trustEleanor McHugh
 
Going Loopy - Adventures in Iteration with Google Go
Going Loopy - Adventures in Iteration with Google GoGoing Loopy - Adventures in Iteration with Google Go
Going Loopy - Adventures in Iteration with Google GoEleanor McHugh
 
Distributed Ledgers: Anonymity & Immutability at Scale
Distributed Ledgers: Anonymity & Immutability at ScaleDistributed Ledgers: Anonymity & Immutability at Scale
Distributed Ledgers: Anonymity & Immutability at ScaleEleanor McHugh
 
Go for the paranoid network programmer, 2nd edition
Go for the paranoid network programmer, 2nd editionGo for the paranoid network programmer, 2nd edition
Go for the paranoid network programmer, 2nd editionEleanor McHugh
 
Finding a useful outlet for my many Adventures in go
Finding a useful outlet for my many Adventures in goFinding a useful outlet for my many Adventures in go
Finding a useful outlet for my many Adventures in goEleanor McHugh
 
Anonymity, trust, accountability
Anonymity, trust, accountabilityAnonymity, trust, accountability
Anonymity, trust, accountabilityEleanor McHugh
 
Implementing Virtual Machines in Go & C
Implementing Virtual Machines in Go & CImplementing Virtual Machines in Go & C
Implementing Virtual Machines in Go & CEleanor McHugh
 
Implementing Virtual Machines in Ruby & C
Implementing Virtual Machines in Ruby & CImplementing Virtual Machines in Ruby & C
Implementing Virtual Machines in Ruby & CEleanor McHugh
 
Privacy is always a requirement
Privacy is always a requirementPrivacy is always a requirement
Privacy is always a requirementEleanor McHugh
 

Plus de Eleanor McHugh (20)

[2023] Putting the R! in R&D.pdf
[2023] Putting the R! in R&D.pdf[2023] Putting the R! in R&D.pdf
[2023] Putting the R! in R&D.pdf
 
Generics, Reflection, and Efficient Collections
Generics, Reflection, and Efficient CollectionsGenerics, Reflection, and Efficient Collections
Generics, Reflection, and Efficient Collections
 
The Relevance of Liveness - Biometrics and Data Integrity
The Relevance of Liveness - Biometrics and Data IntegrityThe Relevance of Liveness - Biometrics and Data Integrity
The Relevance of Liveness - Biometrics and Data Integrity
 
The Browser Environment - A Systems Programmer's Perspective [sinatra edition]
The Browser Environment - A Systems Programmer's Perspective [sinatra edition]The Browser Environment - A Systems Programmer's Perspective [sinatra edition]
The Browser Environment - A Systems Programmer's Perspective [sinatra edition]
 
Go for the paranoid network programmer, 3rd edition
Go for the paranoid network programmer, 3rd editionGo for the paranoid network programmer, 3rd edition
Go for the paranoid network programmer, 3rd edition
 
An introduction to functional programming with Go [redux]
An introduction to functional programming with Go [redux]An introduction to functional programming with Go [redux]
An introduction to functional programming with Go [redux]
 
An introduction to functional programming with go
An introduction to functional programming with goAn introduction to functional programming with go
An introduction to functional programming with go
 
Identity & trust in Monitored Spaces
Identity & trust in Monitored SpacesIdentity & trust in Monitored Spaces
Identity & trust in Monitored Spaces
 
Don't Ask, Don't Tell - The Virtues of Privacy By Design
Don't Ask, Don't Tell - The Virtues of Privacy By DesignDon't Ask, Don't Tell - The Virtues of Privacy By Design
Don't Ask, Don't Tell - The Virtues of Privacy By Design
 
Don't ask, don't tell the virtues of privacy by design
Don't ask, don't tell the virtues of privacy by designDon't ask, don't tell the virtues of privacy by design
Don't ask, don't tell the virtues of privacy by design
 
Anonymity, identity, trust
Anonymity, identity, trustAnonymity, identity, trust
Anonymity, identity, trust
 
Going Loopy - Adventures in Iteration with Google Go
Going Loopy - Adventures in Iteration with Google GoGoing Loopy - Adventures in Iteration with Google Go
Going Loopy - Adventures in Iteration with Google Go
 
Distributed Ledgers: Anonymity & Immutability at Scale
Distributed Ledgers: Anonymity & Immutability at ScaleDistributed Ledgers: Anonymity & Immutability at Scale
Distributed Ledgers: Anonymity & Immutability at Scale
 
Hello Go
Hello GoHello Go
Hello Go
 
Go for the paranoid network programmer, 2nd edition
Go for the paranoid network programmer, 2nd editionGo for the paranoid network programmer, 2nd edition
Go for the paranoid network programmer, 2nd edition
 
Finding a useful outlet for my many Adventures in go
Finding a useful outlet for my many Adventures in goFinding a useful outlet for my many Adventures in go
Finding a useful outlet for my many Adventures in go
 
Anonymity, trust, accountability
Anonymity, trust, accountabilityAnonymity, trust, accountability
Anonymity, trust, accountability
 
Implementing Virtual Machines in Go & C
Implementing Virtual Machines in Go & CImplementing Virtual Machines in Go & C
Implementing Virtual Machines in Go & C
 
Implementing Virtual Machines in Ruby & C
Implementing Virtual Machines in Ruby & CImplementing Virtual Machines in Ruby & C
Implementing Virtual Machines in Ruby & C
 
Privacy is always a requirement
Privacy is always a requirementPrivacy is always a requirement
Privacy is always a requirement
 

Dernier

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 

Dernier (20)

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 

Whispered secrets

  • 2. this is supposed to be a talk about code but you need to understand why you need that code we’ll examine some of it later in this talk but the following resources go into more detail some are in Ruby but should translate easily to Go
  • 5. we all have secrets and those secrets matter to us that’s what makes them secrets software should keep our secrets
  • 6. some secrets are awful conspiracy infidelity criminality
  • 7. some secrets are banal bank account numbers embarrassing incidents sexual preferences
  • 8. secrecy should be absolute our tech must protect the awful otherwise it can’t protect the banal
  • 9. but there are laws we must comply with these assist the legitimate reject the illegitimate
  • 11. privacy is not absolute privacy requires mutual trust mutual trust is a contract and contracts can be broken
  • 12. who now trusts Ashley-Madison?
  • 13. today’s topic is applied paranoia
  • 14. paranoia Pronunciation: /ˌparəәˈnɔɪəә/ noun {mass noun} A mental condition characterized by delusions of persecution, unwarranted jealousy, or exaggerated self-importance, typically worked into an organized system. It may be an aspect of chronic personality disorder, of drug abuse, or of a serious condition such as schizophrenia in which the person loses touch with reality. Unjustified suspicion and mistrust of other people: mild paranoia afflicts all prime ministers
  • 15.
  • 16.
  • 17.
  • 18. paranoia Pronunciation: /ˌparəәˈnɔɪəә/ noun {mass noun} The perfectly reasonable belief that someone, somewhere is watching your online behaviour with malicious and/or voyeuristic intent. It may be a result of reading a Hacking Exposed or Hacking for Dummies publication, experiencing the fallout from identity theft, or shopping with bitcoin. Justified suspicion and mistrust of other people: chronic paranoia afflicts all information security professionals accute paranoia afflicts the victims of hacking
  • 19.
  • 20. we have to trust governments governments are privileged if they don’t trust us they can hurt us and there’s not much we can do about it
  • 21.
  • 22. our users have to trust us network services are privileged they store secrets with real-life value users have no way of knowing how well
  • 23. but who can we trust? technology bars the gates but people have to monitor them
  • 24.
  • 26. encrypt all transports • establish a secure channel by exchanging public keys • and check their validity against trusted certificates (SSL, TLS, etc.) • as an added measure pin these certificates (like SSH pins keys) • then exchange symmetric keys for a private secure channel • change these keys frequently (cheap cipher streams) • and pin each distinct message to a distinct key (one-time pads)
  • 27. https
  • 28. package main import . "fmt" import . "net/http" const ADDRESS = ":443" func main() { message := "hello world" HandleFunc("/hello", func(w ResponseWriter, r *Request) { w.Header().Set("Content-Type", "text/plain") Fprintf(w, message) }) ListenAndServeTLS(ADDRESS, "cert.pem", "key.pem", nil) } go for the would-be network programmer http://slides.games-with-brains.net/28
  • 29. package main import . "fmt" import . "net/http" const ADDRESS = ":443" func main() { message := "hello world" HandleFunc("/hello", func(w ResponseWriter, r *Request) { w.Header().Set("Content-Type", "text/plain") Fprintf(w, message) }) ListenAndServeTLS(ADDRESS, "cert.pem", "key.pem", nil) } go for the would-be network programmer http://slides.games-with-brains.net/29
  • 30. package main import . "fmt" import . "net/http" const ADDRESS = ":443" func main() { message := "hello world" HandleFunc("/hello", func(w ResponseWriter, r *Request) { w.Header().Set("Content-Type", "text/plain") Fprintf(w, message) }) ListenAndServeTLS(ADDRESS, "cert.pem", "key.pem", nil) } go for the would-be network programmer http://slides.games-with-brains.net/30
  • 32. package main import "crypto/rand" import "crypto/tls" import . "fmt" func main() { Listen(":443", ConfigTLS("scert", "skey"), func(c *tls.Conn) { Fprintln(c, "hello world") }) } func Listen(a string, conf *tls.Config, f func(*tls.Conn)) { if listener, e := tls.Listen("tcp", a, conf); e == nil { for { if connection, e := listener.Accept(); e == nil { go func(c *tls.Conn) { defer c.Close() f(c) }(connection.(*tls.Conn)) } } } } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, Rand: rand.Reader, } } return } go for the would-be network programmer http://slides.games-with-brains.net/32
  • 33. package main import "crypto/rand" import "crypto/tls" import . "fmt" func main() { Listen(":443", ConfigTLS("scert", "skey"), func(c *tls.Conn) { Fprintln(c, "hello world") }) } func Listen(a string, conf *tls.Config, f func(*tls.Conn)) { if listener, e := tls.Listen("tcp", a, conf); e == nil { for { if connection, e := listener.Accept(); e == nil { go func(c *tls.Conn) { defer c.Close() f(c) }(connection.(*tls.Conn)) } } } } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, Rand: rand.Reader, } } return } go for the would-be network programmer http://slides.games-with-brains.net/33
  • 34. package main import "crypto/rand" import "crypto/tls" import . "fmt" func main() { Listen(":443", ConfigTLS("scert", "skey"), func(c *tls.Conn) { Fprintln(c, "hello world") }) } func Listen(a string, conf *tls.Config, f func(*tls.Conn)) { if listener, e := tls.Listen("tcp", a, conf); e == nil { for { if connection, e := listener.Accept(); e == nil { go func(c *tls.Conn) { defer c.Close() f(c) }(connection.(*tls.Conn)) } } } } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, Rand: rand.Reader, } } return } go for the would-be network programmer http://slides.games-with-brains.net/34
  • 36. package main import . "fmt" import "bufio" import "net" import “crypto/tls" func main() { Dial(":1025", ConfigTLS("ccert", "ckey"), func(c net.Conn) { if m, e := bufio.NewReader(c).ReadString('n'); e == nil { Printf(m) } }) } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, InsecureSkipVerify: true, } } return } func Dial(a string, conf *tls.Config, f func(net.Conn)) { if c, e := tls.Dial("tcp", a, conf); e == nil { defer c.Close() f(c) } } go for the would-be network programmer http://slides.games-with-brains.net/36
  • 37. package main import . "fmt" import "bufio" import "net" import “crypto/tls" func main() { Dial(":1025", ConfigTLS("ccert", "ckey"), func(c net.Conn) { if m, e := bufio.NewReader(c).ReadString('n'); e == nil { Printf(m) } }) } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, InsecureSkipVerify: false, } } return } func Dial(a string, conf *tls.Config, f func(net.Conn)) { if c, e := tls.Dial("tcp", a, conf); e == nil { defer c.Close() f(c) } } go for the would-be network programmer http://slides.games-with-brains.net/37
  • 38. package main import . "fmt" import "bufio" import "net" import “crypto/tls" func main() { Dial(":1025", ConfigTLS("ccert", "ckey"), func(c net.Conn) { if m, e := bufio.NewReader(c).ReadString('n'); e == nil { Printf(m) } }) } func ConfigTLS(c, k string) (r *tls.Config) { if cert, e := tls.LoadX509KeyPair(c, k); e == nil { r = &tls.Config{ Certificates: []tls.Certificate{ cert }, InsecureSkipVerify: true, } } return } func Dial(a string, conf *tls.Config, f func(net.Conn)) { if c, e := tls.Dial("tcp", a, conf); e == nil { defer c.Close() f(c) } } go for the would-be network programmer http://slides.games-with-brains.net/38
  • 40. package main import "crypto/aes" import "crypto/cipher" import "crypto/rand" import . "net" const AES_KEY = "0123456789012345" func main() { Serve(":1025", func(c *UDPConn, a *UDPAddr, b []byte) { if m, e := Encrypt("Hello World", AES_KEY); e == nil { c.WriteToUDP(m, a) } }) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } func Quantise(m string) (b []byte, e error) { b = append(b, m...) if p := len(b) % aes.BlockSize; p != 0 { p = aes.BlockSize - p // this is insecure and inflexible as we're padding with NUL b = append(b, make([]byte, p)...) } return } func IV() (b []byte, e error) { b = make([]byte, aes.BlockSize) _, e = rand.Read(b) return } func Encrypt(m, k string) (o []byte, e error) { if o, e = Quantise([]byte(m)); e == nil { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte if iv, e = IV(); e == nil { c := cipher.NewCBCEncrypter(b, iv) c.CryptBlocks(o, o) o = append(iv, o...) } } } return } go for the would-be network programmer http://slides.games-with-brains.net/40
  • 41. package main import "crypto/aes" import "crypto/cipher" import "crypto/rand" import . "net" const AES_KEY = "0123456789012345" func main() { Serve(":1025", func(c *UDPConn, a *UDPAddr, b []byte) { if m, e := Encrypt("Hello World", AES_KEY); e == nil { c.WriteToUDP(m, a) } }) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } func Quantise(m string) (b []byte, e error) { b = append(b, m...) if p := len(b) % aes.BlockSize; p != 0 { p = aes.BlockSize - p // this is insecure and inflexible as we're padding with NUL b = append(b, make([]byte, p)...) } return } func IV() (b []byte, e error) { b = make([]byte, aes.BlockSize) _, e = rand.Read(b) return } func Encrypt(m, k string) (o []byte, e error) { if o, e = Quantise([]byte(m)); e == nil { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte if iv, e = IV(); e == nil { c := cipher.NewCBCEncrypter(b, iv) c.CryptBlocks(o, o) o = append(iv, o...) } } } return } go for the would-be network programmer http://slides.games-with-brains.net/41
  • 42. package main import "crypto/aes" import "crypto/cipher" import "crypto/rand" import . "net" const AES_KEY = "0123456789012345" func main() { Serve(":1025", func(c *UDPConn, a *UDPAddr, b []byte) { if m, e := Encrypt("Hello World", AES_KEY); e == nil { c.WriteToUDP(m, a) } }) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } func Quantise(m string) (b []byte, e error) { b = append(b, m...) if p := len(b) % aes.BlockSize; p != 0 { p = aes.BlockSize - p // this is insecure and inflexible as we're padding with NUL b = append(b, make([]byte, p)...) } return } func IV() (b []byte, e error) { b = make([]byte, aes.BlockSize) _, e = rand.Read(b) return } func Encrypt(m, k string) (o []byte, e error) { if o, e = Quantise([]byte(m)); e == nil { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte if iv, e = IV(); e == nil { c := cipher.NewCBCEncrypter(b, iv) c.CryptBlocks(o, o) o = append(iv, o...) } } } return } go for the would-be network programmer http://slides.games-with-brains.net/42
  • 43. package main import "crypto/aes" import "crypto/cipher" import "crypto/rand" import . "net" const AES_KEY = "0123456789012345" func main() { Serve(":1025", func(c *UDPConn, a *UDPAddr, b []byte) { if m, e := Encrypt("Hello World", AES_KEY); e == nil { c.WriteToUDP(m, a) } }) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } func Quantise(m string) (b []byte, e error) { b = append(b, m...) if p := len(b) % aes.BlockSize; p != 0 { p = aes.BlockSize - p // this is insecure and inflexible as we're padding with NUL b = append(b, make([]byte, p)...) } return } func IV() (b []byte, e error) { b = make([]byte, aes.BlockSize) _, e = rand.Read(b) return } func Encrypt(m, k string) (o []byte, e error) { if o, e = Quantise([]byte(m)); e == nil { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte if iv, e = IV(); e == nil { c := cipher.NewCBCEncrypter(b, iv) c.CryptBlocks(o, o) o = append(iv, o...) } } } return } go for the would-be network programmer http://slides.games-with-brains.net/43
  • 44. package main import "crypto/aes" import "crypto/cipher" import "crypto/rand" import . "net" const AES_KEY = "0123456789012345" func main() { Serve(":1025", func(c *UDPConn, a *UDPAddr, b []byte) { if m, e := Encrypt("Hello World", AES_KEY); e == nil { c.WriteToUDP(m, a) } }) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } func Quantise(m string) (b []byte, e error) { b = append(b, m...) if p := len(b) % aes.BlockSize; p != 0 { p = aes.BlockSize - p // this is insecure and inflexible as we're padding with NUL b = append(b, make([]byte, p)...) } return } func IV() (b []byte, e error) { b = make([]byte, aes.BlockSize) _, e = rand.Read(b) return } func Encrypt(m, k string) (o []byte, e error) { if o, e = Quantise([]byte(m)); e == nil { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte if iv, e = IV(); e == nil { c := cipher.NewCBCEncrypter(b, iv) c.CryptBlocks(o, o) o = append(iv, o...) } } } return } go for the would-be network programmer http://slides.games-with-brains.net/44
  • 46. package main import "bufio" import "crypto/cipher" import "crypto/aes" import . "fmt" import . "net" const AES_KEY = "0123456789012345" func main() { Request(":1025", func(c *UDPConn) { c.Write(make([]byte, 1)) if m, e := ReadStream(c); e == nil { if m, e := Decrypt(m, AES_KEY); e == nil { Println(string(m)) } } }) } func Decrypt(m []byte, k string) (r string, e error) { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte iv, m = Unpack(m) c := cipher.NewCBCDecrypter(b, iv) c.CryptBlocks(m, m) r = Dequantise(m) } return } func Unpack(m []byte) (iv, r []byte) { return m[:aes.BlockSize], m[aes.BlockSize:] } func Dequantise(m []byte) string { var i int for i = len(m) - 1; i > 0 && m[i] == 0; i-- {} return string(m[:i + 1]) } func Request(a string, f func(Conn)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() f(conn) } } } go for the would-be network programmer http://slides.games-with-brains.net/46
  • 47. package main import "bufio" import "crypto/cipher" import "crypto/aes" import . "fmt" import . "net" const AES_KEY = "0123456789012345" func main() { Request(":1025", func(c *UDPConn) { c.Write(make([]byte, 1)) if m, e := ReadStream(c); e == nil { if m, e := Decrypt(m, AES_KEY); e == nil { Println(string(m)) } } }) } func Decrypt(m []byte, k string) (r string, e error) { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte iv, m = Unpack(m) c := cipher.NewCBCDecrypter(b, iv) c.CryptBlocks(m, m) r = Dequantise(m) } return } func Unpack(m []byte) (iv, r []byte) { return m[:aes.BlockSize], m[aes.BlockSize:] } func Dequantise(m []byte) string { var i int for i = len(m) - 1; i > 0 && m[i] == 0; i-- {} return string(m[:i + 1]) } func Request(a string, f func(Conn)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() f(conn) } } } go for the would-be network programmer http://slides.games-with-brains.net/47
  • 48. package main import "bufio" import "crypto/cipher" import "crypto/aes" import . "fmt" import . "net" const AES_KEY = "0123456789012345" func main() { Request(":1025", func(c *UDPConn) { c.Write(make([]byte, 1)) if m, e := ReadStream(c); e == nil { if m, e := Decrypt(m, AES_KEY); e == nil { Println(string(m)) } } }) } func Decrypt(m []byte, k string) (r string, e error) { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte iv, m = Unpack(m) c := cipher.NewCBCDecrypter(b, iv) c.CryptBlocks(m, m) r = Dequantise(m) } return } func Unpack(m []byte) (iv, r []byte) { return m[:aes.BlockSize], m[aes.BlockSize:] } func Dequantise(m []byte) string { var i int for i = len(m) - 1; i > 0 && m[i] == 0; i-- {} return string(m[:i + 1]) } func Request(a string, f func(Conn)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() f(conn) } } } go for the would-be network programmer http://slides.games-with-brains.net/48
  • 49. package main import "bufio" import "crypto/cipher" import "crypto/aes" import . "fmt" import . "net" const AES_KEY = "0123456789012345" func main() { Request(":1025", func(c *UDPConn) { c.Write(make([]byte, 1)) if m, e := ReadStream(c); e == nil { if m, e := Decrypt(m, AES_KEY); e == nil { Println(string(m)) } } }) } func Decrypt(m []byte, k string) (r string, e error) { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte iv, m = Unpack(m) c := cipher.NewCBCDecrypter(b, iv) c.CryptBlocks(m, m) r = Dequantise(m) } return } func Unpack(m []byte) (iv, r []byte) { return m[:aes.BlockSize], m[aes.BlockSize:] } func Dequantise(m []byte) string { var i int for i = len(m) - 1; i > 0 && m[i] == 0; i-- {} return string(m[:i + 1]) } func Request(a string, f func(Conn)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() f(conn) } } } go for the would-be network programmer http://slides.games-with-brains.net/49
  • 50. package main import "bufio" import "crypto/cipher" import "crypto/aes" import . "fmt" import . "net" const AES_KEY = "0123456789012345" func main() { Request(":1025", func(c *UDPConn) { c.Write(make([]byte, 1)) if m, e := ReadStream(c); e == nil { if m, e := Decrypt(m, AES_KEY); e == nil { Println(string(m)) } } }) } func Decrypt(m []byte, k string) (r string, e error) { var b cipher.Block if b, e = aes.NewCipher([]byte(k)); e == nil { var iv []byte iv, m = Unpack(m) c := cipher.NewCBCDecrypter(b, iv) c.CryptBlocks(m, m) r = Dequantise(m) } return } func Unpack(m []byte) (iv, r []byte) { return m[:aes.BlockSize], m[aes.BlockSize:] } func Dequantise(m []byte) string { var i int for i = len(m) - 1; i > 0 && m[i] == 0; i-- {} return string(m[:i + 1]) } func Request(a string, f func(Conn)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() f(conn) } } } go for the would-be network programmer http://slides.games-with-brains.net/50
  • 52. package main import . "bytes" import "crypto/rsa" import "encoding/gob" import "net" func main() { HELLO_WORLD := []byte("Hello World") RSA_LABEL := []byte("served") Serve(":1025", func(c *net.UDPConn, a *net.UDPAddr, b []byte) { var key rsa.PublicKey if e := gob.NewDecoder(NewBuffer(b)).Decode(&key); e == nil { if m, e := Encrypt(&key, HELLO_WORLD, RSA_LABEL); e == nil { c.WriteToUDP(m, a) } } return }) } func Encrypt(key *rsa.PublicKey, m, l []byte) ([]byte, error) { return rsa.EncryptOAEP(sha1.New(), rand.Reader, key, m, l) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } go for the would-be network programmer http://slides.games-with-brains.net/52
  • 53. package main import . "bytes" import "crypto/rsa" import "encoding/gob" import "net" func main() { HELLO_WORLD := []byte("Hello World") RSA_LABEL := []byte("served") Serve(":1025", func(c *net.UDPConn, a *net.UDPAddr, b []byte) { var key rsa.PublicKey if e := gob.NewDecoder(NewBuffer(b)).Decode(&key); e == nil { if m, e := Encrypt(&key, HELLO_WORLD, RSA_LABEL); e == nil { c.WriteToUDP(m, a) } } return }) } func Encrypt(key *rsa.PublicKey, m, l []byte) ([]byte, error) { return rsa.EncryptOAEP(sha1.New(), rand.Reader, key, m, l) } func Serve(a string, f func(*UDPConn, *UDPAddr, []byte)) { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := ListenUDP("udp", address); e == nil { for b := make([]byte, 1024); ; b = make([]byte, 1024) { if n, client, e := conn.ReadFromUDP(b); e == nil { go f(conn, client, b[:n]) } } } } return } go for the would-be network programmer http://slides.games-with-brains.net/53
  • 55. package main import "crypto/rsa" import "crypto/rand" import "crypto/sha1" import "crypto/x509" import "bytes" import "encoding/gob" import "encoding/pem" import “io/ioutil" import . "fmt" import . "net" func main() { Request(":1025", "ckey", func(c *net.UDPConn, k *rsa.PrivateKey) { if m, e := ReadStream(c); e == nil { if m, e := Decrypt(k, m, []byte("served")); e == nil { Println(string(m)) } } }) } func LoadPrivateKey(file string) (r *rsa.PrivateKey, e error) { if file, e := ioutil.ReadFile(file); e == nil { if block, _ := pem.Decode(file); block != nil { if block.Type == "RSA PRIVATE KEY" { r, e = x509.ParsePKCS1PrivateKey(block.Bytes) } } } return } func Request(a, file string, f func(*UDPConn, *PrivateKey)) { if k, e := LoadPrivateKey(file); e == nil { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() SendKey(conn, k.PublicKey, func() { f(conn, k) }) } } } } func Decrypt(key *rsa.PrivateKey, m, l []byte) ([]byte, error) { return rsa.DecryptOAEP(sha1.New(), rand.Reader, key, m, l) } func SendKey(c *net.UDPConn, k rsa.PublicKey, f func()) { var b bytes.Buffer if e := gob.NewEncoder(&b).Encode(k); e == nil { if _, e = c.Write(b.Bytes()); e == nil { f() } } } go for the would-be network programmer http://slides.games-with-brains.net/55
  • 56. package main import "crypto/rsa" import "crypto/rand" import "crypto/sha1" import "crypto/x509" import "bytes" import "encoding/gob" import "encoding/pem" import “io/ioutil" import . "fmt" import . "net" func main() { Request(":1025", "ckey", func(c *net.UDPConn, k *rsa.PrivateKey) { if m, e := ReadStream(c); e == nil { if m, e := Decrypt(k, m, []byte("served")); e == nil { Println(string(m)) } } }) } func LoadPrivateKey(file string) (r *rsa.PrivateKey, e error) { if file, e := ioutil.ReadFile(file); e == nil { if block, _ := pem.Decode(file); block != nil { if block.Type == "RSA PRIVATE KEY" { r, e = x509.ParsePKCS1PrivateKey(block.Bytes) } } } return } func Request(a, file string, f func(*UDPConn, *PrivateKey)) { if k, e := LoadPrivateKey(file); e == nil { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() SendKey(conn, k.PublicKey, func() { f(conn, k) }) } } } } func Decrypt(key *rsa.PrivateKey, m, l []byte) ([]byte, error) { return rsa.DecryptOAEP(sha1.New(), rand.Reader, key, m, l) } func SendKey(c *net.UDPConn, k rsa.PublicKey, f func()) { var b bytes.Buffer if e := gob.NewEncoder(&b).Encode(k); e == nil { if _, e = c.Write(b.Bytes()); e == nil { f() } } } go for the would-be network programmer http://slides.games-with-brains.net/56
  • 57. package main import "crypto/rsa" import "crypto/rand" import "crypto/sha1" import "crypto/x509" import "bytes" import "encoding/gob" import "encoding/pem" import “io/ioutil" import . "fmt" import . "net" func main() { Request(":1025", "ckey", func(c *net.UDPConn, k *rsa.PrivateKey) { if m, e := ReadStream(c); e == nil { if m, e := Decrypt(k, m, []byte("served")); e == nil { Println(string(m)) } } }) } func LoadPrivateKey(file string) (r *rsa.PrivateKey, e error) { if file, e := ioutil.ReadFile(file); e == nil { if block, _ := pem.Decode(file); block != nil { if block.Type == "RSA PRIVATE KEY" { r, e = x509.ParsePKCS1PrivateKey(block.Bytes) } } } return } func Request(a, file string, f func(*UDPConn, *PrivateKey)) { if k, e := LoadPrivateKey(file); e == nil { if address, e := ResolveUDPAddr("udp", a); e == nil { if conn, e := DialUDP("udp", nil, address); e == nil { defer conn.Close() SendKey(conn, k.PublicKey, func() { f(conn, k) }) } } } } func Decrypt(key *rsa.PrivateKey, m, l []byte) ([]byte, error) { return rsa.DecryptOAEP(sha1.New(), rand.Reader, key, m, l) } func SendKey(c *net.UDPConn, k rsa.PublicKey, f func()) { var b bytes.Buffer if e := gob.NewEncoder(&b).Encode(k); e == nil { if _, e = c.Write(b.Bytes()); e == nil { f() } } } go for the would-be network programmer http://slides.games-with-brains.net/57
  • 58. aes + rsa —> hybrid crypto
  • 59. encrypt all passwords • accept unicode to expand the symbol space • hash every new password before it’s submitted • always use a cryptograpically secure hash (HMAC) • and a fresh HMAC key for each password (which you must store) • salt the resulting hash when you receive it (and store the salt) • then hash again before storing in your database
  • 60. require two-factor authentication • have the user submit their password over a secure channel • then send them a confirmation code out-of-band • that’s an agreed trust anchor acting as a shared secret • the confirmation code should be big enough to generate a HMAC • and only the HMAC should be submitted • now you have two secure channels based on shared secrets
  • 61. encrypt all storage • secured transport is useless without secured data stores • encrypt all sensitive fields - that probably means all fields • and store HMACs for desired search terms • otherwise you black box is secure but unsearchable • make sure you use different roles for reading, writing and searching • that’s right, your datastore is also a set of secure streams
  • 62. anchor trust internally • establish your own certificate authority • assign fine-grained roles to different components (microservices) • and minimise your threat surface (regular code audits, security logs) • never deploy without a full security audit • and make those deployments immutable • security audits (like QA) are best done by third parties