19. #owaspkyiv @vixentael
THINGS TO DECIDE ON
PADDING
KEY LENGTH
KEY ROTATION
MODE
KEY DERIVATION
KEY STORAGE
KEY EXCHANGE
DATA SCOPE
ALGORITHM
IV
KEY REVOCATION
28. AS USERS WE WANT…
more ciphers!
more vulnerabilities!
more side channel attacks!
more attacks!
more constant time checks :)
more protocols!
more patches!
31. AS USERS WE WANT…
more ciphers!
BORING CRYPTO
32. BORING CRYPTO
— crypto that simply works, solidly resists attacks, never needs any upgrades
https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf
Daniel J. Bernstein
34. WHAT DO WE WANT?
— SOLVE USE-CASES!
instead of adjusting our resources
35. WHAT DO WE WANT?
— HIGH-LEVEL FUNCTIONS
I want to store data securely
I want to send data securely
I want to verify data integrity
36. WHAT DO WE WANT?
— HIGH-LEVEL FUNCTIONS
store data securely
send data securely
verify data integrity
key derivation
key exchange
key rotation
sign/verify ephemeral keys
encr / decr
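The high-level functions idea from the two slides above, as an added example that is not from the talk or from any library it mentions: one "store data securely" call built on Node.js `crypto` that settles key length, mode, IV, key derivation and data scope internally. The names `sealData` and `openData`, the container layout and the passphrase-based design are assumptions made for illustration.

```javascript
// Added example (not from the talk): a high-level "store data securely" API.
const crypto = require('node:crypto');

// Low-level decisions are fixed once here instead of by every caller.
const VERSION = 1;   // format byte, leaves room for algorithm or key rotation
const SALT_LEN = 16; // random per-message salt for key derivation
const IV_LEN = 12;   // 96-bit GCM nonce, fresh for every message
const TAG_LEN = 16;  // 128-bit authentication tag
const KEY_LEN = 32;  // AES-256
const HEADER_LEN = 1 + SALT_LEN + IV_LEN;

// Key derivation: scrypt with Node's default cost parameters.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, KEY_LEN);
}

// Hypothetical name. Returns Buffer: version | salt | iv | tag | ciphertext.
function sealData(passphrase, plaintext, context = '') {
  const salt = crypto.randomBytes(SALT_LEN);
  const iv = crypto.randomBytes(IV_LEN);
  const header = Buffer.concat([Buffer.from([VERSION]), salt, iv]);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  // Data scope: header and caller context are authenticated, not encrypted.
  cipher.setAAD(Buffer.concat([header, Buffer.from(context)]));
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([header, cipher.getAuthTag(), body]);
}

// Hypothetical name. Throws on a wrong passphrase, wrong context or tampering.
function openData(passphrase, blob, context = '') {
  if (!Buffer.isBuffer(blob) || blob.length < HEADER_LEN + TAG_LEN) {
    throw new Error('malformed container');
  }
  if (blob[0] !== VERSION) throw new Error('unsupported version');
  const header = blob.subarray(0, HEADER_LEN);
  const salt = header.subarray(1, 1 + SALT_LEN);
  const iv = header.subarray(1 + SALT_LEN);
  const tag = blob.subarray(HEADER_LEN, HEADER_LEN + TAG_LEN);
  const body = blob.subarray(HEADER_LEN + TAG_LEN);
  const key = deriveKey(passphrase, salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.concat([header, Buffer.from(context)]));
  decipher.setAuthTag(tag);
  // final() verifies the tag and throws if anything was modified.
  return Buffer.concat([decipher.update(body), decipher.final()]);
}
```

The caller supplies only a passphrase, the data and an optional context string that binds the ciphertext to its owner or record; padding never arises because GCM is a stream mode.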
47. HSM & TPM: PROS
fast hardware crypto!
trusted environment
known security guarantees
keys calculations
48. HSM & TPM: CONS
vendor lock / vendor trust
bad for interactive encryption
complicated to maintain (install, upgrade, support, not cross-platform)
49. HSM & TPM: PRO & CONS
[diagram: HSM, app, plaintext data]
plaintext data is far away from the place it is used
51. SOFTWARE CRYPTO SYSTEMS
https://github.com/sobolevn/awesome-cryptography
any kind of encryption
plaintext data is closer to its usage
cross-platform
NO DEVICE TRUST
76. LINKS 1
Boring crypto, Daniel J. Bernstein
https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf
Why does cryptographic software fail?
https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf
API design for cryptography
https://2017.hack.lu/archive/2017/hacklu-crypto-api.pdf
77. LINKS 2
Encrypting strings in Android: Let’s make better mistakes
https://tozny.com/blog/encrypting-strings-in-android-lets-make-better-mistakes/
Awesome crypto papers
https://github.com/pFarb/awesome-crypto-papers
12 And 1 Ideas How To Enhance Backend Data Security
https://www.cossacklabs.com/backend-data-security-modern-ideas.html
Attestation and Trusted Computing
https://courses.cs.washington.edu/courses/csep590/06wi/finalprojects/bare.pdf
78. MY OTHER SECURITY SLIDES
https://github.com/vixentael/my-talks
…and more