
The Art & Craft of Secrets: Using the Cryptographic Toolbox


Speech transcript
this is kind of here and it would thank you for coming both of you a little odd and deregulated a ago of so you can jump right in we had a question to start off do you trust me thank
you and if you don't you're in good company but if you do I'd like you take a 2nd in just think about why you trust me this talk is about why are asking trustor users and vice-versa on so that the topic of the day so many of my name is
Michael Swieton which you know if you read the slide at the 2nd year of I work for a company called Atomic Object this was asked I'm going to screen answers this was about a year ago but 50 people in the EU customs soccer development so when mobile but it across the board look and I have to do the obligatory patience really at every single talk today while we are hiring experienced developers their offices in Ann Arbor in Grand Rapids so India yeah so today's talk here is
not so much about algorithms or bits and bytes or any of that kind of stuff I'm not going to start unpacking AES and RSA impending element and bunch but this is a talk about how those different pieces all fit together it turned out that it's a really complicated nasty dance did any of the stop working right together in the stuff that many of us might have experienced in college in a discreet math courses does not come anywhere near covering so that no 1 is odd argmax I apologize in advance if somebody did want more details well in addition to some of how at its together you'll see my little spy pop up in the side of screen we have a story to tell about some real world security failures but some context and some of these so I'm only go I have about
trust now my name is Michael Swieton then you can trust me because I had the idea to prove it on the idea was issued by the government so I won't go so far as asking you to trust the government will need trust that they check my birth certificate and other ideas before the issued and I picture the name matches we see in the conference program what even at least trust that this is the top element to be given at this loss even if you don't trust anything else almost everything we do in terms of security there are apps is built on the chain of trust like that something real from program to name to government to ID almost nothing is made from some big over arching solution it's all tiny little pieces fit together in just the right way In light wave that I'm terrified I'm going to screw up because this hard so the
example of this is what you get if you do like Rails new wherever the command of nowadays and add device and don't recyling so I made an example user account for instance end of last 1 did but OK unlike it's really easy load a hand wave over what just happened when is buried under a single 1 here we actually did just a lot of stocks River make mention we had dual saying data with evaluated and no change things so when the impact factor the the we lost month and manager
spring OK so we had a DNS lookup defined for we had to make a connection we had this somehow magically make it secure we can send are gradual over check them and 1 person so that's great and it's rather than we have best still pretty and wave so when you rewind With connectedness now before we do anything else where check the server certificate so funny story time we do this of get to prove authenticity the on and this is important so you've example back in 0 wait a man stole all roughly 850 thousand dollars from 2 based are around the DC area he walked in and said that by year for the and you look right he would have a uniform the gun in every except he wasn't actually working for a security company grabs a bag of that really dollars walks out the the I don't think he actually had an armored car is prior gotten like a Ford Escort and away the strap under did the same thing the next day and another that engage with different bet the don't matter have a torque room you have been In the talk is secure and it's locked it doesn't matter if you're sending your data a fairly to the wrong place so this is quantitative for but let's begin the way it really is also delivers really brave here then so firstly if a public key public he for the server they're trying to have a conversation it are the key fell is just a number they don't tell anything and the number could be lying anybody but I can give you a number 42 of so will be add certificate if the metadata refers not only is this the number that were talking about it belongs to this name obliged to Amazon.com rails guide our work the and we trust that the certificate authority validated them the of and they measure the certificate and what they do is they fight they applied cryptographic signature which is created with a certificate authority up private key and so we can verify this is delta G interest for us I trust my web browser the browser ships with public you for all the certificate authorities so they can check are that the certificate is validly signs and the certificate was signed as a whole so we know that key goes to 0 that name and because the public in there that's a tool we can use to help facilitate secure communication with whomever have their private key all we have proven that part just yet all we improving is that this is the right of public key for us to be using so we trust the key this more left with a system of the certificate authority vouching for the kid basically what the market doesn't mean that a new member what about as well actually to be honest OK so we've got this certificate stored in memory the more distant on the next thing we have this key exchange we have a key in that certificate but have not actually what we used to communicate generally speak of public-key algorithms like RSA the and I this applies to what DSS the other signatory out in both our at least is firstly really computationally intensive and secondly the final mutations to outside the incorrect so it works well for exchanging by 2 of the 6 picking a a little less well for downloading the intuitive soprano 2 ways I'm doing key exchange for the 1st is RSA exchange the client generates a secret and the accept using the public key in the certificate then we can send it over and be assured that no observed will be able to steal a key so has the key then and I was thinking Ambleside's and we cannot be secure also excluded the and that was no in 71 I think winning the artist paper was published the pretty big deal this 1 other way we the exchange which all all the
better so the you remember seeing idea remember seeing
this i in school or this image that was taken from Wikipedia method Diffie-Hellman Key exchange are undoubtedly knew exactly how it works but here's the super quick demo inside generates a secret and there and keep that secret secret the we also generate something there really exchange publicly and this is where our Weasley special on the server side we science this is an extension of the regular Diffie-Hellman key exchange that we do with TLS and this led you prove authenticity for the server because so if we get our sense only the person with the private key could be corrected because they don't apply here we need to do that some other way so service I the keys we swap the public have and then from there we can construct a session can we can use but this is more than the cool the 1st happened generated never got training so that provides a facility we call forward secrecy are you remember when I show you for our all of data that matters for the connection was sent over the match so someone happened the unit at a time didn't have the private key it by year to legally acquire it they can go back to the recording the conversation in the crypt I Diffie-Hellman everyone we delete those up the parts that we didn't transmit we I can be assured that were relatively unlikely at least that anyone can ever reproduce this particular conversation no 1 thing that was really interesting forward secrecy is actually not enabled in mostly different Cyprus weeks off as a cell and the last provide knowledge of the deal of there was kind of a big news item at some point in the past we Google enabled them for all their services all which in you should consider OK so regardless we somehow have established fashion he and so we can start encryptor the for I took but you have to get there and before in mind when we just review what we've accomplished with all we talk about authenticity 1 make sure we're talking to the correct personally it the primacy 1 is pretty obvious and all 
understand something and now have that observed on the last 1 is integrity and I didn't talk much about them that's because there isn't a step for integrity by the way we do that until last is pretty much every time the exchange data part they hashes provided on data from the side that sends it and so on animal and they can validate that had still works but such a threaded through everything talked OK live births are stuff we typically don't to deal with of ourselves every day the yeah but this part the actual log stuff that nuts and bolts is that's what did I give the theories about that's what your lighting draw will do the so all of these pieces are transport layer and are you did not like this to the following not is stuff that someone smarter than he wrote for me In but in Apache or and enact up in the browser increment of the other stuff that's my JavaScript my to mount my gym filed by controllers but human being mine this is all stuff that's my problem and your problem the I so these are kind of separate pieces now at hand labeled over forgetting about those 1st bits for a little bit and focus on how our panels of internal you know and on I start up a development server and makes a request so this is a usually larger request that we downloaded are ready to start now becomes the development mode I don't have TLS enabled this means I answer just talented in make requests is a really good Hanlon exactly what's happening on the wire when you do that because the no no other layers in between the the request for this click log button and we say it's a post to the user's controller sign and find out the bottom there's the data I'm sending my e-mail and selling a password I not URL-encoded and were lying here on it being sent over encrypted channels that warrants this is exactly what a little later observer so that's the steps we descend
the log invention and tolerance verifying it though chanting lower so this is sort of like and the key bed is this here we sent a you name of art rails kind that example that can in some did the right use database and try to find record now that actually only cues of aligning process that's really showing up in our life are in a good way here are the rats that actually right here are chronologically speaking that for work from the in-memory staff in figure out if the pasteurized light is also valid I am a dwell on profit for a little bit
because it something we have to deal with a lot and easy for to screw on the for a temporary session cues that's all stuff that under control but the path of come our users so we can rebuild that without the you without really irritating areas
selecting we have some some of them have good profits from an are duplicates some women bad benefits of yeah so this is a simple way to do it but now we all know this is wrong it's easy but it's and it's wrong because of his own get all of our database they have all users passwords the because users are so readily when using passwords it means that if we link our database somehow on this just keeps happening if you watch the news it's late were leaking not only are users methods for us and what of Amelia were also leaving probably the banks password going very well then I can have a new password for every service we all know better of course 1 but they tell you OK so storing pointed fashion simple but don't bother the OK let's give it
another try suppose national press this analysis marginally last back they'd end up looking like this in the database and so we just take the hash where they provide a comparative and summarize on but immediately is really obvious that but if you can do with a passionate exposed but I also want to point out the China 1 is really fast so can problem so another story time in 2 thousand and 13 at the Boston without telling you your but they lost a lot of money FIL might be restored brute application of course jewelry case by the front but this is a broad daylight so front doors unlike desk is man made the case here and probably bulletproof glass and locked but 2 men walk in transcodes possible what a sledgehammer slash the case they grab on and a 2 million dollars worth of watches jewelry couplings etc. and they walk back out there was so no 1 could do anything that's like that of example of you know you don't really expect that failure mode and that's the way it is with the Athletics here you could try to calculate all the passwords folic acid and it seemed like should be invisible but it's actually not this attack type called a rainbow table and all it is is an implementation of a time-space tradeoff that would create a look at the so all the table for all 0 to a character passwords with the know 95 prepared to run US keyboard it less than half a terabyte so today I'm an island not a big deal but even to the whole that much shorter cost you about 6 thousand hours they that the NSA had access to that kind of computing power and probably an angel with a credit card can make a system that can do that so even it looks better than for plaintext password it's almost identical the but we can know the Gabor by applying a salt so in the database looks like that we generate some random data but in practice to be larger than this but where and I went on the slide on and we actually use possibly include the salt and whatever they provided and then check that against the against 
the patch where we store this actually finally search together in the realm of being kind of secure and is still notable the fact that you know Chaturvedi 6 challenge deathly broken arm there Google published attack recently on each item 6 I think the current state of the art if you're watching this in 6 months I flatter myself the largest in 6 months maybe things changed I don't know but right now right so this is good but
not perfect we can do better are we really really wanted to it just apply a password specific hash: bcrypt, scrypt or PBKDF2 while I'm out there is just going to pick the right 1 and this ties together everything we have so it's what so this has Silicon Graphics in your database but let me really quick show you a little about what stored there this is our blink delimited for the 1st spilled in the Virgin Bobby trapped in this case burden to this is the better the 2nd field was 12 that's what differentiates it from not just a standard sort of effort on that 12 is the work factor so I to me that the 2 year 20 we knew that to scale how hard the problem this there's who can't French we don't want that to be fast there is no advantage to it because the widened by users don't really care that 2 and millisecond or 1 the and if we find out later that our computers are too fast but due 2025 1st 22 characters layer that is the salt 128 bit space of the foreign goes up and there's a catch so that merits of every the so that's verifying what individuals finally we can start to get to the point of 1 year and was started trying to figure out 20 minutes ago 5 so I mean arrest and here was the 1st response an interesting that amongst all the fires is that we session cookie I said that in Figure rail fashion sort of use the database for this and so on so this might look a little different the key thing is is something that we gave to the user so that they can bring that next time instead of using the past it's revoke so if we need to change things we can just like the user out not a big deal the lot harder to do that with the actual task OK so the next
request there a bring in that token that cookie In the wheel and then we're done whether 22 minutes to get there all so this is what we've accomplished right username password to authenticate the With issued an unpredictable unique session so that we know on all perspective 6 steps we know no 1 else that token because we've exchanging over a secure channel the that is a kind of a big bang how you treat your token here's an example of
this woman who have enough anatomize in the 20 that t in r Melbourne Cup it 2015 Melbourne Cup in Australia I'll bet on horses she won 800 dollars and very naturally human side as you posted around based with about in the time it took her to get from the track that over to about encounter someone called the the secret token out of that bar code and claim the prize should a bit miffed about where now know we think we do better because you know the separated you know we're not it's exposing it but it turns out all in
2010 developer Eric Butler released this off funding called Firesheep on this screenshot from his website was still off you do a search and find it a lot of major web apps at a time where you have a valid to attack the login page but not to protect all of the other parts of the year and so that session token that last property they broke and that meant that if you were corrected in coffee shops and open Wi-Fi networks your basically it shall in your then Scholes out into the world for anyone who would listen so not after other lesser here is you should always be using as a solitary pair of work till which now replaced SSL of if you care about security at all OK so here's right where I don't you it to the too much the scene but I'm the type of on the same panel session hijacking attacks against which of
so I go to Twitter and open up Chrome's dev tools and here we have but not stoking cookies so the article Q and experimentally to find out that if this 1 and that 1 Twitter section but if I did this type of this token they will act as if it's coming from me so I provided the had a when I had
Twitter on so that sent over in the engaged in the others and they give me back a successful request that this whole thing is the mass to dig through but we actually dig into the HTML but it's still a mass on we scroll down about 70 500 pixels you see my name the I'll leave it as an exercise to the audience to verify that your Twitter don't have my name on it and that's all it took now that does not mean that Twitter is insecure but because they did everything right in terms of exchanging over HTTPS and protagonist of I would get added because I control the began this on my laptop and I control browser so someone takes over your browser you just pass I don't really have any good advice for you there of the laser problem be solved eventually the but you have to and up trusting something entrusted to the authorities we trust about interest a laptop that's a really hard problem where but now
we talked knowledge it's on take a 2nd year and shift here the who are the guys that by others makes fun of me for really liking single signer of other thing is actually a cool demonstration because single sign-on between 2 separate isolated acts going have and what appears to be a shared session between them ties together everything we've talked about so far did you not cryptographic primitives to establish trust with each individual system and between the system so not yet had time where they can do this and hopefully you'll see how this accommodated dance works little about so let's say we have some boring system because in a chart it knows who I am it can authenticate we we don't have any data that I actually am interested in I thought maybe there's some other system and a wiki maybe that 1 has the that I walked it the web and support so much that cannot find them now we're not with a provision the silver I exchange some keys In this particular implementation is just random data are is the same data on both sides the other is set of keys need something allow was established trust and a note about me so let's assume that there's all creating major me in a database we OK so I'm about the which item I miss backward so I go to my Wiki I say thank you but of course and want it I don't have a session on of a cookie for the answer they don't know me but that go talk to the other on the other database here linear rewrite over here because this database that actually knows who the hell I am what just the annotator to redirect Norina carry along the edges of the page and trying to get to so that you know in about 11 minutes whereas time well no stranger rear-ended all OK so I go to the other day they had Will you vouch for me for the other to the other and analyzes read it for yourselves no on what this guy is people the so we'll give me a lot and the 1 and I don't the limits like for so I make a POST request thank you mainly minutes then without checking the from like 
then you did in a session luckily it's only good here but will not understand employs outcome session cookies to make it at so is also to give me a token that the other half of the truck energy that that have to be to that
1 is gonna have to establish who I am the other thing I have to prove that a token is actually accurate all serve on story about boards tokens later if we have time so who I am is trivial maybe it stays on our during sample maybe fractional but whatever his sons who I am on have an expiration date on this token is only there to get made from here over to the other half so get the last more than a minute or 2 in adults then if I get fired and my axes of remote then that totally missed still logged in savvy batteries in the story we probably URL-encoded to make it easier to send and that's layer not for I there are a lot of techniques we can use public key cryptography to all clear signature which can be verified private keys another method that I can like birth when adjust to system and intimate homegrown with a hash-based message authentication code so this is actually the specific primitive that's used to do integrity checking on all of the SSL opac as they go across In all it is is we wrap up some random data with out as a key the data to be signed and a hash function and the applied and some barely specific way to create a hash so if the other side has the keys which remember we appreciate the key no real the reality that OK so theory directly by your
Ulsterman get to be a bit of a man's life cumulate things so we're going over to the other and over here in still carrying along my final destination but now we have a token that says who I am and that the age map that says you can trust this interest came from someone who knows so I follow their redirect which making making Gary class and now that acts like a longer undecided this should be a session token and so now I have 1 token per over there 1 token per over here in the different that really connected the that don't have to share database because of having key sign up with them same data you know the integer channel of the user and entrusted now will finally reacting to the place I want to go the corollary redirect I provide the cookies an item on the data the line illustrate that just because it was in effect on illustrate that because if such a match I feel like applying contains error as the cell and everything all of layers and whatever views but that model that's the same model for are OpenID Connect thoughts on why mention primarch any single sign-on solution you get off the shelf will work roughly this way the no I really intended include this graph in the rest of the talk but this those opinions well 1 of the road in heavy end anyway so this just a little dependency graph of ons how some of the different on map primitives and other all business things like trusted 3rd party all come together to let us know able to act securely online and then go through spiders prepare show this in the bloodied maps the but is a really careful stack of things in I find interesting vibrant about of I definitely do not trust myself to implement it and so I strongly recommend if you can get a third-party trusted well ordered library for example libsodium is an implementation and 1 thing that's cool about that is then set up so that they never have a branch in their code that depends on the grade data this is that apparently that up but cannot possess the kind of thing
that like I'm not going to think about we then an expert in this and in all likelihood you 90 plus per cent of you guys are very few people really trust this well it finally are but I hope that in a while for me it but the
means that on cover imagine I promise to storage ownership share with you to more fun stories about occasion going awry so in my theory when I actually included this in our my talk submission trails in 19 70 or 71 made so this is background of the anomalous protest there's is a group of protesters at broke into at Philadelphia draughtboard office so they were going to steal the selected some the papers other people were being drafted the they discovered in this particular office made could not break through this door the padlock without wondering the paper replace on something they done other parts summarize so 1 of them has great idea while there is joint tactical some of your notes in the road the notes that we don't like this door tonight the case the door they came back a few hours later insurance it was opened so absolutely right there at high stress just so damn simple so that's a problem with that use sale or something you get a lot of time this other side that says you can trust the person who has this token as long as obtain from the right place on little can assign that's really critical we validate your trust every level the break that chain you're leaving your front door wide open the but it's really about 4 minutes appears questions discussion haggling pipelines now but it will happen so that parts speech
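The single sign-on hand-off described in the talk, as an added example in Ruby that is not code from the talk or from Atomic Object: the system that knows the user issues a short-lived token stating who they are and until when, signed with a key shared between both systems, and the other system checks the HMAC before trusting the claim and refuses stale or altered tokens. The payload layout (a hex-encoded JSON object with `sub` and `exp`), the 120-second lifetime and HMAC-SHA256 are assumptions of this example.

```ruby
require "openssl"
require "securerandom"
require "json"
require "uri"

# Shared secret provisioned out of band on both systems, as in the talk.
# Constructed here at load time; a real deployment would read it from config.
SHARED_KEY = SecureRandom.random_bytes(32)

# The hand-off token only needs to survive the redirect, so keep it short-lived.
TOKEN_TTL = 120 # seconds (assumed value)

# Compare two MACs without leaking where they differ through timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def hmac_hex(key, data)
  OpenSSL::HMAC.hexdigest("SHA256", key, data)
end

# Identity provider side: state who the user is and until when that claim is
# good, then sign it with the shared key. Hex-encoded so the token is URL-safe.
def issue_token(user_id, key: SHARED_KEY, now: Time.now)
  claims = JSON.generate({ "sub" => user_id, "exp" => (now + TOKEN_TTL).to_i })
  body = claims.unpack1("H*")
  URI.encode_www_form_component("#{body}.#{hmac_hex(key, body)}")
end

# Relying party side: check the MAC before trusting a single byte of the body,
# then check expiry. Returns [user_id, :ok] or [nil, reason].
def verify_token(token, key: SHARED_KEY, now: Time.now)
  body, mac = URI.decode_www_form_component(token).split(".", 2)
  return [nil, :malformed] if body.nil? || mac.nil?
  return [nil, :bad_signature] unless constant_time_equal?(mac, hmac_hex(key, body))
  claims = JSON.parse([body].pack("H*"))
  return [nil, :malformed] unless claims.is_a?(Hash) && claims["exp"].is_a?(Integer)
  return [nil, :expired] if claims["exp"] < now.to_i
  [claims["sub"], :ok]
rescue JSON::ParserError
  [nil, :malformed]
end

# Walk through the hand-off: the system that knows the user issues a token, the
# other system verifies it, and a stale or altered token is refused.
def demo_handoff
  token = issue_token("msw") # constructed user id
  results = { fresh: verify_token(token) }
  results[:stale] = verify_token(token, now: Time.now + TOKEN_TTL + 1)
  body, = URI.decode_www_form_component(token).split(".", 2)
  altered = JSON.generate({ "sub" => "admin", "exp" => Time.now.to_i + 3600 }).unpack1("H*")
  results[:altered] = verify_token(token.sub(body, altered))
  results
end

if __FILE__ == $PROGRAM_NAME
  demo_handoff.each { |name, (user, status)| puts "#{name}: #{status} #{user}" }
end
```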

Metadata

Formal metadata

Title The Art & Craft of Secrets: Using the Cryptographic Toolbox
Series title RailsConf 2017
Part 02
Number of parts 86
Author Swieton, Michael
License CC Attribution - ShareAlike 3.0 Unported:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unaltered or altered form, for any legal and non-commercial purpose, provided that you credit the author/rights holder in the manner they specify and pass on the work or this content, including in altered form, only under the terms of this license.
DOI 10.5446/31290
Publisher Confreaks, LLC
Publication year 2017
Language English

Content metadata

Subject area Computer science
Abstract Picking an encryption algorithm is like choosing a lock for your door. Some are better than others - but there's more to keeping burglars out of your house (or web site) than just the door lock. This talk will review what the crypto tools are and how they fit together with our frameworks to provide trust and privacy for our applications. We'll look under the hood of websites like Facebook, at game-changing exploits like Firesheep, and at how tools from our application layer (Rails), our protocol layer (HTTP), and our transport layer (TLS) combine to build user-visible features like single sign-on.
