Dodging Web Crypto API Landmines
@erniewturner
WebCrypto API
Finalized! January 2017
"JavaScript API for performing basic cryptographic operations in web applications, such as hashing, signature generation and verification, and encryption and decryption." - W3C

Why WebCrypto API
[Diagram labels: Web Browser, SSL, In Transit, Server]
Cryptographically Strong PRNG
window.crypto.getRandomValues()

Subtle Crypto
window.crypto.subtle.*
"It is named SubtleCrypto to reflect the fact that many of these algorithms have subtle usage requirements in order to provide the required algorithmic security guarantees." - W3C

Subtle Crypto
"Developers making use of the SubtleCrypto interface are expected to be aware of the security concerns associated with both the design and implementation of the various algorithms provided. The raw algorithms are provided in order to allow developers maximum flexibility in implementing a variety of protocols and applications, each of which may represent the composition and security parameters in a unique manner that necessitate the use of the raw algorithms." - MDN

Subtle Crypto
Methods are generic and take crypto algorithms as strings or objects
Nearly all operations return Promises
Only available over HTTPS

Subtle Crypto (methods)
decrypt, deriveKey, digest, encrypt, exportKey, generateKey, importKey, sign, unwrapKey, verify, wrapKey

Subtle Crypto (algorithms)
RSA, ECDSA, ECDH, SHA, HMAC, AES, PBKDF2

Typed Arrays
Array-like view into binary data
Int8Array, Uint8Array, Uint8ClampedArray, Int16Array, Uint16Array, Int32Array, Uint32Array, Float32Array, Float64Array

Uint8Array
10110010100101010100110010101010
10110010 10010101 01001100 10101010
178 149 76 170
[178, 149, 76, 170]

Uint8Array
const empty = new Uint8Array(32);                  // [0, 0, 0, ...]
const fixed = new Uint8Array([35, 183, 21, 111]);  // [35, 183, 21, 111]
const text = UTF8.encode('text');                  // [116, 101, 120, 116]
const flag = UTF8.encode('🇳🇴');                    // [240, 159, 135, 179, 240, 159, 135, 180]

CryptoKey

Symmetric Key Algorithm
AES-256 GCM
[Diagram: Alice and Bob, Encrypt and Decrypt with the same Symmetric Key]

AES-256 GCM
Military Grade
AES-GCM Crypto Key: 256 bit = 32 byte
Initialization Vector: 96 bit = 12 byte

PBKDF2
Password Based Key Derivation Function 2
[Diagram: User Password Crypto Key and Salt go into PBKDF2 (SHA-256), which produces the AES-GCM Crypto Key]

Browser Support
[Support table: PRNG, Algorithms and Typed Arrays across Edge, IE, Chrome, Firefox, Safari]

ENCRYPT
Example Project

Encryption
[Diagram: masked Password field]

Encrypt
User Adds Data
User Enters Password
Convert Password to CryptoKey
Derive AES Key
Encrypt Data

function encryptData(secretData: string, password: string){
  const dataAsBytes = UTF8.encode(secretData);
  const passwordAsBytes = UTF8.encode(password);
}
[Steps: Data, Passcode, Import, Derive AES, Encrypt]
Data to Encrypt: byte array form
User Passcode: byte array form

importKey
[Diagram: User Password (byte array form), Import Key, User Passcode Crypto Key]
importKey
window.crypto.subtle.importKey(
format: string,
keyData: Uint8Array,
algo: object|string,
extractable: boolean,
usages: string[]
)

function encryptData(secretData: string, password: string){
  const dataAsBytes = UTF8.encode(secretData);
  const passwordAsBytes = UTF8.encode(password);
  // Wrap the raw password bytes in a CryptoKey that can only be used for key derivation
  window.crypto.subtle.importKey(
    'raw',
    passwordAsBytes,
    'PBKDF2',
    false,
    ['deriveKey']
  )
  .then((passwordKey: CryptoKey) => {
  });
}
Data to Encrypt: byte array form
User Password: Crypto Key

deriveKey
[Diagram: User Password Crypto Key and Salt go into PBKDF2 (SHA-256), which produces the AES-GCM Crypto Key]
deriveKey
window.crypto.subtle.deriveKey(
algorithm: object,
masterKey: CryptoKey,
derivedKeyAlgorithm: object,
extractable: boolean,
usages: string[]
)

.then((passwordKey: CryptoKey) => {
  // 32-byte random salt, stored alongside the ciphertext
  const salt = window.crypto.getRandomValues(new Uint8Array(32));
  return window.crypto.subtle.deriveKey({
    name: 'PBKDF2',
    salt,
    iterations: 250000,
    hash: {name: 'SHA-256'}
  }, passwordKey, {name: 'AES-GCM', length: 256}, false, ['encrypt']);
})
.then((aesKey: CryptoKey) => {
});
Data to Encrypt: byte array form
AES-GCM Crypto Key

Encrypt
[Diagram: AES-GCM Crypto Key, Initialization Vector and Data to Encrypt (byte array form) go into Encrypt, which produces Encrypted Data]
Encrypt
window.crypto.subtle.encrypt(
algorithm: object,
key: CryptoKey,
data: Uint8Array
)

.then((aesKey: CryptoKey) => {
  const iv = window.crypto.getRandomValues(new Uint8Array(12));
  return window.crypto.subtle.encrypt({
    name: 'AES-GCM',
    iv,
  }, aesKey, dataAsBytes);
})
.then((encryptedContent: ArrayBuffer) => {
  const encryptedBytes = new Uint8Array(encryptedContent);
});
Encrypted Data: byte array form

Storage
Salt (PBKDF2): 256 bit = 32 byte (Uint8Array)
Initialization Vector (AES-GCM): 96 bit = 12 byte (Uint8Array)
Encrypted Data: > 0 bytes (Uint8Array)

Storage
32B Salt + 12B IV + Encrypted Data

Storage
Base64 String
TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB…..…

.then((encryptedContent: ArrayBuffer) => {
  const encryptedBytes = new Uint8Array(encryptedContent);
  const encryptedPackage = concat(
    salt,
    iv,
    encryptedBytes
  );
  return Base64.fromByteArray(encryptedPackage);
});

DECRYPT

Decryption
[Diagram: masked Password field and the stored package: 32B Salt, 12B IV, Encrypted Data]

Decrypt
Get Encrypted Data
User Enters Password
Convert Password to CryptoKey
Derive AES Key
Decrypt Data
[Diagram: Crypto Key and Salt go into PBKDF2 (SHA-256), which produces the AES-GCM Crypto Key; AES-GCM Crypto Key, Initialization Vector and Encrypted Data go into Decrypt, which produces Decrypted Data]

function decryptData(encryptedPackage: string, password: string){
  const encryptedBytes = Base64.toByteArray(encryptedPackage);
  // Layout: 32B salt, then 12B IV, then the encrypted data
  const salt = encryptedBytes.slice(0, 32);
  const iv = encryptedBytes.slice(32, 32 + 12);
  const encryptedData = encryptedBytes.slice(32 + 12);
}

Decrypt
window.crypto.subtle.decrypt(
algorithm: object,
key: CryptoKey,
data: Uint8Array
);

  return window.crypto.subtle.importKey(...)
    .then(() => window.crypto.subtle.deriveKey(...))
    .then((aesKey: CryptoKey) => {
      return window.crypto.subtle.decrypt({
        name: 'AES-GCM',
        iv,
      }, aesKey, encryptedData);
    })
    .then((decryptedContent: ArrayBuffer) => {
      const decryptedBytes = new Uint8Array(decryptedContent);
    });
}

Important Notes
Key derivation will not fail if the user enters the wrong password
PBKDF2 iterations must be the same on encrypt as on decrypt
There is no “forgot password” support
There is no way to feature detect which algorithms are supported
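
The encrypt and decrypt steps above as one round trip, added here as an example and not code from the talk: salt and IV stay in scope for packaging, and a wrong password or a different iteration count only surfaces when the AES-GCM decrypt rejects. TextEncoder, btoa/atob and the helper names (deriveAesKey, toBase64, fromBase64, demo) are assumptions standing in for the deck's UTF8 and Base64 helpers.

```javascript
// Added example, not code from the talk. Runs in a browser (HTTPS) or recent Node.js.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);
const subtle = webCrypto.subtle;

const SALT_BYTES = 32;      // 32B salt, as on the Storage slide
const IV_BYTES = 12;        // 96-bit AES-GCM IV
const TAG_BYTES = 16;       // AES-GCM appends a 128-bit tag by default
const ITERATIONS = 250000;  // PBKDF2 iteration count used on the slides

// Assumed stand-ins for the deck's Base64 helper.
function toBase64(bytes) {
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary);
}
function fromBase64(text) {
  return Uint8Array.from(atob(text), (ch) => ch.charCodeAt(0));
}

// importKey + deriveKey: password bytes -> PBKDF2 key -> AES-256-GCM key.
async function deriveAesKey(password, salt, iterations, usage) {
  const passwordKey = await subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations, hash: { name: 'SHA-256' } },
    passwordKey, { name: 'AES-GCM', length: 256 }, false, [usage]);
}

async function encryptData(secretData, password, iterations = ITERATIONS) {
  // Fresh random salt and IV for every message; both are stored in the clear.
  const salt = webCrypto.getRandomValues(new Uint8Array(SALT_BYTES));
  const iv = webCrypto.getRandomValues(new Uint8Array(IV_BYTES));
  const aesKey = await deriveAesKey(password, salt, iterations, 'encrypt');
  const encryptedBytes = new Uint8Array(await subtle.encrypt(
    { name: 'AES-GCM', iv }, aesKey, new TextEncoder().encode(secretData)));
  // Package layout: 32B salt + 12B IV + encrypted data (ciphertext and tag).
  const pkg = new Uint8Array(SALT_BYTES + IV_BYTES + encryptedBytes.length);
  pkg.set(salt, 0);
  pkg.set(iv, SALT_BYTES);
  pkg.set(encryptedBytes, SALT_BYTES + IV_BYTES);
  return toBase64(pkg);
}

async function decryptData(encryptedPackage, password, iterations = ITERATIONS) {
  const bytes = fromBase64(encryptedPackage);
  if (bytes.length < SALT_BYTES + IV_BYTES + TAG_BYTES) {
    throw new RangeError('encrypted package is too short');
  }
  const salt = bytes.slice(0, SALT_BYTES);
  const iv = bytes.slice(SALT_BYTES, SALT_BYTES + IV_BYTES);
  const encryptedData = bytes.slice(SALT_BYTES + IV_BYTES);
  // This resolves for ANY password: PBKDF2 just produces a different key.
  const aesKey = await deriveAesKey(password, salt, iterations, 'decrypt');
  try {
    const plain = await subtle.decrypt({ name: 'AES-GCM', iv }, aesKey, encryptedData);
    return new TextDecoder().decode(plain);
  } catch (err) {
    // The GCM tag check is the only place a bad key or altered data shows up.
    throw new Error('decrypt failed: wrong password, iteration count, or modified data');
  }
}

// Runs the cases on a constructed sample and reports each outcome.
async function demo(iterations = ITERATIONS) {
  const secret = 'constructed sample secret';
  const pkg = await encryptData(secret, 'correct horse', iterations);
  const outcome = (promise) => promise.then(() => 'ok', () => 'rejected');
  const tampered = fromBase64(pkg);
  tampered[tampered.length - 1] ^= 1; // flip one bit of the stored data
  return {
    packageBytes: fromBase64(pkg).length,
    roundTrip: await decryptData(pkg, 'correct horse', iterations),
    wrongPassword: await outcome(decryptData(pkg, 'wrong horse', iterations)),
    wrongIterations: await outcome(decryptData(pkg, 'correct horse', iterations + 1)),
    tampered: await outcome(decryptData(toBase64(tampered), 'correct horse', iterations)),
    tooShort: await outcome(decryptData(toBase64(tampered.slice(0, 40)), 'correct horse', iterations)),
  };
}
```

Calling `demo()` resolves to an object with one entry per case; because the iteration count is not stored in the package, changing it later makes existing data undecryptable.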

POLYFILL
You CANNOT polyfill random number generation.
Stanford Javascript Crypto Library (SJCL)

Performance
[Chart: PBKDF2 (250K), Native vs SJCL, Desktop - MBP 2016. Bar labels: 1203ms, 132ms]
[Chart: PBKDF2 (250K), Native vs SJCL, MOBILE - Pixel 1. Bar labels: 4310ms, 137ms]
[Chart: AES (1 KB), Native vs SJCL, Desktop - MBP 2016. Bar labels: 3.2ms, 0.3ms]
[Chart: AES (1 KB), Native vs SJCL, MOBILE - Pixel 1. Bar labels: 4.8ms, 1.1ms]
[Chart: AES (10MB), Native vs SJCL, Desktop - MBP 2016. Bar labels: 3015ms, 27ms]
[Chart: AES (10MB), Native vs SJCL, MOBILE - Pixel 1. Bar labels: 7781ms, 195ms]

WEB WORKERS
[Diagram: MAIN THREAD and WEB WORKER exchanging bytes to encrypt/decrypt, user password bytes, and encrypted/decrypted bytes]

Thank You
@erniewturner
ernieturner
@ironcorelabs
ironcorelabs.com
Ernie Turner
