https://aznot.com/index.php?action=history&feed=atom&title=OpenWest_2014%2FCargo_Cult_SecurityOpenWest 2014/Cargo Cult Security - Revision history2026-04-30T05:52:31ZRevision history for this page on the wikiMediaWiki 1.41.0https://aznot.com/index.php?title=OpenWest_2014/Cargo_Cult_Security&diff=46&oldid=prevKenneth at 15:24, 11 May 20142014-05-11T15:24:07Z<p></p>
<p><b>New page</b></p><div>by Derrick Isaacson <br />
<br />
Cargo Cult Security 2014_01_18 - http://www.slideshare.net/DerrickIsaacson/cargo-cult-security-20140118<br />
<br />
Github - https://github.com/disaacson/cargo-cult-security<br />
<br />
Zimmermann Telegram - Mexico German war<br />
<br />
Cypher text, plain text<br />
<br />
Symmetric Key Cryptography (Private-key Cryptography)<br />
<br />
Blowfish, twofish, serpent, aes (rijndael) cast5, rc4, 3des, idea<br />
<br />
Ctrypto Primitives & Goals - https://oracleus.activeevents.com/2013/connect/sessionDetail.ww?SESSION_ID=6325<br />
<pre><br />
Crytpo Primitives Hash MAC Symmetric Key Asymmetric Key Digital Digital<br />
Salted Hash HMAC Crypto Crypto Signature Certificates<br />
<br />
Security Goals<br />
--------------------------------------------------------------------------------------------------------------------<br />
<br />
Data Integrity XXX XXX XXX<br />
<br />
Data Authentication XXX XXX XXX<br />
<br />
Non-Repudiation XXX XXX<br />
<br />
Confidentiality XXX XXX*<br />
<br />
Trust XXX<br />
</pre><br />
* Public key can be used to encrypt data that can only be decrypted with private key<br />
<br />
Love HMACs<br />
<br />
Cargo Cult Programming - Ritualistic inclusion of code or patterns that are unnecessary for the task at hand.<br />
<br />
Anti-pattern: authentication<br />
* using encryption for authentication is bad. Use HMAC instead<br />
* don't use symmetric key alone, as flipping a bit will just bump IDs to the next<br />
* Use HMAC<br />
<br />
Anti-pattern: Integrity<br />
* Symmetric key is only good for confidentiality<br />
* HMAC good for Data Integrity and Data Authentication<br />
<br />
Anti-pattern: Encryption Modes<br />
* Electronic Codebook (ECB) mode encryption<br />
** can do bit mapping (think picture) hack to get an idea of contained data<br />
* Cipher Block Chaining (CBC) mode encryption<br />
** avoids the patterns found among blocks of ECB<br />
<br />
Anti-pattern: Initialization Vector<br />
* Avoid same data being encrypted repeatedly looking the same<br />
* Cipher-block chaining prevents patterns within messages<br />
* Correct IV prevents patterns across messages<br />
<br />
Anti-pattern: Random Values<br />
* Finding linear congruential seed<br />
<br />
Anti-pattern: Psuedo-random Session IDs<br />
* really only ~20 bits of entropy<br />
* HMACs and secure random<br />
** do not use sessions - use HMACs - seriously<br />
<br />
No Cargo Cult Security:<br />
# Identify true security goal.<br />
# Find correct crypto primitive.<br />
# Spend some time to learn about it.<br />
# Write as little of your own crypto code as possible.</div>Kenneth