Help Irongeek.com pay for bandwidth and research equipment:
Practical Crypto Review for Developers - David Dillard (BSides Tampa 2020) (Hacking Illustrated Series InfoSec Tutorial Videos)
Practical Crypto Review for Developers
David Dillard
BSides Tampa 2020
Abstract: Cryptography is hard. It's hard because there are often a number of mistakes a developer can make when writing cryptographic code, but there's no easy way for the developer to look at the ciphertext or use unit tests to know that he made any mistakes. As long as the data can be correctly decrypted the developer usually assumes everything is fine, when in fact there may be issues that a knowledgeable attacker could take advantage of to recover the plaintext data. The easiest way to find such issues is to review how the crypto was done, but what should someone look for in such a review?
This presentation will cover both common and not so common mistakes made with crypto I've encountered when performing crypto reviews and that have otherwise been made public, e.g. in news articles, blogs posts or CVEs. It will give attendees a number of practical things they can look for in performing crypto reviews of their own software. Examples of topics that will be covered include random number generation, the use of salts, salt generation, key generation, key derivation, IV generation, nonce generation and why developers should prefer AEAD ciphers.
Bio:
David has worked as a software professional for over 30 years. The first part of his career was spent developing mass storage software. During this time he represented several employers in storage related standards organizations, primarily the Storage Networking Industry Association (SNIA). For the last ten years he's been involved in application security, including five years in the product security group at Symantec. In his current position he focuses primarily on the management of third party software and cryptography.