A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Affiliates:
Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


Practical Crypto Review for Developers - David Dillard (BSides Tampa 2020) (Hacking Illustrated Series InfoSec Tutorial Videos)

Practical Crypto Review for Developers
David Dillard
BSides Tampa 2020

Abstract:
Cryptography is hard. It's hard because there are often a number of mistakes a developer can make when writing cryptographic code, but there's no easy way for the developer to look at the ciphertext or use unit tests to know that he made any mistakes. As long as the data can be correctly decrypted the developer usually assumes everything is fine, when in fact there may be issues that a knowledgeable attacker could take advantage of to recover the plaintext data. The easiest way to find such issues is to review how the crypto was done, but what should someone look for in such a review? This presentation will cover both common and not so common mistakes made with crypto I've encountered when performing crypto reviews and that have otherwise been made public, e.g. in news articles, blogs posts or CVEs. It will give attendees a number of practical things they can look for in performing crypto reviews of their own software. Examples of topics that will be covered include random number generation, the use of salts, salt generation, key generation, key derivation, IV generation, nonce generation and why developers should prefer AEAD ciphers.

Bio:
David has worked as a software professional for over 30 years. The first part of his career was spent developing mass storage software. During this time he represented several employers in storage related standards organizations, primarily the Storage Networking Industry Association (SNIA). For the last ten years he's been involved in application security, including five years in the product security group at Symantec. In his current position he focuses primarily on the management of third party software and cryptography.

Back to BSides Tampa 2020 video list

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast