Friday, May 16, 2014

Dev basics: Using cryptography

Cryptography is different from other fields of programming. It is very very tricky and you cannot check whether your code is correct by just running the program (like you can do with, for example, graphics). Security holes are pretty much invisible but at the same time you need to be the first person to discover them. If someone beats you and misuses the discovery, you're in trouble.

And because cryptographic errors cannot be tested in any simple way, developers need to focus on correct implementation in the first place. What does this mean?

1. Don't invent your own algorithms

We have AES, RSA, DSA, ECDSA and so on. If you are making a real world application that is going to protect some sensitive data, don't even think about making your own encryption algorithm. Doing that is fine if you're just playing with encryption for fun or are a seasoned cryptographic researcher who eats algebra for breakfast. In production, you can just as well go juggling grenades.

2. Assume the attacker knows what algorithms you use

Relying on the attacker not knowing which cryptographic primitives you are using is about as safe as jumping off a cliff. Security is ensured by using secret keys and correct algorithms. If you make the mistake of violating this principle and an attacker discovers how you app works (every kid can use disassembly of Python, Java, .NET nowadays), what are you going to do about it? Try to change the implementation in 10 hours and ship a critical update? Building the security of your system on trying to hide implementation details ensures nothing but headache.

3. Use crypto primitives in exactly the way they are designed to be used

To stay secure (and enjoy the feeling of extra protection, dryness and safety!), you need to use cryptographic primitives in exactly the same way they were designed to be used and in no other way. There is a number of tools in the cryptographer's toolbox and each of them has a different purpose. Let's list some of them:
  • symmetric encryption (AES, Twofish, ...)
    purpose: Hide data from an attacker using a key known to both parties.
    incorrect use: trying to use encryption to prove the author of a message
  • asymmetric encryption (RSA, ...)
    purpose: hiding data from an attacker using an asymmetric key
  • hash functions (SHA)
    purpose: get a fixed length data digest from a long message that doesn't allow getting any info about the original message
    incorrect use: trying to ensure that an attacker hasn't changed the message along the way
    incorrect use: checking if the entered encryption password is correct
  • password based key derivation functions (PBKDF2, scrypt...)
    purpose: generating a key for encryption algorithm from a password
    incorrect use: not using PBKDF at all and putting the password directly into the encryption algorithm
  • digital signatures (DSA, ECDSA, RSA, ...)
    purpose: ensure that the holder of private key really authored the message
    incorrect use: out of ideas how to abuse this
  • message authentication codes (MAC)
    purpose: making sure that the message has not been changed on the way when both parties share a secret key
    incorrect use: not using it when data integrity is important
  • key agreement protocol (Diffie-Helman, ...)
    purpose: You have two parties and they know each other's public key. This allows you to generate a shared secret using the public keys.

4. Handle parameters correctly

For example, encryption algorithms usually work in block modes and it's up to you to choose the block operation mode according to your needs. If you use ECB, I'm sorry and you can say "bye bye" to your privacy (unless your data is smaller than 128 bits). 

Block modes also need a random IV and that data must be transmitted together with the cryptotext. It's a hassle, but if you come up with a "solution" such as generating the IV from the password, you're violating the rule number 3 (do what you are told to do and don't make your own solutions) and defeating the entire purpose of the IV (which is to ensure that you always generate different cryptotexts even when reusing parts of data or password).

More complicated encryption schemes (such as ECIES) need some other data to be also transmitted with the message. Again, you have to implement this exactly according to the spec and refrain from custom inventions such as reusing the ephemeral curve, otherwise you are compromising your own data security.

Conclusion

This article is merely a short summary, it doesn't provide the why for the rules. Usually, the reason is that incorrect use either enables some unexpected way for the attacker to get your data, to tamper with them or to calculate statistical information about them, which is also more serious than most people would expect. You can always find the answers are out there on the internet in specifications of the individual primitives.

A very useful article is Cryptographic right answers.


Thursday, May 1, 2014

Philippines impressions

Philippines, the land of crystal clear sea, beautifully rich marine life and dreamy sunsets over the Bacuit Archipelago. This is the place you see on all the travel package promotional materials and it still looks twice as awesome in real life than on the picture.



The people who are not involved in the ruthless fight for tourist's money are very nice. The folks we stayed at in El Nido and Puerto Princesa were really kind-hearted and we had a few nice chats with them. We even took nice photos!
When I got a flat tire with a rented motorbike, a tricycle driver stopped by and tried to fix it for me, using his home made equipment. I was just standing by, clueless :)

Diving in El Nido. Take one beautiful, unspoiled place on the planet and mix it with the adventure of doing a diving course there. Together with the cool people at Deep Blue Seafari, it's one of the bigger experiences of your life. The underwater world is amazing and so lively in El Nido. It's also great to learn a new skill. I'm already looking up what it takes to get the next level of diving certification.


I loved the jeepneys in Cebu City. They are the easiest way to get around the city, ever. Just figure out where you need to go, look for a car that has your destination written on the side and wave it down. Ask the driver to tell you where should you get off. And it only costs ... well almost nothing. The drivers must love their cars, they decorate them with spray paintings depicting all sorts of stuff, including Jesus, eagles, landscapes or just abstract patterns.


In Bohol, Panglao island, things are getting very touristy and it stops being pleasant. People are trying to sell you stuff every 10 minutes ... not very conductive to a nice relax on the beach. But the Bohol interior is still a thing to see, offering rice fields, rainforests, churches and the Chocolate Hills (they look meh on photos, but in real life they're pretty cool). And if you have a moment or ten, stop by Nuts Huts!

The expat bubble

There are two worlds in Hong Kong. On one side, the local Chinese world with small street-side dim sum restaurants and Chinese medicine shops. On the other side, a place full of English, Irish, German, French restaurants, countless bars and clubs and expensive fashion shops. To some extent, the local, Chinese feel is found in Kowloon and anywhere north from there, the other place, the expat feel, is on Hong Kong Island, mostly Central and Wan Chai.

These areas provide the so-called expat bubble. People who were moved in their jobs from Europe to the Orient are going to look for their familiar environment, familiar home food and likely also hang out with similar people in western-style bars. I also enjoy my Western food every time I get it and drool over any cheese and crispy bread I can find ;) But some of them never get out of that bubble even though something new, interesting is waiting just across the harbour. And when I mention a well known place in Kowloon, they'd say, "I've heard about Kowloon but haven't been there". After 5 years of living in HK. I'm having trouble understanding that.

And if you never venture outside of the expat bubble that has been prepared for you by some other people, you'll never see the outside and therefore won't be able to take the good & useful things into your life. You'll just keep using what's already inside your bubble but the problem is that those things were not selected by you so you can't know if it's the best choice. Without venturing into the local world (which is right outside the bubble!), you'll never see the way of life of the local people and you'll never have the opportunity to see that there might be something to the local way of life. You can miss out on opportunities.

See you in Chung King Mansions ;)