© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Eric Brandwine, AWS Senior Principal Security Engineer
December 1, 2016
Encryption
It Was the Best of Controls,
It Was the Worst of Controls
SAC306
A tale of two
ciphers
datasets
What is this talk?
Why Encrypt?
PCI:DSS Requirement 3: Protection at rest
PCI:DSS Requirement 4: Encrypt on the network
"A covered entity must, in accordance with §164.306…
Implement a mechanism to encrypt and decrypt electronic
protected health information.” (45 CFR § 164.312(a)(2)(iv))
Etc., etc., etc.
Encryption is
HARD
Encryption is
EXPENSIVE
Encryption is
worth it
(sometimes)
MATH
+ + =
A recipe
MATH
+ + =
Unbreaking an egg
How I thought crypto failed
How crypto actually fails
Primitives, Modes, and Protocols
MATH
+ + = Super_Secret_Message
S u p e r _ S e
E n c r y p t e
Block
Cipher
c r e t _ M e s
d _ C i p h e r
Block
Cipher
…
TLS as a protocol
Arbitrarily bad
network
(The Internet)
Confidentiality
Server authentication
Tamper evidence
Replay protection
…
A leak!
MATH
+ + = Awfully_Awfully_Secret
A w f u l l y _
E n c r y p t e
Block
Cipher
A w f u l l y _
E n c r y p t e
Block
Cipher
…
A big pile of crypto
Primitive
Protocol
Mode
Primitive
Protocol
Mode
Primitive
Mode
We believe
Crypto here and crypto there
Encryption in transit
A tale of one cipher
Super_Secret_Message
S u p e r _ S e
E n c r y p t e
Stream
Cipher
c r e t _ M e s
d _ C i p h e r
K e y s t r e a m _ b y t e s _
⨁ ⨁⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁
RC4
RC4 timeline
1987: Created by Rivest at RSA
1994: Anonymously leaked
1995: Included in SSL
1999: RFC 2246, TLS 1.0
Use RC4,
don't use RC4,
I don't care
A wild BEAST appears
Browser Exploit Against SSL/TLS
Cipher Block Chaining
E n c r y p t e
Block
Cipher
d _ C i p h e r
Block
Cipher
…
Awfully_Awfully_Secret
A w f u l l y _ A w f u l l y _
⨁ ⨁IV
Chosen Plaintext Attack
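$x \oplus A \oplus A = x$
$C_i = \mathrm{AES}(k, C_{i-1} \oplus P_i)$
We want to decrypt $C_i$ and obtain $P_i$.
Pick $m$ as a guess for $P_i$.
Let $P_j = C_{j-1} \oplus C_{i-1} \oplus m$
$C_j = \mathrm{AES}(k, C_{j-1} \oplus P_j)$
$C_j = \mathrm{AES}(k, C_{j-1} \oplus C_{j-1} \oplus C_{i-1} \oplus m)$
$C_j = \mathrm{AES}(k, C_{i-1} \oplus m)$
Thus, $m = P_i$ iff $C_j = C_i$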
Blockwise Chosen Boundary Attack
POST /A HTTP 1.1\r\nCookie: SessionID=XXXX
POST /AAAAAA HTTP 1.1\r\nCookie: SessionID=XXXX
Let m = ‘P 1.1\r\nCookie: a’
Let m = ‘P 1.1\r\nCookie: b’
Let m = ‘P 1.1\r\nCookie: S’
…
POST /AAAAA HTTP 1.1\r\nCookie: SessionID=XXXX
Let m = ‘ 1.1\r\nCookie: Sa’
…
$C_j \neq C_i$
$C_j \neq C_i$
$C_j = C_i$
Assume the cookie is 16 characters, one full block.
Guessing the entire cookie at once:
$2^{128}$ guesses (worst case)
= 340,282,366,920,938,463,463,374,607,431,768,211,456
Guessing the entire cookie one byte at a time:
$16 \times 2^{8}$ guesses (worst case)
= 4,096
That’s $2^{116}$ times faster or just
0.0000000000000000000000000000000012%
as many guesses
The short version
If:
I can cause your client to make requests
JavaScript
I can control block alignment
I can sniff the resulting TLS traffic
There is a repeated field worth stealing
Cookies
Then:
I can guess byte-wise rather than block-wise
RC4 timeline
1987: Created by Rivest at RSA
1994: Anonymously leaked
1995: Included in SSL
1999: RFC 2246, TLS 1.0
2011: BEAST
Use RC4,
don't use RC4,
I don't care
Use RC4!!!
But….
If:
I can cause your client to make requests
JavaScript
I can control block alignment
I can sniff the resulting TLS traffic
There is a repeated field worth stealing
Cookies
Then:
I can guess byte-wise rather than block-wise
Defense in depth
Includes timestamp!
The end approaches
RC4 timeline
1987: Created by Rivest at RSA
1994: Anonymously leaked
1995: Included in SSL
1999: RFC 2246, TLS 1.0
2011: BEAST
2013: Statistical biases
2015: RFC7465, Nope!
Use RC4,
don't use RC4,
I don't care
Use RC4!!!
Oh my, no way!
IoT, the Internet of Television
I like RC4, AES, and 3DES
In that order.
Cool! Let's use AES
'cause RC4 is broken
LIES!
Don't fly blind
2015-05-13T23:39:43.945958Z my-loadbalancer
192.168.131.39:2817 10.0.0.1:80 0.000086 0.001048 0.001337
200 200 0 57 "GET https://www.example.com:443/ HTTP/1.1"
"curl/7.38.0" DHE-RSA-AES128-SHA TLSv1.2
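Added example (not from the original slides): one way to act on "Don't fly blind" is to tally the negotiated cipher and protocol, the last two fields of each load balancer access log entry, and flag the suites this talk calls out. The field names, the flag labels and every log line except the first (the slide's own entry, joined onto one line) are constructed for illustration.

```python
import shlex
from collections import Counter

# Field order of a classic ELB access log entry, as in the slide's sample.
# These key names are our own labels for the positions.
FIELDS = (
    "timestamp", "elb", "client", "backend",
    "request_processing_time", "backend_processing_time",
    "response_processing_time", "elb_status_code", "backend_status_code",
    "received_bytes", "sent_bytes", "request", "user_agent",
    "ssl_cipher", "ssl_protocol",
)


def parse_line(line):
    """Split one log entry into a dict; return None if it is malformed."""
    try:
        tokens = shlex.split(line)  # honours the double-quoted fields
    except ValueError:              # e.g. an unterminated quote
        return None
    if len(tokens) < len(FIELDS):
        return None
    return dict(zip(FIELDS, tokens))


def classify(cipher, protocol):
    """Return the concerns from the talk that apply to a negotiated suite."""
    flags = []
    if cipher in ("-", ""):
        return flags                       # plain HTTP listener, no TLS
    if "RC4" in cipher:
        flags.append("RC4")                # prohibited by RFC 7465
    if "DES-CBC3" in cipher or "3DES" in cipher:
        flags.append("3DES")
    if cipher.startswith(("DHE-", "EDH-")):
        flags.append("DHE")                # finite-field DH: check group size
    if protocol in ("SSLv3", "TLSv1") and "RC4" not in cipher:
        flags.append("CBC-on-TLS1.0")      # the BEAST precondition
    return flags


def audit(lines):
    """Count entries per (cipher, protocol) and attach flags to each pair."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["ssl_cipher"], rec["ssl_protocol"])] += 1
    return [(n, cipher, proto, classify(cipher, proto))
            for (cipher, proto), n in counts.most_common()]


SAMPLE_LINES = [
    # The entry shown on the slide, joined onto one line.
    '2015-05-13T23:39:43.945958Z my-loadbalancer 192.168.131.39:2817 '
    '10.0.0.1:80 0.000086 0.001048 0.001337 200 200 0 57 '
    '"GET https://www.example.com:443/ HTTP/1.1" "curl/7.38.0" '
    'DHE-RSA-AES128-SHA TLSv1.2',
    # Everything below is constructed sample data.
    '2015-05-13T23:39:44.100000Z my-loadbalancer 192.0.2.10:40112 '
    '10.0.0.1:80 0.000070 0.001100 0.000020 200 200 0 57 '
    '"GET https://www.example.com:443/ HTTP/1.1" "ExampleBrowser/1.0" '
    'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2',
    '2015-05-13T23:39:45.200000Z my-loadbalancer 192.0.2.11:40113 '
    '10.0.0.1:80 0.000071 0.001200 0.000021 200 200 0 57 '
    '"GET https://www.example.com:443/ HTTP/1.1" "ExampleBrowser/1.0" '
    'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2',
    '2015-05-13T23:39:46.300000Z my-loadbalancer 192.0.2.12:40114 '
    '10.0.0.1:80 0.000090 0.001300 0.000022 200 200 0 57 '
    '"GET https://www.example.com:443/ HTTP/1.1" "ExampleTV/1.0" '
    'RC4-SHA TLSv1',
    '2015-05-13T23:39:47.400000Z my-loadbalancer 192.0.2.13:40115 '
    '10.0.0.1:80 0.000050 0.001000 0.000020 200 200 0 57 '
    '"GET http://www.example.com:80/ HTTP/1.1" "curl/7.38.0" - -',
    'truncated entry "with an unterminated quote',
]

if __name__ == "__main__":
    for n, cipher, proto, flags in audit(SAMPLE_LINES):
        print(f"{n:5d}  {proto:8s} {cipher:32s} {', '.join(flags) or 'ok'}")
```

Run over real logs, the per-suite counts show which clients would be cut off before a cipher is retired.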
We've got a logjam
Diffie Hellman key agreement
Tackling the discrete log problem
512 bit: 50 core-years 35 core-minutes
768 bit: 36.5k core-years 2 core-days
1024 bit: 45M core-years 30 core-days
Meet SSL Labs
Diffie-Hellman in S3
Every webserver thread creates a new prime at startup
>> 10k primes in use at any time
We fingerprint the ClientHello and alter our response
Browsers are not offered DHE
SSL Labs gets a different view than your browser
https://github.com/awslabs/s2n
The bathtub curve of change
How scary is it?
How often does it happen?
Encryption at rest
MATH
+ + =
Our recipe
MATH
Following the recipe
This is a human
She's a beauty! Low, low miles!
This one, not so much
Data
Encryption
Standard
1975: Published
1976: Approved as a standard
1977: FIPS
1992: Differential cryptanalysis
1998: First public break
1998: Break in 58 hours
1999: Break in 22 hours
2006: COPACOBANA: 9 days, $10,000
MATH
+ + =
Another recipe
MORE
MATH
Keys are sensitive
Ciphertext is sensitive
Keep your ciphertext close
MATH
Oblivious clients
Keys in the network
Keys on disk
Keys are long term sensitive
Ciphertext is long term sensitive
How we do this in S3
S3
Storage
Backend
S3 Web
AWS KMS
Encryption is HARD
Encryption is EXPENSIVE
Encryption is worth it
(sometimes)
In theory, there's no
difference between theory
and practice.
In practice, there is.
Thank you!
Remember to complete
your evaluations!
Rules of Crypto
Rule #1: Don’t do it unless you’re an expert
Rule #2: You’re not an expert
Rule #3: You’re going to screw it up, even if you are an
expert
