In today's internet connected environment protection from hackers when developing a distributed or internet connected application is crucial. This talk will discuss the options available to us as developers for encrypting the traffic between the nodes of our distributed applications to insure that even intercepted messages are un-readable, and un-encryptable by an adversary. To achieve this we will use one-time and self-destructible private keys, along with dispensable, one-use secrets to generate our encrypted message. We will then learn how to structure our message for transmission to insure it is decryptable by the receiving party, with little risk of being compromised during transmission. To end, we will learn how to decrypt the messages received "on the fly", using only the supplied crypted message itself. This talk is aimed at mid-level Python users but is understandable by beginners.
1. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
Hi, I'm Jeff
2. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
The need for applications to speak in encrypted
messages is no longer an after-thought it is
a requirement
3. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
What is End-to-End Encryption?
4. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
A method of communicating where only the
authorized users can read the messages
5. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
This method is used by apps like
WhatsApp & Signal
6. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
It prevents man-in-the-middle attacks
7. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
If done right, you need physical access
to read the communications
8. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
Even if an ISP is asked to supply a customers
communications, it will only appear as..
9. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
The recent WikiLeaks show that even..
The CIA could not break End-to-End Encryption
10. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
They had to create malware that “uses” the app on
your phone in order to read the messages.
Or
Keyloggers that capture the message as you
enter it into the program before it is encrypted
11. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
So how do we implement this?
12. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
We want our system to be
as secure as possible
13. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
We don't want to store our keys somewhere
they can be hacked/stolen. They need to be
generated and one-time use only.
14. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
Give Me Your Keys!!!
15. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
What Keys?
16. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
When encrypting our messages, we also don't
want to know the password. They need to be
generated and one-time use only.
17. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
We want to use the
strongest encryption available
18. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
Not SHA-1 ;)
Thanks Google!
19. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
We want to sign our message so we
know it was not tampered with during transit.
20. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
We don't want someone monitoring our network
traffic to easily recognize the format of our
messages. The structure should be random.
21. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
What are some of options we have?
22. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
Option 01:
JSON Web Tokens
24. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
The Benefits
25. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
Our payload is encrypted into a small packet
26. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
We can use different algorithms
27. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
The Problems
28. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
There are too many constants, even when the
payload and secret are different
30. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
This is partly because the header contains
information about what algorithm
is used and the type of token
So it will remain constant if these are the same
31. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
The separator is always a period
32. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
The secret is embedded into our code
33. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
Is there a better way?
39. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
The secret is generated for us
and destroyed after use
40. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
The Problems
41. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
Our separator could be more random
It is currently a random three digit number
42. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
The message size is much bigger
vs
43. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
The Differences
45. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
In JSON Web Tokens (JWT)
Even with a new secret,
parts of the message structure
and output are always the same
46. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
In blanket
Our secret is random and
the output is always different,
even with the same input
47. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
Things We Can Improve
48. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
We can randomize the size and location of the
separator to further disguise the
structure of our messages
49. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
We can use a hardware secret generator
Like YubiKey or Embedded Chips
50. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
Over time our own sequence, even though more
random, could be discovered. So we should
constantly improve our own code and
think of ways to break it
51. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
Nothing is ever “secure enough”!
52. End-to-End Encryption in Distributed Applications
@jeffinkoguru – emailme@jeffinko.guru
For more information you can visit..
github.com/jpadilla/pyjwt
or
github.com/JeffinkoGuru/blanket