
Wednesday 1:20 p.m.–4:40 p.m.

What to do when you need crypto

Jarret Raim, Paul Kehrer

Audience level:
Intermediate
Category:
Security

Description

The cryptographic world doesn't lend itself to the typical developer flow of learning while doing. Add to that the massive amount of bad or outdated information on the web, and many developers are lost or, worse, build insecure systems. This tutorial will introduce developers to modern cryptography with an eye towards practical scenarios around password management, encryption and key management.

Abstract

Learning how to implement cryptography correctly is hard. Developers typically learn while doing, using online and local resources and trying and retrying until the code does what they want. Unfortunately, cryptography can't generally be learned in this manner, because doing it wrong tends to be indistinguishable from doing it right without a significant amount of effort. This tutorial is designed to help developers over this hump. We'll be covering general cryptography principles and best practices as well as the following topics:

_Passwords & Authentication_ - We will cover general authentication topics to help developers choose between the various authentication schemes, including password hashing and key derivation functions like PBKDF2, scrypt or bcrypt and key-based methods using asymmetric crypto. We will then cover how to implement these systems in Python with an eye towards usage in common frameworks.

_Data at Rest Encryption_ - Data in applications comes in a huge variety of forms. We will review options for encrypting data and the pros and cons of each method. Once we've covered the cryptographic primitives, we'll cover how to use them securely in common cases and how and when to extend them.

_Signing & Verification_ - Many applications don't want to encrypt data for various reasons (performance, debuggability, etc.) but do want to be able to verify that information hasn't been tampered with or that it comes from a known, valid user. In this section, we'll cover the use cases and standards around signing & verification and walk attendees through the implementation of these types of schemes.

_Key Management_ - All encryption schemes are only as secure as their keys. In this session, we'll review the various types of key management for applications and review which type will be appropriate in different scenarios. We'll then walk through an implementation of one or more key management schemes using open source software.
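The password-hashing and signing topics above map onto two small Python routines. The example below is added here as an illustration and is not code from the tutorial or its speakers; it uses only the standard library (`hashlib.pbkdf2_hmac`, `hmac`) so it runs offline. The iteration count, the salt size and the `pbkdf2_sha256$iterations$salt$hash` storage format are assumptions chosen for the example, as are the function names.

```python
import base64
import hashlib
import hmac
import os

# Assumed policy for this example: PBKDF2-HMAC-SHA256 with a 16-byte random
# salt. Tune the iteration count to your own hardware and latency budget.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash a password for storage.

    The result is self-describing (algorithm, iterations, salt, hash) so the
    verifier never has to guess parameters and the policy can be raised later.
    """
    salt = os.urandom(SALT_BYTES)  # fresh per password: equal passwords hash differently
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Check a password against a stored hash; malformed records verify as False."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations)
        )
    except ValueError:  # bad field count, bad base64, or non-integer iterations
        return False
    # Constant-time comparison so a wrong guess does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when the stored record uses fewer iterations than current policy.

    Call this after a successful login and re-hash with the plaintext you just
    verified, which is the only moment the server has it.
    """
    return int(stored.split("$")[1]) < iterations


def sign_message(key: bytes, message: bytes) -> str:
    """Produce an HMAC-SHA256 tag (URL-safe base64) for an unencrypted message."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode("ascii")


def verify_message(key: bytes, message: bytes, tag: str) -> bool:
    """Reject a message whose tag is missing, malformed, or made with another key."""
    try:
        provided = base64.urlsafe_b64decode(tag)
    except ValueError:
        return False
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(provided, expected)


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("login ok:", verify_password("Tr0ub4dor&3", record))

    session_key = os.urandom(32)  # in practice: loaded from a key store, not generated per run
    payload = b"user=alice;role=user"
    tag = sign_message(session_key, payload)
    print("tag valid:", verify_message(session_key, payload, tag))
    print("tag valid:", verify_message(session_key, b"user=alice;role=admin", tag))
```

Two points the code makes explicit: the stored record carries its own parameters, which is what lets `needs_rehash` raise the work factor over time, and both verification paths go through `hmac.compare_digest` rather than `==`. The HMAC helper signs but does not encrypt, matching the "verify it wasn't tampered with but keep it readable" case described above; it offers no confidentiality.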

Student Handout

No handouts have been provided yet for this tutorial
