
Okay, welcome everybody. Many of you attended my talk at the Rochester Security Summit, so just to give you a heads up, this is pretty much a repeat. The talk is about developer crypto mistakes, but I want you to know this is not some industry consensus; these are my own observations from about seven years of looking at two hundred plus projects, about 80 of them design reviews and the rest code inspections, from small projects of maybe ten thousand lines of code up to larger projects of, say, eight million lines of code. I figure eight million lines of code needs some kind of assist.

Anyway, they say you're supposed to start a talk with a joke. I'm a Java guy, so bear with me. The only important thing really is that I've been around the block, I'm still passionate about application security, and I consider myself more of a developer than an infosec person. The joke I was going to use was about elliptic curves: the problem with all the elliptic curve jokes is that they're really indistinguishable from random points.

So here's what we'll cover: some good news and bad news, then the mistakes in four areas, and then, if I have time, which I probably won't because I ramble on sometimes, some key management and transparent database encryption.

First the good news. I have not seen developers designing their own crypto for a long, long time, which is great, and they very rarely implement their own crypto algorithms anymore. In fact in the past seven years I've only seen two examples, one was Blowfish and one was an algorithm called TEA, the Tiny Encryption Algorithm. The bad news is that most developer crypto expertise still comes from copy and paste off Stack Overflow, so they get a lot of things wrong. In particular there's confusion between confidentiality, which is the secrecy that encryption provides, and authenticity, which is what provides data integrity, detecting that something has been tampered with. Not every algorithm and not every cipher provides the same thing. Speaking of ciphers, most people don't have a clue what a cipher mode is, and that causes problems too. There are these extra components, cipher modes, which are how you combine successive blocks of a block cipher, and padding schemes, which are what you do if the data doesn't end on a block boundary. More bad news: there's a lot of broken crypto still out there in legacy applications; you still see DES and the like. And sometimes even the experts get things wrong, look at OpenSSL or PGP. I was recently looking on CVE Details and I counted that in the last three years alone there were 23 CVEs for OpenSSL, and those people have some really sharp crypto guys; I know some of them, I've worked with some of them, but the code base is large.

So the first thing I want to mention is that people get random number generation wrong. If you don't have a good source of random numbers underneath, your crypto is broken. How many people here were at the previous talk? When Joe talked about the elliptic curve DRBG, that was one of the backdoored algorithms. A backdoored generator just shows you: if my keys come out of a predictable generator and somebody can predict the keys, it's game over. So cryptography requires strong random number generators. java.util.Random is not strong, it's not even a CSPRNG; the right thing in Java is to create an instance of SecureRandom. The other thing is that even when you're using a cryptographically strong generator you need an unpredictable seed, and the entropy of the seed has to be at least as large as the generator's internal state.

So if anybody here does code inspections, or if you're a developer, these are the things to look for, or the mistakes not to make. Look for java.util.Random being used for anything related to crypto, like keys, IVs or nonces (a nonce is a number used once). And by the way, if I'm unclear on a term because I forget to define something, please raise your hand or shout it out. Also look for a CSPRNG being seeded with insufficient entropy. For example the SHA1PRNG generator, which is what you get as the SecureRandom default on some platforms, has a 160-bit state, so you have to give it at least 160 bits of seed. One mitigation, at least if you're running on a Linux or UNIX system where /dev/urandom is readable, is that it uses that for its seed material. Here's an example of how to do it correctly. The important thing about calling SecureRandom.setSeed is that you do it before calling nextBytes or nextInt. Fortunately it turns out that it seeds itself sufficiently well if you don't seed it at all, but if you run with the same SecureRandom instance for a long time you might decide to reseed it periodically, every couple of billion calls or so.

Hashing weaknesses: what to look for? There are completely broken algorithms, MD2, MD4, MD5; those shouldn't be used anymore. People use cyclic redundancy checksums when they should really be using a secure hash. You should have moved a long time ago to SHA-256, SHA-512 or Keccak, which is SHA-3. The other thing is to consider your threat model when you're comparing hashes. If you're concerned about internal attackers, timing attacks are doable; if your threat model is only external attackers over a network you don't have to worry about this too much. But it turns out a lot of people Base64 encode the hashes and then use String.equals to compare them, or Arrays.equals to compare the raw arrays, and both of those are timing dependent. Before JDK 1.6, MessageDigest.isEqual was also timing dependent, but now it's constant time regardless of the algorithm. The other thing is that MessageDigest is vulnerable to denial of service: if you call digest or update, make sure you've bounded the input, because if you let somebody feed in unbounded input your server disappears into hashing for a while.

A lot of times you see people using hashes as message authentication codes. A MAC is a keyed hash where the key is some secret value, usually shared, and a lot of people roll their own: you see them concatenate the key onto the message and hash it. That's bad; that's vulnerable to what's known as a length extension attack. The proper way is HMAC, which is defined in an RFC, and the Mac class in Java lets you do just that, you initialize it with the key before you call doFinal. Another thing is using a secure hash to mask data. I've seen this in real life, where people are hashing social security numbers before writing them to a log file, in a hospital. That's just as bad as logging them in the clear, because I can hash all the social security numbers and then go through your log file and figure out which SSN is associated with which user; if the attacker can observe the hashes they can enumerate the whole space. Then there's using MD5 or SHA-1 everywhere. The best MD5 collision, to give you an idea, is about 2^24 steps, which takes about 5 or 6 seconds on a modern machine; you could probably do it in 30 seconds on your phone. It's okay to use them in the following cases: as a pseudo-random number generator to produce a random stream, to generate initialization vectors or something like that, or inside an HMAC construct. Cryptographers have proved that HMAC security doesn't require the underlying hash to be collision resistant; it only has to act as a pseudo-random function, which they do. Any questions so far?

Symmetric encryption weaknesses. Using inappropriate algorithms like RC4 or DES: DES has too small a key, and RC4 has a known bias in the first 256 bytes of output, which is what a lot of the breakage is based on. Insufficient key size: one thing that's not immediately obvious is that if you use Triple DES, which in Java is DESede, it defaults to two-key Triple DES, 112 bits, unless you have the JCE Unlimited Strength Jurisdiction Policy files installed; if you ask it for the full key size it gives you an error until you install them. Then there's how you generate keys, inappropriate use of cipher modes, which I'll get to in a minute, and, as I touched on earlier, confusion between confidentiality and data integrity. A lot of times, instead of generating a secret key with KeyGenerator, you'll see a hard-coded key, either in a properties file or in the code, both of which are bad, because for one thing you check them into version control so a lot of people have access to them. Aside from that, people use passwords as keys, which is just bad: the average ASCII password has about 3.2 bits of entropy per character, so instead of a full 128-bit key, even with a 20-character password you're only going to get about 60 bits, and that's not enough. Use KeyGenerator.

Okay, question: anybody know what the default cipher mode is in Java? ECB, electronic codebook. Thanks. Block ciphers have to operate in a mode; there are block modes and stream modes. The two block modes are ECB and CBC, cipher block chaining, and pretty much anything else is a stream mode. Every mode except ECB requires an initialization vector, an IV. Stream modes must never, ever reuse the same key and IV pair; okay, not ever. The one advantage of stream modes is they don't require padding.

So let's talk about ECB. It's the most commonly misused mode, first and foremost because when you Google for an example the first thing it shows you is ECB, and it also happens to be the first example in most textbooks, and people generally stop reading as soon as they find the first example. I've done that too; I'm a lazy developer, so if it works, done. It's also the simplest to implement because there are no pesky IVs to bother with. The weakness is that the same plaintext always encrypts to the same ciphertext, so with repeated blocks you will see patterns, and block replay attacks are possible: you can rearrange the blocks and play them back in a different order and they decrypt just fine. There's a great example on Wikipedia, the Tux image: encrypted in any mode other than ECB it looks like noise, but in ECB mode you can still see the remnants of the original image.

Block replay attacks: an adversary can modify the ciphertext without knowing the key or even the message. They can mangle messages beyond recognition, they can remove, duplicate or interchange blocks, and sometimes that lets the attacker change the meaning, especially when they know what the message structure looks like. Consider this example, which I borrowed. Assume a cipher with an 8-byte block size like the ones discussed earlier, and two banks transferring money. The message format is known because it has to be: bank routing data first, then sending and receiving account numbers, then the amount, all in fixed positions. In ECB each block is independent of every other block, which is why it's great for parallelism, you can do as many blocks at once as you have processors, but that's also a big weakness. So Mallory sits in the middle between Bank of Alice and Bank of Mallory. She seeds accounts at both with some money and then transfers a fixed amount from Bank of Alice to Bank of Mallory, over and over. Assume they're not using TLS; everybody says "just use TLS", but assume she's in the middle as an active adversary. She repeats the transfer, watches the ciphertext blocks go by, and eventually figures out what the protocol and the block structure are. Now Mallory goes back into the communication chain and, when a deposit that would normally go to somebody else's account goes by, overwrites the receiving account block with her own, so the fixed amount goes to her. The banks will notice eventually, when they reconcile accounts, but by then hours have passed and she's skipped town. This can't be defeated by putting in a date or timestamp, and not by adding a hash either, because Mallory can recompute the hash. It can be done with a message authentication code, because the banks share a key.

If you're looking for ECB in Java code, look for Cipher.getInstance with just the algorithm name, like "AES", or with ECB explicitly as the mode. The string passed to getInstance is the cipher transformation: the first part is the cipher algorithm, the second the mode, the third the padding. You also want to look for the absence of an initialization vector, because ECB is the only mode that doesn't require one. In Java you're looking for the absence of something, which is hard to grep for, but grep for IvParameterSpec and getIV. You can also check the length of the resulting ciphertext: when an IV is used it's usually prepended, so the ciphertext is one block longer and the receiver peels off the first block as the IV. So is using ECB never okay? Well, it's complicated. In reality the best thing is not to use it at all, but it's acceptable when you're encrypting less than one cipher block of data, when block replay and tampering aren't feasible because you have a MAC around the ciphertext, or when you're encrypting random data, for instance session IDs, which should already be random, secret keys, or strong passwords (if the password is "pass0123" that's not random, and padding is used to fill the block anyway). And with RSA, asymmetric encryption, ECB is really the only mode you should use. If you're not sure, look for block replay and ask yourself: are there multiple blocks exposed to an adversary, and can the ciphertext be tampered with? I put "adversary" in quotes because it depends on your threat model; if you don't consider an insider a threat, and some companies don't, then you don't have to be concerned about that so much. If the answer to any of these is yes, block replay is possible and you shouldn't use it.

Now, reusing the same key and IV pair. Stream ciphers, and block ciphers operating in a streaming mode, work by creating a key stream and XORing it with the plaintext. Call the key stream K(key, IV); the ciphertext is just the message XOR K. So let's see what happens when we encrypt two different plaintext messages with the same key and IV. If you walk through it, you end up with the XOR of the two ciphertexts, and because something XORed with itself is all zeros, and anything XORed with zeros is unchanged, the XOR of the two ciphertexts equals the XOR of the two plaintexts, message A XOR message B. So what do you do with the XOR of two plaintexts? If they're both English text, or ASCII, or some known character set, you use frequency analysis and crib dragging to guess parts of one plaintext, and as guesses are confirmed the rest falls out; a modest computer can crack, say, 50-character messages in a couple of minutes. The more ciphertexts created with the same key/IV pair that an adversary observes, the better their chances. And if the messages have a particular structure, say they're social security numbers or credit card numbers, it's even more trivial; eventually you recover all the plaintexts, or at least the shortest one. Here it is pictorially, an example from Dr. Rick Smith that I got permission to use. You have a plaintext image and a random key, and XORing them together gives noise; in the close-ups you can see the two encrypted images are different random bit patterns. To recover the original you XOR the ciphertext with the key and get the message back, as expected. Now do the same thing with the same key and two different messages: both look like noise, and you can't see it from here but they're different random patterns. But XOR the two ciphertexts together and the patterns of both images show through. It gets worse: for applications doing this, an adversary can decrypt the message on the fly, change it, and as a man in the middle alter the ciphertext. This is the stream cipher bit-flipping attack; in this example they take an encrypted amount of $1,000 and change it to $9,500. So you send me something that says you'll pay a thousand dollars and I can bump it up. The cure for this is the thing called authenticated encryption, which provides both confidentiality and integrity.
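Here are the three attacks just described in working code, as an added example that is not from the talk or its slides. It uses only the JDK's javax.crypto. The 16-byte key literal and the all-zero IV are constructed for the demo (hard-coding either is itself one of the mistakes under discussion), and the bank message layout, account strings and amounts are made up for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;

public class ModeMisuseDemo {
    // Constructed demo key and a fixed IV. A real key comes from KeyGenerator and a real IV
    // from SecureRandom; both are deliberately "wrong" here to reproduce the failures.
    static final byte[] KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII); // 16 bytes = AES-128
    static final byte[] FIXED_IV = new byte[16];

    static byte[] aes(String transformation, int opmode, byte[] in, boolean withIv) throws Exception {
        Cipher c = Cipher.getInstance(transformation);
        SecretKeySpec key = new SecretKeySpec(KEY, "AES");
        if (withIv) {
            c.init(opmode, key, new IvParameterSpec(FIXED_IV));
        } else {
            c.init(opmode, key);           // ECB: no IV at all, which is exactly what to grep for
        }
        return c.doFinal(in);
    }

    static byte[] xor(byte[] a, byte[] b) {
        byte[] out = new byte[Math.min(a.length, b.length)];
        for (int i = 0; i < out.length; i++) out[i] = (byte) (a[i] ^ b[i]);
        return out;
    }

    static String ascii(byte[] b) { return new String(b, StandardCharsets.US_ASCII); }
    static byte[] bytes(String s) { return s.getBytes(StandardCharsets.US_ASCII); }

    // 1. ECB block replay (the two-bank example). The wire format is three fixed-width 16-byte
    //    fields, so each field lands in exactly one AES block. Mallory swaps the FROM and TO
    //    blocks in the ciphertext; she needs neither the key nor the plaintext.
    static String ecbBlockSwap() throws Exception {
        String msg = "FROM:ALICE-00001" + "TO:BOB-000000002" + "AMT:00000001000 ";
        byte[] ct = aes("AES/ECB/NoPadding", Cipher.ENCRYPT_MODE, bytes(msg), false);
        byte[] tampered = ct.clone();
        System.arraycopy(ct, 16, tampered, 0, 16);   // block 1 moves to position 0
        System.arraycopy(ct, 0, tampered, 16, 16);   // block 0 moves to position 1
        // Decrypts cleanly to "TO:BOB-000000002FROM:ALICE-00001AMT:00000001000 ": Bob is now the sender.
        return ascii(aes("AES/ECB/NoPadding", Cipher.DECRYPT_MODE, tampered, false));
    }

    // 2. Key stream reuse in a streaming mode (AES-CTR). Same key and IV for two messages gives
    //    C1 xor C2 = P1 xor P2, so one known plaintext hands over the other without the key.
    static String ctrKeystreamReuse() throws Exception {
        byte[] p1 = bytes("PAY 1000 USD TO ACCT 42");   // the message the attacker knows
        byte[] p2 = bytes("PAY 9500 USD TO ACCT 99");   // the message the attacker wants
        byte[] c1 = aes("AES/CTR/NoPadding", Cipher.ENCRYPT_MODE, p1, true);
        byte[] c2 = aes("AES/CTR/NoPadding", Cipher.ENCRYPT_MODE, p2, true);
        return ascii(xor(xor(c1, c2), p1));            // recovers p2 exactly
    }

    // 3. Malleability: flipping ciphertext bits flips the same plaintext bits, so an adversary who
    //    knows the message layout rewrites the amount field in transit ($1,000 becomes $9,500).
    static String ctrBitFlip() throws Exception {
        byte[] p = bytes("PAY 1000 USD TO ACCT 42");
        byte[] c = aes("AES/CTR/NoPadding", Cipher.ENCRYPT_MODE, p, true);
        byte[] delta = xor(bytes("1000"), bytes("9500"));
        for (int i = 0; i < delta.length; i++) c[4 + i] ^= delta[i];   // the amount starts at offset 4
        return ascii(aes("AES/CTR/NoPadding", Cipher.DECRYPT_MODE, c, true)); // "PAY 9500 USD TO ACCT 42"
    }

    public static void main(String[] args) throws Exception {
        System.out.println(ecbBlockSwap());
        System.out.println(ctrKeystreamReuse());
        System.out.println(ctrBitFlip());
    }
}
```

Compile and run with `javac ModeMisuseDemo.java && java ModeMisuseDemo`. None of the three functions ever touches the key on the attacker's side; the only inputs to the attacks are ciphertext and knowledge of the message structure, which is the point of the next section.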
Integrity is not exactly the same as authenticity, but they're related: the idea is that if we know we produced it, and we trust the recipient, then we're also trusting the integrity, and we can detect anything that's been tampered with; we just can't tell what was changed. There are three different approaches to doing authenticated encryption with a MAC: MAC-then-encrypt, encrypt-and-MAC, and encrypt-then-MAC. I'm not going to go into the details, but it turns out that only encrypt-then-MAC is actually secure in general. Or you use an authenticated cipher mode like CCM or GCM and you get the integrity check built in.

Another important principle to remember when you do cryptography is relevant when you're deciding what to MAC, or what to feed the authenticated encryption: what data should I include in the integrity check? You want to authenticate what you actually mean, not just what you end up saying. Avoid unauthenticated data: either don't send it across the wire, or include it as part of the authenticated data. I made this mistake myself when I was doing this. I put the cipher mode in the header and didn't MAC it, and because of that somebody could change the mode from CBC to something else, which broke the ciphertext and caused other problems; a lot of people made that change. So include the metadata. The AEAD modes like CCM and GCM have a special way to do that, the associated data.

Okay, cipher block chaining mode. This is the most frequently used mode, and one of the good things about it is that if used incorrectly, unlike the streaming modes, it doesn't completely break; it degrades to roughly ECB mode. For stream modes the worst case is total breakage. Used correctly, CBC with a random key, a random IV, padding and an HMAC is the accepted approach. But you see a lot of common mistakes: people use fixed IVs or predictable IVs, like a counter or the time, or they fail to MAC correctly, either they don't MAC at all or they use MAC-then-encrypt. So what to look for in code: if you're in doubt, it's easier to just use authenticated encryption. If you don't, there's a thing called the padding oracle attack on CBC mode; it was known in theory for about eight years, and then Rizzo and Duong came out with the POET tool in 2010 and broke JavaServer Faces, ASP.NET and a bunch of other stuff that was using CBC with bad padding checks. Another symmetric encryption weakness is assuming that confidentiality provides data integrity; that's only true if you're using an authenticated mode. If confidentiality isn't required, it's better and faster to just use an HMAC. It turns out CCM and GCM are actually fairly complicated to use, and if you look for examples that do it correctly you won't find many, at least none I could identify; it's a bit of a black art, I suppose. You can look at the Bouncy Castle JavaDoc and their tests, but even that probably isn't quite how you'd want to do it.
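Since correct examples are hard to find, here is one, added here and not the speaker's code. It shows the two acceptable approaches from the last few paragraphs with the JDK's javax.crypto only: AES-GCM with a fresh random nonce and a header passed as associated data, and CBC with encrypt-then-MAC where the HMAC-SHA256 is verified with MessageDigest.isEqual before the cipher ever runs. The header string "v1;AES/GCM" and the sample message are constructed for the demo; the "v1;AES/ECB" header plays the role of the unauthenticated mode field from the speaker's own mistake.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public class AuthenticatedEncryptionDemo {
    static final SecureRandom RNG = new SecureRandom();
    static final int GCM_NONCE_LEN = 12, GCM_TAG_BITS = 128, CBC_IV_LEN = 16, HMAC_LEN = 32;

    // Option A: an AEAD mode. Output is nonce || ciphertext || tag. `header` is associated data,
    // authenticated but not encrypted, which is where version and mode metadata belongs.
    static byte[] gcmEncrypt(SecretKey key, byte[] header, byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[GCM_NONCE_LEN];
        RNG.nextBytes(nonce);                          // fresh nonce per message; never reuse under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        c.updateAAD(header);
        return concat(nonce, c.doFinal(plaintext));
    }

    static byte[] gcmDecrypt(SecretKey key, byte[] header, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, Arrays.copyOf(blob, GCM_NONCE_LEN)));
        c.updateAAD(header);
        // Throws AEADBadTagException if nonce, ciphertext, tag or header were touched.
        return c.doFinal(blob, GCM_NONCE_LEN, blob.length - GCM_NONCE_LEN);
    }

    // Option B: CBC with encrypt-then-MAC. Two independent keys; the HMAC covers header || iv || ct,
    // so the metadata is authenticated even though it is sent in the clear.
    static byte[] etmEncrypt(SecretKey encKey, SecretKey macKey, byte[] header, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[CBC_IV_LEN];
        RNG.nextBytes(iv);                             // random IV, not a counter and not a constant
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        return concat(iv, ct, hmac(macKey, header, iv, ct));
    }

    static byte[] etmDecrypt(SecretKey encKey, SecretKey macKey, byte[] header, byte[] blob) throws GeneralSecurityException {
        byte[] iv = Arrays.copyOfRange(blob, 0, CBC_IV_LEN);
        byte[] ct = Arrays.copyOfRange(blob, CBC_IV_LEN, blob.length - HMAC_LEN);
        byte[] tag = Arrays.copyOfRange(blob, blob.length - HMAC_LEN, blob.length);
        // Verify first, in constant time, and never run the cipher on unauthenticated bytes:
        // that is what closes the padding-oracle door.
        if (!MessageDigest.isEqual(hmac(macKey, header, iv, ct), tag)) {
            throw new AEADBadTagException("MAC mismatch");
        }
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(iv));
        return c.doFinal(ct);
    }

    static byte[] hmac(SecretKey macKey, byte[]... parts) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        for (byte[] p : parts) mac.update(p);
        return mac.doFinal();
    }

    static byte[] concat(byte[]... parts) {
        int n = 0;
        for (byte[] p : parts) n += p.length;
        byte[] out = new byte[n];
        int pos = 0;
        for (byte[] p : parts) { System.arraycopy(p, 0, out, pos, p.length); pos += p.length; }
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);                                                           // generated, never hard-coded
        SecretKey aesKey = kg.generateKey();
        SecretKey macKey = KeyGenerator.getInstance("HmacSHA256").generateKey();
        byte[] header = "v1;AES/GCM".getBytes(StandardCharsets.US_ASCII);       // constructed metadata
        byte[] msg = "PAY 1000 USD TO ACCT 42".getBytes(StandardCharsets.US_ASCII);

        byte[] blob = gcmEncrypt(aesKey, header, msg);
        System.out.println("GCM ok: " + new String(gcmDecrypt(aesKey, header, blob), StandardCharsets.US_ASCII));
        blob[GCM_NONCE_LEN + 4] ^= '1' ^ '9';                                   // the CTR-style bit flip on the amount
        try { gcmDecrypt(aesKey, header, blob); } catch (AEADBadTagException e) { System.out.println("GCM: tampering detected"); }

        byte[] blob2 = etmEncrypt(aesKey, macKey, header, msg);
        System.out.println("ETM ok: " + new String(etmDecrypt(aesKey, macKey, header, blob2), StandardCharsets.US_ASCII));
        byte[] wrongHeader = "v1;AES/ECB".getBytes(StandardCharsets.US_ASCII);  // attacker rewrites the mode field
        try { etmDecrypt(aesKey, macKey, wrongHeader, blob2); } catch (AEADBadTagException e) { System.out.println("ETM: header tampering detected"); }
    }
}
```

In both options the receiver rejects the message before any plaintext is produced, which is the property the bit-flip and block-swap demos above lacked. The same AES key is reused for GCM and CBC here only to keep the demo short; in a real system each scheme gets its own key, and the MAC key is always separate from the encryption key.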
okay so a similar site curves when you have two different keys one or if you want to decrypt like RSA is an example right you always have what's called the chosen plaintext attack possible it's not always fatal but as long as possible with any kind of asymmetric cipher and the reason for that is as long as it soon that someone else has access to the public key there's a reason they call it public right so given the fact that basically they're thinking have access to the public key they can basically take and they can choose any plain text that they want encrypted with that public key observe the output observe the ciphertext right says where
we have basically it chosen plaintext attack so I mean if I know that there's a small number of possibilities that you're occurring let's say social security numbers and stuff like that it could be problematic right you're like the new breed all right so I just mentioned that so basically we have a small space so new comers can be a problem and in fact this is a real-life example now it turns out that this is not a problem there's two different kind I mention padding right the the default padding for my RSA for example is pkcs1 tralala that turns out that's a very bad padding choice it's insecure but if the person had though AT&T that will
actually defeat this problem but I saw code review and some vendor code or they basically thought they were doing a great job encrypting credit card numbers and storm in a database and they were using the default pattern and really his head you know sites would not get instance RSA and I pointed out to them that basically all the credit card numbers now basically could be enumerated and you know something inside of the road PDA or something like that I could grab the ciphertext from the databases that person can enumerate all them and figure out that they all work and so fixes so we team he minutes menaced by the hardest problem in cryptography okay one of the things is
that if you look at the PCI DSS stealer to auto and later it says that you must change the symmetric crypto keys at least yearly if you want to blame somebody for that requirement you can probably point to me because one doesn't never get to say you had to bring the W change them so I challenged about how often is regularly I don't know you know so again we're gonna Katie around every 10,000 years no no like they put in here but it turns out that it's a lot more maybe awesome than that right because aside from the fact that somebody might leak that somewhere you know the encryption key might've stolen or whatever also it turns out that there are attacks
in and in general attack is that you if you have a cipher block text the second one size fits then every two to the x over two were Emma's that's you guys you should change the key right so isn't in deaths of several deaths it's only have the 64-bit walk you should have changed that basically when I think that defective my master I think that work something like 257 or something like that giggle that's right now most of time we were just like doing a couple Social Security numbers and database or something that's not going to be a problem but it's got like a ppm you do the ball file encryption or told my dad that may be a problem it turns
out though that there was actually a real life attack last summer no this is sweet thirty-two that anybody heard of that the tech best agreed swaps it's definitely a good writer Park on the explanation of how all that works but basically this was based on my feet Eve and reusing the safety streets he's in the same keys over another gallon all right so where do you store your keys like well ideally you know could have been an HSN or a TPM but the one thing where we see the must where I've seen code reviews the most fail cases like people put them in the file you know in part cut at the source code or a
properties file both of which around reversal control himself you know that's going to be a problem it's better maybe if you left your your Deluth staff you're off step rather put shoes them put them in a figure in if I lock it down with us and it's not available to like develop persons only only certain very small people you get it but you know that's probably because the developers don't do that ok it's not rocket science writing script let him run it to generate a key you know and even Dave mining you can just generate it and put it in your properties file automatically you have to have an edit file better is that going to not net to use DPA the
DTaP o8x nate guy for java if you have like if you're using oracle oracle weblogic encryption services and if you don't have that you're on java I would recommend a java key store that has problems too I don't have time to go into them but if you're never put the one thing you should not do is don't put the encryption key in the same file of the data that's being primitive selling for instance if I have a database password in a properties file right don't put the database key in the same file that's not good at me it's like making me work a little harder than that okay the encrypting data in a database there are
There are three different approaches to do this: one is to have the database engine itself do it, mostly transparently; another is to do it via a proxy, using something that is still considered sort of experimental but is probably much easier than writing your own application code; and then there's doing it in application code, having the application encrypt and decrypt the data itself. From the application perspective TDE is very simple: it's almost transparent to the application, it's available for Oracle and Microsoft SQL Server, and it probably satisfies, I've never checked this, but it probably satisfies the letter of the law for PCI DSS. Oracle offers TDE at the column level, and Microsoft offers encryption at the table and tablespace layers, in SQL Server at the physical layer. There's usually a limited set of ciphers available, typically AES or Triple DES only, and usually there are two keys: with Oracle TDE you have a wallet, which holds the database master key that gets constructed and passed around, and that is used to encrypt and decrypt the other keys for the individual columns or tablespaces. They usually use CBC mode, but almost all the time they have to use the same initialization vector. The good thing, like I said, about CBC mode is that if it breaks, in the worst case it's like ECB. The reason you have to use the same IV is that if you encrypt the same credit card number with two different IVs you end up with different ciphertexts, and all of a sudden that breaks indexing, because now you don't have a unique entry. So there are cases where you can't use TDE: one is where you want to use the encrypted column as a foreign key into another table, and there are some expressions you can't use, like the searches with a percent sign, the wildcard searches, right, so you can't use wildcard searches. I can't say "search for all credit card numbers that start with" such-and-such; I can't do that, you'd have to enumerate over all of them, so if you need to do searches like that you need to take that into account when you're designing the database. A salt can be used with these things: it acts as a unique IV, basically a unique IV for this column or whatever you're applying it to, but again that means that you cannot index it, so it would be okay if you have a small number of records, or if you're always going to search based on something else and then retrieve it, and that's fine. So what's
your threat model here, why does TDE fail? Well, because first of all, unless you set up appropriate database views, any application that has access to that database table or column or whatever, and happens to have the database open, can access it, and then they have access to the encrypted data, right? So that's one of the reasons why, when you say "hey, restrict that column, this other application over here doesn't need to see this encrypted data", it's not really encrypted if they can access it. And then backups are the other issue: depending on how they're done, you may end up with the database in plaintext, so you have to be concerned about that. Generally the data we're encrypting in the database is small, like credit card or social security numbers or some kind of health information, or it has a particular format, so there's an enumeration possibility, and that also is a problem for the same reason: you can basically enumerate the values. Like I said, in the normal case we don't use the salt because we want it to be indexable, so the same enumeration concerns are possible there. So what exactly is TDE good for? Like I said, it probably covers the letter of PCI DSS, but really what it's protecting against is an attack which would be similar to using full disk encryption on a laptop: somebody has a laptop that's in hibernate mode or turned off or something like that, and somebody steals it out of the back of your car. So in database terms, if you have an offline backup copy of the disk and somebody does a smash-and-grab on the disk and runs out the door with it, you're safe, but that's pretty much the only scenario TDE really covers.

Okay, SSLSocket and subclasses of it, or subclasses that get created by SSLSocketFactory, don't have hostname verification or
certificate pinning. So what that means is that they don't verify: say I'm going to go to foobar.example.com; it doesn't actually verify that it's connecting there. It gets a server-side certificate back, and the CN should say foobar.example.com, and it doesn't check that. Because it doesn't do this, man-in-the-middle attacks are possible. I'm going to go through this slide quickly because we want to take questions. So there are two possibilities here: one is that you subclass SSLSocket, or the other one is you create an SSLContext. If you're doing this over HTTP, however, there's a better solution: use HttpsURLConnection. The reason I see this is, like I was talking about legacy code, the problem with legacy code is that when they shipped HttpURLConnection they did not ship a corresponding HttpsURLConnection; it didn't come out until a couple of years later, and so people started writing their own, and so you see this a lot in old systems. You also see the cases where people want to use SSL but don't need HTTP, they're just talking across a socket with some other protocol like that. So I'm going to end here so we have some time for
questions. If you look in here there are some tables like that; this is the Dev Guide, it's still a work in progress, and if anybody's interested in giving feedback we'd certainly be interested in receiving it, but it's a work in progress. That basically covers the talk. Any other questions?

You mentioned earlier code inspection; we do a lot of code reviews, and it's a little more daunting when you're faced with a bunch of new projects. What's the lowest-hanging fruit that you've seen most often?

Use of ECB mode, because they don't realize that's the default, number one; number two is people don't realize the danger; and number three is it's the first example you encounter when you Google.

Because you don't know who's controlling your DNS, there's a technique called pharming, spelled with a "ph" like phishing, which is basically a DNS hijacking attack: if you're on some rogue Wi-Fi or something like that, somebody will return their own address for foobar.example.com, right, that gets you to their server, and hostname verification would actually pass because they just got it signed by a different CA, a CA that is not aware that somebody else signed the original foobar.example.com. So in that particular case what I would recommend, for mobile applications, is to do what's called certificate pinning, where you're actually pinning the certificate. There are different ways you can pin: either based on the public key, which works well if you reuse the key when the certificate expires every year and just get a new certificate, or you pin based on the certificate itself.

All right, so what happens when you're doing this, like I said, is that it's not something which is susceptible over a LAN or a WAN, generally, because of network jitter; there's uncertainty that you can't filter out. But what happens is if you compare two hashes in a time-based way, say SHA-1 is used for this, right, that's 20 bytes, and the way it compares the two things is one byte at a time, then if you have a good timing clock you can say "this one went through 18 iterations, this one went through 12", and so on, a few bytes at a time, and so you can basically use that as a signal to detect information about both hashes, or within a password hash about the password, and then work to refine your guess. You try to attack by guessing the password with different values and basically see how far it gets. There have actually been cases where a global password authentication system was compromised this way.
Of all of these together, what actually gets exploited in the wild the most?

Okay, I mean, the only thing that I've ever seen in the real world, now I'm not saying, we're not talking about the clandestine world here, but where I've seen attacks on crypto reported in the wild has been with the whole Wi-Fi WEP standard, because that was so bad that a child with a Sinclair could break it in ten minutes. It's one of those types of things, yeah, exactly. So that's the only case that I can really recall in real life where it's been done. Now certainly people have done it and written exploits, like I mentioned, and they're nice to see, but Google for "padding oracle attack", and I would encourage everybody to do this, and watch the demos on YouTube that Duong and Rizzo did against ASP.NET view state as an example; they're breaking it in like 10 or 15 minutes, and they could not only decrypt stuff but also re-encrypt stuff, because they were able to figure out a clever way to reverse it and actually figure out what the key was. So it was pretty genius actually, but in reality it got fixed fast enough. So, any other questions?
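As an added illustration, not part of the talk or its slides, the Java snippet below puts the two deterministic-encryption points from above side by side: `Cipher.getInstance("AES")` resolving to ECB in the SunJCE provider, which is the "ECB by default" low-hanging fruit from the Q&A, and a CBC column encrypted under one fixed IV, which is what an indexable TDE column does, so two rows holding the same card number produce identical ciphertext and can be enumerated. AES-GCM with a fresh random nonce is shown for contrast. The class name, the key (generated per run) and the sample card numbers are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;

// Added example; class name and sample data are assumptions, not from the talk.
public class DeterministicEncryptionDemo {

    // Constructed sample data: the same card number stored in two rows, and a
    // value whose two 16-byte halves are identical (exposes ECB's block pattern).
    static final byte[] ROW_1 = "4111111111111111".getBytes(StandardCharsets.US_ASCII);
    static final byte[] ROW_2 = "4111111111111111".getBytes(StandardCharsets.US_ASCII);
    static final byte[] TWO_EQUAL_BLOCKS =
            "0000111122223333".concat("0000111122223333").getBytes(StandardCharsets.US_ASCII);

    // Bare "AES" resolves to "AES/ECB/PKCS5Padding" in the SunJCE provider. No IV
    // is required, which is exactly why copy-pasted snippets settle on it.
    static byte[] ecbDefault(SecretKey key, byte[] pt) throws Exception {
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(pt);
    }

    // CBC with a fixed IV: deterministic per key, so equal plaintexts give equal
    // ciphertexts. That is what makes the column indexable, and what leaks equality.
    static byte[] cbcFixedIv(SecretKey key, byte[] iv, byte[] pt) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(pt);
    }

    // AES-GCM with a fresh random 96-bit nonce, prepended to the ciphertext so the
    // decrypting side can find it. Two encryptions of the same value differ.
    static byte[] gcmRandomNonce(SecretKey key, byte[] pt) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(pt);
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] fixedIv = new byte[16];   // the one IV reused for every row

        byte[] ecb = ecbDefault(key, TWO_EQUAL_BLOCKS);
        System.out.println("ECB: identical plaintext blocks give identical ciphertext blocks? "
                + Arrays.equals(Arrays.copyOfRange(ecb, 0, 16), Arrays.copyOfRange(ecb, 16, 32)));
        System.out.println("ECB default:   two rows encrypt equal? "
                + Arrays.equals(ecbDefault(key, ROW_1), ecbDefault(key, ROW_2)));
        System.out.println("CBC fixed IV:  two rows encrypt equal? "
                + Arrays.equals(cbcFixedIv(key, fixedIv, ROW_1), cbcFixedIv(key, fixedIv, ROW_2)));
        System.out.println("GCM rnd nonce: two rows encrypt equal? "
                + Arrays.equals(gcmRandomNonce(key, ROW_1), gcmRandomNonce(key, ROW_2)));
    }
}
```

The first three checks come out equal and the GCM one does not, which is the trade-off the talk describes: the randomised scheme is the one you cannot index or use as a foreign key, and the indexable schemes are the ones an attacker with read access can enumerate.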
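Added example, not from the talk: in Java the hostname check that the talk says SSLSocket lacks is controlled by SSLParameters.setEndpointIdentificationAlgorithm, available since Java 7 (the legacy code the speaker describes predates it). The snippet creates an unconnected socket so it runs offline, shows that the default is null, meaning the handshake checks the chain but not that the certificate is for the host you asked for, and then turns on the same "HTTPS" check that HttpsURLConnection applies. The class name is an assumption.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example; class name is an assumption. Runs offline: the socket is never connected.
public class EndpointIdentificationDemo {

    // Endpoint identification algorithm of a freshly created SSLSocket.
    // null means: validate the chain, but never compare the certificate to the host name.
    static String defaultEndpointIdentification() throws Exception {
        SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket();
        try {
            return s.getSSLParameters().getEndpointIdentificationAlgorithm();
        } finally {
            s.close();
        }
    }

    // Hardened socket: enable the HTTPS host name rules (SAN, falling back to CN)
    // that HttpsURLConnection already applies. Must be done before the handshake.
    static SSLSocket withHostnameVerification(SSLSocket s) {
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        return s;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default endpoint identification: " + defaultEndpointIdentification());

        SSLSocket s = withHostnameVerification(
                (SSLSocket) SSLSocketFactory.getDefault().createSocket());
        System.out.println("hardened endpoint identification: "
                + s.getSSLParameters().getEndpointIdentificationAlgorithm());
        s.close();

        // In real use: SSLSocket s = (SSLSocket) factory.createSocket(host, 443);
        // withHostnameVerification(s); s.startHandshake();
        // The handshake now fails with SSLHandshakeException when the certificate
        // does not name host, which is the man-in-the-middle case from the talk.
    }
}
```

Note that this closes the first gap only (a certificate for the wrong name). The pharming case from the Q&A, a valid certificate for the right name from a different CA, is the one that still needs pinning.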
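Added example, not from the talk: the byte-at-a-time comparison leak from the timing-attack answer, shown without a stopwatch. Instead of measuring wall-clock time, each comparison reports how many bytes it examined before it knew the answer; for the early-exit version that count is the index of the first mismatch, which is exactly what a remote attacker recovers by timing. A constant-time comparison and the JDK's own MessageDigest.isEqual, which modern JDKs implement in constant time, are shown beside it. The class name, the stored hash and the constructed guesses are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example; class name and sample values are assumptions, not from the talk.
public class CompareTimingDemo {

    static final class Result {
        final boolean equal;
        final int inspected;   // bytes examined before the answer was known
        Result(boolean equal, int inspected) { this.equal = equal; this.inspected = inspected; }
    }

    // Early-exit comparison, the shape of a hand-written loop or Arrays.equals:
    // stops at the first differing byte, so its work reveals where that byte is.
    static Result earlyExit(byte[] a, byte[] b) {
        if (a.length != b.length) return new Result(false, 0);
        int inspected = 0;
        for (int i = 0; i < a.length; i++) {
            inspected++;
            if (a[i] != b[i]) return new Result(false, inspected);
        }
        return new Result(true, inspected);
    }

    // Constant-time comparison: touches every byte and ORs the differences into one
    // accumulator, so the work done does not depend on where the inputs differ.
    static Result constantTime(byte[] a, byte[] b) {
        int diff = a.length ^ b.length;
        int inspected = 0;
        for (int i = 0; i < a.length && i < b.length; i++) {
            inspected++;
            diff |= a[i] ^ b[i];
        }
        return new Result(diff == 0, inspected);
    }

    // Constructed guess: keeps the first k bytes of the stored hash and flips every
    // remaining byte, so the first mismatch sits exactly at index k.
    static byte[] guessWithPrefix(byte[] stored, int k) {
        byte[] g = stored.clone();
        for (int i = k; i < g.length; i++) g[i] ^= (byte) 0xFF;
        return g;
    }

    public static void main(String[] args) throws Exception {
        // Constructed "stored" value: a 20-byte SHA-1, as in the talk's example.
        byte[] stored = MessageDigest.getInstance("SHA-1")
                .digest("correct horse".getBytes(StandardCharsets.UTF_8));

        for (int k : new int[] {0, 4, 12, 19, 20}) {
            byte[] guess = guessWithPrefix(stored, k);
            Result e = earlyExit(stored, guess);
            Result c = constantTime(stored, guess);
            System.out.printf("matching prefix %2d: early-exit inspected %2d bytes, "
                    + "constant-time inspected %2d, equal=%b, MessageDigest.isEqual=%b%n",
                    k, e.inspected, c.inspected, c.equal, MessageDigest.isEqual(stored, guess));
        }
    }
}
```

The early-exit column climbs with the matching prefix while the constant-time column stays at 20 for every guess; an attacker who can only observe the former learns one more byte of the hash each time the count goes up, which is the "went through 18, went through 12" signal the answer describes.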