How not to shoot yourself in the foot with cryptography

Vinay Keerthi K T (~vinay_keerthi)


11 Votes

Description:

The Pitch

Hear me out, I have an app I'm working on, to store your passwords. How is it secure, you ask? Well, since I'm a genius, I've used the names of two movies that couldn't be more unlike one another to mask the passwords and keep hackers from guessing it. Trust me, no one could guess what these two movies are. Did someone say Barbenheimer? Fiddlesticks.

Introduction

Every software engineer thinks they can roll out their own cryptography solution. I mean, I'm the only one who has thought up the idea to hash my database password column with a rot-13 cipher after a "SUPER SECRET WORD" to salt the passwords first, right? Right? Every cryptography course tells you not to do this, but my code is impenetrable, isn't it? Let's see how impenetrable it really is. If you're a fan of magic shows, cryptography walks you down a path where you watch a magic show that leaves you traumatised about the internet and the websites you use every day.

Why should you listen to this talk?

Have you ever sat through an interview where someone asked you how public-private key encryption works? Have you heard the term “Diffie-Hellman” and wondered what sort of spider-web of mathematical expressions you need to memorise to understand this? This talk takes you through the avenues of cryptography, through my experience learning about it through the Matasano cryptopals.com challenges, as well as reading through daunting textbooks on the subject to try and understand a little bit of what is going on. You will learn how to take cryptography seriously, and how you can use Python to work through some small cryptography challenges, and implement some well-known cryptography algorithms. Of course, you will also learn why you should not do this. And at the end, if you dare, it will be time to try and guess the key used to hash something from the audience.

Who is this talk for?

  • Any level of programmers
  • Anyone who manages a website
  • Anyone who runs APIs
  • Anyone who uses the internet and can understand a little bit of code.

What will you gain from this talk?

  • A little respect for cryptography
  • Complete loss of the illusion that you are smart enough to write your own cryptographic library.
  • Learn what an "l33t sup4 h3x0r" really does.
  • A list of easily-approachable resources to learn more about cryptography.

Why did I choose to give this talk?

  • I've been coding in Python for about 9 years, and I've seen developers be nonchalant about security.
  • I've been coding in Rust lately, and working on cryptography-centric libraries at ChainSafe.
  • I am self-taught, and never learnt about cryptography or network security, so I began reading books and blogs about this.
  • The gateway into security-programming seems tall, but you need to find the resources.

What was my journey like?

  • I began using cryptohack.com and cryptopals.com for coding exercises to learn more about cryptography.
  • I read through Real World Cryptography.

Prerequisites:

  • A working understanding of how the internet works.
  • Beginner to intermediate Python knowledge.

Speaker Info:

I'm Vinay Keerthi, and I work as a Team Lead at ChainSafe Systems, where I work with distributed technology and cryptography. I've spoken at PyCon India before, about MicroPython (and my voice-controlled bookshelf), and I'm a regular at BangPypers, having spoken about Flask, MicroPython, Web Application Security and PostgreSQL.

I've previously worked at Flipkart and Visa Inc, where I've built tools and applications for developer productivity. I'm a DIY enthusiast and build my own mechanical keyboards and tools.

I write at stonecharioteer.com, about software, career advice and general life happenings.

Section: Networking and Security
Type: Talks
Target Audience: Intermediate
Last Updated: