[Script Info] Title: [Events] Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text Dialogue: 0,0:00:16.54,0:00:18.56,Default,,0000,0000,0000,,TONY ARCIERI: We ready to go here? Dialogue: 0,0:00:19.70,0:00:21.16,Default,,0000,0000,0000,,So it used to be you didn't have to Dialogue: 0,0:00:21.17,0:00:24.51,Default,,0000,0000,0000,,think about security when you're writing a\NRuby program. Dialogue: 0,0:00:24.51,0:00:28.21,Default,,0000,0000,0000,,Well, guess what, pall? Times have changed!\NThere's all Dialogue: 0,0:00:28.21,0:00:30.58,Default,,0000,0000,0000,,sorts of bad people out there, and you gotta Dialogue: 0,0:00:30.58,0:00:32.72,Default,,0000,0000,0000,,know how to stop them! Dialogue: 0,0:00:32.72,0:00:37.60,Default,,0000,0000,0000,,All right. I'm not gonna do the entire talk Dialogue: 0,0:00:37.60,0:00:40.24,Default,,0000,0000,0000,,as Crocket impressions. Sorry. Dialogue: 0,0:00:40.24,0:00:43.54,Default,,0000,0000,0000,,So I am Tony Arcieri, or @bascule on Twitter. Dialogue: 0,0:00:43.54,0:00:46.95,Default,,0000,0000,0000,,I work on the, or work at the inform- Dialogue: 0,0:00:46.95,0:00:50.72,Default,,0000,0000,0000,,I work at Square on the information security\Nteam. Dialogue: 0,0:00:50.72,0:00:54.98,Default,,0000,0000,0000,,And my talk today is about cryptography and,\Nyou Dialogue: 0,0:00:54.98,0:00:58.04,Default,,0000,0000,0000,,know, I just want to encrypt something. How\Nhard Dialogue: 0,0:00:58.04,0:01:00.81,Default,,0000,0000,0000,,could it possibly be? Dialogue: 0,0:01:00.81,0:01:04.58,Default,,0000,0000,0000,,The answer to this is definitely hard. So\Nhow Dialogue: 0,0:01:04.58,0:01:07.14,Default,,0000,0000,0000,,hard is it? Well, today you're gonna drink\Nfrom Dialogue: 0,0:01:07.14,0:01:11.21,Default,,0000,0000,0000,,the fire hose, and I'm gonna show you exactly Dialogue: 0,0:01:11.21,0:01:12.48,Default,,0000,0000,0000,,how hard it is. 
Dialogue: 0,0:01:12.48,0:01:17.76,Default,,0000,0000,0000,,So quick itinerary here. We're gonna talk\Nabout attacks. Dialogue: 0,0:01:17.76,0:01:19.88,Default,,0000,0000,0000,,We're going to talk about how to defeat them Dialogue: 0,0:01:19.88,0:01:24.51,Default,,0000,0000,0000,,using something called authenticated encryption.\NAnd then we're going Dialogue: 0,0:01:24.51,0:01:27.29,Default,,0000,0000,0000,,to learn how to completely avoid all these\Nproblems Dialogue: 0,0:01:27.29,0:01:30.72,Default,,0000,0000,0000,,by just letting cryptographers do all this\Nstuff for Dialogue: 0,0:01:30.72,0:01:31.28,Default,,0000,0000,0000,,us. Dialogue: 0,0:01:31.28,0:01:35.13,Default,,0000,0000,0000,,So, I think Ruby's traditionally been in a\Npretty Dialogue: 0,0:01:35.13,0:01:38.44,Default,,0000,0000,0000,,bad situation when it comes to cryptography,\Nand the Dialogue: 0,0:01:38.44,0:01:41.69,Default,,0000,0000,0000,,main reason for this is the OpenSSL library\Nhas Dialogue: 0,0:01:41.69,0:01:43.91,Default,,0000,0000,0000,,been the only game in town for quite some Dialogue: 0,0:01:43.91,0:01:44.92,Default,,0000,0000,0000,,time. Dialogue: 0,0:01:44.92,0:01:48.61,Default,,0000,0000,0000,,So I think we can change this. I think Dialogue: 0,0:01:48.61,0:01:52.45,Default,,0000,0000,0000,,this is a fixable problem. But to do that, Dialogue: 0,0:01:52.45,0:01:54.96,Default,,0000,0000,0000,,we really need to know, how the hell does Dialogue: 0,0:01:54.96,0:01:57.09,Default,,0000,0000,0000,,crypto actually work? Dialogue: 0,0:01:57.09,0:02:01.79,Default,,0000,0000,0000,,So, the answer to this is magic. But, not Dialogue: 0,0:02:01.79,0:02:06.67,Default,,0000,0000,0000,,really magic. It's actually just math. So\Nthere's two Dialogue: 0,0:02:06.67,0:02:10.58,Default,,0000,0000,0000,,types of encryption cyphers I'm gonna talk\Nabout today. Dialogue: 0,0:02:10.58,0:02:13.56,Default,,0000,0000,0000,,We'll show how one builds on the other. 
The Dialogue: 0,0:02:13.56,0:02:16.20,Default,,0000,0000,0000,,first is called Symmetric. So here we have\NAlice Dialogue: 0,0:02:16.20,0:02:18.85,Default,,0000,0000,0000,,who just wants to send a message to herself, Dialogue: 0,0:02:18.85,0:02:22.67,Default,,0000,0000,0000,,or rather, just put this message away in a Dialogue: 0,0:02:22.67,0:02:25.79,Default,,0000,0000,0000,,box and lock it, and then she can use Dialogue: 0,0:02:25.79,0:02:28.14,Default,,0000,0000,0000,,the key to open it again and get the Dialogue: 0,0:02:28.14,0:02:30.10,Default,,0000,0000,0000,,original message out. Dialogue: 0,0:02:30.10,0:02:32.70,Default,,0000,0000,0000,,The other is asymmetric. So Alice wants to\Nsend Dialogue: 0,0:02:32.70,0:02:35.68,Default,,0000,0000,0000,,a message to Bob. Same idea here. She's gonna Dialogue: 0,0:02:35.68,0:02:37.45,Default,,0000,0000,0000,,put it in a box and lock it with Dialogue: 0,0:02:37.45,0:02:40.25,Default,,0000,0000,0000,,one key, and then Bob magically has another\Nkey Dialogue: 0,0:02:40.25,0:02:43.53,Default,,0000,0000,0000,,that lets him get the message out. Dialogue: 0,0:02:43.53,0:02:46.68,Default,,0000,0000,0000,,The big problem with encryption is it lies\Nat Dialogue: 0,0:02:46.68,0:02:52.65,Default,,0000,0000,0000,,the intersection of math and security. So,\Nlike, math Dialogue: 0,0:02:52.65,0:02:55.30,Default,,0000,0000,0000,,is hard and security is hard, and when we Dialogue: 0,0:02:55.30,0:02:58.35,Default,,0000,0000,0000,,put all these things together, especially\Nwhen we're talking Dialogue: 0,0:02:58.35,0:03:01.21,Default,,0000,0000,0000,,about doing this in a programming language\Nwhere we Dialogue: 0,0:03:01.21,0:03:05.48,Default,,0000,0000,0000,,have bugs, things are gonna get pretty hard. Dialogue: 0,0:03:05.48,0:03:08.06,Default,,0000,0000,0000,,And this is one of my favorite quotes from Dialogue: 0,0:03:08.06,0:03:12.10,Default,,0000,0000,0000,,Cryptonomicon. 
So, this is kind of the situation\Nwe're Dialogue: 0,0:03:12.10,0:03:14.17,Default,,0000,0000,0000,,in, I think, in the Ruby world. That most Dialogue: 0,0:03:14.17,0:03:17.68,Default,,0000,0000,0000,,of the encryption gems out there aren't designed\Nby Dialogue: 0,0:03:17.68,0:03:23.42,Default,,0000,0000,0000,,cryptographers, they're designed by amateurish\Npeople who are trying Dialogue: 0,0:03:23.42,0:03:26.28,Default,,0000,0000,0000,,to, trying to put everything together but\Nmaybe just Dialogue: 0,0:03:26.28,0:03:28.66,Default,,0000,0000,0000,,don't quite know how. Dialogue: 0,0:03:28.66,0:03:31.73,Default,,0000,0000,0000,,So I'm gonna go through all the attacks on Dialogue: 0,0:03:31.73,0:03:35.06,Default,,0000,0000,0000,,symmetric crypto. Unfortunately, I don't think\NI have time Dialogue: 0,0:03:35.06,0:03:37.75,Default,,0000,0000,0000,,to do asymmetric crypto. So I left a bunch Dialogue: 0,0:03:37.75,0:03:40.82,Default,,0000,0000,0000,,of those attacks out. But, guess what, it's\Neven Dialogue: 0,0:03:40.82,0:03:46.13,Default,,0000,0000,0000,,worse. So we're gonna talk about AES today.\NAES Dialogue: 0,0:03:46.13,0:03:50.45,Default,,0000,0000,0000,,is a symmetric encryption cipher. It's great.\NI would Dialogue: 0,0:03:50.45,0:03:53.65,Default,,0000,0000,0000,,recommend you use AES, but it's sort of like Dialogue: 0,0:03:53.65,0:03:57.25,Default,,0000,0000,0000,,aim away from face, read all instructions\Nbefore proceeding Dialogue: 0,0:03:57.25,0:03:58.67,Default,,0000,0000,0000,,kind of thing. Dialogue: 0,0:03:58.67,0:04:02.68,Default,,0000,0000,0000,,So this is how AES works. It's a block Dialogue: 0,0:04:02.68,0:04:05.92,Default,,0000,0000,0000,,cypher, so it works on fix-sized blocks. 
So\Nwe're Dialogue: 0,0:04:05.92,0:04:10.07,Default,,0000,0000,0000,,gonna take a sixteen byte piece of plain text Dialogue: 0,0:04:10.07,0:04:11.81,Default,,0000,0000,0000,,and we're gonna use a key, which can either Dialogue: 0,0:04:11.81,0:04:15.54,Default,,0000,0000,0000,,be sixteen, twenty-four, or thirty-two bytes.\NYou want to Dialogue: 0,0:04:15.54,0:04:16.66,Default,,0000,0000,0000,,generate that randomly. Dialogue: 0,0:04:16.66,0:04:19.90,Default,,0000,0000,0000,,And from that we're gonna get a sixteen byte Dialogue: 0,0:04:19.90,0:04:21.07,Default,,0000,0000,0000,,block of cyphertext. Dialogue: 0,0:04:21.07,0:04:24.70,Default,,0000,0000,0000,,So, that's all well good. AES works great.\NThere's Dialogue: 0,0:04:24.70,0:04:27.89,Default,,0000,0000,0000,,just this little problem. How do we encrypt\Nsomething Dialogue: 0,0:04:27.89,0:04:30.17,Default,,0000,0000,0000,,that is large than sixteen bytes? Dialogue: 0,0:04:30.17,0:04:35.33,Default,,0000,0000,0000,,Well, one solution to this, PHP decided to\Nuse Dialogue: 0,0:04:35.33,0:04:38.83,Default,,0000,0000,0000,,a different ver- so AES is derived from a Dialogue: 0,0:04:38.83,0:04:43.24,Default,,0000,0000,0000,,cypher called Rijndael. PHP should be the\Nversion of Dialogue: 0,0:04:43.24,0:04:47.52,Default,,0000,0000,0000,,Rijndael with the 256 byte block size. So\Nthis Dialogue: 0,0:04:47.52,0:04:52.14,Default,,0000,0000,0000,,is awesome. It's a completely non-standard\Nversion of AES Dialogue: 0,0:04:52.14,0:04:55.28,Default,,0000,0000,0000,,that only PHP uses. Dialogue: 0,0:04:55.28,0:04:58.15,Default,,0000,0000,0000,,So let's not do that. Dialogue: 0,0:04:58.15,0:05:01.22,Default,,0000,0000,0000,,So let's figure out how to do this, right. Dialogue: 0,0:05:01.22,0:05:03.20,Default,,0000,0000,0000,,So the naive solution to this is to use Dialogue: 0,0:05:03.20,0:05:08.18,Default,,0000,0000,0000,,something called ECB mode. 
So there's this\Nguy here, Dialogue: 0,0:05:08.18,0:05:11.44,Default,,0000,0000,0000,,he apparently couldn't find out how to use,\Ndo Dialogue: 0,0:05:11.44,0:05:14.98,Default,,0000,0000,0000,,encryption with OpenSSL itself, so he went\Noff and Dialogue: 0,0:05:14.98,0:05:19.06,Default,,0000,0000,0000,,he made his own gem to encrypt stuff with Dialogue: 0,0:05:19.06,0:05:20.38,Default,,0000,0000,0000,,ECB mode. Dialogue: 0,0:05:20.38,0:05:23.80,Default,,0000,0000,0000,,You see there, he has C security nodes, ECB Dialogue: 0,0:05:23.80,0:05:27.25,Default,,0000,0000,0000,,mode only. The problem with the ECB mode is Dialogue: 0,0:05:27.25,0:05:32.02,Default,,0000,0000,0000,,it's really, really bad. So what ECB mode\Nwould Dialogue: 0,0:05:32.02,0:05:34.64,Default,,0000,0000,0000,,have you to is just take all these blocks Dialogue: 0,0:05:34.64,0:05:37.70,Default,,0000,0000,0000,,of plain text and encrypt them under the same Dialogue: 0,0:05:37.70,0:05:39.92,Default,,0000,0000,0000,,key. Dialogue: 0,0:05:39.92,0:05:42.26,Default,,0000,0000,0000,,So what's the problem with that? Well, it\Nleaks Dialogue: 0,0:05:42.26,0:05:46.60,Default,,0000,0000,0000,,information. So let's say this is our plain\Ntext Dialogue: 0,0:05:46.60,0:05:49.01,Default,,0000,0000,0000,,we want to encrypt. If we run that through Dialogue: 0,0:05:49.01,0:05:52.08,Default,,0000,0000,0000,,ECB mode, we get something that looks like\Nthis. Dialogue: 0,0:05:52.08,0:05:54.15,Default,,0000,0000,0000,,So I think you can all see from this Dialogue: 0,0:05:54.15,0:05:59.04,Default,,0000,0000,0000,,that this thing isn't very well-encrypted.\NWe can totally, Dialogue: 0,0:05:59.04,0:06:02.20,Default,,0000,0000,0000,,can totally see what it is. Dialogue: 0,0:06:02.20,0:06:05.91,Default,,0000,0000,0000,,So what's the solution to this? So, we need Dialogue: 0,0:06:05.91,0:06:10.67,Default,,0000,0000,0000,,to use a different block cipher mode of operation. 
Dialogue: 0,0:06:10.67,0:06:13.11,Default,,0000,0000,0000,,There's lots of these guys. We just kind of Dialogue: 0,0:06:13.11,0:06:15.66,Default,,0000,0000,0000,,have to pick one. There's all sorts of various Dialogue: 0,0:06:15.66,0:06:20.47,Default,,0000,0000,0000,,trade-offs. The one that people mostly settled\Non today Dialogue: 0,0:06:20.47,0:06:22.12,Default,,0000,0000,0000,,is countermode. Dialogue: 0,0:06:22.12,0:06:26.31,Default,,0000,0000,0000,,So counter mode is fairly easy to understand,\NI Dialogue: 0,0:06:26.31,0:06:29.64,Default,,0000,0000,0000,,think. It's sort of similar to a one-time\Npad. Dialogue: 0,0:06:29.64,0:06:32.47,Default,,0000,0000,0000,,So what we're gonna do is take a block Dialogue: 0,0:06:32.47,0:06:34.61,Default,,0000,0000,0000,,cypher, like AES and try to turn it into Dialogue: 0,0:06:34.61,0:06:38.60,Default,,0000,0000,0000,,a stream cypher. So what we're gonna do is Dialogue: 0,0:06:38.60,0:06:41.56,Default,,0000,0000,0000,,effectively generate a bunch of pseudo-random\Nnumbers. Dialogue: 0,0:06:41.56,0:06:44.72,Default,,0000,0000,0000,,So we feed in a nance, which is some Dialogue: 0,0:06:44.72,0:06:48.56,Default,,0000,0000,0000,,secret starting place, and a key, which is\Nthe Dialogue: 0,0:06:48.56,0:06:51.01,Default,,0000,0000,0000,,same as what we were putting in before. And Dialogue: 0,0:06:51.01,0:06:53.19,Default,,0000,0000,0000,,then there's this little counter, and every\Ntime we Dialogue: 0,0:06:53.19,0:06:56.60,Default,,0000,0000,0000,,crypt a block, it's just gonna count it by Dialogue: 0,0:06:56.60,0:06:56.95,Default,,0000,0000,0000,,one. 
Dialogue: 0,0:06:56.95,0:06:58.90,Default,,0000,0000,0000,,So what we're actually gonna do is combine\Nthe Dialogue: 0,0:06:58.90,0:07:01.81,Default,,0000,0000,0000,,nance and the counter, and encrypt that with\NAES, Dialogue: 0,0:07:01.81,0:07:03.39,Default,,0000,0000,0000,,and what we're gonna get is a little bit Dialogue: 0,0:07:03.39,0:07:06.85,Default,,0000,0000,0000,,of pseudo-random pad for each part of the\Nplain Dialogue: 0,0:07:06.85,0:07:10.34,Default,,0000,0000,0000,,text. And for each of these paths, for each Dialogue: 0,0:07:10.34,0:07:12.41,Default,,0000,0000,0000,,of these blocks, we're gonna x over the pad Dialogue: 0,0:07:12.41,0:07:14.70,Default,,0000,0000,0000,,with a plain text, and that's gonna give us Dialogue: 0,0:07:14.70,0:07:15.77,Default,,0000,0000,0000,,our cypher text. Dialogue: 0,0:07:15.77,0:07:18.74,Default,,0000,0000,0000,,So if we go back to our little Ruby Dialogue: 0,0:07:18.74,0:07:23.45,Default,,0000,0000,0000,,gem image here, what we're gonna do is combine Dialogue: 0,0:07:23.45,0:07:26.06,Default,,0000,0000,0000,,this with a pseudo random pad, and what we're Dialogue: 0,0:07:26.06,0:07:29.81,Default,,0000,0000,0000,,gonna get is the cypher text. So I hope Dialogue: 0,0:07:29.81,0:07:34.50,Default,,0000,0000,0000,,you can see that little subtle change there.\NSo Dialogue: 0,0:07:34.50,0:07:37.04,Default,,0000,0000,0000,,this is actually encrypted, right. We can\Nno longer Dialogue: 0,0:07:37.04,0:07:42.36,Default,,0000,0000,0000,,see that gem and now we're done. Success! Dialogue: 0,0:07:42.36,0:07:47.95,Default,,0000,0000,0000,,We've, we've obtained confidentiality. Except\Na problem. Dialogue: 0,0:07:47.95,0:07:50.84,Default,,0000,0000,0000,,Our repeating nonces will leak information.\NSo we can't Dialogue: 0,0:07:50.84,0:07:54.47,Default,,0000,0000,0000,,ever use the same nance and key. So the Dialogue: 0,0:07:54.47,0:07:57.38,Default,,0000,0000,0000,,solution is just don't do that. 
Dialogue: 0,0:07:57.38,0:08:02.26,Default,,0000,0000,0000,,So we've got another problem here. Support\Nfor counter Dialogue: 0,0:08:02.26,0:08:06.69,Default,,0000,0000,0000,,mode in Ruby OpenSSL is spotty. So unfortunately\Nwe Dialogue: 0,0:08:06.69,0:08:10.19,Default,,0000,0000,0000,,can't use sort of the industry best practices\Nhere. Dialogue: 0,0:08:10.19,0:08:11.63,Default,,0000,0000,0000,,And what we're gonna use is CBC mode. CDC Dialogue: 0,0:08:11.63,0:08:15.86,Default,,0000,0000,0000,,mode is fine. There are a few small issues Dialogue: 0,0:08:15.86,0:08:19.89,Default,,0000,0000,0000,,with it, but unfortunately I don't have time\Nto Dialogue: 0,0:08:19.89,0:08:21.26,Default,,0000,0000,0000,,go into them. Dialogue: 0,0:08:21.26,0:08:24.39,Default,,0000,0000,0000,,So, next problem. Attacker, who we hand this\Nmessage Dialogue: 0,0:08:24.39,0:08:30.01,Default,,0000,0000,0000,,to, can manipulate, with something called\Nmalleability. So let's Dialogue: 0,0:08:30.01,0:08:33.20,Default,,0000,0000,0000,,say our plain text is attack at dawn, and Dialogue: 0,0:08:33.20,0:08:35.07,Default,,0000,0000,0000,,we encrypt that and we have a cypher text Dialogue: 0,0:08:35.07,0:08:37.36,Default,,0000,0000,0000,,and we hand that to an attacker. Let's say Dialogue: 0,0:08:37.36,0:08:39.60,Default,,0000,0000,0000,,this attacker is able to guess what the plain Dialogue: 0,0:08:39.60,0:08:41.32,Default,,0000,0000,0000,,text was. Dialogue: 0,0:08:41.32,0:08:43.93,Default,,0000,0000,0000,,So what this attacker can then do is x Dialogue: 0,0:08:43.93,0:08:47.63,Default,,0000,0000,0000,,over part of the cypher text with what he Dialogue: 0,0:08:47.63,0:08:49.98,Default,,0000,0000,0000,,thinks the original plain text is, and then\Nx Dialogue: 0,0:08:49.98,0:08:52.03,Default,,0000,0000,0000,,over that again with what he wants it to Dialogue: 0,0:08:52.03,0:08:54.48,Default,,0000,0000,0000,,be. 
So what you get is sort of this Dialogue: 0,0:08:54.48,0:08:57.87,Default,,0000,0000,0000,,like manipulated cypher text, and now when\Nwe decrypt Dialogue: 0,0:08:57.87,0:09:00.95,Default,,0000,0000,0000,,it, it gives us the wrong thing. This isn't Dialogue: 0,0:09:00.95,0:09:03.36,Default,,0000,0000,0000,,what we expected it to be. Dialogue: 0,0:09:03.36,0:09:05.74,Default,,0000,0000,0000,,So the solution to this is to use something Dialogue: 0,0:09:05.74,0:09:09.74,Default,,0000,0000,0000,,called a message authentication code. When\Nwe combine this Dialogue: 0,0:09:09.74,0:09:12.74,Default,,0000,0000,0000,,with a encryption cypher, what we get is something Dialogue: 0,0:09:12.74,0:09:15.47,Default,,0000,0000,0000,,called authenticate encryption. Dialogue: 0,0:09:15.47,0:09:18.28,Default,,0000,0000,0000,,So with a Mac, what we do is we Dialogue: 0,0:09:18.28,0:09:22.34,Default,,0000,0000,0000,,take the message and then we have a key, Dialogue: 0,0:09:22.34,0:09:24.12,Default,,0000,0000,0000,,and when we combine the message and the key, Dialogue: 0,0:09:24.12,0:09:27.04,Default,,0000,0000,0000,,we get this fix-lengthed tag. So we know we Dialogue: 0,0:09:27.04,0:09:31.40,Default,,0000,0000,0000,,have the right message when we take the same Dialogue: 0,0:09:31.40,0:09:33.44,Default,,0000,0000,0000,,message and the same key and then we get Dialogue: 0,0:09:33.44,0:09:35.20,Default,,0000,0000,0000,,the mac we expect. Dialogue: 0,0:09:35.20,0:09:38.73,Default,,0000,0000,0000,,So once again, there's a whole lot of these. Dialogue: 0,0:09:38.73,0:09:42.34,Default,,0000,0000,0000,,Like, HMAC is the one I'm sure you've heard Dialogue: 0,0:09:42.34,0:09:44.68,Default,,0000,0000,0000,,of if you've heard of one of these. The Dialogue: 0,0:09:44.68,0:09:47.16,Default,,0000,0000,0000,,others are somewhat less common. Dialogue: 0,0:09:47.16,0:09:51.81,Default,,0000,0000,0000,,So now we have yet another problem. 
What order Dialogue: 0,0:09:51.81,0:09:56.56,Default,,0000,0000,0000,,do we combine the encryption and the mac?\NSo Dialogue: 0,0:09:56.56,0:10:00.87,Default,,0000,0000,0000,,there's effectively three ways to do this,\Nand common Dialogue: 0,0:10:00.87,0:10:03.56,Default,,0000,0000,0000,,internet tools have all sort of chosen their\Nown Dialogue: 0,0:10:03.56,0:10:07.81,Default,,0000,0000,0000,,different way. So the first is called mac-then-encrypt.\NThis Dialogue: 0,0:10:07.81,0:10:11.15,Default,,0000,0000,0000,,is what's used by SSL and TLS. So the Dialogue: 0,0:10:11.15,0:10:14.31,Default,,0000,0000,0000,,idea is you take the plain text and you Dialogue: 0,0:10:14.31,0:10:17.06,Default,,0000,0000,0000,,compute the mac to the plain text, and then Dialogue: 0,0:10:17.06,0:10:22.34,Default,,0000,0000,0000,,you sort of combine those together and encrypt\Nboth. Dialogue: 0,0:10:22.34,0:10:25.00,Default,,0000,0000,0000,,Another way to do it is called encrypt-then-mac.\NThis Dialogue: 0,0:10:25.00,0:10:30.30,Default,,0000,0000,0000,,is used by the IP sect protocol for, like, Dialogue: 0,0:10:30.30,0:10:34.51,Default,,0000,0000,0000,,yeah. So we have plain text. What we're gonna Dialogue: 0,0:10:34.51,0:10:37.86,Default,,0000,0000,0000,,do is encrypt it first, and then we're going Dialogue: 0,0:10:37.86,0:10:42.38,Default,,0000,0000,0000,,to calculate the mac of the cypher text. 
So Dialogue: 0,0:10:42.38,0:10:45.19,Default,,0000,0000,0000,,the third way, which is used by SSH, we Dialogue: 0,0:10:45.19,0:10:49.19,Default,,0000,0000,0000,,take the plain text and we encrypt it, then Dialogue: 0,0:10:49.19,0:10:52.01,Default,,0000,0000,0000,,we get the cypher text, and then we take Dialogue: 0,0:10:52.01,0:10:54.00,Default,,0000,0000,0000,,the original plain text and we compute the\Nmac Dialogue: 0,0:10:54.00,0:10:56.15,Default,,0000,0000,0000,,of that and then we put the cypher text Dialogue: 0,0:10:56.15,0:10:58.52,Default,,0000,0000,0000,,and the mac of the plain text together. Dialogue: 0,0:10:58.52,0:11:03.03,Default,,0000,0000,0000,,So which, which of these sort of three standards Dialogue: 0,0:11:03.03,0:11:06.12,Default,,0000,0000,0000,,or three approaches got it right? Anybody\Nwant to Dialogue: 0,0:11:06.12,0:11:10.17,Default,,0000,0000,0000,,take a guess which of these is actually the Dialogue: 0,0:11:10.17,0:11:11.74,Default,,0000,0000,0000,,right way? Dialogue: 0,0:11:11.74,0:11:13.91,Default,,0000,0000,0000,,None. There's actually a right answer. One\Nof them Dialogue: 0,0:11:13.91,0:11:18.04,Default,,0000,0000,0000,,did get it right. So the answer is encrypt-then-mac Dialogue: 0,0:11:18.04,0:11:21.43,Default,,0000,0000,0000,,used by IP sect. So why? What's wrong with Dialogue: 0,0:11:21.43,0:11:24.32,Default,,0000,0000,0000,,these other methods? Dialogue: 0,0:11:24.32,0:11:26.92,Default,,0000,0000,0000,,So SSL/TLS, you might remember there was this\Nattack Dialogue: 0,0:11:26.92,0:11:31.17,Default,,0000,0000,0000,,called Beast. It's using something called\Na padding oracle. Dialogue: 0,0:11:31.17,0:11:34.43,Default,,0000,0000,0000,,I didn't really go into how padding actually\Nworks, Dialogue: 0,0:11:34.43,0:11:37.53,Default,,0000,0000,0000,,but it's how you deal with, when your plain Dialogue: 0,0:11:37.53,0:11:40.37,Default,,0000,0000,0000,,text isn't actually aligned to a block. 
Dialogue: 0,0:11:40.37,0:11:42.73,Default,,0000,0000,0000,,So, using Beast, they were able to get a Dialogue: 0,0:11:42.73,0:11:46.46,Default,,0000,0000,0000,,little bit of information out of when it decrypts Dialogue: 0,0:11:46.46,0:11:50.26,Default,,0000,0000,0000,,and it does this padding check and you can Dialogue: 0,0:11:50.26,0:11:52.27,Default,,0000,0000,0000,,tell if it got through the padding or not Dialogue: 0,0:11:52.27,0:11:54.36,Default,,0000,0000,0000,,before it hit the mac. Dialogue: 0,0:11:54.36,0:11:57.16,Default,,0000,0000,0000,,So the solution TLS uses now is to make Dialogue: 0,0:11:57.16,0:11:59.16,Default,,0000,0000,0000,,sure it always checks the mac, even if the Dialogue: 0,0:11:59.16,0:12:01.57,Default,,0000,0000,0000,,padding fails. So that's a little bit of a Dialogue: 0,0:12:01.57,0:12:02.73,Default,,0000,0000,0000,,band aid. Dialogue: 0,0:12:02.73,0:12:07.66,Default,,0000,0000,0000,,Encrypt-and-mac, used by SSH, is vulnerable\Nto chosen cyphertext Dialogue: 0,0:12:07.66,0:12:12.23,Default,,0000,0000,0000,,attacks. There's a fun little paper on this.\NFortunately Dialogue: 0,0:12:12.23,0:12:18.09,Default,,0000,0000,0000,,the SSH protocol was extensible enough they\Nmanaged to Dialogue: 0,0:12:18.09,0:12:22.53,Default,,0000,0000,0000,,avoid, they managed to effectively fix this\Nretroactively. Dialogue: 0,0:12:22.53,0:12:26.30,Default,,0000,0000,0000,,So in review here, if we were trying to Dialogue: 0,0:12:26.30,0:12:30.47,Default,,0000,0000,0000,,build our own authenticated encryption scheme,\Nwhat we have Dialogue: 0,0:12:30.47,0:12:33.04,Default,,0000,0000,0000,,so far is sort of using AES in CBC Dialogue: 0,0:12:33.04,0:12:36.59,Default,,0000,0000,0000,,mode, since Ruby OpenSSL doesn't support countermode.\NWe're gonna Dialogue: 0,0:12:36.59,0:12:40.72,Default,,0000,0000,0000,,do the IP sect thing and encrypt-then-mac\Nand I Dialogue: 0,0:12:40.72,0:12:44.00,Default,,0000,0000,0000,,showed HMAC. 
HMAC is really nice cause it\Ntakes Dialogue: 0,0:12:44.00,0:12:45.73,Default,,0000,0000,0000,,a lot of the sharp edges off some of Dialogue: 0,0:12:45.73,0:12:47.33,Default,,0000,0000,0000,,the other macs. Dialogue: 0,0:12:47.33,0:12:51.01,Default,,0000,0000,0000,,So what this actually ends up looking like\Nis Dialogue: 0,0:12:51.01,0:12:55.51,Default,,0000,0000,0000,,what's in Rails. The ActiveSupport message\Nencrypter. So this Dialogue: 0,0:12:55.51,0:12:58.14,Default,,0000,0000,0000,,is definitely a cool thing to use if you Dialogue: 0,0:12:58.14,0:13:01.38,Default,,0000,0000,0000,,just need to encrypt something and you're\Nusing Rails. Dialogue: 0,0:13:01.38,0:13:04.37,Default,,0000,0000,0000,,It's definitely a way to go. Dialogue: 0,0:13:04.37,0:13:07.56,Default,,0000,0000,0000,,So let's talk about what else could go wrong. Dialogue: 0,0:13:07.56,0:13:09.56,Default,,0000,0000,0000,,Not done yet. Dialogue: 0,0:13:09.56,0:13:13.27,Default,,0000,0000,0000,,So the next thing is timing attacks on. So Dialogue: 0,0:13:13.27,0:13:17.33,Default,,0000,0000,0000,,speaking of that ActiveSupport message encryptor,\Nit used to Dialogue: 0,0:13:17.33,0:13:20.47,Default,,0000,0000,0000,,be vulnerable to these. So this is a patch Dialogue: 0,0:13:20.47,0:13:24.27,Default,,0000,0000,0000,,by Koda Hail to implement a constant time\Ncomparison Dialogue: 0,0:13:24.27,0:13:26.52,Default,,0000,0000,0000,,of the mac. And the problem is if you Dialogue: 0,0:13:26.52,0:13:29.29,Default,,0000,0000,0000,,don't do this, the attacker can use this sort Dialogue: 0,0:13:29.29,0:13:33.87,Default,,0000,0000,0000,,of, like, infinitesimal timing information,\Nespecially if they're on Dialogue: 0,0:13:33.87,0:13:35.37,Default,,0000,0000,0000,,the same LAN as you or on the same Dialogue: 0,0:13:35.37,0:13:37.72,Default,,0000,0000,0000,,host, to just try to guess at the mac Dialogue: 0,0:13:37.72,0:13:39.39,Default,,0000,0000,0000,,a byte at a time. 
Dialogue: 0,0:13:39.39,0:13:41.56,Default,,0000,0000,0000,,So you see before what it was doing was Dialogue: 0,0:13:41.56,0:13:45.12,Default,,0000,0000,0000,,not equals. So the problem with not equals\Nis Dialogue: 0,0:13:45.12,0:13:47.91,Default,,0000,0000,0000,,it'll sort of bail fast and exit early as Dialogue: 0,0:13:47.91,0:13:51.47,Default,,0000,0000,0000,,soon as it sees something that doesn't match.\NSo Dialogue: 0,0:13:51.47,0:13:53.98,Default,,0000,0000,0000,,by using the timing information off of that,\Nan Dialogue: 0,0:13:53.98,0:13:57.59,Default,,0000,0000,0000,,attacker can effectively guess the mac a byte\Nat Dialogue: 0,0:13:57.59,0:13:58.71,Default,,0000,0000,0000,,a time. Dialogue: 0,0:13:58.71,0:14:01.21,Default,,0000,0000,0000,,So the solution is all that nonsense you see Dialogue: 0,0:14:01.21,0:14:04.28,Default,,0000,0000,0000,,down there at the bottom, where they're doing\Nxor Dialogue: 0,0:14:04.28,0:14:07.24,Default,,0000,0000,0000,,between the two bytes and doing or equals\Nand Dialogue: 0,0:14:07.24,0:14:09.59,Default,,0000,0000,0000,,doing this over all the bytes and then looking Dialogue: 0,0:14:09.59,0:14:12.53,Default,,0000,0000,0000,,at the actual value of the result. Dialogue: 0,0:14:12.53,0:14:16.100,Default,,0000,0000,0000,,So this is all pretty crazy stuff, right.\NAnd Dialogue: 0,0:14:16.100,0:14:21.70,Default,,0000,0000,0000,,we haven't even talked about pubkey. So really,\NI Dialogue: 0,0:14:21.70,0:14:24.63,Default,,0000,0000,0000,,don't think amateurs should be trying to put\Nall Dialogue: 0,0:14:24.63,0:14:27.09,Default,,0000,0000,0000,,this stuff together. Unfortunately that's\Nsort of been the Dialogue: 0,0:14:27.09,0:14:32.13,Default,,0000,0000,0000,,state of the world in Ruby. Dialogue: 0,0:14:32.13,0:14:35.27,Default,,0000,0000,0000,,So what can we do better? We can have Dialogue: 0,0:14:35.27,0:14:41.61,Default,,0000,0000,0000,,more boring crypto constructs. 
So what, what\Nqualifies as Dialogue: 0,0:14:41.61,0:14:44.59,Default,,0000,0000,0000,,boring? Well, to do that, let's talk about\Nwhat Dialogue: 0,0:14:44.59,0:14:46.37,Default,,0000,0000,0000,,isn't boring. Dialogue: 0,0:14:46.37,0:14:50.41,Default,,0000,0000,0000,,So this has been how most things have worked Dialogue: 0,0:14:50.41,0:14:53.75,Default,,0000,0000,0000,,in the Ruby world. So OpenSSL is kind of Dialogue: 0,0:14:53.75,0:14:57.98,Default,,0000,0000,0000,,a terrible library to begin with, and then\Npretty Dialogue: 0,0:14:57.98,0:15:00.59,Default,,0000,0000,0000,,much every Ruby gem you see that deals with Dialogue: 0,0:15:00.59,0:15:04.65,Default,,0000,0000,0000,,encryption just layers on a bunch of amateur\Ncode, Dialogue: 0,0:15:04.65,0:15:06.43,Default,,0000,0000,0000,,trying to put all this stuff I just described Dialogue: 0,0:15:06.43,0:15:07.16,Default,,0000,0000,0000,,to you together. Dialogue: 0,0:15:07.16,0:15:10.91,Default,,0000,0000,0000,,And typically, they'll get at least one thing\Nwrong. Dialogue: 0,0:15:10.91,0:15:14.34,Default,,0000,0000,0000,,So, I'm not gonna name anymore names besides\Nthat Dialogue: 0,0:15:14.34,0:15:16.91,Default,,0000,0000,0000,,Fast APS gem, because I think that one was Dialogue: 0,0:15:16.91,0:15:20.38,Default,,0000,0000,0000,,just pretty crazy and dangerous. But pretty\Nmuch every Dialogue: 0,0:15:20.38,0:15:22.60,Default,,0000,0000,0000,,gem out there, if you go through and you Dialogue: 0,0:15:22.60,0:15:24.39,Default,,0000,0000,0000,,try to look for all these things to make Dialogue: 0,0:15:24.39,0:15:26.79,Default,,0000,0000,0000,,sure they got it all right, they will generally Dialogue: 0,0:15:26.79,0:15:30.38,Default,,0000,0000,0000,,get something wrong. Oftentimes they will\Nnot use a Dialogue: 0,0:15:30.38,0:15:32.81,Default,,0000,0000,0000,,mac at all, so they'll just use encryption,\Nand Dialogue: 0,0:15:32.81,0:15:37.14,Default,,0000,0000,0000,,the attacker can screw with your cypher text. 
Dialogue: 0,0:15:37.14,0:15:39.19,Default,,0000,0000,0000,,And then there's all sorts of other little\Nthings Dialogue: 0,0:15:39.19,0:15:42.27,Default,,0000,0000,0000,,that they can get wrong which I didn't even Dialogue: 0,0:15:42.27,0:15:43.41,Default,,0000,0000,0000,,cover here. Dialogue: 0,0:15:43.41,0:15:49.01,Default,,0000,0000,0000,,So the boring approach in my opinion is to Dialogue: 0,0:15:49.01,0:15:52.03,Default,,0000,0000,0000,,use a crypto library written by cryptographers.\NAnd when Dialogue: 0,0:15:52.03,0:15:55.13,Default,,0000,0000,0000,,I talk about a cryptographer, who am I talking Dialogue: 0,0:15:55.13,0:15:57.63,Default,,0000,0000,0000,,about? And it isn't someone like me, right.\NI'm Dialogue: 0,0:15:57.63,0:16:01.39,Default,,0000,0000,0000,,a crypto enthusiast, but I'm not a cryptographer.\NI Dialogue: 0,0:16:01.39,0:16:03.97,Default,,0000,0000,0000,,cannot design my own cyphers that will be\Nsecure Dialogue: 0,0:16:03.97,0:16:07.69,Default,,0000,0000,0000,,yet. It's something I aspire to maybe, but\Nnot Dialogue: 0,0:16:07.69,0:16:09.14,Default,,0000,0000,0000,,quite yet. Dialogue: 0,0:16:09.14,0:16:12.23,Default,,0000,0000,0000,,So what we really want is to bind to Dialogue: 0,0:16:12.23,0:16:16.12,Default,,0000,0000,0000,,a library that was actually written by cryptographers,\Npeople Dialogue: 0,0:16:16.12,0:16:19.10,Default,,0000,0000,0000,,who spend all their time thinking about these\Nkinds Dialogue: 0,0:16:19.10,0:16:20.90,Default,,0000,0000,0000,,of attacks. Dialogue: 0,0:16:20.90,0:16:25.22,Default,,0000,0000,0000,,So I have written a library like this that Dialogue: 0,0:16:25.22,0:16:29.100,Default,,0000,0000,0000,,is actually a FFI binding to an actual library Dialogue: 0,0:16:29.100,0:16:34.53,Default,,0000,0000,0000,,written by cryptographers. So the name is,\Nunfortunately, a Dialogue: 0,0:16:34.53,0:16:39.38,Default,,0000,0000,0000,,little bit confusing. 
I call it RbNaCl, but\Nyou Dialogue: 0,0:16:39.38,0:16:43.40,Default,,0000,0000,0000,,may also know there is Google native client.\NIt Dialogue: 0,0:16:43.40,0:16:48.43,Default,,0000,0000,0000,,isn't that. And there's also a, a, an ACL Dialogue: 0,0:16:48.43,0:16:54.14,Default,,0000,0000,0000,,organization that, in Japan, you might be\Nfamiliar with. Dialogue: 0,0:16:54.14,0:16:55.58,Default,,0000,0000,0000,,It isn't that. Dialogue: 0,0:16:55.58,0:16:57.60,Default,,0000,0000,0000,,So this is a library by this guy Dan Dialogue: 0,0:16:57.60,0:17:01.31,Default,,0000,0000,0000,,Burnstein. You may know him for libraries\Nlike, or Dialogue: 0,0:17:01.31,0:17:07.93,Default,,0000,0000,0000,,projects like Qmail, DJBDNS, and DaemonTools.\NAnd if you Dialogue: 0,0:17:07.93,0:17:10.47,Default,,0000,0000,0000,,haven't been paying attention to him for the\Npast Dialogue: 0,0:17:10.47,0:17:13.82,Default,,0000,0000,0000,,decade or so, what he's really going hardcore\Nfor Dialogue: 0,0:17:13.82,0:17:14.72,Default,,0000,0000,0000,,is cryptography. Dialogue: 0,0:17:14.72,0:17:17.54,Default,,0000,0000,0000,,So he has designed quite a few of his Dialogue: 0,0:17:17.54,0:17:22.42,Default,,0000,0000,0000,,own cyphers. And all sorts of algorithms and\Ncreated Dialogue: 0,0:17:22.42,0:17:26.94,Default,,0000,0000,0000,,this NaCl library, which is slowly gaining\Na little Dialogue: 0,0:17:26.94,0:17:30.88,Default,,0000,0000,0000,,bit of popularity. And you see the URL down Dialogue: 0,0:17:30.88,0:17:35.86,Default,,0000,0000,0000,,there. It's under the cryptosphere organization,\Nslash rbnacl. Dialogue: 0,0:17:35.86,0:17:39.78,Default,,0000,0000,0000,,So to make things even more confusing, this\Nisn't Dialogue: 0,0:17:39.78,0:17:43.77,Default,,0000,0000,0000,,actually binding to nacl, it's binding to\Na portable Dialogue: 0,0:17:43.77,0:17:48.16,Default,,0000,0000,0000,,repackaging of nacl called libsodium. 
So the\Nbest description Dialogue: 0,0:17:48.16,0:17:52.68,Default,,0000,0000,0000,,I've heard of this, is it's de-Bernsteinized.\NA lot Dialogue: 0,0:17:52.68,0:17:56.07,Default,,0000,0000,0000,,of people don't like DJB's build Dialogue: 0,0:17:56.07,0:17:58.43,Default,,0000,0000,0000,,system, and it's kind of crazy 'cause the way Dialogue: 0,0:17:58.43,0:18:01.10,Default,,0000,0000,0000,,it works, once you build the library it's completely Dialogue: 0,0:18:01.10,0:18:04.71,Default,,0000,0000,0000,,non-relocatable, so you can't really package\Nit as a Dialogue: 0,0:18:04.71,0:18:07.14,Default,,0000,0000,0000,,binary for a distribution. Dialogue: 0,0:18:07.14,0:18:11.49,Default,,0000,0000,0000,,So libsodium took NaCl and added a standard\Nautomake Dialogue: 0,0:18:11.49,0:18:15.52,Default,,0000,0000,0000,,style build system. So it's easy to install,\Nit Dialogue: 0,0:18:15.52,0:18:18.31,Default,,0000,0000,0000,,is in MacPorts, and you can install it Dialogue: 0,0:18:18.31,0:18:22.85,Default,,0000,0000,0000,,with brew install libsodium. There are packages\Nfor various Dialogue: 0,0:18:22.85,0:18:25.91,Default,,0000,0000,0000,,Linux distributions. Some of them, you know,\Nyou'll have Dialogue: 0,0:18:25.91,0:18:29.33,Default,,0000,0000,0000,,to actually build yourself from source, but\Nthe basic Dialogue: 0,0:18:29.33,0:18:31.69,Default,,0000,0000,0000,,work is there, and it's getting more and more Dialogue: 0,0:18:31.69,0:18:33.61,Default,,0000,0000,0000,,widespread adoption. Dialogue: 0,0:18:33.61,0:18:39.45,Default,,0000,0000,0000,,So NaCl has many primitives. I'm only gonna\Ntalk Dialogue: 0,0:18:39.45,0:18:43.49,Default,,0000,0000,0000,,about two here.
So these are the symmetric\Nand Dialogue: 0,0:18:43.49,0:18:48.65,Default,,0000,0000,0000,,asymmetric encryption I was referring to earlier.\NBut it Dialogue: 0,0:18:48.65,0:18:50.91,Default,,0000,0000,0000,,also has a ton of other stuff, so it Dialogue: 0,0:18:50.91,0:18:56.79,Default,,0000,0000,0000,,has HMAC. It has digital signatures. It has\Nall Dialogue: 0,0:18:56.79,0:18:59.97,Default,,0000,0000,0000,,sorts of fun stuff for elliptic curve cryptography. Dialogue: 0,0:18:59.97,0:19:04.64,Default,,0000,0000,0000,,So I definitely recommend checking it out. You\Ncan go Dialogue: 0,0:19:04.64,0:19:07.14,Default,,0000,0000,0000,,to the rbnacl wiki and it has all the Dialogue: 0,0:19:07.14,0:19:12.22,Default,,0000,0000,0000,,features listed out for you. Dialogue: 0,0:19:12.22,0:19:14.65,Default,,0000,0000,0000,,So first I'm gonna talk about the symmetric\Nencryption Dialogue: 0,0:19:14.65,0:19:20.66,Default,,0000,0000,0000,,primitive it provides. So this is authenticated\Nsymmetric encryption Dialogue: 0,0:19:20.66,0:19:22.16,Default,,0000,0000,0000,,and it is called SecretBox. Dialogue: 0,0:19:22.16,0:19:29.16,Default,,0000,0000,0000,,So this may be a little hard to see. Dialogue: 0,0:19:29.32,0:19:33.15,Default,,0000,0000,0000,,But it should be fairly straightforward to\Nfollow, I Dialogue: 0,0:19:33.15,0:19:34.59,Default,,0000,0000,0000,,hope. So what we're gonna do is we're gonna Dialogue: 0,0:19:34.59,0:19:37.46,Default,,0000,0000,0000,,make a key that is the size of a Dialogue: 0,0:19:37.46,0:19:41.34,Default,,0000,0000,0000,,secret box key. It's actually thirty-two bytes.
Dialogue: 0,0:19:41.34,0:19:45.77,Default,,0000,0000,0000,,So you get a random key and that is Dialogue: 0,0:19:45.77,0:19:52.40,Default,,0000,0000,0000,,using rbnacl's own random number generation.\NOn Unix-like operating Dialogue: 0,0:19:52.40,0:19:57.26,Default,,0000,0000,0000,,systems it pulls from /dev/urandom and on\NWindows it Dialogue: 0,0:19:57.26,0:20:01.62,Default,,0000,0000,0000,,uses, I forget what it's called. Yeah. Windows. Dialogue: 0,0:20:01.62,0:20:05.19,Default,,0000,0000,0000,,Anyway. It does work on Windows. Dialogue: 0,0:20:05.19,0:20:07.20,Default,,0000,0000,0000,,So after we've done that, we're gonna make\Na Dialogue: 0,0:20:07.20,0:20:10.84,Default,,0000,0000,0000,,new secret box with the key, and then here's Dialogue: 0,0:20:10.84,0:20:14.09,Default,,0000,0000,0000,,the fun part. We need to make a nonce. Dialogue: 0,0:20:14.09,0:20:17.59,Default,,0000,0000,0000,,So this is just generating a random nonce\Nof Dialogue: 0,0:20:17.59,0:20:21.08,Default,,0000,0000,0000,,the secret box's nonce bytes length. Dialogue: 0,0:20:21.08,0:20:25.84,Default,,0000,0000,0000,,There's also another feature in rbnacl called\NRandomNonceBox Dialogue: 0,0:20:25.84,0:20:28.44,Default,,0000,0000,0000,,that'll do all this stuff for you. The important Dialogue: 0,0:20:28.44,0:20:33.26,Default,,0000,0000,0000,,part is a nonce is a single-use value. So Dialogue: 0,0:20:33.26,0:20:36.18,Default,,0000,0000,0000,,every time you encrypt something with this\Nbox, you Dialogue: 0,0:20:36.18,0:20:37.79,Default,,0000,0000,0000,,need to make a new nonce. Dialogue: 0,0:20:37.79,0:20:40.65,Default,,0000,0000,0000,,So it doesn't actually have to be random.\NIt Dialogue: 0,0:20:40.65,0:20:43.54,Default,,0000,0000,0000,,could just be a counter.
The nice thing about Dialogue: 0,0:20:43.54,0:20:48.01,Default,,0000,0000,0000,,it being random is it's long, so it's twenty-four Dialogue: 0,0:20:48.01,0:20:51.05,Default,,0000,0000,0000,,bytes, so if you just do a random number Dialogue: 0,0:20:51.05,0:20:54.08,Default,,0000,0000,0000,,every time it's hard to screw up. You don't Dialogue: 0,0:20:54.08,0:20:55.76,Default,,0000,0000,0000,,need to keep track of the state of how Dialogue: 0,0:20:55.76,0:20:58.58,Default,,0000,0000,0000,,many nonces you've used. Dialogue: 0,0:20:58.58,0:21:01.15,Default,,0000,0000,0000,,So after that you hand the nonce and the Dialogue: 0,0:21:01.15,0:21:03.82,Default,,0000,0000,0000,,message to the secret box. It'll make the\Nciphertext Dialogue: 0,0:21:03.82,0:21:07.07,Default,,0000,0000,0000,,for you. And to decrypt it, you give Dialogue: 0,0:21:07.07,0:21:09.63,Default,,0000,0000,0000,,the same nonce and the ciphertext and it Dialogue: 0,0:21:09.63,0:21:12.26,Default,,0000,0000,0000,,will decrypt. And behind the scenes, this\Nis doing Dialogue: 0,0:21:12.26,0:21:15.41,Default,,0000,0000,0000,,all the authenticated encryption stuff. So\Nit's adding a Dialogue: 0,0:21:15.41,0:21:18.47,Default,,0000,0000,0000,,MAC, it's checking it, and it's using an encrypted Dialogue: 0,0:21:18.47,0:21:18.82,Default,,0000,0000,0000,,MAC. Dialogue: 0,0:21:18.82,0:21:21.04,Default,,0000,0000,0000,,And then down there at the bottom, you see Dialogue: 0,0:21:21.04,0:21:24.54,Default,,0000,0000,0000,,if you try to open the box and something Dialogue: 0,0:21:24.54,0:21:26.94,Default,,0000,0000,0000,,is wrong, either the nonce is wrong or the Dialogue: 0,0:21:26.94,0:21:29.89,Default,,0000,0000,0000,,ciphertext has been corrupted, it'll raise\Nan exception Dialogue: 0,0:21:29.89,0:21:33.76,Default,,0000,0000,0000,,for you reliably.
Dialogue: 0,0:21:33.76,0:21:37.26,Default,,0000,0000,0000,,So this is using a couple of algorithms designed Dialogue: 0,0:21:37.26,0:21:40.59,Default,,0000,0000,0000,,by Dan Bernstein. So the encryption cipher\Nis called Dialogue: 0,0:21:40.59,0:21:45.61,Default,,0000,0000,0000,,XSalsa20, and the MAC is called Poly1305.\NSo Dialogue: 0,0:21:45.61,0:21:48.98,Default,,0000,0000,0000,,probably right now, you're thinking, what\Nthe hell is Dialogue: 0,0:21:48.98,0:21:52.65,Default,,0000,0000,0000,,XSalsa20? Like, never heard of this. That\Ncan't be Dialogue: 0,0:21:52.65,0:21:53.44,Default,,0000,0000,0000,,boring, right? Dialogue: 0,0:21:53.44,0:21:56.57,Default,,0000,0000,0000,,So I think this is boring because it is Dialogue: 0,0:21:56.57,0:21:59.55,Default,,0000,0000,0000,,a cipher that has sort of been standardized\Nthrough Dialogue: 0,0:21:59.55,0:22:03.04,Default,,0000,0000,0000,,this contest in Europe called ECRYPT. And\Nthe goal Dialogue: 0,0:22:03.04,0:22:06.13,Default,,0000,0000,0000,,of ECRYPT is sort of like when there is Dialogue: 0,0:22:06.13,0:22:10.20,Default,,0000,0000,0000,,an AES contest. They're trying to produce\Nbetter stream Dialogue: 0,0:22:10.20,0:22:14.22,Default,,0000,0000,0000,,ciphers, so the Salsa20 cipher was one of four\Nthey Dialogue: 0,0:22:14.22,0:22:17.61,Default,,0000,0000,0000,,selected for inclusion in what they call the\NeSTREAM Dialogue: 0,0:22:17.61,0:22:18.74,Default,,0000,0000,0000,,portfolio. Dialogue: 0,0:22:18.74,0:22:23.35,Default,,0000,0000,0000,,I say this is boring because things have gotten Dialogue: 0,0:22:23.35,0:22:30.35,Default,,0000,0000,0000,,very not boring in the cryptography world\Nlately.
So Dialogue: 0,0:22:30.69,0:22:34.05,Default,,0000,0000,0000,,you may have heard NIST standardized a random\Nnumber Dialogue: 0,0:22:34.05,0:22:38.83,Default,,0000,0000,0000,,generator designed by the NSA called Dual\NEC DRBG, Dialogue: 0,0:22:38.83,0:22:43.09,Default,,0000,0000,0000,,and turns out that thing had a backdoor. Dialogue: 0,0:22:43.09,0:22:47.61,Default,,0000,0000,0000,,So there are still open questions about the\NNIST elliptic Dialogue: 0,0:22:47.61,0:22:50.90,Default,,0000,0000,0000,,curves as well and whether or not they contain Dialogue: 0,0:22:50.90,0:22:56.04,Default,,0000,0000,0000,,possible NSA backdoors. I mean, if you're\Nasking one Dialogue: 0,0:22:56.04,0:23:00.49,Default,,0000,0000,0000,,layman's opinion, I'd say it's probably unlikely\Nthey have Dialogue: 0,0:23:00.49,0:23:04.86,Default,,0000,0000,0000,,backdoors in NIST elliptic curves, but it's\Nhard to Dialogue: 0,0:23:04.86,0:23:07.12,Default,,0000,0000,0000,,know, and I think the boring thing is to Dialogue: 0,0:23:07.12,0:23:13.46,Default,,0000,0000,0000,,use ciphers that are beyond reproach. Dialogue: 0,0:23:13.46,0:23:17.74,Default,,0000,0000,0000,,So, to do asymmetric crypto using\Nthe Dialogue: 0,0:23:17.74,0:23:20.50,Default,,0000,0000,0000,,same sort of primitives, we have this thing\Ncalled Dialogue: 0,0:23:20.50,0:23:26.70,Default,,0000,0000,0000,,Box. And here is an example of how to Dialogue: 0,0:23:26.70,0:23:28.40,Default,,0000,0000,0000,,use Box. So this time we have to actually Dialogue: 0,0:23:28.40,0:23:31.66,Default,,0000,0000,0000,,generate a random key. Dialogue: 0,0:23:31.66,0:23:35.02,Default,,0000,0000,0000,,So this is using that elliptic curve stuff\NI Dialogue: 0,0:23:35.02,0:23:36.95,Default,,0000,0000,0000,,was talking about earlier. I'll get into how\Nthat Dialogue: 0,0:23:36.95,0:23:40.52,Default,,0000,0000,0000,,works a bit later.
So we take a private Dialogue: 0,0:23:40.52,0:23:45.19,Default,,0000,0000,0000,,key and, unlike RSA, with elliptic curves\Nwe can Dialogue: 0,0:23:45.19,0:23:49.49,Default,,0000,0000,0000,,calculate the public key from the private\Nkey. I Dialogue: 0,0:23:49.49,0:23:55.27,Default,,0000,0000,0000,,think I spot a typo there. Awesome. Oh no. Dialogue: 0,0:23:55.27,0:23:57.24,Default,,0000,0000,0000,,So yeah. So once we've done that, we have Dialogue: 0,0:23:57.24,0:24:01.76,Default,,0000,0000,0000,,a public key and you'll notice here when we Dialogue: 0,0:24:01.76,0:24:05.45,Default,,0000,0000,0000,,make a new box we're giving it both somebody Dialogue: 0,0:24:05.45,0:24:08.61,Default,,0000,0000,0000,,else's public key and our private key, and\Nthe Dialogue: 0,0:24:08.61,0:24:11.22,Default,,0000,0000,0000,,neat thing about this is it's performing something\Ncalled Dialogue: 0,0:24:11.22,0:24:12.94,Default,,0000,0000,0000,,mutual authentication. Dialogue: 0,0:24:12.94,0:24:16.37,Default,,0000,0000,0000,,So all these boxes are based around a set Dialogue: 0,0:24:16.37,0:24:19.34,Default,,0000,0000,0000,,of keys. It's who you're sending the message\Nto, Dialogue: 0,0:24:19.34,0:24:22.34,Default,,0000,0000,0000,,and your private key, so that way when somebody Dialogue: 0,0:24:22.34,0:24:23.96,Default,,0000,0000,0000,,opens up the box, they'll know they got it Dialogue: 0,0:24:23.96,0:24:26.50,Default,,0000,0000,0000,,from the right person. Dialogue: 0,0:24:26.50,0:24:30.77,Default,,0000,0000,0000,,So make a new box. They'll also have a Dialogue: 0,0:24:30.77,0:24:35.07,Default,,0000,0000,0000,,box on the other side. It is effectively the Dialogue: 0,0:24:35.07,0:24:39.41,Default,,0000,0000,0000,,same box, just computed from the irreversible\Nkeys. Dialogue: 0,0:24:39.41,0:24:42.07,Default,,0000,0000,0000,,So then after here it's pretty straightforward,\Njust like Dialogue: 0,0:24:42.07,0:24:45.76,Default,,0000,0000,0000,,the symmetric crypto. 
So what we're gonna\Ndo is Dialogue: 0,0:24:45.76,0:24:49.23,Default,,0000,0000,0000,,make a nonce again. We have the message and Dialogue: 0,0:24:49.23,0:24:53.20,Default,,0000,0000,0000,,we're going to encrypt the message under that\Nnonce Dialogue: 0,0:24:53.20,0:24:57.14,Default,,0000,0000,0000,,and under that pair of keys. We get a Dialogue: 0,0:24:57.14,0:24:59.48,Default,,0000,0000,0000,,ciphertext again and then the person on the Dialogue: 0,0:24:59.48,0:25:02.22,Default,,0000,0000,0000,,other side can open it, and once again, like Dialogue: 0,0:25:02.22,0:25:05.19,Default,,0000,0000,0000,,before, if it has been tampered with it will Dialogue: 0,0:25:05.19,0:25:05.74,Default,,0000,0000,0000,,raise an exception. Dialogue: 0,0:25:05.74,0:25:11.41,Default,,0000,0000,0000,,So Box is built on the same primitives as Dialogue: 0,0:25:11.41,0:25:14.66,Default,,0000,0000,0000,,SecretBox, so it's still using the XSalsa20\Ncipher Dialogue: 0,0:25:14.66,0:25:18.64,Default,,0000,0000,0000,,and the Poly1305 MAC. The main difference\Nhere is Dialogue: 0,0:25:18.64,0:25:24.12,Default,,0000,0000,0000,,we're adding in a Diffie-Hellman function.\NSo that is Dialogue: 0,0:25:24.12,0:25:30.21,Default,,0000,0000,0000,,called Curve25519. And that is an elliptic\Ncurve algorithm Dialogue: 0,0:25:30.21,0:25:31.37,Default,,0000,0000,0000,,designed by Dan Bernstein. Dialogue: 0,0:25:31.37,0:25:35.26,Default,,0000,0000,0000,,So one of the big worries about elliptic curve Dialogue: 0,0:25:35.26,0:25:38.85,Default,,0000,0000,0000,,cryptography, in addition to possible NSA\Ntampering, has been Dialogue: 0,0:25:38.85,0:25:43.86,Default,,0000,0000,0000,,patents. So DJB has designed this curve specifically\Nto Dialogue: 0,0:25:43.86,0:25:46.68,Default,,0000,0000,0000,,sidestep all the patents.
It's pretty awesome.\NIf you Dialogue: 0,0:25:46.68,0:25:49.57,Default,,0000,0000,0000,,go to the website for it you'll also see Dialogue: 0,0:25:49.57,0:25:52.07,Default,,0000,0000,0000,,the patent, and he lists out the prior art Dialogue: 0,0:25:52.07,0:25:55.49,Default,,0000,0000,0000,,saying this patent is bullshit, anyway. But\Nthen he's Dialogue: 0,0:25:55.49,0:25:59.33,Default,,0000,0000,0000,,like, here I completely avoided that problem\Nentirely. Dialogue: 0,0:25:59.33,0:26:06.33,Default,,0000,0000,0000,,So really quick, here's how Diffie-Hellman\Nworks. So it's Dialogue: 0,0:26:06.60,0:26:09.91,Default,,0000,0000,0000,,pretty simple. What we do is a thing called Dialogue: 0,0:26:09.91,0:26:14.95,Default,,0000,0000,0000,,scalar multiplication. So we take Alice's\Nprivate key and Dialogue: 0,0:26:14.95,0:26:18.53,Default,,0000,0000,0000,,perform a scalar multiplication operation\Nwith Bob's public key Dialogue: 0,0:26:18.53,0:26:20.90,Default,,0000,0000,0000,,and we get a shared secret. Dialogue: 0,0:26:20.90,0:26:25.66,Default,,0000,0000,0000,,And Bob is able to calculate the same secret Dialogue: 0,0:26:25.66,0:26:29.50,Default,,0000,0000,0000,,by multiplying his private key by Alice's\Npublic key. Dialogue: 0,0:26:29.50,0:26:33.77,Default,,0000,0000,0000,,So these two operations are sort of like Dialogue: 0,0:26:33.77,0:26:35.64,Default,,0000,0000,0000,,a reflection of each other. Dialogue: 0,0:26:35.64,0:26:40.94,Default,,0000,0000,0000,,So Box works by taking that shared\Nsecret Dialogue: 0,0:26:40.94,0:26:42.94,Default,,0000,0000,0000,,and using it to derive a symmetric key. Dialogue: 0,0:26:45.86,0:26:50.00,Default,,0000,0000,0000,,And that's all I got. Keep it boring.