Hacknbeers: SQLi and cryptography
TRANSCRIPT
Information Security: SQL Injection and Cryptography
About me
- Miguel Ibarra
- PHP developer since 2000; actually, coding since 1986
- Projects from simple web pages to GRP's
- Software Engineer @ Tiempo Development
- Webservices, security and cryptography fan
I can has ur data?

I can has ur data?
- Today, information assets can be more valuable than physical assets...
- Lost your USB stick lately?
- Data theft is becoming an every-day issue and concern...
I can has ur data? - Data dump

I can has ur data?

| Site | Date | Passwords leaked | Notes |
|---|---|---|---|
| linkedin.com | 6 June 2012 | more than 6 million | |
| eharmony.com | 6 June 2012 | more than 1.5 million | |
| last.fm | 7 June 2012 | ? million | |
| yahoo.com | 12 July 2012 | about 453K | SQL injection; passwords stored in plain text... |
I can has ur data? - Hot news!

World's biggest data breaches, 2010 - 2013

World's biggest data breaches, 2010 - 2013 (Web only)
I can has ur data?
- Public web applications expose an authenticated and authorized connection to DBMS servers
  - DBMS have their own authentication and authorization systems
  - Applications that use such a DBMS need credentials to connect to the DB server
  - These apps can have their own auth procedures on top
  - Both layers can be vulnerable: whoever can alter the queries the application sends (for instance through injection) inherits the application's DB privileges
I can has ur data?
- It does not matter if your DBMS is behind a firewall and/or private network
- [Diagram] User -> public network -> Web server -> private network -> DBMS server
- The injected query travels over the web server's own, already authorized connection, so the firewall between the two networks never sees anything unusual
SQL Injection - How I got your data

SQL Injection
- Golden rule: filter/validate inputs, escape outputs
- ...many 'developers' do not follow this rule...
- For SQL specifically, the reliable defence is to keep data out of the query text altogether (parameterized queries / prepared statements), with input validation as defence in depth
SQL Injection
- Our database schema
- Sample resultset... WTF?
SQL Injection
- Live demonstration
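Added example, not the deck's demo code: the login check from the slides written in Python against an in-memory SQLite table with constructed sample users. The table name, column names, user rows and payloads are assumptions. The first version builds the query by string formatting, as the demo application does, and falls to both the classic tautology and a UNION payload that pulls every credential out through the login form; the second version is the parameterized form of the same query.

```python
import sqlite3

# Constructed sample data standing in for the deck's first schema:
# users with passwords stored in plain text.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    # Query text built by string formatting: whatever the user types becomes
    # part of the SQL syntax, so a quote in the input rewrites the query.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    # Parameterized query: the driver passes the values separately from the
    # SQL text, so they can only ever be compared, never executed.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    conn = make_db()
    tautology = "' OR '1'='1"  # closes the string, adds an always-true clause
    # UNION payload: the first SELECT matches nothing, the second one returns
    # every username:password pair; "-- " comments out the rest of the query.
    dump = "x' UNION SELECT username || ':' || password FROM users -- "
    return {
        "normal": login_vulnerable(conn, "alice", "s3cret"),
        "bypass": login_vulnerable(conn, "alice", tautology),
        "dump": login_vulnerable(conn, dump, "irrelevant"),
        "safe_bypass": login_safe(conn, "alice", tautology),
        "safe_dump": login_safe(conn, dump, "irrelevant"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-12s %s" % (name, rows))
```

The `dump` payload is the "I can has ur data" case: the attacker never needs a valid login, the login form itself returns the whole credential table. In `login_safe` the very same strings are only ever compared against the columns and match nothing.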
Protecting your data – Password Hashing

Protecting your data – Password Hashing
- Hash
  - Algorithm that maps data of variable length to data of fixed length
  - One-way function: the output cannot be reversed using an efficient algorithm
  - Often treated as a 'pseudo-random function': the output is indistinguishable from true random data
- Popular hashing algorithms: md5, sha1
  - Both are obsolete today (practical collision attacks exist for both) and, being very fast, are a poor choice for passwords on their own; several of the leaked databases above used them
Protecting your data – Password Hashing
- Hash properties
  - The output always has a fixed length
    - md5('1') = 'c4ca4238a0b923820dcc509a6f75849b'
    - md5('Hello world') = '3e25960a79dbc69b674cd4ec67a72c62'
  - The slightest change gives totally different results
    - md5('Hello World') = 'b10a8db164e0754105b7a99be72e3fe5'
Protecting your data – Password Hashing
- [Diagram] Message space -> Result space (an unbounded message space mapped onto a fixed-size result space)

Protecting your data – Password Hashing
- [Diagram] Hashing vs encrypting

Protecting your data – Password Hashing
- Our new schema
- Sample resultset
Protecting your data – Password Hashing
- Again, a hash cannot be reverted using an efficient algorithm
- ...but it can be cracked... Crack <> Hack: the attacker does not reverse the function, he guesses inputs and hashes them until one matches
- [Diagram] Data -> Hash algorithm -> Hash
Protecting your data – Password Hashing
- Brute force attack
  - Generate hashes from a dictionary (common words)
  - Generate character combinations (exhaustive search)
  - Generated hash = target hash? Bingo
  - Inefficient, but...
    - CPU power is growing (multiple cores)
    - GPUs can be used too (thousands of cores)
    - Cloud systems
- ATI HD 5970, string consisting of a-z|A-Z|0-9 (62 symbols per position, so 62^n candidates divided by the speed)

| Algorithm | Speed | 8 chars | 9 chars | 10 chars |
|---|---|---|---|---|
| md5 | 5600 million h/s | 10 hours | 27 days | 4.5 years |
| sha1 | 2300 million h/s | 26 hours | 68 days | 11.5 years |
Protecting your data – Password Hashing
- Hash database attack
  - Query a database of pregenerated hashes (a lookup table; rainbow tables are the space-optimized variant)
  - Several sites offer this service, free
  - Google.com (paste the hash into a search engine)
  - http://bit.ly/15O4SLN
Protecting your data – Password Hashing
- Getting a hash through SQL injection
- Live demonstration
Password salting

Password salting
- Salt: random character string, generated separately for every user
- f(password, salt) = hash(password + salt)

Password salting
- [Diagram] Password + Salt -> hash -> Result

Password salting
- Our new schema
- Sample resultset
Password salting
- The salt has to be stored in clear text in order to authenticate a user
- if( hash(<provided password> + <salt field>) == <password field> ) then the user credentials are valid
Password salting
- Hash database attack becomes improbable: a table built for hash(password) does not contain hash(password + salt), and with a different salt per user a new table would be needed for every single user
- If the salt remains unknown to the attacker, a brute force attack becomes improbable
  - Total characters: 42
  - Calculations per second: 4 billion
  - Possible combinations: 522 duovigintillion
  - Total time to crack: 4 septendecillion years*
- *According to https://howsecureismypassword.net/
Password salting
- But the attacker could modify the injection to obtain the salt field as well...
- DEMO
- The attacker then only needs a brute force attack against that user:
  - generate a candidate string
  - concatenate candidate and salt, then hash
  - compare with the stored hash
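Added example (not code from the deck) covering both the hash database attack slide and the salting slides above: a constructed dictionary and leaked user rows, first stored as plain md5 as in the deck's first hashed schema, then as hash(password + salt). The user names, passwords and dictionary are assumptions; md5 is used only because it is what the slides use.

```python
import hashlib
import os

# Constructed "dictionary" of common passwords the attacker tries first.
DICTIONARY = ["123456", "password", "qwerty", "letmein", "hunter2", "dragon"]


def md5_hex(data: bytes) -> str:
    # md5 is used because it is what the slides (and the 2012 leaks) used;
    # it is far too fast for password storage, see the stretching section.
    return hashlib.md5(data).hexdigest()


# --- unsalted storage: the deck's first hashed schema ---------------------
def store_unsalted(password: str) -> str:
    return md5_hex(password.encode())


def lookup_table_attack(leaked: dict) -> dict:
    """Hash database attack: one precomputed table cracks every user at once."""
    table = {md5_hex(word.encode()): word for word in DICTIONARY}
    return {user: table.get(h) for user, h in leaked.items()}


# --- salted storage: f(password, salt) = hash(password + salt) ------------
def store_salted(password: str, salt=None):
    salt = salt if salt is not None else os.urandom(8).hex()  # per-user random salt
    return salt, md5_hex((password + salt).encode())


def verify_salted(password: str, salt: str, stored_hash: str) -> bool:
    # the authentication check from the slides; the salt is read in clear
    return md5_hex((password + salt).encode()) == stored_hash


def per_user_bruteforce(salt: str, target_hash: str):
    """Attacker who also injected the salt column: hash(candidate + salt), one user at a time."""
    for candidate in DICTIONARY:
        if md5_hex((candidate + salt).encode()) == target_hash:
            return candidate
    return None


def demo():
    # alice and bob picked the same weak password; carol picked a strong one
    unsalted = {"alice": store_unsalted("hunter2"),
                "bob": store_unsalted("hunter2"),
                "carol": store_unsalted("correct horse battery staple")}
    cracked_by_table = lookup_table_attack(unsalted)
    same_hash_unsalted = unsalted["alice"] == unsalted["bob"]

    salted = {"alice": store_salted("hunter2"), "bob": store_salted("hunter2")}
    same_hash_salted = salted["alice"][1] == salted["bob"][1]
    # the precomputed table is useless against the salted column...
    table_vs_salted = lookup_table_attack({u: h for u, (_, h) in salted.items()})
    # ...but once the salt leaks too, each user falls to a per-user dictionary run
    per_user = {u: per_user_bruteforce(s, h) for u, (s, h) in salted.items()}
    return {"cracked_by_table": cracked_by_table,
            "same_hash_unsalted": same_hash_unsalted,
            "same_hash_salted": same_hash_salted,
            "table_vs_salted": table_vs_salted,
            "per_user": per_user}
```

Two things the slides state show up directly in `demo()`: identical unsalted passwords produce identical hashes, so one table entry cracks every user who chose "hunter2", while the salted hashes for the same password differ and the table finds nothing. What the salt does not buy is protection against the per-user run once the salt column has been injected out along with the hash, which is the motivation for the stretching section that follows.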
Password stretching

Password stretching
- To mitigate the attack above, use a password stretching technique
- Create an iterative algorithm that feeds the hash value back into the hash function thousands (or more) of times

Password stretching
- [Diagram] Salt + Password -> Hash algorithm -> Hash; the hash, salt and password are fed into the hash algorithm again, thousands of times
Password stretching
- The algorithm should iterate enough to delay each calculation by about 1 second (calibrate the count on your own hardware and raise it as hardware gets faster)
- In order to crack it with a brute force attack, the attacker...
  - should know the exact iteration count: +/- 1 iteration results in a totally different hash value (in practice the count is stored next to the hash, as PBKDF2 and bcrypt do; the protection comes from the cost of each guess, not from hiding the count)
  - has to pay that 1 second of work for every attempt
- This makes the attack far more expensive: every guess costs the attacker as much as a legitimate login costs you
Password stretching
- Several standard algorithms for password stretching: PBKDF2, bcrypt, scrypt, ...
- Use one of these rather than a home-made loop: they have been analysed, and bcrypt and scrypt are additionally designed to be slow on GPUs
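Added example, not the deck's code: password stretching with PBKDF2 from the Python standard library. The record format (`pbkdf2_<prf>$<iterations>$<salt>$<hash>`), the choice of SHA-256 inside PBKDF2 and the default work factor are assumptions for the example; the iteration count must be calibrated on the machine that will run the logins, which `calibrate()` does.

```python
import hashlib
import hmac
import os
import time

# Hash function inside PBKDF2 and a default work factor; both are assumptions
# for this example, the iteration count must be calibrated per deployment.
PRF = "sha256"
DEFAULT_ITERATIONS = 200_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS, salt=None) -> str:
    """Return a self-describing record: pbkdf2_<prf>$<iterations>$<salt hex>$<hash hex>.

    Storing the iteration count with the hash is what lets you raise it later
    for new passwords while old records stay verifiable.
    """
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac(PRF, password.encode(), salt, iterations)
    return "pbkdf2_%s$%d$%s$%s" % (PRF, iterations, salt.hex(), dk.hex())


def verify_password(password: str, record: str) -> bool:
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    prf = scheme.split("_", 1)[1]
    dk = hashlib.pbkdf2_hmac(prf, password.encode(), bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison: a plain == leaks how many leading bytes matched
    return hmac.compare_digest(dk.hex(), dk_hex)


def calibrate(target_seconds: float = 1.0, probe_iterations: int = 20_000) -> int:
    """Pick the iteration count that costs about target_seconds on this machine."""
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac(PRF, b"calibration", os.urandom(16), probe_iterations)
    elapsed = max(time.perf_counter() - t0, 1e-6)
    return max(probe_iterations, int(probe_iterations * target_seconds / elapsed))


def off_by_one_differs(password: str = "hunter2", iterations: int = 1_000) -> bool:
    """+/- 1 iteration gives a completely different hash (the slide's point)."""
    salt = b"0123456789abcdef"  # fixed so only the count changes
    a = hashlib.pbkdf2_hmac(PRF, password.encode(), salt, iterations)
    b = hashlib.pbkdf2_hmac(PRF, password.encode(), salt, iterations + 1)
    return a != b
```

`verify_password` does exactly the same work as `hash_password`, so the cost you pick applies to every login attempt, legitimate or not; that is the whole point, and also why the count is tuned to what your login path can afford rather than set as high as possible.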
I can still has ur data...

I can still has ur data...
- We give it away freely... Facebook, Twitter, Foursquare
- If it is free, you are the product

I can still has ur data...
- We unintentionally give it away...
  - Phishing scams
  - Social engineering
  - Adware / Spyware / Browser bars / Apps
  - Weak passwords: names, birthdays, phone numbers, common passwords
I can still has ur data...
- It is forcibly/unlawfully taken from us...
  - Extortion / blackmail
  - Unethical practices: banks
  - Government spy programs
    - NSA's PRISM
    - Communications Intercept System Mexico: requested by the US DoS from the Mexican Federal Government in 2007; request cancelled in 2012...
  - Unknown sponsored spy programs
    - Rumored FinFisher program probably running in networks belonging to Uninet, Iusacell and Televisa
Cryptography 101

Cryptography 101
- Kryptós: hidden
- Gráphein: to write
- Technique to modify the linguistic or calligraphic presentation of a message
- Ruled by an algorithm
- Must allow the forward and the backward process (encipher and decipher)

Cryptography 101
- 700 BC - Scytale
- <40 BC – Caesar cipher
- 1467 – Alberti cipher
- 1797 – Jefferson wheel
- 1943 – Enigma machine (patented in 1918; in military use through WWII)
Cryptography 101
- Today, cryptography is performed by an automated algorithm: the cipher
  - 'Cipher' is short for pseudo-random permutation
  - Takes an input
  - Applies a reversible algorithm
  - Outputs data indistinguishable from a truly random data stream
  - Result space is equal to message space: the mapping is one-to-one, so there are no collisions (unlike a hash, which squeezes an unbounded message space into a fixed-size result space)
Cryptography 101
- [Diagram] Message space <-> Result space (same size)

Cryptography 101
- Modern algorithms use a 'key'
- The key is used to transform a message into a pseudo-random string: 'cipher' (encrypt)
- This pseudo-random string can be transformed back into the original message only with this key: 'decipher' (decrypt)

Cryptography 101
- 2 key types
  - Symmetric
  - Asymmetric

Symmetric ciphers
![Page 55: Hacknbeers sqli and cryptography](https://reader034.vdocument.in/reader034/viewer/2022042509/540900748d7f7267058b4601/html5/thumbnails/55.jpg)
Symetric ciphers
ì The same key is used to cipher and decipher
ì The 2 endpoints must agree on this key
ì Security relies mainly in this key
ì Key must be improbably guessed ì Key space has to be large…
Symmetric ciphers
- Simplest, and provably secure, symmetric cipher: XOR with a truly random key as long as the message (the one-time pad)
  - 1 ⊕ 0 = 1, 1 ⊕ 1 = 0, 0 ⊕ 0 = 0 (and 0 ⊕ 1 = 1)
  - 'a' = ascii(97)
  - 97 (decimal) = 01100001 (binary)
  - Random key = 01010000
| Step | Bits |
|---|---|
| Data to cipher ('a' = 97) | 0 1 1 0 0 0 0 1 |
| Random key | 0 1 0 1 0 0 0 0 |
| Ciphered data (XOR) | 0 0 1 1 0 0 0 1 |
| Data to decipher | 0 0 1 1 0 0 0 1 |
| Random key | 0 1 0 1 0 0 0 0 |
| Original data (XOR) | 0 1 1 0 0 0 0 1 |
Symmetric ciphers
- Ciphered data cannot be deciphered without the key, not even by exhaustive search: for a one-time pad every key is equally likely, so every plaintext of that length is an equally valid decryption
- It is very simple
- But the key length must be the same as the message length, the key must be truly random, and it must never be used twice
- Whatever security measures you apply to share the key securely might as well be applied to the unciphered message itself
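Added example (not the deck's code): the XOR one-time pad from the slides, including the single-byte example above, plus the failure that the "Do not... use the same key to cipher multiple messages" slide later warns about. The message texts are constructed; the pad comes from `os.urandom`, which is the assumption that makes the scheme a one-time pad at all.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    """One-time pad: XOR each message byte with a fresh random key byte."""
    if len(key) < len(message):
        raise ValueError("the pad must be at least as long as the message")
    return xor_bytes(message, key)


otp_decrypt = otp_encrypt  # XOR is its own inverse: (m ^ k) ^ k == m


def new_pad(length: int) -> bytes:
    return os.urandom(length)  # the key must come from a real random source


def slide_example():
    """The deck's worked example: 'a' (97 = 01100001) XOR key 01010000."""
    key = bytes([0b01010000])
    ciphered = otp_encrypt(b"a", key)
    return format(ciphered[0], "08b"), otp_decrypt(ciphered, key)


def key_reuse_leak(m1: bytes, m2: bytes):
    """Two messages under the same pad: c1 ^ c2 == m1 ^ m2, the key cancels out.

    An attacker who knows or guesses m1 then reads m2 without ever touching
    the key. This is the same flaw that sinks WEP (keystream reuse).
    """
    pad = new_pad(max(len(m1), len(m2)))
    c1, c2 = otp_encrypt(m1, pad), otp_encrypt(m2, pad)
    leaked = xor_bytes(c1, c2)
    return leaked == xor_bytes(m1, m2), xor_bytes(leaked, m1)
```

`key_reuse_leak` is why "key as long as the message" really means "a new key for every message": the moment a pad is used twice the attacker no longer needs it.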
Symmetric ciphers
- In fact, every symmetric cipher's weakest link is the key: an attacker, instead of brute forcing the key, might as well focus on intercepting it
- Popular cipher algorithms
  - DES (56-bit key; brute-forced in practice since 1998, do not use)
  - 3DES (legacy)
  - AES (the current standard)
Asymmetric ciphers

Asymmetric ciphers
- Has a key pair
  - Private key: only the owner can know it
  - Public key: the owner can share it freely
- A message ciphered with the public key can only be deciphered with the private key (confidentiality)
- A message ciphered with the private key can be deciphered by anyone holding the public key
- This adds a message authentication mechanism: the digital signature (in practice the signer ciphers a hash of the message, and the verifier compares it with the hash he computes himself)

Asymmetric ciphers
- Algorithms are based on prime numbers and one-way functions
  - It is easy to multiply two prime numbers
  - Factorizing the product back into its prime factors is very difficult
  - Usually involves very large prime numbers: hundreds of digits
Asymmetric ciphers
- Asymmetric ciphers require more processing time
- Keys are required to be large: by today's standards, 2048 bits for RSA
- The ciphered message is bigger than the original message (an RSA ciphertext is always the size of the modulus, whatever the size of the input)
- Popular algorithms: RSA
- Hybrid symmetric/asymmetric schemes: HTTPS/TLS (asymmetric crypto to agree on a session key, a symmetric cipher for the bulk data)
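Added example, not the deck's code: textbook RSA with tiny primes, so that the prime-number arithmetic, the public/private roles and the "decipher with the public key" signature idea from the slides above can be followed by hand. The primes and messages are constructed; this is the raw mathematics without padding and is not usable as-is (real RSA adds OAEP/PSS padding and 2048-bit moduli).

```python
import hashlib
from math import gcd, isqrt


def toy_rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation from two primes.

    Real keys use ~1024-bit primes each; tiny ones are used here so the
    numbers are readable and so factor_n() can show why size matters.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)  # public key, private key


def encrypt(public, m: int) -> int:
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)  # only the private key can undo this


def decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)


def sign(private, message: bytes) -> int:
    """'Cipher with the private key': in practice a hash of the message."""
    n, d = private
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Anyone with the public key can check it: authentication of origin."""
    n, e = public
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


def factor_n(n: int):
    """The attacker's problem: recover p and q from n by trial division.
    Instant for these toys, hopeless for a 2048-bit modulus."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    return None
```

With p = 61, q = 53 and e = 17 the private exponent is d = 2753 and 65 encrypts to 2790, the classic worked example; `factor_n` recovers 61 and 53 immediately, which is exactly what the key sizes on the slide above are there to prevent.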
Just encrypt it and you are safe... are you?

Just encrypt it and you are safe... are you?
- Weakest links in cryptography: again, the key... and how it is implemented
- Aircrack anyone? The WEP algorithm: example of a bad crypto implementation (RC4 with a 24-bit IV that repeats, so keystreams get reused and the key can be recovered from captured traffic)
Just encrypt it and you are safe... are you?
- Common cryptography implementation misconception:
- [Diagram] Message + Key -> Cipher -> Ciphered message, and nothing else
Just encrypt it and you are safe... are you?
- Do not...
  - Use a short key
  - Use weak random data to generate a key
  - Use the generated key directly; derive the key first
    - PBKDF2 (when the key comes from a password) or another pseudo-random function
  - Use the same key to cipher identical messages: information leak (equal plaintexts give equal ciphertexts)
  - Use the same key to cipher multiple messages: WEP's Achilles' heel
    - If you need to, use nonces
    - Nonce ≃ salt: a unique value per message; the nonce is included with the message: cipher and send...
  - ...and always add a signature verification mechanism: HMAC
    - A hash with a key
    - The HMAC signature is included with the message and checked before decrypting
- Do not use weak random data: random data from PHP 4's rand() function on Windows, converted to a bitmap (the image shows clear patterns where noise should be)
Encryption in databases

Encryption in databases
- We have the following schema

Encryption in databases
- The attacker, unable to get login details, could modify the attack to get personal information:

Encryption in databases
- MySQL supports the AES cipher algorithm (AES_ENCRYPT / AES_DECRYPT), so we could modify our schema
- Caveat: MySQL's default block_encryption_mode is aes-128-ecb, which is deterministic: the same key and the same plaintext always give the same ciphertext

Encryption in databases
- If the attacker executes the injection

Encryption in databases
- Still, information can be leaked
- Suppose 2 users share the same phone number: the attacker could notice this, since the data was ciphered with the same key (and, in ECB mode, nothing else varies between the two rows)
Tweakable encryption

Tweakable encryption
- Remember, do not use the same key to cipher multiple messages...
- Do we need to generate a new key for each record? Say we have thousands of records, do we need a thousand keys?
- NO: use a tweak

Tweakable encryption
- Every table should have a primary key, so the values inside the primary key are unique to every record
- Use the master key + the primary key value, then hash: f(key, pk value) = hash(key + pk value) (a keyed hash such as HMAC(key, pk value) is the safer form of the same idea)
- You'll have a unique cipher key for each record
- Now fields with the same plain text value will appear to be completely different when ciphered
- Caveat: the record key is still constant for that record, so the same value ciphered twice within one record (or re-ciphered after an update) still repeats, and a modified ciphertext goes unnoticed; combine the tweak with a per-message nonce and an HMAC, as on the 'Do not...' slide
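Added example (not the deck's code) that puts the tweak from this section together with the nonce and HMAC recommendations from the "Do not..." slide: a per-record key derived from the master key and the primary key, a fresh nonce per write, and an HMAC tag verified before decrypting. The cipher is a PRF in counter mode built from HMAC-SHA256 so the example needs only the standard library; it stands in for AES-CTR, which is what you would use in production. The master key, row values and blob layout are assumptions.

```python
import hashlib
import hmac
import os

# Constructed master key; in production it lives outside the database
# (config file, KMS or HSM), never in a column the injection can read.
MASTER_KEY = os.urandom(32)


def record_key(master_key: bytes, pk) -> bytes:
    """The deck's tweak f(key, pk) = hash(key + pk), done as a keyed hash."""
    return hmac.new(master_key, b"record:" + str(pk).encode(), hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # A PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks.
    # Stand-in for AES-CTR so that only the standard library is needed.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_field(master_key: bytes, pk, plaintext: bytes, nonce=None) -> bytes:
    """Returns nonce || ciphertext || tag, the blob to store in the column."""
    key = record_key(master_key, pk)
    enc_key, mac_key = key[:16], key[16:]  # separate keys for cipher and MAC
    nonce = nonce if nonce is not None else os.urandom(12)  # fresh per write
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_field(master_key: bytes, pk, blob: bytes) -> bytes:
    key = record_key(master_key, pk)
    enc_key, mac_key = key[:16], key[16:]
    nonce, ciphertext, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        raise ValueError("integrity check failed: modified blob or wrong record")
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def tamper_detected(master_key: bytes, pk, blob: bytes) -> bool:
    try:
        decrypt_field(master_key, pk, blob)
    except ValueError:
        return True
    return False


def demo():
    # two users with the same phone number, the case from the slides
    rows = {1: b"555-0100", 2: b"555-0100"}
    blobs = {pk: encrypt_field(MASTER_KEY, pk, phone) for pk, phone in rows.items()}
    fixed_nonce = bytes(12)
    return {
        "ciphertexts_differ": blobs[1] != blobs[2],
        # even with an identical nonce the tweak alone hides the equality...
        "tweak_alone_differs": encrypt_field(MASTER_KEY, 1, b"555-0100", fixed_nonce)
                               != encrypt_field(MASTER_KEY, 2, b"555-0100", fixed_nonce),
        # ...but inside one record a reused nonce repeats: hence a fresh nonce per write
        "same_record_same_nonce_repeats": encrypt_field(MASTER_KEY, 1, b"x", fixed_nonce)
                                          == encrypt_field(MASTER_KEY, 1, b"x", fixed_nonce),
        "roundtrip": [decrypt_field(MASTER_KEY, pk, b) for pk, b in blobs.items()],
        "bit_flip_detected": tamper_detected(
            MASTER_KEY, 1, blobs[1][:12] + bytes([blobs[1][12] ^ 1]) + blobs[1][13:]),
        # a blob copied from another row fails because its record key differs
        "moved_row_detected": tamper_detected(MASTER_KEY, 2, blobs[1]),
    }
```

Binding the key to the primary key has a second effect beyond hiding equal values: a ciphertext moved from one row to another (by the same injection that read it) fails the integrity check, because the tag was computed under the other record's key.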
Last Words
- Information privacy is YOUR RIGHT
- Do you consider it to be a paranoid idea... or a daily life concern?
- First formulation of an information privacy right: US, 1890 (Warren and Brandeis, 'The Right to Privacy')
- Laws cannot keep up with technology

QA
- Thank y'all!