Posts

Showing posts from January, 2020

Is Open-Source Cryptography Really Secure?

Image
By Lane Wagner –  @wagslane  on Twitter The purpose of cryptography is to keep information private, and the purpose of open-source is to make code public… …Danger! Just kidding. I’ve been asked this several times by multiple people so I figured it is a subject worth addressing. Many developers seem to be under the impression that crypto and security systems (the application-specific implementation of cryptosystems) are more secure if their details are kept private. This can’t be further from the truth According to Kerckhoffs’s principle , also known as Shannon’s maxim: The enemy knows the system. One ought to design systems under the assumption that the enemy will immediately gain full familiarity with them. #security #opensource #privacy Click To Tweet There are several reasons as to why this is a good rule to live by, let’s examine each one. 1. Obfuscation Isn’t Encryption If a developer is operating under the assumption that attackers won’t know about the det...

Hashing Passwords – Python Cryptography Examples

Image
By Lane Wagner –  @wagslane  on Twitter Building a from-scratch server or using a lightweight framework is empowering. With that power comes responsibility, specifically the responsibility to securely store user’s passwords. Not understanding the security implications of password storage can lead to devastating breaches and leaks. If you are building an application and need to store user credentials, learn about hash functions. Click To Tweet Can I Store Passwords In Plain Text? To demonstrate the potential dangers, let us assume we DON’T hash passwords on a fake example website, LoveMatchingToday . Inevitably when a hacker or disgruntled employee obtains access to LoveMatchingToday’s database, they will download all the usernames and passwords: user.one@gmail.com – somePa$$wordHere user.two@hotmail.com – otherPlainTextPass Now the attacker can go to other websites, and because a majority of people reuse passwords on different websites, they can hack other s...

(Very) Basic Intro to Lattices in Cryptography

Image
By Lane Wagner –  @wagslane on Twitter Lattice-based cryptography has been coming into the spotlight recently. In January 2019, Many of the semifinalists in the NIST post-quantum-cryptography competition were based on lattices. Let’s explore the basics of lattices and how they apply to cryptosystems. What is a Lattice? A Lattice According to Wikipedia , a lattice is the set of all integer linear combinations of basis vectors: i.e. More simply put, a lattice is defined by basis vectors, which are only able to be scaled by integers… yay no fractions! For example, let’s create a lattice of all the integers in a two-dimensional plane: The definition of our lattice contains only 2 basis vectors, v1 = (0,1) v2 = (1,0) Our lattice is the set of all values that can be reached by any combination and scale of our basis vectors. For example, the point (2,0) is in our lattice because it can be reached by 2*v1 Similarly, we could create an entirely new ...

Why is Exclusive Or (XOR) Important in Cryptography?

Image
If you are getting into cryptography, or just trying to understand the fundamentals, you may have noticed that the exclusive-or operation is used quite often, especially in ciphers. What is XOR ( ⊕ )? XOR, or “exclusive or” operates on binary data. It returns true if both of its inputs are opposites (one false and one true), otherwise, it returns false. An example in go code would be something like: func exclusiveOr(a bool, b bool) bool { return a != b } XOR Cipher – The Perfect Cipher The XOR operation can be used as a simple cipher for encrypting and decrypting messages with a single key. This is known as symmetric encryption. It is interesting to note that if: The key is the same size as the message The key is kept secret and generated truly randomly Then the cipher is impossible to crack. This is known as a one time pad . However, a simple XOR shouldn’t be used in production due to the key length needing to be too long to be practical. Cipher Example A...

JavaScript With Statement Explained – A Deep Dive

Image
By  @wagslane  (twitter) Let’s look at the JavaScript with statement. We will go over the simple uses, as well as a deep dive into some more advanced concepts. Note: Use of the with statement is discouraged. It can lead to strange bugs. That said, it is important to understand how it works because it may exist in legacy code. With Function Syntax From Mozilla’s definition: with (expression){ statement } expression : An expression that evaluates to an object that will become the default object inside its scope. statement : Code that will run with the evaluated expression as the default object Example let car = {color: 'red'} with(car){ console.log(color) } // prints 'red' As you can see, the car object becomes the default object in the scope. The object’s properties become available without using the ‘.’ operator. If the variable already exists in the parent scope, it will be overwritten: let color = 'blue' let car = {color: 'red'}...

JavaScript vs Java – Differences, Similarities, and History

Image
By  @wagslane  (twitter) JavaScript and Java confuse many new programmers. They sound so similar, so one might think they have the same use-cases, or perhaps the same company created both languages. Neither of those hypotheses is true! Let’s go over the differences and history in this quick read. Java – Brief History Java was created in 1991 by James Gosling of Sun Microsystems. Sun Microsystems wrote software for many different devices, and re-compiling or restructuring code to run on various CPU architectures became time-consuming. Fun Fact: The founding team had a hard time thinking of a good name for their project, and while out for coffee, decided to name the language after their coffee. Cross-Platform (JVM) Java is a general-purpose programming language that allows developers to run code on any device. Code is compiled into Java-specific byte code, then the Java Virtual Machine (JVM) converts that byte code into machine compatible code. When code is compiled i...

JavaScript Map Function Explained – A Deep Dive

Image
We are going to walk through the JavaScript map function, and I’ll explain how it works in a simple way. Later in the article, we will do a deep dive into some more advanced concepts regarding the map function and its uses. Map Function Syntax From Mozilla’s definition: let newArray = oldArray.map(function callback(currentValue, index, array) { // return element for new_array }, thisArg) The Array object’s map method takes a function definition as its first parameter (required). The function whose definition we pass in will have 3 arguments available to it and will be called for each element in the original array. Each return value that the function creates will be the elements for the new array. A simple example would look like: const oldArray = [1, 4, 9, 16]; function ourFunc(val, index, arr){ return val * 2 } const newArray = oldArray.map(ourFunc); // newArray = [2, 8, 18, 32] There is also an optional second parameter to the map function that we will go over late...

BitBanged SPI in Go, An Explanation

Image
I’m going to focus mostly on some design decisions and how I went about writing an SPI interface using Go on a Raspberry Pi. I assume my readers have a basic understanding of what a Raspberry Pi is, and how basic electronics work. If not, read on anyway and I will be sure to include some valuable resources below. Why Go? In a past life, I worked on hardware interfacing software, and the first thing I can tell you is that I hate C. Don’t get me wrong, I understand the appeal of having lightning-fast code and the ability to manipulate memory and low-level functions. I also understand the headache of writing concurrent C code, and anyone familiar with Go knows that this is where it shines. https://www.raspberrypi.org/blog/compute-module-3-launch/ The project that first got me interested in using Go for embedded applications was one where we decided to use a Raspberry Pi Compute Module 3 to interact with ADC (analog to digital converter) components, and collect data using several ...

Top 10 Online Crypto Communities 2020

Image
Crypto is still rapidly growing in 2020, and while the hype train has somewhat left the station, we are sure it will be back. In the meantime, it’s a good opportunity to learn more about the fundamentals and technology that support decentralized money. These communities can help tremendously. #1 BITCOINTALK https://bitcointalk.org/ Bitcointalk is the gold standard for the community of Crypto on the Web. There are 3 million posts and two million members approaching this platform. There are different sections related to speculations, mining, development, technical assistance, IOC, and more. For convenience, the site is accessible in twenty different languages. CRYPTOCURRENCYTALK https://cryptocurrencytalk.com/ If you are concerned more with newer, riskier, and frankly scummier projects, CryptocurrencyTalk will be the best place for you. REDDIT Reddit has the most siloed and specific communities in regards to crypto. It’s a great place to go, but beware, tribalism run...

Logging for Gophers – Idiomatic Log Strategies in Go (Golang)

Image
In this article, I’m going to cover some rules of thumb for logging in go, as well as some functions you may not have heard of that can make your debugging life easier. Rule #1 – Use Errors Where Appropriate, Not Strings Go has a built-in error type, which allows developers to easily differentiate errors from “normal” strings, as well as check if there are no errors in a more succinct way. The error type is an interface, that simply requires the type in question to define an “Error()” function that prints itself as a string. type error interface { Error() string } Never use a normal string where an error is more appropriate! Strings imply to users of your function that “business as usual” is going on. Errors make it clear that something is wrong. For example, let’s pretend we are building a REST API. We may want a function that takes a response writer, a message, and a code that can be used to return error codes on erroneous API calls. Here is our first attempt: func respon...

Cryptography Trends And News Going Into 2020

Image
Quantum Computing While quantum computing may not be coming quite as fast as some in the field had feared (or perhaps hoped), Google did solve an impressive problem this year. They published a paper in Nature stating that their quantum processor solved a problem that a digital computer would take 10,000 years to solve. The problem that was solved deals with generating certifiably random numbers. Their processor, ‘Sycamore’, uses 53 qubits, which corresponds to a search space of 10 16 . Lattice-Based Cryptography Lattice-based Cryptography (LBC) is one of our best bets for secure “Post Quantum Cryptography”. Almost half of the second round of NIST’s PQC contest are based on lattice math. Lattice crypto is often based on the shortest vector problem . A problem where, given a basis of a vector space and a norm , the goal is to find the shortest non-zero vector. Matthew Dozer has a great introductory video: Lattice-Based Crypto for IOT (Khalid, McCarthy, O’Neill) Latti...

(Very) Basic intro to AES-256 Cipher

Image
AES stands for “Advanced Encryption Standard” and is a specification that has selected the Rijndael cipher as its symmetric key ciphering algorithm. Using AES, a message can be encrypted with a key (like a password) and no one except the key holder can decrypt the message. This is useful for many reasons, but a good example is a password manager that encrypts all of the user’s passwords using one master password. This is how  Qvault , our free open-source password manager operates. Symmetric Encryption vs Asymmetric Encryption https://learn.g2.com/what-is-encryption As shown above,  symmetric encryption uses the same key  for encryption and decryption and  asymmetric encryption uses different keys. Asymmetric  encryption is preferred when you want someone to be able to send you encrypted data, but  you don’t want to give them your private key . Symmetric  encryption is preferred when you are encrypting  only for yourself . Kullabs ...