# Python Cryptography - Keeping Secrets from the NSA

... or at least we'll give it our best shot

## About
* James Alexander
* https://jamesralexander.com
* @yanigisawa

Crypto Challenge:

http://bit.ly/nsa-secrets

`Erzrzore gb qevax lbhe Binygvar!`

`Q29uZ3JhdHVsYXRpb25zISBIZXJlIGlzIGEgcmFuZG9tIGVhc3RlciBlZ2c6DQoNCmFIUjBjSE02THk5NWIzVjBkUzVpWlM5b1gyeDZaMjgzY0cxNmF3PT0=`

## General Security - Can we actually keep secrets?
* Application security
* OWASP Top Ten
* SQL Injection
* XSS, CSRF
* Access control
* Authentication
* Secure SDLC - BSIMM
* Security Assessments
* Physical Security



* BSIMM - Building Security in Maturity Model - study of exising software security initiatives

* Data Encryption at Rest

## Topics
* Define Terms & Background information
* Introduce Bob & Alice
* Discuss the following for building an App:
  * Storing Passwords (Hashes)
  * Storing OAuth2 Tokens Securely (Rijndael / AES)




* Alice, Bob, Carol, Dave, Eve, Faith, Mallory, Trent

## Definitions
* Plain Text - message to keep secret
* Ciphertext - encrypted Plain Text message
* Sender
* Receiver

\begin{equation*}
E(M)   = C
\end{equation*}

\begin{equation*}
D(C)   = M
\end{equation*}

\begin{equation*}
D(E(M)) = M
\end{equation*}

## Definitions
* Authentication - the receiver of a message should be able to ascertain the sender, and an intruder should not be able to masquarade as the sender
* Integrity - Message has not been modified in transit
* Nonrepudiation - Sender cannot deny having sent a message

## Algorithms
![](img/al_gore.gif)

## Definitions

### Kerchoff's Principle: 
```
A cryptosystem should be secure even if everything about the system, 
except the key, is public knowledge.
```

* Cryptographic Algorithm (Cipher) - Mathematical function for encrypting or decrypting a message
* Restricted Algorithms - Cipher held privately by the users 
  * Can't be used by a large or changing group of users
  * Can't be Quality Controlled or Standardized
* Key - Allows the Cipher to be public, while maintaining the secrecy of the message

## Definitions
* Symmetric Algorithm - uses same key to encyrpt and decrypt
  * Stream vs Block ciphers

\begin{equation*}
E_{K}(M)   = C
\end{equation*}

\begin{equation*}
D_{K}(C)   = M
\end{equation*}
  
* Asymetric - uses different key to encrypt and decrypt
  * SSH, TLS, GPG

\begin{equation*}
E_{K1}(M)   = C
\end{equation*}

\begin{equation*}
D_{K2}(C)   = M
\end{equation*}

## Cryptanalysis
* Eavesdroppers have complete access to commucation
* Cryptanalyst has complete knowledge of algorithm
* Goal is to find the key, or plaintext, or both



## Attacks
* Ciphertext-only

\begin{equation*}
\text{Given:   } C_1 = E_k(P_1), C_2 = E_k(P_2) \cdots C_i=E_k(P_i)
\end{equation*}

\begin{equation*}
\text{Deduce Either:   } P_1, P_2, \cdots P_i, k
\end{equation*}

\begin{equation*}
\text{... or an algorithm to infer:   }    P_{i + 1} \text{  from  } C_{i + 1} = E_k(P_{i + 1})
\end{equation*}




## Attacks
* Known-plaintext
* Chosen-plaintext (Cryptanalyst gets to choose the plaintext)

\begin{equation*}
\text{Given:   } P_1, C_1 = E_k(P_1), P_2, C_2 = E_k(P_2) \cdots P_i, C_i=E_k(P_i)
\end{equation*}

\begin{equation*}
\text{Deduce Either:   } k
\end{equation*}

\begin{equation*}
\text{... or an algorithm to infer:   }    P_{i + 1} \text{  from  } C_{i + 1} = E_k(P_{i + 1})
\end{equation*}


## Attacks
* Adaptive-chosen-plaintext
* Chosen-ciphertext
* Chosen-key - cryptanalyst has knowledge of the relationsip between different keys - not very practical
* Rubber-hose cryptanalysis

### Notes

Chosen-plaintext and known-plaintext are more common than at first glance. If a message is given to an ambassador to relay to his country, you will probably find that it gets encrypted and sent back.

Further, source code and othe messages with common headers and footers are also vulnerable to known-plaintext.

Kerchoff's assumption: If the strength of your cryptosystem relies on the fact the attacker doesn't know your algorithm, you're sunk. 

The best algorithms we have are public, have been attacked by the best cryptographers in the world, and are still unbreakable. NOTE: the NSA keeps their algorithms secret, but they have a team of researchers that can peer-review their work.

### Breaking Algorithms

1. Total Break - Cryptanalyst finds the key to decrypt all messages
2. Global Deduction - An Alternate equivalent algorithm is found
3. Instance Deduction - Found plaintext
4. Information Deduction - Partial plaintext or key found

### Complexity
1. Data Complexity
2. Processing Complexity - "Work Factor"
3. Storage Requirements - Memory

* Instance - found one specific plaintext from specific cipher text
* Information Deduction - found only part (a few bits) of the key

## Example

* If Complexity = $2^{128}$, then $2^{128}$ brute force operations are required to break it.
* Using $10^9$ processors, each performing $10^9$ operations per second:

\begin{equation*}
\frac{\frac{2^{128}}{(10^9 \times 10^9)}}{3.154\times10^7} = 1.08 \times 10^{13} \text{  years }
\end{equation*}

3.154×10^7 = # of seconds per year
[Wolphram Alpa Link][1]

[1]: https://www.wolframalpha.com/input/?i=2%5E128+%2F+(10%5E9+*+10%5E9)+%2F+3.154%C3%9710%5E7




### Notes

* Value of data decreases over time
* Cost of decrypting (brute-forcing) encrypted text should be larger than the value of the data
* Unconditionally Secure: no matter how much ciphertext, there is insufficient information to recover the plaintext
* All Cryptosystems besides a one-time pad are succesptible to a Brute Force attack of trying all possible keys
* Computationally Secure: cannot be broken with "available resources"

## Steganography

* `The practice of concealing messages or information within other nonsecret text or data.`

E.g.:
* Invisible Inks
* Pin Punctures
* Pencil Marks on typewritten characters
* Least Significant Bit of Images: 64 KB in a 1024 x 1024 grayscale image

## Substitution Ciphers:
* Simple (ROT13 - Caesar Cipher)
* Homophonic -  A single letter could map to one of several replacement letters
* Polygram - Groups of letters encrypted together
* Polyalphabetic - Multiple simple ciphers, changing for each character

### Notes
* Homophonic -  A single letter could map to one of several replacement letters
* Polygram - Groups of letters encrypted together
* Polyalphabetic - Multiple simple ciphers, changing for each character

## One-Time Pads

Plaintext: `ONETIMEPAD`

Key: `TBFRGFARFM`

Ciphertext: `HOJKOREGFP`

In [1]:
key = 'TBFRGFARFM'

def otp_encrypt(message):
    ciphertext = ''
    for idx, c in enumerate(message):
        m, k = ord(c), ord(key[idx])
        ciphertext += chr((ord(c) + ord(key[idx])) % 26 + 65)
    
    return ciphertext

def otp_decrypt(ciphertext):
    message = ''
    for idx, c in enumerate(ciphertext):
        m, k = ord(c), ord(key[idx])
        message += chr((ord(c) - ord(key[idx])) % 26 + 65)
    
    return message

In [2]:

print(otp_encrypt('ONETIMEPAD'))
print(otp_decrypt(otp_encrypt('ONETIMEPAD')))
key = 'POYYAEAAZX'
print(otp_decrypt('HOJKOREGFP'))
key = 'BXFGBMTMXM'
print(otp_decrypt('HOJKOREGFP'))

HOJKOREGFP
ONETIMEPAD
SALMONEGGS
GREENFLUID


## XOR
<img src="img/xor.jpg">

## Abbreviations
* PBKDF2
* HMAC
* MD
* DES
* AES

* Password Based Key Derifivation Function
* Hashed Message Authentication Code
* Message Digest
* Data Encryption Standard - Believed secure in Triple DES, but theoretical weaknesses exist in algorithm, but are impractical to reproduce
* Advanced Encryption Standard - Announced by NIST in November 26, 2001

<img src="img/dave_enough.png" height="400">

## Features 
1. User Login (storing passwords)
2. Storing OAuth2 refresh tokens

### QuickBooks Online OAuth2 Token Storage

> Be sure to encrypt the refresh_token before saving it to persistent storage. Then, decrypt the it and store it in volatile memory when you need to use it to refresh the access_token.

> OAuth 2.0
Encrypt and store the refresh token and realmId in persistent memory.
Encrypt the refresh token with a symmetric algorithm (3DES or AES). AES is preferred.
Store your AES key in your app, in a separate configuration file.

<img src="img/alice_small.png" height="400">

<img src="img/bob_password_field.png" height="400">

<img src="img/boss_attention.png" height="400">

## Option 1 - Plaintext

* Alices finds [plaintextoffenders.com](http://plaintextoffenders.com/) - (now defunct)
* Need Another option

## Option 2 - Caeser Cipher (ROT13)

In [3]:
import codecs
text = "this is some text to encrypt"
encoded = codecs.encode(text, 'rot_13')
decoded = codecs.encode(encoded, 'rot_13')
print(f'Original: "{text}"\nEncoded: "{encoded}"\nDecoded: "{decoded}"')

Original: "this is some text to encrypt"
Encoded: "guvf vf fbzr grkg gb rapelcg"
Decoded: "this is some text to encrypt"


## Frequency Analysis

<img src="img/English_letter_frequency_(frequency).svg">

By Nandhp - Own work; en:Letter frequency., Public Domain, https://commons.wikimedia.org/w/index.php?curid=9971079

## Base64 Encoding

In [4]:
import base64
text = b'this is some text to encrypt'
encoded = base64.b64encode(text)
decoded = base64.b64decode(encoded)
print(f'Original: "{text}\nEncoded: {encoded}\nDecoded: {decoded}')

Original: "b'this is some text to encrypt'
Encoded: b'dGhpcyBpcyBzb21lIHRleHQgdG8gZW5jcnlwdA=='
Decoded: b'this is some text to encrypt'


In [5]:
text = b'this is a secret message'
encoded = base64.b64encode(text)
decoded = base64.b64decode(encoded)
print(f'Original: "{text}\nEncoded: {encoded}\nDecoded: {decoded}')

Original: "b'this is a secret message'
Encoded: b'dGhpcyBpcyBhIHNlY3JldCBtZXNzYWdl'
Decoded: b'this is a secret message'


## Hashes
### 5 Properties

1. it is deterministic so the same message always results in the same hash
2. it is quick to compute the hash value for any given message
3. it is infeasible to generate a message from its hash value except by trying all possible messages
4. a small change to a message should change the hash value so extensively that the new hash value appears uncorrelated with the old hash value
5. it is infeasible to find two different messages with the same hash value

### Examples

* MD5 - Has been shown to have produce collisions via "birthday attack" 
* SHA1 - Has been shown to collide with two dissimilar PDF files
* SHA-2 - 256 - 512
* SHA-3 also exists and is a good choice too

SHAttered – first public collision[edit]
On 23 February 2017, the CWI (Centrum Wiskunde & Informatica) and Google announced the SHAttered attack, in which they generated two different PDF files with the same SHA-1 hash in roughly $2^{63.1}$ SHA-1 evaluations. This attack is about 100,000 times faster than brute forcing a SHA-1 collision with a birthday attack, which was estimated to take $2^{80}$ SHA-1 evaluations. The attack required "the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations

In [6]:
import hashlib
print(hashlib.md5(b'0').hexdigest())
print(hashlib.md5(b'1').hexdigest())

cfcd208495d565ef66e7dff9f98764da
c4ca4238a0b923820dcc509a6f75849b


In [7]:
print(hashlib.sha224(b'').hexdigest())
print(hashlib.sha256(b'').hexdigest())
print(hashlib.sha384(b'').hexdigest())
print(hashlib.sha512(b'').hexdigest())

d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e


In [8]:

file1, file2 = '', ''
with open('md5/file1.txt', 'r') as f1:
    file1 = ''.join(f1.readlines()).replace(' ', '').replace('\n', '')
with open('md5/file2.txt', 'r') as f2:
    file2 = ''.join(f2.readlines()).replace(' ', '').replace('\n', '')
    
print(file1)
print('------')
print(file2)
    

d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f8955ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5bd8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70
------
d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f8955ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5bd8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70


<img src="img/md5_files.png">

In [9]:
from binascii import unhexlify
print(hashlib.md5(unhexlify(file1)).hexdigest())
print(hashlib.md5(unhexlify(file2)).hexdigest())

79054025255fb1a26e4bc422aef54eb4
79054025255fb1a26e4bc422aef54eb4


In [10]:
import hashlib, binascii
# hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen=None)
dk = hashlib.pbkdf2_hmac('sha1', b'plnlrtfpijpuhqylxbgqiiyipieyxvfsavzgxbbcfusqkozwpngsyejqlmjsytrmd', b'A009C1A485912C6AE630D3E744240B04', 1000)
dk2 = hashlib.pbkdf2_hmac('sha1', b"eBkXQTfuBqp'cTcar&g*", b'A009C1A485912C6AE630D3E744240B04', 1000)
print(binascii.hexlify(dk))
print(binascii.hexlify(dk2))

b'1428fb4a370a79b1196a41ccdaef31a130cea49e'
b'1428fb4a370a79b1196a41ccdaef31a130cea49e'


PBKDF2 (password based key derivation function) has an interesting property when using HMAC (hashed message authentication code) as its pseudo-random function. It is possible to trivially construct any number of resulting collisions for different passwords. If a supplied password is longer than the block size of the underlying HMAC hash function, the password is first pre-hashed into a digest, and that digest is instead used as the password. 

HMAC provides both integrity and authentication of the cipher text

## LinkedIn Attack
* Unsalted SHA-1 hashes used for password storage
* [Detailed article](http://blog.erratasec.com/2012/06/linkedin-vs-password-cracking.html) showing the steps an attacker would take to identify the passwords from the hashed values
* [SANS Article](https://www.sans.org/reading-room/whitepapers/basics/password-security-thirty-five-years-35592) on password security for the past 35 years
  > ATI Radeon HD69xx can achieve 10.3
billion single-round MD5 hashes per second or 2.6 billion single-round SHA1 hashes per second.
One Radeon R9 295x2 GPU can brute force 23.2 billion single-round MD5 hashes per second or
5.97 billion single-round SHA1 hashes per second

* LinkedIn breach from 2012
  * Link, from Robert Graham, explains in detail how to run (ocl)Hashcat to algorithmically obtain passwords. 
  * Possible attacks: Dictionary, mutated dictionary, rule based, custom character set, combination, brute force 
* Sans article from 2014

In [1]:
# * 8 NVIDIA 1080 GPU Machine
# * [Hashcat](https://hashcat.net/hashcat/) - 341 GH/z (NTLM)

from IPython.display import HTML
HTML('<iframe width="560" height="315" src="https://www.youtube.com/embed/p3a9xwJ6ACI?start=45&end=74" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>')

* 8 NVIDIA 1080 GPU Machine
* [Hashcat](https://hashcat.net/hashcat/) - 341 GH/z (NTLM)

* Single Vidia GTX 1080 on Newegg is $819
* At 341 GH/s, can crack all 7 character NTLM passwords in 7 seconds

## From MD5 to Argon2
* Reset all users passwords all at once, requiring everyone to login and change their password
* Change passwords in place

* Note: IETF (Internet Engineering Task Force) as of January 2017 still recommends PBKDF2 as its password hashing algorithm. No mention of Argon2. Likely due to the new-ness of the Argon2 protocol.
* Which option is preferred depends on the nature of the problem being solved.
  * If there is no hurry and there are a lot of users, write some code to transition the hashed value to the new algorithm when the user logs in next.
  * If there are few uers (i.e. an internal app), it might be simpler (i.e. require less developer time) to have everyone reset their passwords at the same time. 
* Argon2 was released as the winner in 2015. It has options to allow it to be tuned for time, memory, and parallelism to protect against attacks. This allows it to provide more forward secrecy as moore's law continues to provide more and faster computation capabilities.

In [13]:
username = "user".encode() # probably from a request object
password = "password".encode() # probably from a request object

hashed = hashlib.md5(password).hexdigest()
hashed

'5f4dcc3b5aa765d61d8327deb882cf99'

In [14]:
from passlib.hash import argon2, pbkdf2_sha256

ar2 = argon2.hash(password)
pbkdf2 = pbkdf2_sha256.hash(password)
print(f'pbkdf2: {pbkdf2}\nargon2: {ar2}')
print(argon2.verify('password', ar2))
print(pbkdf2_sha256.verify('password', pbkdf2))
argon2.using(rounds=4, memory_cost=1000, parallelism=3).hash('password')

pbkdf2: $pbkdf2-sha256$29000$fS.lNIYQYiwFYKwV4jzHuA$RZgFmpgiEwLHkhVUGUJ5kwikPu7ZRIK7MOC.2A9HJsg
argon2: $argon2i$v=19$m=512,t=2,p=2$AQBAKGXs3ZszhhBCyNk75w$Bp0Zkb+mD8JpuFmqf9fg1g
True
True


'$argon2i$v=19$m=1000,t=4,p=3$jtEaIyQk5BwjhJCScg4hhA$Froo6GG0AZ2e+Q7A3VsU6g'

argon2i - Strongest against side-channel attacks
argon2d - Strongest against GPU based attacks
`Argon2d is faster and uses data-depending memory access, which makes it highly resistant against GPU cracking attacks and suitable for applications with no threats from side-channel timing attacks (eg. cryptocurrencies). Argon2i instead uses data-independent memory access, which is preferred for password hashing and password-based key derivation, but it is slower as it makes more passes over the memory to protect from tradeoff attacks. Argon2id is a hybrid of Argon2i and Argon2d, using a combination of data-depending and data-independent memory accesses, which gives some of Argon2i's resistance to side-channel cache timing attacks and much of Argon2d's resistance to GPU cracking attacks.`

`The right rounds value for a given hash & server should be the largest possible value that doesn’t cause intolerable delay for your users.`

M is an integer representing the variable memory cost, in kibibytes (512kib in the example).
T is an integer representing the variable time cost, in linear iterations. (3 in the example).
P is a parallelization parameter, which controls how much of the hash calculation is parallelization (2 in the example).

Next: Auth0

<img src="img/auth0.png">
<img src="img/auth0_pricing.png">

## Other Options

<table border="0">
    <tr>
        <td width="300"><img src="img/sqrl.png" width="150"></td>
        <td><img src="img/fido_alliance.png"></td>
    </tr>
</table>

* FIDO = Fast Identity Online
* SQRL = Secure, Quick, Reliable, Login

## Encryption
* Encrypt and decrypt a refresh_token for OAuth2
* Token will be valid for up to 100 days, and can be reused to generate a new access_token to gain API access to QuickBooks.

## AES - Subset of Rijndael
* Vincent Rijmen and Joan Daemen - Belgian Cryptographers
* 128 bit blocks with keys of 128, 192, or 256 bits


* Rijndael the Cipher itself can handle block and key sizes of any 32 bit multiple. AES standardizes on 128 bit blocks, and 128, 192, or 256 bit keys

In [15]:
from IPython.display import HTML

HTML('<iframe width="560" height="315" src="https://www.youtube.com/embed/mlzxpkdXP58" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>')

* XOR error at 2:33, but otherwise the concepts of the visualization are sound
* By 2006, the best known attacks were on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys
* Various Side-channel attacks have been shown to be effective against AES. 
* 128 bit key for SECRET, 192 or 256 for TOP SECRET classified information
* AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys.

In [2]:
from cryptography.fernet import Fernet
from base64 import urlsafe_b64decode
# Put this somewhere safe!
key = Fernet.generate_key()
f = Fernet(key)
token = f.encrypt(b"A really secret message. Not for prying eyes.")
print(token)
# print(urlsafe_b64decode(token))
f.decrypt(token)

b'gAAAAABadF5TFpSj7tIFDOn3wKSog-amxiHF7RHNfNvoUNVV14e6gGD2A79WfeOGKl4OJpx4F6M25E0ZUEOnBiTEpnHOYYMeiLUd-9fEmmNh4k2nMc5N59YeweH_flwx2v0KtOKCu61U'


b'A really secret message. Not for prying eyes.'

In [4]:
print(f.encrypt(b'some other message'))
print(f.encrypt(b'a third and completely different message'))

b'gAAAAABadF6SH6IeIWsvwlRDs_TJB7k6mBcTAlGh-b5dNTTEqyHeNX1tE2ZwxnTwgNFJTY1IKhwGruvEFZAktgSOehJ6qFMBZk2Mpgy5WCX-NB6LmnnXZOQ='
b'gAAAAABadF6SJEkmMUytQ5z5qmuqM281qdhuvUcTwItmroqh48WEyzbg5f6VEodiIGWtfPxU8zk5s2efy1avVKP9KBSqKEDlYGorfnC0ZaJZx122sfETWF-ZsZFsfhwWqGelnCPK8Jhf'


Several notes about the Fernet algorithm:

* The Version number was not incremented despite several spec-level changes to the /spec repository
* Fernet uses a 128 bit Signging Key and a 128 bit encryption key
* Fernet as a protocol seems to have originated with Heroku, and was used for data in transit. Since it is the default implementation in the Cryptography library in Python, it makes sense for ease of use.

## Fernet Spec

    Version ‖ Timestamp ‖ IV ‖ Ciphertext ‖ HMAC

- *Version*, 8 bits
- *Timestamp*, 64 bits
- *IV*, 128 bits
- *Ciphertext*, variable length, multiple of 128 bits
- *HMAC*, 256 bits

In [7]:
import base64
import os
from cryptography.fernet import Fernet
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
password = b"password"
salt = os.urandom(16)
kdf = PBKDF2HMAC(
     algorithm=hashes.SHA256(),
     length=32,
     salt=salt,
     iterations=400000,
     backend=default_backend()
)
key = base64.urlsafe_b64encode(kdf.derive(password))
f = Fernet(key)
token = f.encrypt(b"Secret message!")
print(token)
f.decrypt(token)

b'gAAAAABadHJzxM1o1S_XVvchNLaTCcV-tH-bmfZqc-XDNI34ll09vBdEfaVH4g9sPu436stWl4Hq0QMmQVQgAZWNhcibphwrKA=='


b'Secret message!'

* Django documentation recommended at least 100,000 iterations back in 2014.

In [3]:
' - '.join(['{0:08b}'.format(t) for t in urlsafe_b64decode(token)])

'10000000 - 00000000 - 00000000 - 00000000 - 00000000 - 01011010 - 01110100 - 01011110 - 01010011 - 00010110 - 10010100 - 10100011 - 11101110 - 11010010 - 00000101 - 00001100 - 11101001 - 11110111 - 11000000 - 10100100 - 10101000 - 10000011 - 11100110 - 10100110 - 11000110 - 00100001 - 11000101 - 11101101 - 00010001 - 11001101 - 01111100 - 11011011 - 11101000 - 01010000 - 11010101 - 01010101 - 11010111 - 10000111 - 10111010 - 10000000 - 01100000 - 11110110 - 00000011 - 10111111 - 01010110 - 01111101 - 11100011 - 10000110 - 00101010 - 01011110 - 00001110 - 00100110 - 10011100 - 01111000 - 00010111 - 10100011 - 00110110 - 11100100 - 01001101 - 00011001 - 01010000 - 01000011 - 10100111 - 00000110 - 00100100 - 11000100 - 10100110 - 01110001 - 11001110 - 01100001 - 10000011 - 00011110 - 10001000 - 10110101 - 00011101 - 11111011 - 11010111 - 11000100 - 10011010 - 01100011 - 01100001 - 11100010 - 01001101 - 10100111 - 00110001 - 11001110 - 01001101 - 11100111 - 11010110 - 00011110 - 11000001 

## Conclusion

* Cryptography is Hard

* Cryptography is the easy part

* Crypto has well defined boundaries and requirements. An entire system is complex with many possibilities for compromise

## Further Reading
<img src="img/applied_crypto.jpg" style="float: left; padding-right: 5px" height="350px">
<img src="img/crypto_engineering.jpg" height="350px">

## Fin

* Questions?

Final Challenge:

`UGxlYXNlIGxldCBtZSBrbm93IHdoYXQgeW91IHRoaW5rIG9mIG15IHRhbGs6DQoNCmh0dHA6Ly9zcGtyOC5jb20vdC83NDMyMQ==`

## Notes:
Security Now Transcripts:
* [Cryptographic Backdoors](https://www.grc.com/sn/sn-491.pdf)
* [Eliptic Curve Cryptography](https://www.grc.com/sn/sn-374.pdf) - Also available in Applied Crypto book
* [Authenticated Encryption](https://www.grc.com/sn/sn-460-notes.pdf)
* [Symetric Ciphers](https://www.grc.com/sn/sn-125.pdf)
* [NSA Fingerprints](https://www.grc.com/sn/sn-644-notes.pdf)

## References

* [Password Hashing Competition](https://password-hashing.net/)
* [Password Security for 35 Years](https://www.sans.org/reading-room/whitepapers/basics/password-security-thirty-five-years-35592)
* [Painless Password Migration](https://veggiespam.com/painless-password-hash-upgrades/)