Presentation: Abstractions to Help Developers Write Good Crypto

Track: Modern CS in the Real World

Location: Pacific DEKJ

Duration: 11:50am - 12:40pm

Day of week: Wednesday

Level: Advanced

Persona: Developer, General Software

What You’ll Learn

  • Find out what are some of the mistakes people make using cryptography.
  • Hear why googling for a cryptography answer to a problem may lead to the wrong solution.
  • Learn from code samples the correct way to use certain Android cryptography libraries.

Abstract

More developers are writing cryptographic code, especially in regulated sectors like health care and financial services, but the code suffers from a combination of poor programming interfaces and a lack of developer training. In one study, 83% of cryptographic flaws (CVEs) were due to programmer misuse of otherwise correct libraries. While solutions like LetsEncrypt have made HTTPS cheaper, encryption of data in transit only covers a small part of the problem space. End-to-end crypto is an important approach, and is getting more widespread, but can programmers implement it securely?

In this talk, we will discuss the impact of programming abstractions on the correctness of cryptographic code, and show why some cryptographic libraries succeed in helping the programmers Do The Right Thing, and why some fail.

Interview

Question: 
Tell us about what you are doing.
Answer: 

Tozny is a cryptography company that builds software tools for computer programmers. Just as cryptography is difficult for end users, cryptography software tools for developers are quite challenging too. Our focus is to make those tools easier to use for developers.

Question: 
What is the motivation for your talk?
Answer: 

We did some research to understand what mistakes people make in implementing cryptography. This came about because I asked a developer to implement something for me using a basic cipher, and the implementation they came back with was incorrect. To fix it, I tried to find an example of a correct implementation on Stack Overflow, but I could not actually find one that was correct! I had to do a significant amount of research myself in making sure that I was using the Java/Android libraries for cryptography correctly, and eventually we actually built an open source library that's very popular. It's used by Fortune 500 companies, and big or small open source projects. It does one thing and it does it well: it encrypts strings using the Android / Java cryptographic libraries correctly. So, the motivation for this talk is helping people understand what's hard and what's easy about cryptography, and the fact that solving problems in cryptography is not exactly the same as a lot of other areas. Googling for answers or finding them on Stack Overflow is not going to work well for cryptography problems.

Question: 
What is the structure of the talk?
Answer: 

First, I’ll set the context of the problem by reviewing some of the research that academics have done, that commercial industry has done, and a little bit of what we did to ourselves to validate the problem. There is good academic research out there showing that 80% of cryptography CVEs are misuse of libraries. That’s programmers using otherwise correct cryptographic libraries incorrectly. I’ll illustrate this with a few Java examples since the QCon audience is mostly very familiar with Java; these examples will resonate very well with them. These include some clear examples of what you would find if you tried to solve a simple problem, for example how to encrypt strings in Android. You can try to solve that problem using the typical approach of just Googling for the answer or finding code that seems to work. Then I will dive in some specific code problems. It's like 10 lines of code but there are five errors in it. I go into each of those errors and help people understand why it's a problem. What security property that you've now lost because you used this code. And then we'll take a deep dive in a couple of those to give people some intuition for the statistics of why key generation works in one way versus another way, and that would be fairly visual.

We'll use our library as an example of how to do things more correctly. It's open source, it is all free. We won't be marketing it, but we used the open source library to validate that this was a big problem, then we built a whole product that's cross-platform to address it in a more robust way. This is something anyone can try out for free of course.

In the end, we want everyone to come away with some new knowledge of common pitfalls and a few nice reasoning and technical tools they can apply to the problem of securing private information.

Speaker: Isaac Potoczny-Jones

Founder @Tozny & Authentication and Privacy Specialist

Isaac founded Tozny to commercialize Galois’ research in cybersecurity and privacy. He has led many successful cybersecurity and identity management projects for government agencies since he started at Galois in 2004. His projects have included secure cross-domain collaboration (Navy, Intelligence Community), practical solutions in identity credentials for first responders (DHS), federated identity for the Open Science Grid (DOE), anonymous authorization and cross-domain search (DOD), mobile password-free authentication (DARPA), authentication for anti-forgery in hardware devices (DARPA), and privacy-preserving authentication and data sharing (NIST). He has applied the NIST Risk Management Framework to commercial and government projects for security assessment and penetration testing. Isaac is an active open source developer in the areas of cryptography and programming languages.

Find Isaac Potoczny-Jones at

.

Tracks

  • Architectures You've Always Wondered About

    Architectural practices from the world's most well-known properties, featuring startups, massive scale, evolving architectures, and software tools used by nearly all of us.

  • Going Serverless

    Learn about the state of Serverless & how to successfully leverage it! Lessons learned in the track hit on security, scalability, IoT, and offer warnings to watch out for.

  • Microservices: Patterns and Practices

    Stories of success and failure building modern Microservices, including event sourcing, reactive, decomposition, & more.

  • DevOps: You Build It, You Run It

    Pushing DevOps beyond adoption into cultural change. Hear about designing resilience, managing alerting, CI/CD lessons, & security. Features lessons from open source, Linkedin, Netflix, Financial Times, & more. 

  • The Art of Chaos Engineering

    Failure is going to happen - Are you ready? Chaos engineering is an emerging discipline - What is the state of the art?

  • The Whole Engineer

    Success as an engineer is more than writing code. Hear inward looking thoughts on inclusion, attitude, leadership, remote working, and not becoming the brilliant jerk.

  • Evolving Java

    Java continues to evolve & change. Track covers Spring 5, async, Kotlin, serverless, the 6-month cadence plans, & AI/ML use cases.

  • Security: Attacking and Defending

    Offense and defensive security evolution that application developers should know about including SGX Enclaves, effects of AI, software exploitation techniques, & crowd defense

  • The Practice & Frontiers of AI

    Learn about machine learning in practice and on the horizon. Learn about ML at Quora, Uber's Michelangelo, ML workflow with Netflix Meson and topics on Bots, Conversational interfaces, automation, and deployment practices in the space.

  • 21st Century Languages

    Compile to Native, Microservices, Machine learning... tailor-made languages solving modern challenges, featuring use cases around Go, Rust, C#, and Elm.

  • Modern CS in the Real World

    Applied trends in Computer Science that are likely to affect Software Engineers today. Topics include category theory, crypto, CRDT's, logic-based automated reasoning, and more.

  • Stream Processing In The Modern Age

    Compelling applications of stream processing using Flink, Beam, Spark, Strymon & recent advances in the field, including Custom Windowing, Stateful Streaming, SQL over Streams.  

Conference for Professional Software Developers