Building Encrypted APIs with HTTPS and Paillier
-
Upload
nicholas-doiron -
Category
Internet
-
view
81 -
download
1
Transcript of Building Encrypted APIs with HTTPS and Paillier
Building Encrypted APIswith
HTTPS and Paillier
Nick Doiron - @mapmeld~30 min + questions
About meTraveling web dev and mapmaker
Some useful things:
One Laptop per Child, Code for America,Myanmar 2015 election API
Some useless things:
Fortran.io, GitJK
(can answer Qs in Spanish… maybe)
What’s so special about HTTPS?HTTP is easy to track, intercept, modify, or forge
HTTPS encrypts page’s
- URL (beyond subdomain.domain.com)- content
An HTTPS certificate shows that the content was encrypted by the domain(no modifying / forgery)
Forward secrecy: compromised key can’t decode old sessions (iOS mandatory)
HTTPS critical for news, political sites: https://securethe.news/sites/
Some JS won’t run without HTTPS
Web crypto API (OpenPGP.js)
getUserMedia (camera/mic)
Where do certs come from?
Certificate Authorities (and uber-authorities)
Team started in 2012: FREE HTTPS ON DEMAND
Public beta in December 2015 - over 24 million in one year!
LetsEncrypt: can I do it?- github.com/certbot/certbot, written in Python, maintained with EFF
- you could have a big impact on online security, by helping out this repo
- ./certbot-auto CLI- No wildcard domains- Easier if you run in sudo- Apache or Nginx auto-setups (you should be using one already)- Also does renewals
Checking your HTTPS settingsSSL Labs: grades your HTTPS security on several settings
OverEncrypt
Hacker News bait - Security beyond LetsEncrypt Defaults
Apache/Nginx config
- Is this necessary?- ‘Stormchaser’
- Steps reviewableon SSL Labs
Must-Staple
OCSP Stapling = standard to publicly notify when revoking certificates
Must-Staple tells browser to always check that the cert has not been revoked
LetsEncrypt supports it, but does not auto-enable
Certificate Transparency
Mostly forward-thinking and not fully used today
LetsEncrypt posts every cert issued, on https://crt.sh
Goal is to notice unusual and distrust non-public certs
More info: https://certificate-transparency.org
Public Key Pinning
WARNING: this can brick your entire domain
Tells browsers to only allow certs with a certain SHA256 hash
I recommend current cert + root cert (renewal gives you a brand new cert and hash)But then you are tied to LetsEncrypt :-\
Allow Preload
Used on major websites, governments, etc
Most major browsers have a list of expected certs for these websites, you can apply
Avoids attacks on cert authorities, first-time users
OverEncrypt CLI
I’m developing a CLI to recommend or make these changes automatically
https://github.com/mapmeld/overencrypt
Python Nginx-config-parser broke on my settings (?)
General Tips
and future notes
And you can start
living in the future NOW
UUID - don’t use sequential IDs
Future: Quantum Computers and BoringSSL
BoringSSL:
- initially created by Google to avoid sketchy OpenSSL code
- recently testing ‘A New Hope’- Ring Learning With Errors > Lattice-based
Encryption > Post-Quantum Encryption
Future: Homomorphic Encryption
What if I could send you encrypted data and numbers,
and you could run code / operations on it,
without ever decrypting it?
1st fully-homomorphic algorithm in 2009
Potential for e-voting, private medical data, exchange rates, searching encrypted data
Crypto-GeoFence project
Uses partially-homomorphic encryption called Paillier cryptosystem
Check if client’s latitude / longitude is in the target area
- don’t reveal client location to server- don’t reveal target area to client
github.com/Georeactor/crypto-geofence
Crypto-GeoFence
pip install phe (partially-homomorphic encryption)
X > Left_Border&&X > Right_Border
X > Left_Border&&X < Right_Border
Crypto-GeoFence
Calculate distance to sides
Randomize
Client can decrypt if it is inside the box
Thank you - Muchas gracias - Questions?Nick Doiron - @mapmeld