The video recording of my talk at NDC London is now available to watch online. This was my first major conference so it was a little scary, but I really enjoyed the experience. The room was about two thirds full and I got an excellent speaker rating at the end, so I must have done something right.
Today I am on the Dot Net Rocks show talking about cryptography with Carl and Richard. We talk mostly about secure ways to store passwords, and also about hybrid cryptography, where you use a combination of AES, RSA, and SHA256 to create a robust encryption scheme.
The show was a lot of fun to record. It is quite daunting when you are suddenly on a show that you have listened to every week for 5 years, but Carl and Richard made the experience very easy going and fun.
Here is the show description.
Encrypt all the things! Carl and Richard talk to Stephen Haunts about how to use cryptography properly. And as it turns out, you don’t have to be a mathematician to put crypto to work for you! The conversation starts out focusing on password hashing – lots of ways to do it wrong, salting seems complicated, but in the end, there is a built-in, poorly named function in the .NET Framework that will give you proper leading edge password hashing, you just have to know what it is (check the links on the show page). From there Stephen talks about 2-way symmetric and asymmetric encryption. Best used together, and best used on any and all data that you have. Good stuff!
In January I will be attending the NDC conference in London and doing a talk on Cryptography in .NET. This talk will be on Thursday 14th January at 4.20pm. I am really excited to be doing this talk as it is my first major conference.
Cryptography in .NET is a subject I am very passionate about and have been teaching developers about all year at user groups, and also with my book from Syncfusion called “Cryptography in .NET Succinctly” and my course on the same subject, “Practical Cryptography in .NET”, over at Pluralsight.
On Friday 15th January, I will also be at the Pluralsight stand at 1pm and 4pm to talk about authoring for Pluralsight. If you are interested in hearing about what it takes to develop courses for Pluralsight and are at NDC, then please come along and I will be happy to answer your questions.
I will also be hanging around the User Groups and Community stand at the conference promoting the idea of attending and running user groups.
If you are at NDC, then please pop along and say hello.
I have already spoken about Password Based Key Derivation Functions before on this blog and I have discussed secure password storage with PBKDF2 at length in my Pluralsight course, Practical Cryptography in .NET, but in this post I want to expand on this a bit and talk about picking suitable iteration counts for the PBKDF2 key derivation process.
A reader of this blog, Geoff Hirst, gave me a heads-up about an episode of the Security Now podcast, specifically episode 512, where the recent security breach at LastPass was discussed. Luckily no one’s data was actually at risk due to their security policies and good use of encryption, but the podcast talked about something that was interesting, and that was: what should you set your PBKDF2 iteration count to?
I must admit I have always used round numbers like 50,000 or 100,000, but the podcast says this isn’t a good idea and you should use a five-figure number beginning with a digit larger than 2, but a random number which isn’t rounded to a specific whole number such as 50,000 or 100,000.
By making this a random number that you do not disclose you are making an attacker’s life a little harder, as they have to get the iteration count right as well as the password before a guess can be checked. Of course you shouldn’t rely on this as your main security control, which remains an iteration count high enough to make each guess expensive, together with a unique random salt per user, but anything that makes an attacker’s life a little harder is a good thing.
If you are dealing with a system that has multiple users, why not randomly generate a different iteration count per user? Then if one user’s record is cracked and their password recovered, the attacker has learned nothing about the count used for any other user. Bear in mind that the verifier still needs each user’s count, so in practice it is stored alongside the hash and salt (or derived from a server-side secret); like the salt, it is a secondary defence rather than a secret that the scheme depends on.
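The following is an added example, not code from this blog or from the Pluralsight course, showing the approach described above in C#. It assumes the .NET 6+ APIs (`Rfc2898DeriveBytes.Pbkdf2`, `RandomNumberGenerator.GetBytes`, `CryptographicOperations.FixedTimeEquals`); on the .NET Framework of the time you would use the `Rfc2898DeriveBytes` constructor instead. Rather than picking a round number, it calibrates the iteration count against a wall-clock target on the machine that will verify logins (the 250 ms target and the 100,000 floor are my assumptions, not values from the post), adds a random per-user offset so no two users share a round count, and stores the count with the salt and hash so that verification is possible:

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;

// Added example: PBKDF2-HMAC-SHA256 password storage with a calibrated, per-user
// iteration count. Record format: pbkdf2-sha256$<iterations>$<salt-b64>$<hash-b64>
public static class PasswordStore
{
    const int SaltBytes = 16;
    const int HashBytes = 32;

    // Largest iteration count that keeps one derivation under targetMs on this hardware.
    // Assumption: ~250 ms per login is acceptable server-side; tune for your own capacity.
    public static int CalibrateIterations(int targetMs = 250)
    {
        const int probe = 20_000;
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        var sw = Stopwatch.StartNew();
        Rfc2898DeriveBytes.Pbkdf2("calibration", salt, probe, HashAlgorithmName.SHA256, HashBytes);
        sw.Stop();
        double perIterationMs = sw.Elapsed.TotalMilliseconds / probe;
        int count = (int)(targetMs / perIterationMs);
        return Math.Max(count, 100_000); // never drop below a floor, even on fast hardware
    }

    // Random offset so each user's count is different and not a round number.
    public static int PerUserIterations(int baseline) =>
        baseline + RandomNumberGenerator.GetInt32(0, 10_000);

    public static string Hash(string password, int iterations)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, HashBytes);
        // Everything the verifier needs is in the record; the count is not treated as a secret.
        return $"pbkdf2-sha256${iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(hash)}";
    }

    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256") return false;
        int iterations = int.Parse(parts[1]);
        byte[] salt = Convert.FromBase64String(parts[2]);
        byte[] expected = Convert.FromBase64String(parts[3]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        // Constant-time comparison so timing does not leak how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static void Main()
    {
        int baseline = CalibrateIterations();
        string record = Hash("correct horse battery staple", PerUserIterations(baseline));
        Console.WriteLine(record);
        Console.WriteLine(Verify("correct horse battery staple", record)); // True
        Console.WriteLine(Verify("wrong password", record));              // False
    }
}
```

Re-run the calibration whenever the hardware changes, and re-hash a user's password with the current baseline on their next successful login, so counts chosen years ago do not stay fixed at a level that today's GPUs find cheap.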
I am pleased to announce that my latest course, Practical Cryptography in .NET has been released by Pluralsight.
The course description is as follows:
As a software developer you have a duty to your employer to secure and protect their data. In this course you will learn how to use the .NET Framework to protect your data to satisfy confidentiality, integrity, non-repudiation and authentication.
This course covers random number generation, hashing, authenticated hashing and password based key derivation functions. The course also covers both symmetric and asymmetric encryption using DES, Triple DES, AES and RSA. You then learn how to combine these all together to produce a hybrid encryption scheme which includes AES, RSA, HMACs and Digital Signatures.
The course is aimed at teaching developers about the importance of protecting sensitive data within their systems.
As well as giving lots of technical background, the course will be very practical with lots of live code demonstrations. The course will be split into the following modules.
1. Course Outline and Introduction
2. Cryptographic Random Numbers
3. Hashing Algorithms
4. Secure Password Storage
5. Symmetric Encryption
6. Asymmetric Encryption
7. Hybrid Encryption
8. Digital Signatures
9. Secure String
10. Course Summary
Modules 2 – 6 cover a lot of theory and practical advice on using what is built into the .NET Framework. Module 7 on Hybrid Cryptography takes this a step further by combining many of the cryptographic primitives discussed into a single scheme: RSA provides flexible key management (only the recipient’s public key is needed to send them data), AES provides fast bulk encryption of the data under a random session key, and an HMAC provides authenticated integrity checking of the result.
This is then expanded further by introducing the concept of Digital Signatures to build non-repudiation into the system.
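As an added example of the scheme just described (my own illustration, not the course’s code), here is a hybrid package in C# using the .NET 6+ APIs: a random AES-256 session key and a separate MAC key encrypt and authenticate the data (AES-CBC, then HMAC-SHA256 over the IV and ciphertext, encrypt-then-MAC), both keys are wrapped with the recipient’s RSA public key using OAEP, and the whole package is signed with the sender’s RSA private key using PSS. The `HybridPackage` class, the field layout and the sample message are all assumptions made for the example:

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example: hybrid encryption with AES + HMAC for the data, RSA-OAEP for key
// transport and RSA-PSS for non-repudiation. Layout is this example's own choice.
public sealed class HybridPackage
{
    public byte[] WrappedKeys = Array.Empty<byte>(); // RSA-OAEP(sessionKey || macKey)
    public byte[] Iv = Array.Empty<byte>();
    public byte[] Ciphertext = Array.Empty<byte>();
    public byte[] Mac = Array.Empty<byte>();         // HMAC-SHA256(Iv || Ciphertext)
    public byte[] Signature = Array.Empty<byte>();   // RSA-PSS over everything above

    public byte[] SignedBody() => Concat(WrappedKeys, Iv, Ciphertext, Mac);

    public static byte[] Concat(params byte[][] parts)
    {
        using var ms = new MemoryStream();
        foreach (byte[] p in parts) ms.Write(p, 0, p.Length);
        return ms.ToArray();
    }
}

public static class HybridCrypto
{
    public static HybridPackage Encrypt(byte[] plaintext, RSA recipientPublic, RSA senderPrivate)
    {
        byte[] sessionKey = RandomNumberGenerator.GetBytes(32);
        byte[] macKey = RandomNumberGenerator.GetBytes(32); // separate key for the MAC
        var pkg = new HybridPackage();

        using (var aes = Aes.Create())
        {
            aes.Key = sessionKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();
            pkg.Iv = aes.IV;
            using ICryptoTransform enc = aes.CreateEncryptor();
            pkg.Ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
        using (var hmac = new HMACSHA256(macKey))
            pkg.Mac = hmac.ComputeHash(HybridPackage.Concat(pkg.Iv, pkg.Ciphertext));

        // Only the holder of the recipient's private key can recover the symmetric keys.
        pkg.WrappedKeys = recipientPublic.Encrypt(HybridPackage.Concat(sessionKey, macKey), RSAEncryptionPadding.OaepSHA256);
        // Only the sender could have produced this signature over the whole package.
        pkg.Signature = senderPrivate.SignData(pkg.SignedBody(), HashAlgorithmName.SHA256, RSASignaturePadding.Pss);

        CryptographicOperations.ZeroMemory(sessionKey);
        CryptographicOperations.ZeroMemory(macKey);
        return pkg;
    }

    public static byte[] Decrypt(HybridPackage pkg, RSA recipientPrivate, RSA senderPublic)
    {
        // Signature first: reject anything not from the expected sender before doing any work.
        if (!senderPublic.VerifyData(pkg.SignedBody(), pkg.Signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pss))
            throw new CryptographicException("bad signature");

        byte[] keys = recipientPrivate.Decrypt(pkg.WrappedKeys, RSAEncryptionPadding.OaepSHA256);
        byte[] sessionKey = keys[..32];
        byte[] macKey = keys[32..];

        // MAC before decrypt: tampered ciphertext never reaches the CBC padding check.
        byte[] expectedMac;
        using (var hmac = new HMACSHA256(macKey))
            expectedMac = hmac.ComputeHash(HybridPackage.Concat(pkg.Iv, pkg.Ciphertext));
        if (!CryptographicOperations.FixedTimeEquals(expectedMac, pkg.Mac))
            throw new CryptographicException("bad MAC");

        using var aes = Aes.Create();
        aes.Key = sessionKey;
        aes.IV = pkg.Iv;
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        using ICryptoTransform dec = aes.CreateDecryptor();
        return dec.TransformFinalBlock(pkg.Ciphertext, 0, pkg.Ciphertext.Length);
    }

    public static void Main()
    {
        using RSA alice = RSA.Create(2048); // sender
        using RSA bob = RSA.Create(2048);   // recipient
        byte[] msg = Encoding.UTF8.GetBytes("constructed sample message for the example");

        HybridPackage pkg = Encrypt(msg, bob, alice);
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(pkg, bob, alice)));

        pkg.Ciphertext[0] ^= 0x01; // tamper with one byte: the signature check now fails
        try { Decrypt(pkg, bob, alice); }
        catch (CryptographicException e) { Console.WriteLine(e.Message); }
    }
}
```

The order of checks in `Decrypt` is the security-relevant part: verify the signature, then the MAC, and only then decrypt, so that neither a forged package nor a modified ciphertext is ever fed to AES. If you are on a .NET version with `AesGcm`, a single AES-GCM key replaces the AES-CBC + HMAC pair and gives the same encrypt-then-MAC property with less code.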
The course has been a lot of fun to produce and I hope you find it useful. Protecting data is something that every developer should take very seriously, and this course gives you all the tools you need to protect your company’s data from exfiltration by hackers or anyone else that wants to cause organisations harm.
I will be doing a talk at the Derbyshire Dot Net user group on March 26th 2015 in Derby. The talk will be on Cryptography in .NET. The talk will be at Sadler Bridge Studios in the City Centre and start at 7pm.
The talk synopsis is:
Data security is something that we as developers have to take seriously when developing solutions for our organizations. Cryptography can be a deeply complicated and mathematical subject but as developers we need to be pragmatic and use what is available to us to secure our data without disappearing down the mathematical rabbit hole.
In this talk Stephen Haunts will take you through what is available in the .NET framework for enterprise desktop and server developers to allow you to securely protect your data to achieve confidentiality, data integrity and non-repudiation of exchanged data. Stephen will cover the following:
- Cryptographically secure random number generation.
- Hashing and Authenticated Hashes.
- Secure Password Storage
- Symmetric Encryption with DES, TripleDES, and AES.
- Asymmetric Encryption with RSA.
- Hybrid Encryption by using Symmetric and Asymmetric encryption together.
- Digital Signatures.
Stephen Haunts is a Development Manager working in the healthcare division at Boots and has been developing code since he was 10. Stephen is also an author with Pluralsight and a book author writing for the Syncfusion Succinctly series of books.