Building a Better Web
June 11–12, 2018: Training
June 12–14, 2018: Tutorials & Conference
San Jose, CA

The Art & Craft of Secrets: Using the Cryptographic Toolbox

Michael Swieton (Atomic Object)
11:00am–11:40am Thursday, June 14, 2018
Security
Location: 212 A/B Level: Intermediate
Secondary topics:  Best practice, Technical, Web Pillars Track: Performance, Security, Accessibility

Who is this presentation for?

Developers, full-stack, web

Prerequisite knowledge

We'll be talking about security in the context of the web and its protocols, so an understanding of web basics (requests, cookies) will be critical. Attendees will not need deep knowledge of math, specific encryption algorithms, or network protocol internals.

What you'll learn

Many developers have heard of encryption or signatures, or know what modular arithmetic is, but all of that is a far cry from actually securing a site. Too often people copy and paste `openssl` commands from web pages to generate Certificate Signing Requests or SSH keys without knowing what those commands produce or why. Through illustrations and examples, attendees will come away understanding how the pieces fit together.

Description

In 1970, a small group of activists broke into a draft board office in Delaware to steal records. The records were kept in a secure room, and none of the group could pick the lock. Instead, hours before the planned break-in, one of them taped a note to the door reading “Please don’t lock this door tonight.” When they arrived after hours, the door was unlocked.

The moral of the story is that security is not about picking the right lock. It’s about how the different pieces all come together to make a complete system.

Securing any software system usually isn’t about picking a better cipher algorithm (i.e. a better lock). It’s about the way that cipher works with a sophisticated suite of related security tools to provide trust and privacy. Even the simplest website now relies on public key cryptography, signatures, password hashes, key exchange, and symmetric (bulk) encryption, at a minimum. We often take this diverse suite of tools for granted.

This session will build an understanding of how this ecosystem provides security for our applications. We’ll start with a quick review of what the tools in the toolbox are:

  • Asymmetric and symmetric encryption
  • Hashes, password hashes, and salts
  • Signatures
  • Certificates
  • and so on

And then we’ll focus on how these tools come together with our applications in order to achieve user-visible functionality like:

  • secure sessions
  • user authentication
  • single sign-on

We’ll learn about real implementations by digging under the hood of HTTP requests to popular websites.
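The session promises to show how these tools come together into user authentication and secure sessions. As a concrete illustration added here by the editor, not material from the talk or from Atomic Object, the following Python models that composition with only the standard library: a salted, deliberately slow password hash for the credential store, and an HMAC-signed, expiring session token of the kind a server sets as a cookie after login. Every name in it (hash_password, issue_session, the signing key, the user table, the sample credentials) is constructed for the example; a production application should use its framework's built-in password hashing and signed-cookie support rather than hand-rolling these.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os

# Constructed parameters for the example. A real service loads the signing key
# from a secrets store and rotates it; nothing here is checked into source.
PBKDF2_ITERATIONS = 600_000
SESSION_TTL_SECONDS = 3600


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token fits in a cookie value."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, salt: bytes = b"") -> str:
    """Password hash = slow KDF + random per-user salt (explicit salt is for tests only)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(PBKDF2_ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed dummy hash so an unknown username costs the same as a wrong
# password; otherwise response time reveals which usernames exist.
_DUMMY_HASH = hash_password("not a real password")


def issue_session(user_id: str, key: bytes, now: float) -> str:
    """Signed session token: base64(claims) '.' base64(HMAC-SHA256(key, claims))."""
    claims = {"sub": user_id, "exp": int(now) + SESSION_TTL_SECONDS}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    signature = _b64(hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest())
    return payload + "." + signature


def verify_session(token: str, key: bytes, now: float):
    """Return the user id for a valid, unexpired token, otherwise None."""
    try:
        payload, signature = token.split(".")
        presented = _unb64(signature)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    # Check the MAC before touching the claims, and in constant time.
    if not hmac.compare_digest(expected, presented):
        return None  # forged or tampered
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims.get("sub")


def login(username: str, password: str, users: dict, key: bytes, now: float):
    """Check the credential against the stored hash, then mint a session token."""
    stored = users.get(username)
    ok = verify_password(password, stored or _DUMMY_HASH)
    if stored is None or not ok:
        return None
    return issue_session(username, key, now)


if __name__ == "__main__":
    KEY = os.urandom(32)
    users = {"alice": hash_password("correct horse battery staple")}
    token = login("alice", "correct horse battery staple", users, KEY, now=1_000_000)
    print("Set-Cookie: session=" + token + "; HttpOnly; Secure; SameSite=Lax")
    print("verified as:", verify_session(token, KEY, now=1_000_060))
```

Two details are where the "pieces fit together": the salt means an attacker who steals the user table cannot reuse a precomputed hash table, and the HMAC means the client can read the session claims but cannot alter them, since any change to the payload invalidates the signature the server checks first.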

These tools and technologies are not new, or shiny, or hip. But they are complicated, critical, and ubiquitous. Understanding the tools in the toolbox will make you better equipped to create, debug, and deploy your applications.


Michael Swieton

Atomic Object

I am a software developer at Atomic Object. For more than a decade I’ve written, tweaked, bent, and broken code into the shape of software of all sorts for many industries.

I obsess over details, lines, and patterns. I travel regularly and seek out adventures ranging from theatre and culture to altitude sickness. I enjoy peeking under the hood of everything, be it math, or software, or coffee, or cake.

In the past, I’ve spoken at RailsConf, Windy City Rails, SyntaxCon, BeerCityCode, GLSEC, and several local meet-ups.
