Looking for a bit of inspiration for a security talk I am working on, I am at "Compression, Encryption and Hashing in your app".
Encryption
-So far general, general, general. I am bored... it's 30 seconds in (am I quick to judge?).
-The example is using pre-canned code, which kind of sucks, but he says he has lots of examples.
-Apparently IVs (initialization vectors) are the same as the term "salt".
-Rod said that encrypting a big string will result in a string of equal size once encrypted. I don't know how much I agree with that statement (as there are so many different algorithms), but I don't have any real-world rebuttal to his claim.
-He just showed that it was 3 bytes bigger when using the Triple DES provider (I would like to try other algorithms).
-OK, so a basic presentation on encryption, yet it skipped what the purpose of a salt/vector is.
-I think I am jaded against this guy... sorry for my bias.
-A good question was asked: "What is the best way to store your keys?"
Rod: Use public key infrastructure so you don't have to worry about it.
Dave: Well, if you need to decrypt it then you need to store the key.
Rod: Obfuscate your code.
Dave: C'mon, it's a string! How long would it take someone to run all the strings against the encrypted data?
-I did not actually say this, as I have the feeling it would turn into a long debate. Rod did say he was not an expert in that area, but I know it is a hot topic in the security realm.
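On the "is the ciphertext the same size?" question above: it depends on the mode, not just the algorithm. Block ciphers (DES/Triple DES use 8-byte blocks, AES 16-byte) in a padded mode such as CBC round the plaintext up to a whole number of blocks, so the output grows by 1 to block_size bytes, plus whatever is stored alongside it (IV, authentication tag); stream modes such as CTR add no padding at all. The block below is an added example, not code from the talk; it implements PKCS#7 padding (the scheme the .NET providers default to) and the size arithmetic, and calls no real cipher, so the 3-byte growth Rod saw can be reproduced for any plaintext length and block size.

```python
"""Added example (not from the talk): how much bigger a ciphertext gets.

PKCS#7 padding appends n bytes each of value n so the length becomes a
multiple of the block size; an already-aligned plaintext still gets a full
block of padding, which is what makes unpadding unambiguous.
"""

DES_BLOCK = 8    # DES and Triple DES
AES_BLOCK = 16


def pkcs7_pad(data: bytes, block_size: int) -> bytes:
    """Pad data up to the next multiple of block_size."""
    if not 1 <= block_size <= 255:
        raise ValueError("block size must be 1..255")
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block_size: int) -> bytes:
    """Strip PKCS#7 padding, rejecting anything malformed.

    In real code a padding error must be indistinguishable from a bad MAC
    (padding-oracle attacks), so verify an authentication tag before this."""
    if not data or len(data) % block_size:
        raise ValueError("bad padding")
    n = data[-1]
    if not 1 <= n <= block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ciphertext_size(plaintext_len: int, block_size: int,
                    padded: bool = True, iv_len: int = 0, tag_len: int = 0) -> int:
    """Bytes you will store or transmit for a plaintext of the given length.

    padded=True models CBC/ECB with PKCS#7; padded=False models a stream
    mode (CTR, GCM) where the body stays the same size.  iv_len and tag_len
    account for an IV/nonce or authentication tag stored with the data."""
    if padded:
        body = (plaintext_len // block_size + 1) * block_size
    else:
        body = plaintext_len
    return iv_len + body + tag_len


def growth_for(plaintext_len: int, block_size: int) -> int:
    """How many bytes a padded block-mode ciphertext grows over the plaintext."""
    return ciphertext_size(plaintext_len, block_size) - plaintext_len


if __name__ == "__main__":
    # Constructed sample: a 13-byte string, the case that grows by 3 under 3DES.
    msg = b"hello, world!"
    padded = pkcs7_pad(msg, DES_BLOCK)
    print(len(msg), "->", len(padded), "bytes with Triple DES + PKCS#7")
    print("growth for lengths 1..16 under 3DES:",
          [growth_for(n, DES_BLOCK) for n in range(1, 17)])
    print("same message, AES-CBC with the IV stored in front:",
          ciphertext_size(len(msg), AES_BLOCK, iv_len=AES_BLOCK), "bytes")
    print("same message, AES-GCM with 12-byte nonce and 16-byte tag:",
          ciphertext_size(len(msg), AES_BLOCK, padded=False, iv_len=12, tag_len=16), "bytes")
    assert pkcs7_unpad(padded, DES_BLOCK) == msg
```

So "equal size" is only true for unpadded stream modes and only if you do not count the IV; with Triple DES in CBC the growth cycles from 8 bytes (aligned input) down to 1 byte, and a 13-byte input lands on 3.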
Hashing
-Hashing can be used to determine if data has been tampered with.
-I am bored, so I am going to add notes to his presentation as if I were the one talking.
-Dave: Create a hash of the data... send it to a client... when they send it back, if the hash does not match then the data has been modified (although two separate pieces of data can create the same hash, it is very unlikely). This is the technique that is used when you run secured viewstate.
-Dave: Hashes are useful for one-way encryption. By using this you would hash someone's password, i.e. "qwerty" -> "34dgacws4". When a user logs in you would take their password, encrypt it and compare it to the stored hash, so the user would log in with "qwerty", which would become "34dgacws4", then check if "34dgacws4" = "34dgacws4" and the login would succeed. This is a good way to store information such as passwords, as if someone steals your database they get back "34dgacws4", which is useless as it cannot be decrypted (the data can be brute-forced or attacked with a rainbow table, but that's another rant).
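Both hashing uses in the notes above, as an added example rather than code from the talk. One caveat the round-trip case needs: a bare hash does not protect data that goes out to the client and comes back, because the client can simply recompute the hash over its edited copy; what makes this work (and what the viewstate MAC actually uses) is a keyed MAC such as HMAC with a secret only the server holds. For passwords, the "rainbow table" rant is answered by a per-user random salt and a deliberately slow hash, here PBKDF2-HMAC-SHA256 from the Python standard library. The server key, the sample payload and the iteration count are constructed for the example.

```python
"""Added example (not from the talk): HMAC for round-trip tamper detection
and salted PBKDF2 for password storage, using only the standard library."""
import base64
import hashlib
import hmac
import os

# Constructed secret for the example; in real code this comes from a key
# store, never from a string constant in the binary.
SERVER_KEY = b"constructed-server-key-do-not-ship"
PBKDF2_ITERATIONS = 200_000


def sign_payload(payload: bytes, key: bytes = SERVER_KEY) -> bytes:
    """Return base64(payload).base64(HMAC-SHA256(key, payload)) for the client."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload) + b"." + base64.urlsafe_b64encode(tag)


def verify_payload(token: bytes, key: bytes = SERVER_KEY) -> bytes:
    """Return the payload when the MAC checks out, else raise ValueError.

    compare_digest is constant-time, so an attacker cannot learn the tag
    byte by byte from how long the comparison takes."""
    try:
        body_b64, tag_b64 = token.rsplit(b".", 1)
        payload = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError("malformed token")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("payload tampered with or wrong key")
    return payload


def payload_is_valid(token: bytes, key: bytes = SERVER_KEY) -> bool:
    try:
        verify_payload(token, key)
        return True
    except ValueError:
        return False


def hash_password(password: str, salt: bytes = b"",
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store salt and parameters with the hash: 'pbkdf2_sha256$iter$salt$dk'."""
    salt = salt or os.urandom(16)   # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed viewstate-like payload sent to the client and back.
    token = sign_payload(b"userId=42&role=user")
    print("round trip ok:", verify_payload(token))
    # Client rewrites the body but cannot recompute the tag without the key.
    forged = sign_payload(b"userId=42&role=admin").split(b".")[0] + b"." + token.split(b".")[1]
    print("forged accepted?", payload_is_valid(forged))

    # Same password, two different stored values, both verify.
    h1, h2 = hash_password("qwerty"), hash_password("qwerty")
    print(h1 == h2, verify_password("qwerty", h1), verify_password("qwerty", h2))
    print("wrong password accepted?", verify_password("qwertz", h1))
```

Because each stored value carries its own salt, a precomputed table of "qwerty" hashes is useless against the whole database, and the iteration count makes each brute-force guess cost roughly the same as a login does.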
Compression
-Oh, a slide on what compression is. If you don't know what compression is, go back to elementry (omg, I can't spell elementary; back to school for me).
-SharpZipLib is an open-source compression library.
-Supports ZIP, GZIP, TAR and BZIP (although TAR is not a compression format, it is a concatenation format... but that's a technicality).
-Ohhh, how to use a library! YAY!
-Ohhh, let's change the encryption level and look at the output file size. Soooo riveting!
-Rod used compression to compress a large dataset, send it to the client and decompress it. On a LAN I think the time taken to compress the data would be a net negative, but over a slow link or even a WAN link it might be beneficial; it is important to test (and make sure you have the CPU/memory to handle the volume of compression/decompression for the application).
-I asked about this and he said that when they turned it on they noticed no difference in performance, but I would still recommend benchmarking your app with and without it under load to check it out.
-A good thing was that Rod had lots of real examples of using this stuff, which was nice to see.
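The benchmark the last two notes ask for, as an added example and not code from the talk or from SharpZipLib: compress a constructed dataset with zlib (the DEFLATE engine behind GZIP and ZIP) at a few levels, time both directions, and then decide whether the CPU time spent on both ends is smaller than the transfer time it saves for a given link speed. The dataset, the levels and the link speeds are assumptions chosen for the example.

```python
"""Added example (not from the talk): measure what compressing a dataset buys
and when it is worth the CPU on a given link."""
import time
import zlib


def build_dataset(rows: int = 20_000) -> bytes:
    """Constructed CSV-like dataset; repetitive, as real tabular data is."""
    lines = ["id,name,dept,salary,active"]
    for i in range(rows):
        lines.append(f"{i},user{i:06d},dept{i % 7},{40000 + (i * 37) % 60000},{i % 3 != 0}")
    return "\n".join(lines).encode()


def benchmark(data: bytes, levels=(1, 6, 9)) -> dict:
    """Compressed size, ratio and wall-clock time per zlib level."""
    results = {}
    for level in levels:
        t0 = time.perf_counter()
        comp = zlib.compress(data, level)
        t1 = time.perf_counter()
        back = zlib.decompress(comp)
        t2 = time.perf_counter()
        if back != data:
            raise RuntimeError("round trip failed")
        results[level] = {
            "compressed": len(comp),
            "ratio": len(comp) / len(data),
            "compress_s": t1 - t0,
            "decompress_s": t2 - t1,
        }
    return results


def worth_it(original: int, compressed: int, compress_s: float,
             decompress_s: float, link_bytes_per_s: float) -> bool:
    """Compression wins when CPU time on both ends is less than the
    transfer time saved by sending fewer bytes."""
    saved_s = (original - compressed) / link_bytes_per_s
    return compress_s + decompress_s < saved_s


if __name__ == "__main__":
    data = build_dataset()
    print(f"original: {len(data)} bytes")
    for level, r in benchmark(data).items():
        print(f"level {level}: {r['compressed']} bytes ({r['ratio']:.1%}), "
              f"compress {r['compress_s']*1000:.1f} ms, "
              f"decompress {r['decompress_s']*1000:.1f} ms")
        for name, speed in (("gigabit LAN", 125_000_000), ("10 Mbit WAN", 1_250_000)):
            print(f"    worth it on {name}: "
                  f"{worth_it(len(data), r['compressed'], r['compress_s'], r['decompress_s'], speed)}")
```

Run it on your own payloads and link speeds rather than trusting the numbers here; a single timing is noisy, and under load the CPU cost is paid per request. One more thing to watch when the same talk covers encryption: if secrets are compressed together with attacker-influenced data before encryption, the compressed size itself leaks information about the secret (the CRIME/BREACH class of attacks), so keep compression of mixed content out of the encrypted path.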