WebHack #11 Using Cryptography Safely
Organizer: https://webhack.connpass.com/
Free Admission + Dinner (self-paid)
Using Cryptography Safely
Web apps use cryptography very often nowadays, but doing so is still not a simple task. As shown, a whopping 87% of Android apps and 80% of iOS apps analyzed by Veracode were found to have cryptographic issues.
If you're using your language's standard library to encrypt something, you'll suddenly find yourself grappling with arcane choices. Should you use CFB, CBC, CTR or ECB? Should you use PKCS#7 padding? What is an IV and how do you set its value?
These little choices can easily break your cryptography entirely, even if you've chosen a strong cipher. Turning to the web for help won't save you either. Unfortunately, Stack Overflow answers, blog articles and tutorials are still full of mistakes and bad advice.
There is some good news, though. You can understand how encryption works without understanding all the math behind it. This talk will try to unlock the meaning behind all these confusing terms and help you learn new ideas and write safer code at the same time.
Boaz Yaniv is a Software Architect who is passionate about security and cryptography. A linguist and humanities specialist by training, he found himself working on authentication solutions - first for the Israeli government, then for Rakuten, Inc. in Japan - and had to learn a lot about cryptography in the process.
Lightning talk: Overview of JSON Object Signing and Encryption (JOSE)
The JSON Object Signing and Encryption (JOSE) WG in the IETF standardized mechanisms for integrity protection (signature and MAC) and encryption, as well as the format for keys and algorithm identifiers, to support interoperability of security services for protocols that use JSON.
The JOSE WG's specifications include JSON Web Key (JWK), JSON Web Signature (JWS) and JSON Web Encryption (JWE). This lightning talk will give an overview of them.
Masaru Kurahayashi (@kura_lab) is Authentication Technology kuro-obi (黒帯) and CISO-Board in Yahoo! Japan Corporation. He is an engineer responsible for identity federation systems such as OAuth and OpenID Connect provided by Yahoo! JAPAN. He has also worked for OpenID Foundation Japan as an evangelist for about four years.
- 19:00-19:10 Registration
- 19:10-20:00 Presentation from Mr. Boaz Yaniv
- 20:00-20:10 Q&A
- 20:10-20:20 Talk from Mr. Masaru Kurahayashi
- 20:30-22:00 Dinner
Tech Meetup WebHack would like to express special thanks to Yahoo! JAPAN for providing the wonderful venue.