cf.objective() 2007 : Cryptography – Digital Security

admin | May 7th, 2007 | conferences  

This was the final session of the conference. The speaker, Daryl Banttari, put together a very good introduction to cryptography. Yet again, another well-prepared talk with a good use of terminology. Daryl discussed:

  • Man-in-the-middle attack using packet sniffing and/or ARP cache poisoning via impersonation and interception
  • Vulnerabilities in WEP (he stated that it can take as little as 1 minute to break now)
  • The mechanics of SSL. He cleared up my misconception about what public key encryption is actually used for in SSL (to deliver a symmetric key for HTTP message encryption).
  • Message digest (= cryptographically strong hash). Typically 128 bits or more in length. MD5 and SHA-1 shown to be weak.
  • Digital signatures – a means by which checksums can be created for message confirmation. Digital signatures are verified by a trusted resource, for example a CA or PGP.
  • No support in ColdFusion for public key encryption. Java has support, but it has the potential to be complex.
  • Bad systems
    • Passwords stored in a digested form used for authentication. Use a shared key between client and server as a salt for the hashing process; this can prevent a “man in the middle” attack. Public key encryption can be used with the help of trusted sources.
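
The two digest points above (digest length, and keyed/salted hashing of passwords rather than a bare digest) are easy to make concrete. The following is an added example written for this post, not code from the talk or from ColdFusion; it uses only the Python standard library. It assumes a secret key provisioned to both client and server out of band (the "shared key" from the talk) and, going one step beyond the text, adds a random per-login nonce so that a token captured on the wire cannot simply be replayed against the server.

```python
import hashlib
import hmac
import os

# Assumption: this key is provisioned to both client and server out of band.
# Constructed value for the example; a real deployment would use a random key.
SHARED_KEY = b"constructed-shared-secret-key-for-demo"


def digest_length_bits(name: str) -> int:
    """Output size in bits of a hashlib algorithm, e.g. md5 -> 128, sha256 -> 256."""
    return hashlib.new(name).digest_size * 8


def unkeyed_digest(password: bytes) -> str:
    """The weak pattern from the talk: a bare MD5 of the password.

    Every user with the same password gets the same digest, and anyone who
    captures the digest can present it as-is, so it is as good as the password.
    """
    return hashlib.md5(password).hexdigest()


def keyed_digest(key: bytes, salt: bytes, password: bytes) -> bytes:
    """Keyed, salted digest: HMAC-SHA256 over salt||password under the shared key."""
    return hmac.new(key, salt + password, hashlib.sha256).digest()


def enroll(password: bytes, key: bytes = SHARED_KEY) -> dict:
    """Server-side enrollment: store a random per-user salt and the keyed digest only."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": keyed_digest(key, salt, password)}


def issue_challenge() -> bytes:
    """Server picks a fresh random nonce for each login attempt."""
    return os.urandom(16)


def client_response(password: bytes, salt: bytes, nonce: bytes,
                    key: bytes = SHARED_KEY) -> bytes:
    """Client recomputes the keyed digest from the password, then binds it to the nonce."""
    credential = keyed_digest(key, salt, password)
    return hmac.new(key, nonce + credential, hashlib.sha256).digest()


def server_verify(record: dict, nonce: bytes, response: bytes,
                  key: bytes = SHARED_KEY) -> bool:
    """Server recomputes the expected response from its stored digest and compares in constant time."""
    expected = hmac.new(key, nonce + record["digest"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample credentials for the walk-through.
    record = enroll(b"hunter2")
    nonce = issue_challenge()
    token = client_response(b"hunter2", record["salt"], nonce)
    print("digest bits:", {n: digest_length_bits(n) for n in ("md5", "sha1", "sha256")})
    print("correct password accepted:", server_verify(record, nonce, token))
    print("captured token reused with a new nonce:", server_verify(record, issue_challenge(), token))
```

The server never stores or transmits the password; the stored digest is useless without the shared key, and the response is tied to a nonce the server will not accept twice. `hmac.compare_digest` is used so that verification time does not leak how many bytes of the response matched.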

There were a few questions about OpenID and the issue of trust, but Daryl didn’t get into too many details when answering the question. Overall, a good end to a great conference.
