Implementing End-to-End Encryption
The role that privacy plays in the success of your application cannot be overstated. If your application does not ensure privacy, it gives your users a reason not to use it. Among the approaches on the market for protecting privacy, the one that has proven most effective is End-to-End Encryption. End-to-End Encryption is a frequent topic in the IT industry, and many teams are looking for ways to implement it, for good reason.
End-to-End Encryption (E2EE) is not a tool that you can simply install and use. It is a mechanism that must be designed and built. To get it right, you must understand a number of fundamental concepts and which approach suits your use case best. This course teaches the basic concepts required to implement E2EE and how to set it up.
Duration: 2 days / 16 hours of instruction
Public Classroom Pricing
GSA Price: $1485
Group Rate: $1495
Private Group Pricing
Have a group of 5 or more students? Request special pricing for private group training today.
Part 1: Introduction to Cryptography
- What is Cryptography?
- Why do you need Cryptography?
- The importance of privacy and security when storing and transmitting data
- Exercise: Intercept insecure communication, such as traffic to an HTTP website, to show how a plaintext username and password can be captured by an attacker on the network path.
- Process of Encryption and Decryption
- Exercise: Writing code for encryption and decryption of data using the simple Caesar cipher
- Symmetric key cryptography
- Asymmetric key cryptography
- How public/private key pairs are used for encryption and decryption, and how that improves security (the public key can be distributed freely; only the private key must be protected).
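The Caesar cipher exercise above, worked through as an added Python example (written for this page, not course material): it implements encryption and decryption, then recovers the key from ciphertext alone by trying all 26 shifts and scoring each candidate against English letter frequencies with a chi-squared statistic. The frequency table is the standard published one; the demo message is constructed.

```python
"""Caesar cipher with a frequency-analysis key recovery.

A 26-key space cannot protect anything: an attacker tries every key and lets
English letter statistics pick the right one, with no knowledge of the message.
"""
import string

ALPHABET = string.ascii_uppercase

# Relative frequency (percent) of A..Z in English text, a standard published table.
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77,
                4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98,
                2.36, 0.15, 1.97, 0.07]


def caesar_encrypt(plaintext, key):
    """Shift every ASCII letter by `key` positions, preserving case; other characters pass through."""
    out = []
    for ch in plaintext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext, key):
    """Decryption is encryption with the negated shift."""
    return caesar_encrypt(ciphertext, -key)


def chi_squared(text):
    """How far the letter distribution of `text` is from English; lower is more English-like."""
    letters = [ch for ch in text.upper() if ch in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    score = 0.0
    for letter, pct in zip(ALPHABET, ENGLISH_FREQ):
        expected = n * pct / 100.0
        score += (letters.count(letter) - expected) ** 2 / expected
    return score


def break_caesar(ciphertext):
    """Exhaust all 26 keys and return (key, plaintext) for the most English-looking candidate."""
    scored = [(chi_squared(caesar_decrypt(ciphertext, k)), k) for k in range(26)]
    _, key = min(scored)
    return key, caesar_decrypt(ciphertext, key)


if __name__ == "__main__":
    # Constructed demo message, not a real secret.
    message = "Meet me at the old bridge at midnight and bring the documents with you."
    ciphertext = caesar_encrypt(message, 19)
    key, recovered = break_caesar(ciphertext)
    print(ciphertext)
    print(key, recovered)
```

The point of the last function is the lesson of the exercise: the attacker never needs the key, only the fact that the key space is small and plaintext has structure. That is the same argument that later justifies long random keys.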
Part 2: Secure Key Exchange
- Need for secure key exchange mechanism
- Asymmetric keys are not suitable for all use cases (they are slow and operate on short inputs), so bulk data is encrypted with symmetric keys. When using symmetric keys, both communicating parties must agree on the same key.
- If attackers learn the key, they can decrypt all data encrypted under it.
- To avoid this, the key must be established between the parties securely, never sent in the clear.
- Diffie Hellman key exchange
- This mechanism lets the parties agree on a shared key without ever transmitting that key.
- The resulting key is known only to the communicating parties; an eavesdropper who records the whole exchange cannot compute it. Note that Diffie-Hellman by itself does not authenticate the parties: without authentication (for example, certificates from a PKI, covered in Part 4), an active attacker can run a separate exchange with each side.
- Exercise: Implementation of the Diffie-Hellman algorithm in Python/Java
Part 3: Pseudo-Random Number Generation
- What are Random Numbers?
- Why are Random Numbers important for Security?
- Random numbers are used to generate keys, nonces, session identifiers and tokens. If these values are predictable or follow a pattern, attacks on the application become easy.
- If keys are not random, they can be guessed or brute-forced. This leads to problems ranging from account takeover (predictable session IDs) to recovery of decryption keys.
- Properties of Random Numbers
- What are Random Number Generators?
- Types of generators: True Random Number Generators (TRNG), Pseudo-Random Number Generators (PRNG), and the related notion of a Pseudo-Random Function (PRF)
- Difference between TRNG and PRNG
- Why TRNGs are not used on their own in most digital systems: they are slow, hardware-dependent and need conditioning, so in practice they seed a PRNG.
- Characteristics of PRNG
- Requirements for PRNG
- Checking Randomness of Pseudo-Random Numbers (Tests for randomness)
- Simple PRNGs: Linear Congruential Generators (LCG), Combined Linear Congruential Generators (CLCG)
- Exercise: Writing codes for LCG, CLCG algorithms
- Cryptographically secure PRNGs (CSPRNG): NIST SP 800-90A CTR_DRBG (typically instantiated with AES, i.e. the AES-CTR DRBG), ChaCha20-based generators (as used by several operating-system kernels), and ANSI X9.17 PRNG and Java's SHA1PRNG as historical designs. RC4 is covered only as a historical example: its output biases make it unsuitable as a CSPRNG and it must not be used.
- Exercise: Writing code for RC4 (to observe its biases), NIST CTR_DRBG, and ChaCha20-based generation
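An added example (written for this page, not course material) for the LCG exercise and the CSPRNG discussion: an LCG, and the attack that shows why it is not a CSPRNG. With a known modulus, three consecutive outputs are enough to recover the multiplier and increment, after which every future value is predictable. The multiplier 48271 and modulus 2^31 - 1 are the "minimal standard" LCG parameters; the increment 12345 is an arbitrary demo value.

```python
"""A linear congruential generator and an attack on it.

An LCG is fine for simulation and useless for secrets: its state is its output, so
anyone who sees a few values can solve for the parameters and run it forward.
For keys, tokens and session IDs, use the operating system's CSPRNG instead.
"""
import secrets

# "Minimal standard" multiplier and modulus; the increment is an arbitrary demo value.
DEMO_A, DEMO_C, DEMO_M = 48271, 12345, 2 ** 31 - 1


class LCG:
    def __init__(self, seed, a=DEMO_A, c=DEMO_C, m=DEMO_M):
        self.a, self.c, self.m = a, c, m
        self.state = seed % m

    def next(self):
        """x_{n+1} = (a * x_n + c) mod m. The full state is returned, which is the weakness."""
        self.state = (self.a * self.state + self.c) % self.m
        return self.state


def recover_lcg(outputs, m):
    """Solve x2 = a*x1 + c and x3 = a*x2 + c (mod m) from consecutive outputs.

    a = (x3 - x2) * (x2 - x1)^-1 mod m. If a difference has no inverse (possible when
    m is not prime, e.g. a power of two) the next triple is tried, so pass a few
    extra outputs in that case.
    """
    for x1, x2, x3 in zip(outputs, outputs[1:], outputs[2:]):
        try:
            inv = pow((x2 - x1) % m, -1, m)
        except ValueError:
            continue  # difference not invertible modulo m
        a = ((x3 - x2) * inv) % m
        c = (x2 - a * x1) % m
        return a, c
    raise ValueError("no invertible difference found; need more outputs")


def predict_next(outputs, m):
    """Recover the parameters, then compute the value the victim's generator produces next."""
    a, c = recover_lcg(outputs, m)
    return (a * outputs[-1] + c) % m


def secure_session_id():
    """What a session-ID generator should use instead: the OS CSPRNG via the secrets module."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    victim = LCG(seed=secrets.randbelow(DEMO_M))
    seen = [victim.next() for _ in range(3)]
    print("recovered (a, c):", recover_lcg(seen, DEMO_M))
    print("predicted:", predict_next(seen, DEMO_M), "actual:", victim.next())
    print("secure token:", secure_session_id())
```

The same idea generalises: any generator whose output reveals its internal state is predictable, and that is the property the randomness tests in the outline cannot detect, because LCG output passes statistical tests while being trivially predictable.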
Part 4: Public Key Infrastructure
- Components of PKI
- Certificate Authority (CA)
- Registration Authority (RA)
- Central Directory
- Certificate Management System
- Certificate Policy
- How PKI works
- Exercise: Building a Public Key Infrastructure using Cloudflare’s CFSSL or Vault PKI secrets engine.
Part 5: Secure Sockets Layer (SSL)
- What is SSL?
- How SSL 2.0 works
- Exercise: Setting up SSL 2.0 for your application (lab only: SSL 2.0 is prohibited by RFC 6176 and has been removed from current TLS libraries, so this needs a legacy build in an isolated environment)
- Security issues in SSL 2.0
- Exercise: Demonstrate how SSL 2.0 can be broken using the DROWN attack
- How SSL 3.0 works
- Exercise: Setting up SSL 3.0 for your application (lab only: SSL 3.0 is deprecated by RFC 7568 and must never be enabled in production)
- Security issues in SSL 3.0
- Exercise: Demonstrate how SSL 3.0 can be broken using the POODLE attack
Part 6: Transport Layer Security (TLS)
- What is TLS?
- TLS 1.0
- How TLS 1.0 works
- Exercise: Setting up TLS 1.0 for your application (lab only: TLS 1.0 and 1.1 are deprecated by RFC 8996)
- Security issues in TLS 1.0
- Exercise: Demonstrate how TLS 1.0 can be broken using the BEAST attack
- TLS 1.3
- How TLS 1.3 works
- Exercise: Setting up TLS 1.3 for your application
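An added example (written for this page, not course material) of the TLS 1.3 setup exercise using Python's standard ssl module: a server context pinned to TLS 1.2 or TLS 1.3 only, a client context that keeps certificate and hostname verification on, and an audit helper that flags a context which still admits SSL 3.0, TLS 1.0 or TLS 1.1. The certificate and key file paths are parameters left to the caller (no files are assumed).

```python
"""Hardened TLS endpoints with the standard ssl module, plus an audit helper.

Current Python already refuses SSL 2.0/3.0. This pins the floor to TLS 1.2 (or to
TLS 1.3 only), keeps compression and renegotiation off, and restricts TLS 1.2 to
forward-secret AEAD suites. TLS 1.3 suites are fixed by the protocol and need no
cipher string.
"""
import ssl


def hardened_server_context(certfile=None, keyfile=None, tls13_only=False):
    """Server context; pass the PEM certificate chain and key to use it for real connections."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3 if tls13_only else ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    ctx.options |= ssl.OP_NO_COMPRESSION          # CRIME
    ctx.options |= ssl.OP_NO_RENEGOTIATION
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")  # TLS 1.2 suites only
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def hardened_client_context(cafile=None):
    """Client context with hostname checking and certificate verification left on."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means no legacy protocol or weak setting is admitted."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2 (admits SSL 3.0 / TLS 1.0 / TLS 1.1)")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled (CRIME)")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client does not require certificate verification")
    return findings


def protocol_summary(ctx):
    """Plain-data view of the settings that matter, for logging or for a deployment check."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "findings": audit_context(ctx),
    }


if __name__ == "__main__":
    print(protocol_summary(hardened_server_context()))
    print(protocol_summary(hardened_server_context(tls13_only=True)))
    print(protocol_summary(hardened_client_context()))
```

Running the audit against every context your application creates (not just the one you hardened) is the practical check: the BEAST and POODLE exercises above only work against endpoints whose minimum version was never raised.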
Part 7: Implementing End to End Encryption
- Need for End to End Encryption
- When two parties communicate over SSL/TLS, data travels from the sender to the server and from the server to the receiver.
- The data is encrypted on each hop but is decrypted at the server.
- This makes the server a single point of compromise: if it is breached, or its operator is compelled to hand over data, privacy is completely lost.
- End-to-end encryption solves this problem by encrypting at the sender and decrypting only at the receiver, so the server handles ciphertext only.
- What is End to End Encryption
- Case study: how WhatsApp uses end-to-end encryption (it implements the Signal Protocol)
- Pretty Good Privacy (PGP)
- PGP is one of the earliest implementations of end-to-end encryption.
- The data is encrypted on the sender's side and decrypted only on the receiver's side.
- GNU Privacy Guard (GnuPG) is a free-software implementation of OpenPGP, the standardised protocol derived from PGP.
- GnuPG can be freely used by companies or individuals for end-to-end encryption.
- Exercise: Installing, configuring, and using OpenPGP/GnuPG
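An added example (written for this page, not course material) that puts the argument of Part 7 into code: the same relay server is used in a TLS-only design, where it handles plaintext, and in an E2EE design, where it only ever holds ciphertext it cannot open, and a tampered or mis-keyed message is rejected at the receiver. Assumptions: the shared secret stands in for the output of a key agreement between the two endpoints (such as the Diffie-Hellman exercise in Part 2); the message cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only because it needs nothing beyond the standard library, and the message is constructed.

```python
"""TLS-only relay versus end-to-end encryption, side by side.

The relay server models what a TLS-terminating server sees. In the TLS-only design it
receives plaintext; with E2EE it only forwards ciphertext it cannot open. Message
protection here is a stream cipher built from HMAC-SHA256 in counter mode with an
encrypt-then-MAC tag, used only to stay within the standard library; production code
uses an AEAD (AES-GCM, ChaCha20-Poly1305) from a vetted library.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def fresh_shared_secret():
    """Stand-in for the output of a key agreement (e.g. Diffie-Hellman) between the endpoints."""
    return secrets.token_bytes(32)


def _subkey(shared_secret, label):
    """Derive independent encryption and MAC keys from one shared secret."""
    return hmac.new(shared_secret, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def e2ee_seal(shared_secret, plaintext):
    """Return nonce || ciphertext || tag; the tag covers both nonce and ciphertext."""
    enc_key, mac_key = _subkey(shared_secret, b"enc"), _subkey(shared_secret, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def e2ee_open(shared_secret, envelope):
    """Verify the tag in constant time before touching the ciphertext; raise on any mismatch."""
    if len(envelope) < NONCE_LEN + TAG_LEN:
        raise ValueError("envelope too short")
    nonce, ciphertext, tag = envelope[:NONCE_LEN], envelope[NONCE_LEN:-TAG_LEN], envelope[-TAG_LEN:]
    enc_key, mac_key = _subkey(shared_secret, b"enc"), _subkey(shared_secret, b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def e2ee_open_or_none(shared_secret, envelope):
    try:
        return e2ee_open(shared_secret, envelope)
    except ValueError:
        return None


class RelayServer:
    """Keeps a copy of everything it forwards, as a logging or compromised server would."""

    def __init__(self):
        self.log = []

    def forward(self, payload):
        self.log.append(payload)
        return payload


def tls_only_exchange(server, message):
    """TLS protects each hop, so the server decrypts the first hop and handles plaintext."""
    return server.forward(message)


def e2ee_exchange(server, shared_secret, message):
    """Sender seals, the server forwards what it cannot read, the receiver opens."""
    return e2ee_open(shared_secret, server.forward(e2ee_seal(shared_secret, message)))


def server_saw_plaintext(server, message):
    return any(message in entry for entry in server.log)


if __name__ == "__main__":
    msg = b"password reset code 4471 for alice"  # constructed demo message
    tls_server, e2ee_server, secret = RelayServer(), RelayServer(), fresh_shared_secret()
    tls_only_exchange(tls_server, msg)
    e2ee_exchange(e2ee_server, secret, msg)
    print("TLS-only server saw plaintext:", server_saw_plaintext(tls_server, msg))
    print("E2EE server saw plaintext:", server_saw_plaintext(e2ee_server, msg))
```

What this does not solve is the same gap noted for Diffie-Hellman: the two endpoints must know they hold the same secret with each other and not with the server. That is why real E2EE systems (WhatsApp's use of the Signal Protocol, OpenPGP's key fingerprints) add key verification on top of the encryption.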
Who Should Attend
- Cybersecurity Specialists
- IT Security Specialists
- Data Security Specialists
- System Analysts/Admins
- Developers and Engineers Looking to Specialize in E2EE
What You Will Learn
- The basic concepts of Cryptography
- How to implement different cryptographic algorithms in code
- How to securely exchange keys
- How Public Key Infrastructure (PKI) works
- The importance of E2EE
- How to implement OpenPGP/GnuPG E2EE