Useful cryptography for web and mobile developers - this will be one of the topics at ТърновоКонф tomorrow. Without going deep into theory, we will look at the basic crypto tools - hash, HMAC, signature and (a)symmetric encryption - and their practical applications such as user verification, single sign-on, CSRF protection, authentication to web interfaces and so on :)
7. 1. The random number
Useful applications:
● Unpredictable identifiers
● CSRF protection
Watch out for:
● Entropy of the seed
● Is our random number looooong enough?
● Periodic reseeding

```java
import java.security.SecureRandom;

byte[] random = new byte[16];   // 128 bits of randomness, e.g. for a CSRF token
// SHA1PRNG is the generator named on the slide; new SecureRandom() picks the
// platform default generator and is the usual choice
SecureRandom.getInstance("SHA1PRNG").nextBytes(random);
```
8. 2. Hash function
A cryptographic hash function is like a one-way street. Going back is not desirable. Whoever manages to anyway wins a bitcoin :-)
9. 2. Hash function
Useful applications:
● To check that nobody has tampered with our data at rest / our messages in transit
● To derive keys from passwords
Watch out for:
● Use a long enough hash (SHA-256+) to avoid collisions. MD5 is obsolete!
● Mix in a pinch of salt to protect against dictionary attacks

```java
import java.security.MessageDigest;

// update() returns void, so it cannot be chained with digest()
MessageDigest md = MessageDigest.getInstance("SHA-256");
md.update(saltBytes);                                       // mix in the salt first
byte[] hash = md.digest("Hello world!".getBytes("UTF-8"));  // then hash the data
```
10. 3. HMAC
A code for authenticating and checking the integrity of a piece of data or a message. The code is generated and verified with a secret key. No, this is not an electronic signature!
HMAC = Hash-based Message Authentication Code
11. 3. HMAC
Useful applications:
● Confirming an email address when a user registers
● Web and mobile sessions without a database on the server
● Securely tying requests to callbacks that pass through the browser (OAuth callback)
● An alternative to HTTP Basic authentication, without sharing the secret password
Important:
● Is our HMAC key looooong enough? 256+ bits
● Make sure nobody snatches our HMAC key! Anyone who has access to it can create authentication codes
● Important: HMAC does not have the power of a digital signature!
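The email-confirmation use from the list, built directly on javax.crypto.Mac as an added example (not code from the slides): the server keeps only the 256-bit key, the code carries its own user and expiry, and verification recomputes the HMAC and compares it in constant time. The "user:expiry" payload layout is an assumption of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ConfirmationCode {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private final byte[] key; // 256-bit secret, never leaves the server

    public ConfirmationCode(byte[] key) { this.key = key.clone(); }

    public static byte[] newKey() {
        byte[] k = new byte[32];            // 256 bits, as the slide recommends
        new SecureRandom().nextBytes(k);
        return k;
    }

    private byte[] mac(byte[] data) throws Exception {
        Mac h = Mac.getInstance("HmacSHA256");
        h.init(new SecretKeySpec(key, "HmacSHA256"));
        return h.doFinal(data);
    }

    // Code = base64url("user:expiry") + "." + base64url(HMAC over that payload)
    public String issue(String user, long expiryEpochSec) throws Exception {
        byte[] payload = (user + ":" + expiryEpochSec).getBytes(StandardCharsets.UTF_8);
        return B64.encodeToString(payload) + "." + B64.encodeToString(mac(payload));
    }

    // Returns the confirmed user, or null if the code is forged, damaged or expired
    public String verify(String code, long nowEpochSec) throws Exception {
        String[] parts = code.split("\\.");
        if (parts.length != 2) return null;
        byte[] payload = B64D.decode(parts[0]);
        byte[] tag = B64D.decode(parts[1]);
        if (!MessageDigest.isEqual(mac(payload), tag)) return null; // constant-time compare
        String[] fields = new String(payload, StandardCharsets.UTF_8).split(":");
        if (fields.length != 2 || Long.parseLong(fields[1]) < nowEpochSec) return null;
        return fields[0];
    }

    public static void main(String[] args) throws Exception {
        ConfirmationCode cc = new ConfirmationCode(newKey());
        long now = System.currentTimeMillis() / 1000;
        String code = cc.issue("alice", now + 10 * 60);          // valid for 10 minutes
        System.out.println(code);
        System.out.println(cc.verify(code, now));                // genuine code
        System.out.println(cc.verify(code + "x", now));          // damaged tag
    }
}
```

Because anyone holding the key can mint valid codes, this only proves "our server made this", which is the distinction the slide draws from a digital signature.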
12. 4. JOSE / JWT
● Makes life easier for developers of web, JavaScript, mobile and IoT applications that need HMAC, digital signatures and encryption of data and messages
● A URL-safe format (Base64URL) for passing protected objects and tokens through HTTP connections, forms and headers
● RFC 7515, 7516, 7517, 7518, 7519, 7520

JSON header        Payload         HMAC / RSASSA / ECDSA
{"alg":"HS256"}    Hello World!    xxxxxxxxxxxxx
14. 4. The Java library for JOSE/JWT
● HMAC, RSA / EC signatures + encryption and a heap of other crypto goodies in Java
● Runs in applications serving over 70 million users on the net (OpenID Connect, OAuth)
● Dozens of nerdy maintainers and testers
● 100% documented
● Open source under the Apache 2.0 licence
http://connect2id.com/products/nimbus-jose-jwt
15. 5. Code for email confirmation

```java
import static org.junit.Assert.assertTrue;

import java.security.SecureRandom;
import java.util.Date;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

// Message: {"sub":"alice","exp":1449237518}
byte[] macKey = new byte[32];                       // 256-bit HMAC key
SecureRandom.getInstance("SHA1PRNG").nextBytes(macKey);
JWTClaimsSet claims = new JWTClaimsSet.Builder()
    .subject("alice")
    .expirationTime(new Date(new Date().getTime() + 10*60*1000)) // valid for 10 minutes
    .build();
SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claims);
jwt.sign(new MACSigner(macKey));
assertTrue(jwt.verify(new MACVerifier(macKey)));
String token = jwt.serialize();                     // header.payload.signature, each Base64URL
// eyJhbGciOiJIUzI1NiJ9.SGVsbG8gd29ybGQh.Dby-zS1BF21apXtsukTokzcU22dbXT38hx2H-R2A3G8
```
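The slide checks the MAC right after signing; the receiving side needs two more checks. This added example (not from the slides, same Nimbus library) pins the algorithm to HS256 before trusting the header, verifies the MAC, and rejects a token whose "exp" has passed. The issue() helper is hypothetical and only mirrors the slide's code for the demo.

```java
import java.security.SecureRandom;
import java.util.Date;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

public class ConfirmationCheck {

    // Returns the subject if the token is authentic and still valid, otherwise null
    public static String verifyHs256(String token, byte[] macKey, Date now) {
        try {
            SignedJWT jwt = SignedJWT.parse(token);
            // 1. The verifier decides the algorithm, not the token's header
            if (!JWSAlgorithm.HS256.equals(jwt.getHeader().getAlgorithm())) return null;
            // 2. Check the HMAC with the server-side key
            if (!jwt.verify(new MACVerifier(macKey))) return null;
            // 3. A correct MAC on an expired token is still a rejected token
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            Date exp = claims.getExpirationTime();
            if (exp == null || !exp.after(now)) return null;
            return claims.getSubject();
        } catch (Exception e) {
            return null; // malformed token, unparsable claims, key too short, ...
        }
    }

    // Hypothetical issuer helper, same steps as the slide's code
    static String issue(byte[] macKey, String subject, Date exp) throws Exception {
        JWTClaimsSet claims = new JWTClaimsSet.Builder().subject(subject).expirationTime(exp).build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claims);
        jwt.sign(new MACSigner(macKey));
        return jwt.serialize();
    }

    public static void main(String[] args) throws Exception {
        byte[] macKey = new byte[32];
        new SecureRandom().nextBytes(macKey);
        Date now = new Date();
        String fresh = issue(macKey, "alice", new Date(now.getTime() + 10 * 60 * 1000));
        String stale = issue(macKey, "alice", new Date(now.getTime() - 1000));
        System.out.println(verifyHs256(fresh, macKey, now));        // fresh token
        System.out.println(verifyHs256(stale, macKey, now));        // expired token
        System.out.println(verifyHs256(fresh + "x", macKey, now));  // damaged signature
    }
}
```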
16. 6. Digital signature
Considerably more capable than an ordinary signature. It identifies the person who signed the document and also guarantees its integrity.
17. 6. Digital signature
Useful applications:
● Certifying documents, tokens and messages
● An entry ticket (OpenID Connect - Identity token)
● A ticket for access to a web API (OAuth 2.0 bearer access token)
Watch out for:
● An RSA key of at least 1024 bits, better 2048
● Keep the private key used to sign messages safe
● Change the keys periodically (rotation)
● Do not use the same RSA / EC key for signing and encryption
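The identity-token use together with the rotation advice, as an added example (not code from the slides, same Nimbus library): a 2048-bit RSA pair used only for signing, the header carrying a key ID ("kid") so that a relying party holding several published public keys can pick the right one while keys overlap during rotation. The key IDs and the subject are constructed values.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

public class IdTokenSigning {
    // Issuer side: sign with the private key and tag the header with a key ID ("kid")
    static String issue(String kid, RSAPrivateKey priv, String subject) throws Exception {
        JWTClaimsSet claims = new JWTClaimsSet.Builder().subject(subject)
            .expirationTime(new Date(System.currentTimeMillis() + 10 * 60 * 1000)).build();
        SignedJWT jwt = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(kid).build(), claims);
        jwt.sign(new RSASSASigner(priv));
        return jwt.serialize();
    }

    // Relying-party side holds public keys only; "kid" selects the key, so old and new
    // keys can overlap during rotation. Returns the subject, or null if rejected.
    static String verify(String token, Map<String, RSAPublicKey> publicKeys) {
        try {
            SignedJWT jwt = SignedJWT.parse(token);
            if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) return null;
            RSAPublicKey pub = publicKeys.get(jwt.getHeader().getKeyID());
            if (pub == null || !jwt.verify(new RSASSAVerifier(pub))) return null;
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            Date exp = claims.getExpirationTime();
            if (exp == null || !exp.after(new Date())) return null;
            return claims.getSubject();
        } catch (Exception e) { return null; }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);                                    // the slide's recommended size
        KeyPair signing = gen.generateKeyPair();                 // signing only; encrypt with another pair
        Map<String, RSAPublicKey> published = new HashMap<>();   // e.g. the issuer's JWK set
        published.put("2016", (RSAPublicKey) signing.getPublic()); // constructed kid
        String token = issue("2016", (RSAPrivateKey) signing.getPrivate(), "alice");
        System.out.println(verify(token, published));            // accepted
        published.remove("2016");                                // key retired after rotation
        System.out.println(verify(token, published));            // rejected
    }
}
```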