ATTEND
Cart

deep knowledge technical trainings

APRIL 17 - 25 @ MOVENPICK AMSTERDAM

Hacking Cryptography

This class does not require prior knowledge in cryptography. However, the material is compressed and we move fast. Participants should be familiar with at least one scripting language (e.g. Python) and have a working understanding of computer networks.
Categories , ,

3,299.00

Duration

3-day

Delivery Method

In-Person

Level

intermediate

Seats Available

20

REGISTRATION CLOSED

DATE: 17-19 April 2023

TIME: 09:00 to 17:00 CEST/GMT+2

Date Day Time Duration
17 Apr Monday 0900-17:00 CEST/GMT+2 8 Hours
18 Apr Tuesday 0900-17:00 CEST/GMT+2 8 Hours
19 Apr Wednesday 0900-17:00 CEST/GMT+2 8 Hours
Virtually all digital communication is secured using cryptography. Our laptops, phones, printers, cars, bank cards and washing machines use cryptography to keep things confidential, to make sure messages aren’t tampered with and to establish secure connections. However, even though modern security heavily relies on it, cryptography is complex and oftentimes fragile. This in-depth training shows how cryptography is misused in practice. Moreover, participants will learn how common cryptography screwups can be exploited. To foster skills, participants will write their own exploits and use them on real world systems provided by us.
Agenda
Day 1:

Basic Terminology

  • Cryptography
  • Primitives
  • Security Guarantees
  • “Oracles”

 

Python

  • Basics of Python
  • Using Python on Raw Bits and Bytes
  • Using Python for Bignum Computation
  • **Challenge Lab: Python**

 

Attacks on Symmetric Crypto

Stream Ciphers

  • Introduction to Stream Ciphers
  • The One Time Pad and XOR Ciphers
  • Salsa20/Chacha, RC4
  • Exploiting Output Bias
  • Leveraging Partialy Known Plaintext
  • Nonce Reuse Attacks
  • (Compression) Side Channels
  • **Challenge Lab: Hacking Stream Ciphers**

 

Block Ciphers

  • Introduction to Block Ciphers
  • AES, DES, 3DES
  • Modes of Operation (ECB, CBC, CTR, XTS)
  • Block Shuffling Attacks
  • Nonce Reuse Attacks
  • Bit-Flipping Attacks
  • Padding Oracles
  • **Challenge Lab: Hacking Block Ciphers**

 

Hash Functions

  • Introduction to Hash Functions
  • Collision Attacks (SHA1/MD5)
  • Length Extension Attacks
  • Rainbow Table Attacks
  • **Challenge Lab: Hacking Hash Functions**

 

 

Day 2:

Attacks on Message Authentication Codes

  • Introduction to Message Authentication Codes
  • Attacks on Primitive Constructs
  • Forgery Attacks
  • Authenticated Encryption
  • GCM Forbidden Attack
  • **Challenge Lab: Hacking MACs**

 

Entropy Attacks

  • Introduction to the Linux Entropy Pool
  • Misuse of Pseudo Random Number Generators
  • Predicting Linear Congruential Generators
  • Predicting Mersenne Twister
  • Predicting Linear Feedback Shift Registers
  • The Dual EC DRBG Backdoor
  • **Challenge Lab: Hacking Randomness**

 

Attacks on Asymmetric Crypto / RSA

  • Introduction to RSA
  • RSA Key Formats
  • Attacks on Textbook RSA
  • Attacks on Short Keys
  • Forging RSA Signatures
  • RSA PKCS#1.5 Signatures
    * Padding/Bleichenbacher Attacks on RSA
  • **Challenge Lab: Hacking RSA**

 

Day 3:

Attacks on Asymmetric Crypto / ECC

  • Introduction to Elliptic Curve Cryptography
  • The Java ECC Screwup
  • Exploiting ecDSA Nonce Reuse
  • Exploiting ed25519 Bad Public Keys
  • Invalid Point Attacks
  • **Challenge Lab: Hacking ECC**

 

Certificates

  • Introduction to Certificates
  • x509 structure
  • Common certificate pitfalls
  • **Challenge Lab: Working with Certificates**

 

Further Attacks

  • JWT Implementation Bugs
  • TLS Weaknesses
  • **Challenge Lab: Exploiting JWT**

 

Outlook

  • Sneak Peak at Post Quantum Crypto


Farewell

  • **Presentation of Take Home Challenges**
  • Recap – Cryptography

Why You Should Take This Course

This class does not require prior knowledge in cryptography. However, the material is compressed and we move fast. Participants should be familiar with at least one scripting language (e.g. Python) and have a working understanding of computer networks.

Who Should Attend

Penetration testers, sysadmins and developers that wish to get a better understanding of how cryptography works and often times fails.

Prerequisite Knowledge

This is a beginner to intermediate course. The contents are compressed, but no prior knowledge of cryptography is needed. Every subject is introduced before attacks are presented.
Students should be familiar with at least one scripting language (e.g. Python) and have a basic understanding of computer networks.

Hardware / Software Requirements

Participants should bring a laptop with administrator/root access to install software.

TRAINER

Ruben Gonzalez

Lead Trainer

  • 10 years in offensive security research
  • Bug hunter for cryptography code
  • Lead trainer at Neodyme.io
  • Auditor of crypto code for multiple large industry projects
  • Part-time PhD candidate for cryptographic implementations at the Max Planck Institute
  • Multi-time DEFCON CTF finalist (team Sauercloud)
  • Twitter: redrocket_ctf

SEE YOU IN AMSTERDAM

Interested in being a sponsor or exhibitor? Email us to request for a sponsorship kit!

TITANIUM SPONSOR

COMMSEC TRACK SPONSOR

CTF & CTF PRIZE SPONSOR

SILVER SPONSORS

EXHIBITORS

Tines-Full_Logo-Tines_Black
hardwareninja
RRG Logo
Facebook-f Twitter Youtube

Copyright 2023 © All rights Reserved. Hack In The Box