HITB-Invoice-Logo-1.png

3-day hands-on technical Workshop

Hacking Cryptography: Attacks, Tools & Techniques

Register$3,299.00

This course turns you into a powerful weapon. You will know how applied cryptography works, how it’s commonly misused in the field and how this leads to exploitable bugs. By the end of the course, you will be among the very selected group of people that can identify, avoid and exploit vulnerabilities in code using crypto.

Duration

3-day

Delivery Method

In-Person

Level

intermediate

Seats Available

20

ATTEND IN-PERSON: Onsite at Abu Dhabi

DATE: 25-27 Nov 2024

TIME: 09:00 to 17:00 GST/GMT+4

Date Day Time Duration
25 Nov Monday 09:00 to 17:00 GST/GMT+4 8 Hours
26 Nov Tuesday 09:00 to 17:00 GST/GMT+4 8 Hours
27 Nov Wednesday 09:00 to 17:00 GST/GMT+4 8 Hours

Crypto related bugs are super common. OWASP even ranks “Cryptographic Failure” as the second most common security vulnerability class in software. Yet, very often these vulnerabilities are overlooked by developers, code auditors, blue teamers and penetration testers alike. Because, let’s face it: Nobody knows how cryptography works.

During the course you will:

  • Understand how modern cryptography works.
  • Find common crypto vulnerabilities in real software.
  • Write crypto exploits for real software (and an IoT device).

Using case studies from our own pentesting and red teaming engagements, we’ll introduce core concepts of applied cryptography and how they fail in practice.

At the end of the course you will be able to spot an exploitable crypto bug from miles away (and be able to avoid them yourself)! No prior knowledge required.

 

Key Learning Objectives

  • Learn how modern cryptography operates. Learn what kind of guarantees are given by certain primitives, and which aren’t.
  • Understand how crypto primitives are combined into protocols.
  • Learn how cryptography is often misused in practice and how this misuse can be exploited.
  • Write exploits for systems using cryptography in an inappropriate way.
  • Evaluate program code that uses cryptography for proper usage.
  • Identify cryptographic schemes and potential vulnerabilities in black-box tests.
Agenda
Day 1:
  • Introduction to Cryptography
    • Basic Terminology
    • Security Guarantees
    • Composition of Primitives
  • Attack Categorization
    • Security Objectives and Their Relation to Cryptography
    • Attack Categorization
  • Working with Crypto Tools
    • Introduction to Cyber Chef
    • Crypto tools: CryCry Toolkit and OpenSSL
    • Challenge Lab: CryCry, OpenSSL and Cyber Chef
  • Hacking Encryption
    • Stream Ciphers
      • Introduction to Stream Ciphers
      • Real World Examples of Vulnerabilities
      • Attacks on Stream Cipher Uses
      • Challenge Lab: (Ab)using Stream Ciphers
    • Block Ciphers
      • Introduction to Block Ciphers
      • Modes of Operation
      • Real World Examples of Vulnerabilities
      • Attacks on Block Cipher Uses
      • Challenge Lab: (Ab)using Block Ciphers
  • Hash Functions
    • Introduction to Hash Functions
    • Real World Examples of Vulnerabilities
    • Password Storage & Cracking
    • Challenge Lab: (Ab)using Hash Functions and PW Cracking
  • Message Authentication Codes and Authenticated Encryption
    • Introduction to Message Authentication Codes
    • Pitfalls on trivial constructions
    • Real World Examples of Vulnerabilities
    • Challenge Lab: (Ab)using MACs and AuthEnc
  • Attacks on Entropy and Randomness
    • Generating Secure Keys with OS Entropy Pools
    • Misuse of Pseudo Random Number Generators
    • Backdoors and Cleptography
    • Real World Examples of Vulnerabilities
    • Challenge Lab: Keys and Randomness

 

Day 2:
  • Asymmetric Crypto with RSA and ECC
    • Introduction to RSA and ECC
    • Key Formats
    • Key Sizes and Brute Force
    • Real World Examples of Vulnerabilities
    • Challenge Lab: RSA and ECC
  • Public Key Infrastructure and Certificates
    • Introduction to Certificates
    • x509 Certificate Structure and Features
    • Common Certificate Pitfalls
    • Chain of Trust and PKI services
    • TOFU Principle and Man-In-The-Middle Threats
    • Challenge Lab: Certificates and PubKeys
  • TLS and Man in the Middle
    • Introduction to TLS and similar protocols
    • TLS Security parameters
    • Exploiting a Man-In-The-Middle position for TLS and VPN
    • Intercepting and Decrypting TLS Traffic for Application Testing
    • Defeat Public Key Pinning with Dynamic instrumentation
    • Challenge Lab: Intercepting TLS
  • JWTs and JOSE
    • Introduction to JSON Web Tokens and Javascript Object Signing and Encryption
    • Real World Examples of Vulnerabilities
    • Challenge Lab: Exploiting JWT
  • Passkeys, WebAuthn, FIDO and 2nd Factor Solutions
    • Introduction to Password-Less Authentication
    • TOTP Algorithms and Seeds
    • Passkeys, FIDO2 and WebAuthn
    • Footguns and Examples of Vulnerabilities
  • Post-Quantum Cryptography
    • Introduction to Post-Quantum Algorithms
    • Post-Quantum Signatures and KEMs
    • Upcoming Post-Quantum Standards
    • Challenge Lab: Using OpenSSL with Post-Quantum (20 min)
  • Farewell
    • Outlook on future developments
    • Presentation of Take Home Challenges
    • Recap – Cryptography

TRAINER

Security Researcher and Trainer

Neodyme

Why You Should Take This Course

This course turns you into a powerful weapon. You will know how applied cryptography works, how it’s commonly misused in the field and how this leads to exploitable bugs. By the end of the course, you will be among the very selected group of people that can identify, avoid and exploit vulnerabilities in code using crypto.

Who Should Attend

Penetration Testers, Developers, Sysadmins and InfoSec Professionals

Prerequisite Knowledge

This is a beginner to intermediate course. Students should be familiar with at least one scripting language and have a basic understanding of computer networks. The contents are compressed, but no prior knowledge of cryptography is needed. Every subject is introduced before attacks are presented.

Hardware / Software Requirements

Participants should bring a laptop with a modern browser to join the virtual learning environment.