Ruben Gonzalez - Hacking Cryptography: Attacks, Tools and Techniques - DCTLV2025
Name of Training: Hacking Cryptography: Attacks, Tools, and Techniques
Trainer(s): Ruben Gonzalez and Aaron Kaiser
Dates: August 11-12, 2025
Time: 8:00 am to 5:00 pm PT
Venue: Las Vegas Convention Center
Cost: $2,000
Course Description:
Crypto related bugs are super common. OWASP even ranks "Cryptographic Failure" as the second most common security vulnerability class in software. Yet, very often these vulnerabilities are overlooked by developers, code auditors, blue teamers and penetration testers alike. Because, let's face it: Nobody knows how cryptography works.
During the course you will:
-
understand how modern cryptography works.
-
find common crypto vulnerabilities in real software.
-
write crypto exploits for real software (and an IoT device).
Using case studies from our own pentesting and red teaming engagements, we'll introduce core concepts of applied cryptography and how they fail in practice.
This course turns you into a powerful weapon. You will know how applied cryptography works, how it's commonly misused in the field and how this leads to exploitable bugs. That means, by the end of the course you will be among the very selected group of people that can identify, avoid and exploit vulnerabilities in code using crypto.
No prior knowledge required!
Learning Objectives
-
Learn how modern cryptography operates. Learn what kind of guarantees are given by certain primitives, and which aren't.
-
Understand how crypto primitives are combined into protocols.
-
Learn how cryptography is often misused in practice and how this misuse can be exploited.
-
Write exploits for systems using cryptography in an inappropriate way.
-
Evaluate program code that uses cryptography for proper usage.
-
Identify cryptographic schemes and potential vulnerabilities in black-box tests.
Course Outline:
-
Introduction to Cryptography
-
Basic Terminology
-
Security Guarantees
-
Composition of Primitives
-
Attack Categorization
-
Security Objectives and their Relation to Cryptography
-
Attack Categorization
-
Working with Crypto Tools
-
Introduction to Cyber Chef
-
Crypto tools: CryCry Toolkit and OpenSSL
-
Challenge Lab: CryCry, OpenSSL and Cyber Chef
-
Hacking Encryption
-
Stream Ciphers
-
Introduction to Stream Ciphers
-
Real World Examples of Vulnerabilities
-
Attacks on Stream Cipher Uses
-
Challenge Lab: (Ab)using Stream Ciphers
-
Block Ciphers
-
Introduction to Block Ciphers
-
Modes of Operation
-
Real World Examples of Vulnerabilities
-
Attacks on Block Cipher Uses
-
Challenge Lab: (Ab)using Block Ciphers
-
Hash Functions
-
Introduction to Hash Functions
-
Real World Examples of Vulnerabilities
-
Password Storage & Cracking
-
Challenge Lab: (Ab)using Hash Functions and PW Cracking
-
Message Authentication Codes and Authenticated Encryption
-
Introduction to Message Authentication Codes
-
Pitfalls on Trivial Constructions
-
Real World Examples of Vulnerabilities
-
Challenge Lab: (Ab)using MACs and AuthEnc
-
Attacks on Entropy and Randomness
-
Generating Secure Keys with OS Entropy Pools
-
Misuse of Pseudo Random Number Generators
-
Backdoors and Cleptography
-
Real World Examples of Vulnerabilities
-
Challenge Lab: Keys and Randomness
-
Asymmetric Crypto with RSA
-
Introduction to RSA
-
Key Formats
-
Key Sizes and Brute Force
-
Real World Examples of Vulnerabilities
-
Challenge Lab: RSA and ECC
-
Introduction to ECC
-
Selecting Curves
-
Nonces and Bias
-
Exploiting Common Bugs
-
Challenge Lab: ECC
-
Public Key Infrastructure and Certificates
-
Introduction to Certificates
-
x509 Certificate Structure and Features
-
Common Certificate Pitfalls
-
Chain of Trust and PKI services
-
TOFU Principle and Man-In-The-Middle Threats
-
Challenge Lab: Certificates and PubKeys
-
TLS and Friends
-
Introduction to TLS and Similar Protocols
-
TLS Security parameters
-
Exploiting a Man-In-The-Middle position for TLS and VPN
-
Intercepting and Decrypting TLS Traffic for Application Testing
-
Defeat Public Key Pinning with Dynamic Instrumentation
-
Challenge Lab: Intercepting TLS
-
JWTs and JOSE
-
Introduction to JSON Web Tokens and Javascript Object Signing and Encryption
-
Real World Examples of Vulnerabilities
-
Challenge Lab: Exploiting JWT
-
Passkeys, WebAuthn, FIDO and 2nd Factor Solutions
-
Introduction to Password-Less Authentication
-
TOTP Algorithms and Seeds
-
Passkeys, FIDO2 and WebAuthn
-
Footguns and Examples of Vulnerabilities
-
Post-Quantum Cryptography
-
Introduction to Post-Quantum Algorithms
-
Post-Quantum Signatures and KEMs
-
Upcoming Post-Quantum Standards
-
Challenge Lab: Using OpenSSL with Post-Quantum
-
Farewell
-
Outlook on Future Developments
-
Presentation of Take Home Challenges
-
Recap
Difficulty Level:
Beginner to Intermediate
Suggested Prerequisites:
This is a beginner to intermediate course. Students should be familiar with at least one scripting language and have a basic understanding of computer networks.
The contents are compressed, but no prior knowledge of cryptography is needed. Every subject is introduced before attacks are presented.
What Students Should Bring:
Participants should bring a laptop with a modern browser to join the virtual learning environment.
Trainer(s) Bio:
Ruben Gonzalez (Lead Trainer)
-
10 years in offensive security research
-
Security Researcher and Trainer at Neodyme
-
Auditor of crypto code for multiple large industry projects
-
Part-time PhD candidate for applied cryptography at the Max Planck Institute
-
Multi-time DEFCON CTF, Hack-A-Sat, HITB ProCTF and Google CTF finalist
-
Founder and Chair of the RedRocket Hacking Club
-
Linkedin: https://www.linkedin.com/in/rugond/
Aaron Kaiser (Support Trainer)
-
3 years in offensive security research
-
Cryptography Auditor at Neodyme
-
PhD candidate for Applied Cryptography
-
Multi-time DEFCON CTF finalist
Registration Terms and Conditions:
Trainings are refundable before July 8, 2025, minus a non-refundable processing fee of $250.
Trainings are non-refundable after July 8, 2025.
Training tickets may be transferred. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification, will be considered a no-show. No refund will be given.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions.
Training Justification Request – DEF CON Training
To: [Manager Name]
From: [Employee Name]
Date: [Date]
Subject: Business Justification for Attendance at DEF CON Training
Dear [manager’s name],
I am requesting approval to attend DEF CON Training, one of the cybersecurity industry's most recognized technical training programs. I’ve reviewed the options and selected a course to expand my skills with [1-2 key skills focus areas for the course].
DEF CON has been one of the world’s leading cybersecurity communities for more than three decades, known for convening industry, government, and independent experts to exchange advanced knowledge and practical skills. Building on this tradition, DEF CON Training delivers intensive courses taught by recognized global instructors. DEF CON Training courses offer hands-on instruction in a challenging, fast-paced environment. Many of the courses offered by DEF CON Training align with the National Institute of Standards and Technology (NIST) NICE Framework and Department of Defense Cyber Workforce Framework (DCWF), and attending this course will help me build and sharpen the skills required for my role.
Training: [Name of DEF CON Training Course]
Instructor/Provider: [Trainer Name(s)]
Dates: [Training Dates]
Location: Las Vegas, NV
Cost: [Course Fee]
Travel Expenses: [estimated travel & accommodations costs]
Course Description: [Copy short description of the selected class from the website here]
Trainer Bio: [Copy bio of the trainers of the selected class from the website here]
Once I’ve completed the course, I’ll be able to:
[copy student outcomes from course page where available or choose 3-4 skills or topic areas from the outline that are applicable to your current role, will help you fill a skill gap, etc.]
Business Need
As cyber threats continue to evolve, it is critical that our organization maintains current knowledge of emerging techniques and industry best practices. The selected DEF CON training aligns directly with my responsibilities in [your role/field here - for example, security operations, incident response, threat detection and hunting, application security, cloud security, risk management, security engineering].
The course will provide practical, hands-on experience that can be immediately applied to our environment and security initiatives. DEF CON training emphasizes real-world attack and defense scenarios, enabling participants to develop skills that extend beyond traditional classroom learning.
Request for Approval
I respectfully request approval and funding to attend DEF CON Training this August in Las Vegas. The knowledge, hands-on experience, and industry insights gained will directly support our cybersecurity objectives and contribute to strengthening our organization's security capabilities.
Thank you for your consideration. Please let me know if you have questions or need additional information to support this request.
Sincerely,
[Employee name]