Skip to main content
    CONTACT

    This site is protected by hCaptcha and the hCaptcha Privacy Policy and Terms of Service apply.
    ruben_gonzales_def_con_training
    Hacking Cryptography - Ruben Gonzalez & Aaron Kaiser - DCTLV2026
    ruben_gonzales_def_con_training
    ruben_gonzales_def_con_training
    Hacking Cryptography - Ruben Gonzalez & Aaron Kaiser - DCTLV2026

    Hacking Cryptography - Ruben Gonzalez & Aaron Kaiser - DCTLV2026

    Las Vegas 2026

    Name of Training: Hacking Cryptography
    Trainer(s): Ruben Gonzalez & Aaron Kaiser 
    Dates: August 10-11, 2026
    Time: 8:00 am to 5:00 pm 
    Venue: Las Vegas Convention Center
    Cost: $2,250 (USD)

    Short Summary:

    With this course you'll join the small circle of computer wizards that can exploit one of the most common - and most feared - vulnerability classes: Cryptographic Failure. Learn how modern cryptography works under the hood, how it often times fails in practice and how you can exploit (or fix) it in your projects!

    Course Description: 

    Crypto related bugs are super common. OWASP even ranks "Cryptographic Failure" as the second most common security vulnerability class in software. Yet, very often these vulnerabilities are overlooked by developers, code auditors, blue teamers and penetration testers alike. Because, let's face it: Nobody knows how cryptography works.

    During the course you will:
    - understand how modern cryptography works.
    - find common crypto vulnerabilities in real software.
    - write crypto exploits for real software (and an IoT device).

    Using case studies from our own pentesting and red teaming and code audit engagements, we'll introduce core concepts of applied cryptography and how they fail in practice.

    During the course you will work in our browser-based virtual environment to:
    - Learn everything a security professional needs to know about cryptography
    - Decrypt messages that should not be decryptable for you
    - Exploit clever side channels
    - Forge authenticated messages as they stem from another party
    - Crack & find weak keys that should not have been crackable
    - Exploit (web) applications misusing crypto primitives
    - Attack an IoT device that uses crypto poorly
    - Man-in-the-Middle TLS and VPN sessions as a local attacker
    - Defeat mitigations such a key pinning using instrumentation
    - Forge JWT tokens
    - Learn about Passkeys, 2FA and more - and how they fail in practice
    - Understand Post-Quantum Cryptography with its strengths and weaknesses

    Course Outline:

    Day 1:

    • Introduction to Cryptography
      • Basic Terminology
      • Security Guarantees
      • Composition of Primitives
    •  Attack Categorization 
      • Security Objectives and Their Relation to Cryptography
      • Attack Categorization
    •  Working with Crypto Tools 
      • Introduction to Cyber Chef
      • Crypto tools: CryCry Toolkit and OpenSSL
      •  Challenge Lab: CryCry, OpenSSL and Cyber Chef 
    •  Hacking Encryption 
      • Stream Ciphers 
        •  Introduction to Stream Ciphers
        • Real World Examples of Vulnerabilities
        • Attacks on Stream Cipher Uses
        • Challenge Lab: (Ab)using Stream Ciphers 
      • Block Ciphers 
        • Introduction to Block Ciphers
        • Modes of Operation
        • Real World Examples of Vulnerabilities
        • Attacks on Block Cipher Uses
        • Challenge Lab: (Ab)using Block Ciphers 
    •  Abusing Hash Functions 
      • Introduction to Hash Functions
      • Real World Examples of Vulnerabilities
      • Password Storage & Cracking
      • Challenge Lab: (Ab)using Hash Functions and PW Cracking 
    •  Message Authentication Codes and Authenticated Encryption 
      • Introduction to Message Authentication Codes
      • Pitfalls on trivial constructions
      • Real World Examples of Vulnerabilities
      • Challenge Lab: (Ab)using MACs and AuthEnc 
    • Attacks on Entropy and Randomness 
      • Generating Secure Keys with OS Entropy Pools
      • Misuse of Pseudo Random Number Generators
      • Backdoors and Cleptography
      • Real World Examples of Vulnerabilities
      • Challenge Lab: Keys and Randomness 

    Day 2:

    • Asymmetric Crypto with RSA and ECC 
      • Introduction to RSA and ECC
      • Key Formats
      • Key Sizes and Brute Force
      • Implementation Pitfalls
      • Real World Examples of Vulnerabilities
      • Challenge Lab: RSA and ECC 
    • Public Key Infrastructure and Certificates 
      • Introduction to Certificates
      • x509 Certificate Structure and Features
      • Common Certificate Pitfall Examples
      • Chain of Trust and PKI services
      • TOFU Principle and Man-In-The-Middle Threats
      • Challenge Lab: Certificates and PubKeys 
    •  TLS and Man in the Middle 
      • Introduction to TLS and similar protocols
      • TLS Security parameters
      • Exploiting a Man-In-The-Middle position for TLS and VPN
      • Intercepting and Decrypting TLS Traffic for Application Testing
      • Defeat Public Key Pinning with Dynamic instrumentation
      • Challenge Lab: Intercepting TLS 
    •  JWTs and JOSE 
      • Introduction to JSON Web Tokens and Javascript Object Signing and Encryption
      • Real World Examples of Vulnerabilities
      • Challenge Lab: Exploiting JWT 
    •  Passkeys, WebAuthn, FIDO and 2nd Factor Solutions 
      • Introduction to Password-Less Authentication
      • TOTP Algorithms and Seeds
      • Passkeys, FIDO2 and WebAuthn
      • Footguns and Examples of Vulnerabilities
      • Challenge Lab: (Ab)using FIDO2 
    •  Post-Quantum Cryptography 
      • PQC Algorithm Families
      • Standardization & Adoption
      • Issues with PQC
    • Farewell 
      • Presentation of Take Home Challenges
      •  Recap - Cryptography

    Difficulty Level:

    Beginner to Intermediate 

    Beginner Definition - The student has an interest in the topic presented and general technology knowledge that a power user or undergraduate student may have acquired.

    Intermediate Definition - The student has education and some experience in the field and familiarity with the topic being presented. The student has foundational knowledge that the course will leverage to provide practical skills on the topic.

    Suggested Prerequisites:

    • Experience in at least one programming language
    • Command Line experience on Linux or Mac (cd, ls, &&, pipes)

    What Students Should Bring:

    • A laptop (please no tablets or phones) with an up to date browser to access the browser-based lab

    What the Trainer Will Provide:

    Access to the challenge lab for 3 months.

    Trainer(s) Bio:

    Ruben Gonzalez (Lead Trainer):
    - Crypto PhD
    - 10 years in offensive security research
    - Security Researcher and Trainer at Neodyme
    - Auditor of crypto code for multiple large industry projects
    - Visiting Researcher at the Max Planck Institute
    - Multi-time DEFCON CTF, Hack-A-Sat, HITB ProCTF and Google CTF finalist
    - Founder and Chair of the RedRocket Hacking Club
    - Linkedin: https://www.linkedin.com/in/rugond/

    Aaron Kaiser (Support Trainer):
    - 3 years in offensive security research
    - Cryptography Auditor at Neodyme
    - PhD candidate for Applied Cryptography
    - Multi-time DEFCON CTF finalist

    Proficiency Exam Option:

    This course has the option for a proficiency certificate add-on. 

    To earn the proficiency certificate, trainers provide firmware of two IoT Devices that misuse cryptography and students are asked to exploit their misuse. Students must solve three out of five challenges to pass.

    Please reach out to training@defcon.org for any questions related to the proficiency exam and certificate option.

    Registration Terms and Conditions: 

    Trainings are refundable before July 11, 2026, minus a non-refundable processing fee of $250.

    Between July 11, 2026 and August 5, 2026 partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.

    All trainings are non-refundable after August 5, 2026.

    Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.

    If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

    Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.

    DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.

    By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

    Several breaks will be included throughout the day. Please note that food is not included.

    All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.

    $2,050.00
    $2,250.00