{"product_id":"hacking-cryptography-ruben-gonzalez-aaron-kaiser-dctlv2026","title":"Hacking Cryptography - Ruben Gonzalez \u0026 Aaron Kaiser - DCTLV2026","description":"\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eName of Training\u003c\/strong\u003e\u003cspan\u003e\u003cstrong\u003e:\u003c\/strong\u003e Hacking Cryptography\u003cbr\u003e\u003c\/span\u003e\u003cstrong\u003eTrainer(s)\u003c\/strong\u003e\u003cspan\u003e\u003cstrong\u003e:\u003c\/strong\u003e Ruben Gonzalez \u0026amp; Aaron Kaiser \u003cbr\u003e\u003c\/span\u003e\u003cstrong\u003eDates\u003c\/strong\u003e\u003cspan\u003e\u003cstrong\u003e:\u003c\/strong\u003e \u003cmeta charset=\"utf-8\"\u003eAugust 10-11, 2026\u003cbr\u003e\u003c\/span\u003e\u003cspan\u003e\u003cstrong\u003eTime:\u003c\/strong\u003e 8\u003c\/span\u003e\u003cspan\u003e:00 am to 5:00 pm \u003cbr\u003e\u003c\/span\u003e\u003cstrong\u003eVenue\u003c\/strong\u003e\u003cspan\u003e\u003cstrong\u003e:\u003c\/strong\u003e \u003cmeta charset=\"utf-8\"\u003eLas Vegas Convention Center\u003cbr\u003e\u003c\/span\u003e\u003cstrong\u003eCost\u003c\/strong\u003e\u003cspan\u003e\u003cstrong\u003e: \u003c\/strong\u003e$2,250 (USD)\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eShort Summary:\u003c\/strong\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003eWith this course you'll join the small circle of computer wizards that can exploit one of the most common - and most feared - vulnerability classes: Cryptographic Failure. Learn how modern cryptography works under the hood, how it oftentimes fails in practice and how you can exploit (or fix) it in your projects!\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eCourse Description: \u003c\/strong\u003e\u003c\/p\u003e\n\u003cp\u003eCrypto-related bugs are super common. OWASP even ranks \"Cryptographic Failure\" as the second most common security vulnerability class in software. 
Yet, very often these vulnerabilities are overlooked by developers, code auditors, blue teamers and penetration testers alike. Because, let's face it: Nobody knows how cryptography works.\u003c\/p\u003e\n\u003cp\u003eDuring the course you will:\u003cbr\u003e- understand how modern cryptography works.\u003cbr\u003e- find common crypto vulnerabilities in real software.\u003cbr\u003e- write crypto exploits for real software (and an IoT device).\u003c\/p\u003e\n\u003cp\u003eUsing case studies from our own pentesting, red teaming and code audit engagements, we'll introduce core concepts of applied cryptography and how they fail in practice.\u003c\/p\u003e\n\u003cp\u003eDuring the course you will work in our browser-based virtual environment to:\u003cbr\u003e- Learn everything a security professional needs to know about cryptography\u003cbr\u003e- Decrypt messages that should not be decryptable for you\u003cbr\u003e- Exploit clever side channels\u003cbr\u003e- Forge authenticated messages as if they stem from another party\u003cbr\u003e- Crack \u0026amp; find weak keys that should not have been crackable\u003cbr\u003e- Exploit (web) applications misusing crypto primitives\u003cbr\u003e- Attack an IoT device that uses crypto poorly\u003cbr\u003e- Man-in-the-Middle TLS and VPN sessions as a local attacker\u003cbr\u003e- Defeat mitigations such as key pinning using instrumentation\u003cbr\u003e- Forge JWT tokens\u003cbr\u003e- Learn about Passkeys, 2FA and more - and how they fail in practice\u003cbr\u003e- Understand Post-Quantum Cryptography with its strengths and weaknesses\u003c\/p\u003e\n\u003cp\u003e\u003cspan\u003e\u003cstrong\u003eCourse Outline: \u003c\/strong\u003e\u003c\/span\u003e\u003c\/p\u003e\n\u003cp\u003e\u003cstrong\u003eDay 1:\u003c\/strong\u003e\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eIntroduction to Cryptography\n\u003cul\u003e\n\u003cli\u003eBasic Terminology\u003c\/li\u003e\n\u003cli\u003eSecurity 
Guarantees\u003c\/li\u003e\n\u003cli\u003eComposition of Primitives\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/li\u003e\n\u003cli\u003e Attack Categorization \n\u003cul\u003e\n\u003cli\u003eSecurity Objectives and Their Relation to Cryptography\u003c\/li\u003e\n\u003cli\u003eAttack Categorization\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/li\u003e\n\u003cli\u003e Working with Crypto Tools \n\u003cul\u003e\n\u003cli\u003eIntroduction to Cyber Chef\u003c\/li\u003e\n\u003cli\u003eCrypto tools: CryCry Toolkit and OpenSSL\u003c\/li\u003e\n\u003cli\u003e \u003cstrong\u003eChallenge Lab: CryCry, OpenSSL and Cyber Chef \u003c\/strong\u003e\n\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/li\u003e\n\u003cli\u003e Hacking Encryption \n\u003cul\u003e\n\u003cli\u003eStream Ciphers \n\u003cul\u003e\n\u003cli\u003e Introduction to Stream Ciphers\u003c\/li\u003e\n\u003cli\u003eReal World Examples of Vulnerabilities\u003c\/li\u003e\n\u003cli\u003eAttacks on Stream Cipher Uses\u003c\/li\u003e\n\u003cli\u003e\u003cstrong\u003eChallenge Lab: (Ab)using Stream Ciphers \u003c\/strong\u003e\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/li\u003e\n\u003cli\u003eBlock Ciphers \n\u003cul\u003e\n\u003cli\u003eIntroduction to Block Ciphers\u003c\/li\u003e\n\u003cli\u003eModes of Operation\u003c\/li\u003e\n\u003cli\u003eReal World Examples of Vulnerabilities\u003c\/li\u003e\n\u003cli\u003eAttacks on Block Cipher Uses\u003c\/li\u003e\n\u003cli\u003e\u003cstrong\u003eChallenge Lab: (Ab)using Block Ciphers \u003c\/strong\u003e\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/li\u003e\n\u003cli\u003e Abusing Hash Functions \n\u003cul\u003e\n\u003cli\u003eIntroduction to Hash Functions\u003c\/li\u003e\n\u003cli\u003eReal World Examples of Vulnerabilities\u003c\/li\u003e\n\u003cli\u003ePassword Storage \u0026amp; Cracking\u003c\/li\u003e\n\u003cli\u003e\u003cstrong\u003eChallenge Lab: (Ab)using Hash Functions and PW Cracking 
\u003c\/strong\u003e\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/li\u003e\n\u003cli\u003e Message Authentication Codes and Authenticated Encryption \n\u003cul\u003e\n\u003cli\u003eIntroduction to Message Authentication Codes\u003c\/li\u003e\n\u003cli\u003ePitfalls of trivial constructions\u003c\/li\u003e\n\u003cli\u003eReal World Examples of Vulnerabilities\u003c\/li\u003e\n\u003cli\u003e\u003cstrong\u003eChallenge Lab: (Ab)using MACs and AuthEnc \u003c\/strong\u003e\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/li\u003e\n\u003cli\u003eAttacks on Entropy and Randomness \n\u003cul\u003e\n\u003cli\u003eGenerating Secure Keys with OS Entropy Pools\u003c\/li\u003e\n\u003cli\u003eMisuse of Pseudo Random Number Generators\u003c\/li\u003e\n\u003cli\u003eBackdoors and Kleptography\u003c\/li\u003e\n\u003cli\u003eReal World Examples of Vulnerabilities\u003c\/li\u003e\n\u003cli\u003e\u003cstrong\u003eChallenge Lab: Keys and Randomness \u003c\/strong\u003e\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e\u003cstrong\u003eDay 2:\u003cbr\u003e\u003c\/strong\u003e\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eAsymmetric Crypto with RSA and ECC \n\u003cul\u003e\n\u003cli\u003eIntroduction to RSA and ECC\u003c\/li\u003e\n\u003cli\u003eKey Formats\u003c\/li\u003e\n\u003cli\u003eKey Sizes and Brute Force\u003c\/li\u003e\n\u003cli\u003eImplementation Pitfalls\u003c\/li\u003e\n\u003cli\u003eReal World Examples of Vulnerabilities\u003c\/li\u003e\n\u003cli\u003e\u003cstrong\u003eChallenge Lab: RSA and ECC \u003c\/strong\u003e\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/li\u003e\n\u003cli\u003ePublic Key Infrastructure and Certificates \n\u003cul\u003e\n\u003cli\u003eIntroduction to Certificates\u003c\/li\u003e\n\u003cli\u003ex509 Certificate Structure and Features\u003c\/li\u003e\n\u003cli\u003eCommon Certificate Pitfall Examples\u003c\/li\u003e\n\u003cli\u003eChain of Trust and PKI services\u003c\/li\u003e\n\u003cli\u003eTOFU Principle and 
Man-In-The-Middle Threats\u003c\/li\u003e\n\u003cli\u003e\u003cstrong\u003eChallenge Lab: Certificates and PubKeys \u003c\/strong\u003e\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/li\u003e\n\u003cli\u003e TLS and Man in the Middle \n\u003cul\u003e\n\u003cli\u003eIntroduction to TLS and similar protocols\u003c\/li\u003e\n\u003cli\u003eTLS Security parameters\u003c\/li\u003e\n\u003cli\u003eExploiting a Man-In-The-Middle position for TLS and VPN\u003c\/li\u003e\n\u003cli\u003eIntercepting and Decrypting TLS Traffic for Application Testing\u003c\/li\u003e\n\u003cli\u003eDefeat Public Key Pinning with Dynamic instrumentation\u003c\/li\u003e\n\u003cli\u003e\u003cstrong\u003eChallenge Lab: Intercepting TLS \u003c\/strong\u003e\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/li\u003e\n\u003cli\u003e JWTs and JOSE \n\u003cul\u003e\n\u003cli\u003eIntroduction to JSON Web Tokens and Javascript Object Signing and Encryption\u003c\/li\u003e\n\u003cli\u003eReal World Examples of Vulnerabilities\u003c\/li\u003e\n\u003cli\u003e\u003cstrong\u003eChallenge Lab: Exploiting JWT \u003c\/strong\u003e\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/li\u003e\n\u003cli\u003e Passkeys, WebAuthn, FIDO and 2nd Factor Solutions \n\u003cul\u003e\n\u003cli\u003eIntroduction to Password-Less Authentication\u003c\/li\u003e\n\u003cli\u003eTOTP Algorithms and Seeds\u003c\/li\u003e\n\u003cli\u003ePasskeys, FIDO2 and WebAuthn\u003c\/li\u003e\n\u003cli\u003eFootguns and Examples of Vulnerabilities\u003c\/li\u003e\n\u003cli\u003e\u003cstrong\u003eChallenge Lab: (Ab)using FIDO2 \u003c\/strong\u003e\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/li\u003e\n\u003cli\u003e Post-Quantum Cryptography \n\u003cul\u003e\n\u003cli\u003ePQC Algorithm Families\u003c\/li\u003e\n\u003cli\u003eStandardization \u0026amp; Adoption\u003c\/li\u003e\n\u003cli\u003eIssues with PQC\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/li\u003e\n\u003cli\u003eFarewell \n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePresentation of Take Home 
Challenges\u003c\/strong\u003e\u003c\/li\u003e\n\u003cli\u003e Recap - Cryptography\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eDifficulty Level:\u003c\/strong\u003e\u003cb\u003e\u003c\/b\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003eBeginner to Intermediate \u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003eBeginner Definition - The student has an interest in the topic presented and general technology knowledge that a power user or undergraduate student may have acquired.\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eIntermediate Definition - The student has education and some experience in the field and familiarity with the topic being presented. The student has foundational knowledge that the course will leverage to provide practical skills on the topic.\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eSuggested Prerequisites:\u003c\/strong\u003e\u003c\/p\u003e\n\u003cul\u003e\n\u003cli dir=\"ltr\"\u003eExperience in at least one programming language\u003c\/li\u003e\n\u003cli dir=\"ltr\"\u003eCommand Line experience on Linux or Mac (cd, ls, \u0026amp;\u0026amp;, pipes)\u003cbr\u003e\n\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eWhat Students Should Bring: \u003c\/strong\u003e\u003c\/p\u003e\n\u003cul\u003e\n\u003cli dir=\"ltr\"\u003eA laptop (please no tablets or phones) with an up-to-date browser to access the browser-based lab\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eWhat the Trainer Will Provide:\u003c\/strong\u003e\u003c\/p\u003e\n\u003cp\u003eAccess to the challenge lab for 3 months.\u003c\/p\u003e\n\u003cp\u003e\u003cstrong\u003eTrainer(s) 
Bio:\u003c\/strong\u003e\u003c\/p\u003e\n\u003cp\u003e\u003cstrong\u003eRuben Gonzalez (Lead Trainer):\u003c\/strong\u003e\u003cbr\u003e- Crypto PhD\u003cbr\u003e- 10 years in offensive security research\u003cbr\u003e- Security Researcher and Trainer at Neodyme\u003cbr\u003e- Auditor of crypto code for multiple large industry projects\u003cbr\u003e- Visiting Researcher at the Max Planck Institute\u003cbr\u003e- Multi-time DEFCON CTF, Hack-A-Sat, HITB ProCTF and Google CTF finalist\u003cbr\u003e- Founder and Chair of the RedRocket Hacking Club\u003cbr\u003e- Linkedin: https:\/\/www.linkedin.com\/in\/rugond\/\u003c\/p\u003e\n\u003cp\u003e\u003cstrong\u003eAaron Kaiser (Support Trainer):\u003c\/strong\u003e\u003cbr\u003e- 3 years in offensive security research\u003cbr\u003e- Cryptography Auditor at Neodyme\u003cbr\u003e- PhD candidate for Applied Cryptography\u003cbr\u003e- Multi-time DEFCON CTF finalist\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eProficiency Exam Option:\u003c\/strong\u003e\u003c\/p\u003e\n\u003cp\u003e\u003cmeta charset=\"utf-8\"\u003eThis course has the option for a proficiency certificate add-on. \u003c\/p\u003e\n\u003cp\u003eTo earn the proficiency certificate, trainers provide firmware of two IoT Devices that misuse cryptography and students are asked to exploit their misuse. 
Students must solve three out of five challenges to pass.\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003ePlease reach out to training@defcon.org for any questions related to the proficiency exam and certificate option.\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eRegistration Terms and Conditions: \u003c\/strong\u003e\u003cb\u003e\u003c\/b\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eTrainings are refundable before July 11, 2026, minus a non-refundable processing fee of $250.\u003c\/span\u003e\u003cspan\u003e\u003cb\u003e\u003c\/b\u003e\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eBetween July 11, 2026 and August 5, 2026 partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.\u003c\/span\u003e\u003cspan\u003e\u003cb\u003e\u003c\/b\u003e\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eAll trainings are non-refundable after August 5, 2026.\u003c\/span\u003e\u003cspan\u003e\u003cb\u003e\u003c\/b\u003e\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eTraining tickets may be transferred to another student. Please email us at training@defcon.org for specifics.\u003c\/span\u003e\u003cspan\u003e\u003cb\u003e\u003c\/b\u003e\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eIf a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).\u003c\/span\u003e\u003cspan\u003e\u003cb\u003e\u003c\/b\u003e\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eFailure to attend the training without prior written notification will be considered a no-show. 
No refund will be given.\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eDEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.\u003c\/span\u003e\u003cspan\u003e\u003cb\u003e\u003c\/b\u003e\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eBy purchasing this ticket you agree to abide by the \u003c\/span\u003e\u003ca href=\"https:\/\/defcon.org\/html\/links\/dc-code-of-conduct.html\"\u003e\u003cspan\u003eDEF CON Training Code of Conduct\u003c\/span\u003e\u003c\/a\u003e\u003cspan\u003e and the registration terms and conditions listed above.\u003c\/span\u003e\u003cspan\u003e\u003cb\u003e\u003c\/b\u003e\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eSeveral breaks will be included throughout the day. Please note that food is not included.\u003c\/span\u003e\u003cspan\u003e\u003cb\u003e\u003c\/b\u003e\u003c\/span\u003e\u003c\/p\u003e\n\u003cp dir=\"ltr\"\u003e\u003cspan\u003eAll courses come with a certificate of completion, contingent upon attendance at all course sessions. 
Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.\u003c\/span\u003e\u003c\/p\u003e","brand":"Las Vegas 2026","offers":[{"title":"Course only - Aug 10-11","offer_id":47691380818138,"sku":null,"price":2050.0,"currency_code":"USD","in_stock":true},{"title":"Course + Proficiency Exam - Aug 10-11","offer_id":47691380850906,"sku":null,"price":2350.0,"currency_code":"USD","in_stock":true}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/0629\/2088\/4442\/files\/rubengonzales.jpg?v=1693591208","url":"https:\/\/training.defcon.org\/products\/hacking-cryptography-ruben-gonzalez-aaron-kaiser-dctlv2026","provider":"defcontrainings","version":"1.0","type":"link"}