    Ruben Gonzalez - Hacking Cryptography $2,000

    DEF CON Training

     Hacking Cryptography

    Cryptography is everywhere, whether you like it or not. Our laptops, phones, printers, cars, bank cards and washing machines use cryptography to authenticate, keep things confidential and make sure messages aren't tampered with. Yet developers, pentesters, system designers and code auditors are very often confronted with cryptography without having the tools to properly assess the security of a specific use case.

    During this training we'll deep-dive into modern cryptography. We'll learn how it works, how it is often misused and how that misuse leads to exploitable bugs.
    Moreover, participants will learn how common cryptography screwups can be exploited. To build those skills, participants will write their own exploits and use them against real-world systems that we provide.

    The first day will prepare you for (ab)using cryptography in products and services by going over the basic terminology, explaining modern primitives and showing common misuses of those primitives. Along the way you'll learn about tools and techniques for abusing such misuses. On day two, we'll move on to the more advanced primitives used in asymmetric cryptography and see how everything we have learned is employed in protocols and standards such as TLS, JWT and FIDO.

     Outline

    Day 1:

    * Introduction to Cryptography
      * Basic Terminology
      * Security Guarantees
      * Composition of Primitives
      * Attack Categorization

    * Working with Crypto Tools
      * Manipulating Raw Bits and Bytes in the Terminal
      * Using OpenSSL on the Command Line
      * Introduction to CyberChef
      * **Challenge Lab: OpenSSL and CyberChef**

    * Symmetric Crypto
      * Stream Ciphers
        * Introduction to Stream Ciphers
        * The One-Time Pad and XOR Ciphers
        * Leveraging Partially Known Plaintext
        * Modern Stream Ciphers: Salsa20/ChaCha, RC4
        * Nonce Reuse Attacks
        * **Challenge Lab: (Ab)using Stream Ciphers**
      * Block Ciphers
        * Introduction to Block Ciphers (AES, 3DES)
        * Modes of Operation (ECB, CBC, CTR, XTS)
        * Bit Flipping & Nonce Reuse Attacks
        * Padding Oracle Attacks
        * **Challenge Lab: (Ab)using Block Ciphers**
      * Encrypting Data at Rest
      * (Compression) Side Channel Attacks

    * Hash Functions and Message Authentication Codes
      * Introduction to Hash Functions
      * Collision Attacks (SHA1/MD5)
      * Length Extension Attacks
      * Password Recovery with Rainbow Table Attacks
      * SHA3, SHAKE and Sponge Constructions
      * **Challenge Lab: (Ab)using Hash Functions and PW Cracking**

    * Message Authentication Codes
      * Introduction to Message Authentication Codes
      * Pitfalls of Trivial Constructions
      * Authenticated Encryption Modes
      * **Challenge Lab: (Ab)using MACs and AuthEnc**

    * Entropy and Randomness
      * Generating Secure Keys
      * Introduction to the Linux Entropy Pool
      * Misuse of Pseudo-Random Number Generators
      * Linear Congruential Generators
      * Mersenne Twister
      * Linear Feedback Shift Registers
      * The Dual EC DRBG Backdoor
      * **Challenge Lab: Keys and Randomness**

    Day 2:

    * Asymmetric Crypto / RSA
      * Introduction to RSA
      * Key Formats
      * Basic Attacks on (Textbook) RSA
      * Key Sizes and Brute Force
      * RSA PKCS#1 v1.5 Signatures
      * Padding/Bleichenbacher Attacks on RSA
      * **Challenge Lab: RSA**

    * Asymmetric Crypto / ECC
      * Introduction to Elliptic Curve Cryptography
      * The Java ECC Screwup
      * Exploiting ECDSA Nonce Reuse
      * Invalid Point Attacks
      * **Challenge Lab: ECC**

    * Public Key Infrastructure and Certificates
      * Introduction to Certificates
      * X.509 Certificate Structure and Features
      * Common Certificate Pitfall Examples
      * Chain of Trust and PKI Services
      * TOFU Principle and Man-in-the-Middle Threats
      * **Challenge Lab: Certificates and PubKeys**

    * Crypto Applications / Protocols
      * High-Level View of TLS
      * High-Level View of VPNs: IKE and WireGuard
      * Choosing Security Parameters for Protocols

    * Crypto Applications / JWT
      * Introduction to JWT
      * Common JWT Implementation Bugs
      * **Challenge Lab: Exploiting JWT**

    * Crypto Applications / WebAuthn, FIDO and TOTPs
      * Introduction to Password-Less Authentication
      * TOTP Algorithms and Seeds
      * Understanding and Deploying FIDO2 and WebAuthn
      * Footguns Regarding Password-Less Authentication
      * **Challenge Lab: (Ab)using FIDO**

    * Outlook
      * Sneak Peek at Post-Quantum Crypto
      * Upcoming Protocols and Primitives

    * Farewell
      * **Presentation of Take-Home Challenges**
      * Recap: Cryptography

     Prerequisites
    This is a beginner-to-intermediate course. The content is compressed, but no prior knowledge of cryptography is needed: every subject is introduced before attacks on it are presented.
    Students should be familiar with at least one scripting language (e.g. Bash or Python) and have a basic understanding of computer networks.

     Equipment Requirements
    Participants should bring a laptop with administrator/root access to install software.

     Certificate
    At the end of the course participants can take a test to certify their knowledge.

     Previous Training
    This training was previously held at private corporations.

     Trainers

    Ruben Gonzalez (Lead Trainer, He/Him):

    * 10 years in offensive security research
    * Bug hunter for cryptography code
    * Lead trainer at Neodyme.io
    * Auditor of crypto code for multiple large industry projects
    * Part-time PhD candidate for cryptographic implementations at the Max Planck Institute
    * Multi-time DEFCON CTF finalist (team Sauercloud)
    * Twitter: redrocket_ctf

    Tim Schmidt (Support Trainer, He/Him):

    * 5 years in vulnerability research
    * Tinkerer and Hardware Hacker
    * Profound interest in real-world attacks on cryptography
    * Multi-time DEFCON CTF finalist (team Sauercloud)
    * Trainer at Neodyme.io


    DATE: August 14th-15th 2023
    TIME: 8am to 5pm PDT
    VENUE: Caesars Forum, Las Vegas, NV
    TRAINER: Ruben Gonzalez

    - 16 hours of training with a certificate of completion.

    - 2 coffee breaks are provided per day
    - Note: Food is not included


    Registration terms and conditions:

    Trainings are refundable before July 1st; a $250 processing fee applies.

    Trainings are non-refundable after July 10th, 2023.

    Training tickets may be transferred. Please email us for specifics.

    Failure to attend the training without prior written notification will be considered a no-show, and no refund will be given.

    By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.
