Crypto attacks and defenses

From March 20, 2017 to March 21, 2017

This 2-day training will teach you how to spot and exploit crypto vulnerabilities and how to use the strongest forms of state-of-the-art cryptography to secure modern systems (like IoT or mobile applications). Beyond that, it will also bring you up to speed on the latest and greatest developments in the world of cryptography, such as TLS 1.3, blockchains, and post-quantum crypto.

During the lectures you'll acquire a solid knowledge of the fundamentals, from randomness through authenticated encryption to timing attacks, and you will learn how cryptography is used in applications such as secure messaging protocols or blockchain systems. Throughout the course, we'll give examples of real-world failures and how they could have been avoided.

The hands-on sessions will put into practice the notions and tools encountered previously, and you will be challenged to find, exploit, and fix vulnerabilities in cryptographic software. The tasks will consist of a mix of made-up problems and examples of real vulnerabilities found in widely deployed systems.

Both trainers have a PhD in cryptography and have found vulnerabilities in major cryptographic software (TLS implementations, industrial systems, secure messaging applications, etc.).

This is the tentative program, which may be slightly adapted based upon participants' requests:

Day 1, morning: lectures

Day 1, afternoon: hands-on

Day 2, morning: lectures

Day 2, afternoon: hands-on

Target Audience

This training is suitable for any security professional or security-minded developer who's got at least some basic understanding of cryptography. You should know the difference between public-key cryptography and secret-key cryptography, but you don't need to know how the general number field sieve algorithm works, for example. We'll focus on the security of software implementations as opposed to hardware implementations, hence software people will get more out of it than hardware people.

Philipp Jovanovic

Philipp Jovanovic is a cryptographer and post-doctoral researcher at the École Polytechnique Fédérale de Lausanne (EPFL), in Switzerland. He designed several cryptographic algorithms such as the authenticated ciphers NORX, OPP, and MRO, and he is involved in the development of the cothority framework for scalable, decentralized, cryptographic protocols. His research is published regularly at top crypto/security conferences such as USENIX Security, EUROCRYPT, IEEE S&P, CT-RSA, or ASIACRYPT, and he is also frequently active at non-academic conferences like the Chaos Communication Congress. Philipp tweets as @daeinar.

Jean-Philippe Aumasson

Jean-Philippe (JP) Aumasson is Principal Research Engineer at Kudelski Security, in Switzerland. He designed the popular cryptographic functions BLAKE2 and SipHash, and the new authenticated cipher NORX. He has spoken at Black Hat, DEFCON, RSA, CCC, SyScan, and Troopers. He initiated the Crypto Coding Standard and the Password Hashing Competition projects, co-wrote the 2015 book "The Hash Function BLAKE", and will release a new cryptography book in 2017 for a wider audience. JP tweets as @veorq.