Crypto attacks and defenses

This 2-day training will teach you how to spot and exploit crypto vulnerabilities and how to use the strongest forms of state-of-the-art cryptography to secure modern systems (like IoT or mobile applications). Beyond that it will also bring you up to speed on the latest and greatest developments in the world of cryptography, such as TLS 1.3, blockchains, and post-quantum crypto.

During the lectures you’ll acquire a solid knowledge of the fundamentals, from randomness over authenticated encryption to timing attacks, and you will learn how cryptography is used in applications such as secure messaging protocols or blockchain systems. Throughout the course, we’ll give examples of real-world failures and how they could have been avoided.

The hands-on sessions will put into practice the notions and tools encountered previously and you will be challenged to find, exploit, and fix vulnerabilities in cryptographic software. The tasks will consist of a mix of made up problems and examples of real vulnerabilities found in widely deployed systems.

Both trainers have a PhD in cryptography and have found vulnerabilities in major cryptographic software (TLS implementations, industrial systems, secure messaging applications, etc.).

This is the tentative program, which may be slightly adapted based upon participants’ requests:

Day 1, morning: lectures

  • Ciphers, key agreement protocols, and security models; the foundations of everything that follows
  • Randomness and pseudo-randomness, with numerous examples of bugs
  • Elliptic-curve cryptography, the pros and the cons
  • Quantum and post-quantum cryptography, what these all mean, and why should you care

Day 1, afternoon: hands-on

  • Exercises: breaking a weak PRNG, exploiting implementation flaws, dissecting a protocol, etc.

Day 2, morning: lectures

  • Crypto libraries and APIs, their strengths and their side-channel vulnerabilities
  • Attacks on RSA and RC4, classic vulnerabilities still observed in the wild
  • Secure messaging, an example of a state-of-the-art scalable crypto protocol
  • Password security, how to get it right
  • Blockchain technologies and how crypto makes them secure

Day 2, afternoon: hands-on

  • Exercises: finding bugs in famous crypto applications and libraries, etc.

Target Audience

This training is suitable to any security professional or security-minded developer who’s got at least some basic understanding of cryptography. You should know the difference between public-key cryptography and secret-key cryptography, but you don’t need to know how the general number field sieve algorithm is working, for example. We’ll focus on the security of software implementations as opposed to hardware implementations, hence software people will get more of it than hardware people.

About the Speakers