Crypto Risk - Training by Cryptosense - 26 & 27 October 2017

University Ca' Foscari

3246 Venice

Italy


Cryptosense Crypto Risk Training

Two-day training course - Venice, Italy - 26 & 27 October 2017

Day 1 - Crypto Risk

Audience

  • Security/Risk managers

  • Application Security auditors

  • Pen-testers

  • Security Architects

Required background

The course is for professionals working in application security. Some basic familiarity with cryptography is required to get the most out of the training. There are no practical exercises, so up-to-date coding skills are not required. Examples will be given in Java.

What you will learn

  • When to use crypto and why

  • Mistakes to avoid in common operations and protocols

  • Best practices for key-management, and common vulnerabilities

  • Real-world examples of attacks exploiting crypto flaws to obtain secret data, achieve remote code execution, reset passwords to known values, etc.

Day 1 Syllabus in Detail

Cryptography recap

  • Why (not) use cryptography?

  • Not just SSL - how crypto is found everywhere in modern applications

Encryption

  • Algorithms

  • Keylengths

  • Modes of operation and padding modes - what to use and why

  • Common and not-so-common mode usage errors

  • Padding oracle attacks

Hashing and Signing

  • Hash functions

  • HMAC

  • Asymmetric signature modes

  • Attacks on weak hash functions

  • Attacking weak signature modes

Password-based key derivation

  • Algorithms, parameters, hash functions

  • Attacks on weak PBKDFs

  • Password-based Encryption

Key-Management

  • The importance of key management

  • Attacks on software keystores

  • Alternative key-management techniques

Using common protocols

  • TLS client and server configuration

  • Certificate verification

  • Attacks on weak TLS and SSH configurations and how to fix them

Day 2 - Crypto Exploits

Audience

  • Application Security auditors

  • Pen-testers

  • Security Architects

  • Developers

Required background

The course is for professionals working in application security. Some basic familiarity with cryptography is required to get the most out of the training. This part of the training includes practical exercises, so some coding skills are required, and familiarity with crypto APIs will help. The training examples will be given in Java, but developers with good experience of another widely-used high-level language like Python may prefer to use that. Cryptosense trainers will support Java and Python, but can’t guarantee support for more exotic languages.

What you will learn

  • How to write exploits for vulnerabilities resulting from common crypto errors

Day 2 Syllabus in Detail

Warm-up

  • Writing a password cracker for a weak proprietary key derivation scheme

Breaking Encryption

  • Padding oracle attack on CBC encryption (Vaudenay attack)

  • Real-world examples of variations including fixed IV, key as IV

  • Padding oracle attack on PKCS#1v1.5 encryption (Bleichenbacher attack)

  • Real-world variations including optimisations for stronger/weaker oracles

Key-management attacks (time permitting)

  • Key extraction attacks on PKCS#11 (HSM) APIs
