On This Page

Beyond the Beast: A Broad Survey of Crypto Vulnerabilities



This training is focused on drawing out the foundations of cryptographic vulnerabilities. These topics are timeless, and when the last application using ECB or CBC mode has upgraded - they'll be the foundations of the next evolution of impactful and popular cryptographic vulnerabilities. We'll talk about what attacks in the past took advantage of them, how algorithms and protocols have evolved over time to address these concerns, and what they look like now: where they're at the heart of the most popular bugs today. The other major areas we hit are cryptographic exploitation primitives such as chosen block boundaries, and more protocol-related topics, such as how to understand and trace authentication in complex protocols.

  • Module One focuses on what the right and wrong questions are when you're talking about cryptography with people - why focusing on matching keylengths, and other 'mundane' questions, isn't going to find you something exploitable and what will.

  • Module Two focuses on randomness, unpredictability, uniqueness. It covers the requisite info on spotting Random vs SecureRandom, but quickly dives deeper and discusses about why randomness, uniqueness, and unpredictability are so important for constructions like GCM and stream ciphers (as well as CBC and key generation).

  • Module Three focuses on integrity, and covers AEAD modes, how to use them safely and how to exploit them, disk encryption, encrypt-then-mac, and unauthenticated modes like ECB/CBC/CTR.

  • Module Four is all about signatures. We talk about signature reuse, reinterpretation, and more - including one of our favorite flaws: the SSL 3 omission that persisted and was exploited in new ways for a full 19 years before finally being fixed.

  • Module Five is about complicated protocols and systems deployed at scale, and how to trace through them, following how trust is granted, what its scope is, how it can be impersonated, and how the system falls apart when anything is slightly off.

  • Module Six is Math. There's just no getting around it - but it also leads to some of the most impressive attacks. We look at several standards, many provably secure, and show how a slightest missing sanity check allows for an often-devastating adaptive chosen ciphertext attack on RSA, DSA, ECC, and unauthenticated block cipher modes.

  • Module Seven tackles side channels, going in depth on the two aspects of cryptographic oracles: how the oracle is exposed and how to take advantage of what it tells you. We cover timing, error, and the CPU cache, starting off showing how to apply the attacks you've just learned, and then moving on to show how to extract key bits from hand-optimized algorithm implementations.

As we're wrapping up, because there's just so much interesting crypto out there, we'll lay out what news sources we read to keep up on the latest happenings in the cryptographic community and do a whirlwind tour of some interesting topics like wide-block constructions and hash-based digital signatures. Finally, we'll leave you with what findings and techniques have impressed us - the ones we think people will be using in the next decade of high-profile cryptographic attacks.

NCC Group is a world-wide organization that has brought together some of the biggest names in cryptography in North America. Matasano Security, who brought you CryptoPals.com and 'Crypto for Pen Testers', and iSEC Partners, known for its research and work on the TrueCrypt, Tor Browser, and other public and high-profile audits, have come together as NCC Group with a specialized Cryptography Services practice. Cryptography Services exclusively performs cryptographic consulting, research, training, and tracks industry and academic movements, producing insight into both the struggles organizations face day-in and day-out on practical difficulties, and what novel work is being done on the cutting edge of the field. This training is an extension of the research done day-in and day-out on our work leading engagements in the field, developing proofs of concept of attacks, and teaching cryptography to anyone who will sit still long enough to listen to us.

Who Should Take this Course

This course is targeted at students who have a strong interest in cryptography and some measure of cryptographic understanding (such as the difference between symmetric and asymmetric crypto). Cryptography is a very nuanced subject, but in the real world often falls to those without 20 years of study in the field. Students leave the course with a breadth of information that empowers them to better design and review cryptographic implementations and protocols. The ideal student has investigated one or more recent cryptographic attacks deeply enough to be able to explain it, but has not sat down and read PKCS or NIST standards describing algorithm implementation. No explicit understanding of statistics or high-level math is required, as the focus is on the underlying causes of the vulnerabilities. Programming experience is recommended.

Student Requirements

Some level of familiarity and efficiency in a programming language of their choosing.

What Students Should Bring

A laptop prepared with Python 2.7 and if they object to Python, an additional programming environment they are comfortable in.

What Students Will Be Provided With

Course Materials, Slides, Summary of Main Concepts & Example Attack Implementations


Alex Balducci is a Principal Security Consultant at NCC Group's Cryptography Services. His experience includes security research, source code auditing, application security assessments, and software development - but his expertise is in cryptographic security including analysis and design of cryptographic protocols. Alex has given numerous presentations at several industry conferences. Through 2017-2015 he delivered NCC Group's "Beyond the Beast: Deep Dives in Cryptography" course at Blackhat USA as well as at Blackhat EU in 2015. This two day course examines modern issues affecting cryptographic implementations and protocols and delves into the nitty gritty implementation details. At BlackHat USA 2014 he spoke on the topic of practical cryptographic vulnerabilities in application software covering RSA padding oracles and subgroup confinement attacks on elliptic curve Diffie-Hellman.