Beyond the BEAST: Deep Dives into Crypto Vulnerabilities

NCC Group's Cryptography Services | November 10-11


This training is focused on drawing out the foundations of cryptographic vulnerabilities. These topics are timeless: when the last application using ECB or CBC mode has upgraded, they will still be the foundations of the next evolution of impactful and popular cryptographic vulnerabilities. We'll talk about which past attacks took advantage of them, how algorithms and protocols have evolved over time to address these concerns, and what they look like now that they're at the heart of the most popular bugs today. The other major areas we hit are cryptographic exploitation primitives such as chosen block boundaries, and more protocol-related topics, such as how to understand and trace authentication in complex protocols. As we're wrapping up, because there's just so much interesting crypto out there, we'll lay out which news sources we read to keep up on the latest happenings in the cryptographic community and do a whirlwind tour of some interesting topics like wide-block constructions and hash-based digital signatures. Finally, we'll leave you with the findings and techniques that have impressed us, the ones we think people will be using in the next decade of high-profile cryptographic attacks.

  • Module One focuses on what the right and wrong questions are when you're talking about cryptography with people: why focusing on matching key lengths isn't going to find you something exploitable, and what will.
  • Module Two focuses on randomness, unpredictability, and uniqueness. It covers the requisite info on spotting Random vs SecureRandom, but quickly dives deeper and talks about why randomness, uniqueness, and unpredictability are so important for constructions like GCM and stream ciphers (as well as CBC and key generation).
  • Module Three focuses on integrity, and covers AEAD modes, how to use them safely and how to exploit them, disk encryption, encrypt-then-MAC, and unauthenticated modes like ECB/CBC/CTR.
  • Module Four is about complicated protocols and systems deployed at scale, and how to trace through them, following how trust is granted, what its scope is, how it can be impersonated, and how the system falls apart when anything is slightly off.
  • Module Five is Math. There's just no getting around it, but it also leads to some of the most impressive attacks. We look at several standards, many provably secure, and show how the slightest missing sanity check allows for an often-devastating adaptive chosen ciphertext attack on RSA, DSA, ECC, and unauthenticated block cipher modes.
  • Module Six tackles side channels, going in depth on the two aspects of cryptographic oracles: how the oracle is exposed and how to take advantage of what it tells you. We cover timing, error, and CPU cache side channels, starting off by showing how to apply the attacks you've just learned, and then moving on to show how to extract key bits from hand-optimized algorithm implementations.

Matasano Security, who brought you CryptoPals.com and 'Crypto for Pen Testers', and iSEC Partners, known for its research and work on the TrueCrypt, Tor Browser, and other public and high-profile audits, have come together to form a new practice focusing on just one thing. Cryptography Services exclusively performs cryptographic consulting, research, and training, and tracks industry and academic movements, producing insight into both the practical difficulties organizations struggle with day in and day out and the novel work being done on the cutting edge of the field. This training is an extension of the research we do every day while leading engagements in the field, developing proofs of concept of attacks, and teaching cryptography to anyone who will sit still long enough to listen to us.

Who Should Take this Course

This course is targeted at students who have a strong interest in cryptography and some measure of cryptographic understanding (such as the difference between symmetric and asymmetric crypto). The ideal student has investigated one or more recent cryptographic attacks deeply enough to be able to explain them, but has not sat down and read the PKCS or NIST standards describing algorithm implementation. No explicit understanding of statistics or high-level math is required, as the focus is on the underlying causes of the vulnerabilities. Some programming experience is recommended.

Student Requirements

Some level of familiarity and proficiency in a programming language of their choosing

What Students Should Bring

A laptop prepared with a programming environment they are comfortable in

What Students Will Be Provided With

Course materials, slides, and example attack implementations


Richard Turnbull is an Executive Principal at NCC Group in the UK. He has been designing, assessing, reverse-engineering and attacking cryptographic systems for fifteen years. In his current role he performs white-box and black-box application security assessments, and has reviewed cryptographic implementations in web applications, disk encryption products, DRM and licensing systems, mobile applications and embedded systems, to name but a few. He previously worked for the UK government's information assurance organisation, and then in a forensic team specialising in the recovery of encrypted data.

Alex Balducci is a Security Consultant at NCC Group's Cryptography Services. His experience includes security research, source code auditing, application security assessments, and software development, but his expertise is in cryptographic security, including the analysis and design of cryptographic protocols. In just this past year Alex has spoken at several industry conferences. At Black Hat USA 2014 he spoke on practical cryptographic vulnerabilities in application software, covering RSA padding oracles and subgroup confinement attacks on elliptic curve Diffie-Hellman. At Thotcon 2014 and Toorcon 2014 he spoke on power analysis attacks, including methods to retrieve DES and AES secret keys from a device running cryptographic operations using differential power analysis. He also helped run an informal one-day cryptography training in Chicago which covered a wide range of topics including block ciphers, RSA, TLS, and elliptic curves.