Beyond the BEAST: Deep Dives Into Crypto Vulnerabilities

NCC Group's Cryptography Services | August 1-2 & 3-4


This training is focused on drawing out the foundations of cryptographic vulnerabilities. These topics are timeless, and when the last application using ECB or CBC mode has upgraded - they'll be the foundations of the next evolution of impactful and popular cryptographic vulnerabilities. We'll talk about what attacks in the past took advantage of them, how algorithms and protocols have evolved over time to address these concerns, and what they look like now where they're at the heart of the most popular bugs today. The other major areas we hit are cryptographic exploitation primitives such as chosen block boundaries, and more protocol-related topics, such as how to understand and trace authentication in complex protocols.

As we're wrapping up, because there's just so much interesting crypto out there, we'll lay out what news sources we read to keep up on the latest happenings in the cryptographic community and do a whirlwind tour of some interesting topics like wide-block constructions and hash-based digital signatures. Finally, we'll leave you with what findings and techniques have impressed us - the ones we think people will be using in the next decade of high-profile cryptographic attacks.

- Module One focuses on what the right and wrong questions are when you're talking about cryptography with people - why focusing on matching key lengths isn't going to find you something exploitable, and what will.

- Module Two focuses on randomness, unpredictability, uniqueness. It covers the requisite info on spotting Random vs SecureRandom, but quickly dives deeper and talks about why randomness, uniqueness, and unpredictability are so important for constructions like GCM and stream ciphers (as well as CBC and key generation).

- Module Three focuses on integrity, and covers AEAD modes, how to use them safely and how to exploit them, disk encryption, encrypt-then-MAC, and unauthenticated modes like ECB/CBC/CTR.

- Module Four is about complicated protocols and systems deployed at scale, and how to trace through them, following how trust is granted, what its scope is, how it can be impersonated, and how the system falls apart when anything is slightly off.

- Module Five is Math. There's just no getting around it - but it also leads to some of the most impressive attacks. We look at several standards, many provably secure, and show how the slightest missing sanity check allows for an often-devastating adaptive chosen ciphertext attack on RSA, DSA, ECC, and unauthenticated block cipher modes.

- Module Six tackles side channels, going in depth on the two aspects of cryptographic oracles: how the oracle is exposed and how to take advantage of what it tells you. We cover timing, error, and the CPU cache, starting off by showing how to apply the attacks you've just learned, and then moving on to show how to extract key bits from hand-optimized algorithm implementations.
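Two of the failure modes named in the module list above (nonce uniqueness for stream ciphers from Module Two, and unauthenticated CTR versus encrypt-then-MAC from Module Three) are small enough to show in one runnable block. This is an added illustration, not course material or an attack implementation provided with the class. The "stream cipher" is a constructed stand-in, SHA-256 over key || nonce || counter, so the block runs with only the Python standard library; the reuse and malleability properties it exhibits are exactly those of AES-CTR or ChaCha20, which is what real code would use (ideally through an AEAD).

```python
"""Why nonce uniqueness and integrity matter for counter-mode stream ciphers.

Constructed educational example. The keystream generator below is a stand-in
for a real stream cipher so that the example needs only the standard library.
"""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 12   # assumption: 96-bit nonce, as GCM and ChaCha20 use
TAG_LEN = 32     # HMAC-SHA256 output length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed counter-mode keystream: SHA-256(key || nonce || counter).

    Same key and nonce always yield the same keystream, which is the whole point:
    counter-mode security rests on never reusing a (key, nonce) pair."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "inputs must be the same length"
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


# CTR decryption is the identical operation.
ctr_decrypt = ctr_encrypt


def leak_from_nonce_reuse(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under one (key, nonce): XOR cancels the keystream,
    leaving p1 XOR p2. Anyone who knows or guesses p1 now has p2."""
    return xor(c1, c2)


def flip_bits(data: bytes, offset: int, mask: bytes) -> bytes:
    """Unauthenticated CTR is malleable: flipping ciphertext bits flips the
    same plaintext bits, with no key needed. Returns the modified copy."""
    mutable = bytearray(data)
    for i, m in enumerate(mask):
        mutable[offset + i] ^= m
    return bytes(mutable)


def etm_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce: nonce || ciphertext || tag.
    The tag covers the nonce too, so neither can be altered unnoticed."""
    nonce = secrets.token_bytes(NONCE_LEN)
    c = ctr_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + c, hashlib.sha256).digest()
    return nonce + c + tag


def etm_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time BEFORE touching the ciphertext."""
    nonce, c, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC check failed: message rejected")
    return ctr_decrypt(enc_key, nonce, c)


def tamper_is_rejected(enc_key: bytes, mac_key: bytes, blob: bytes,
                       offset: int, mask: bytes) -> bool:
    """True if the MAC catches a bit-flip at the given ciphertext offset."""
    try:
        etm_decrypt(enc_key, mac_key, flip_bits(blob, offset, mask))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    fixed_nonce = bytes(NONCE_LEN)          # constructed: the reuse bug itself
    p1 = b"transfer $100 to alice"          # constructed sample messages
    p2 = b"transfer $900 to mallo"
    c1, c2 = ctr_encrypt(key, fixed_nonce, p1), ctr_encrypt(key, fixed_nonce, p2)
    print("known p1 recovers p2:", xor(leak_from_nonce_reuse(c1, c2), p1))
    # '1' (0x31) XOR 0x08 = '9' (0x39): change the amount without the key.
    print("malleated:", ctr_decrypt(key, fixed_nonce, flip_bits(c1, 10, b"\x08")))
    blob = etm_encrypt(key, mac_key, p1)
    print("same flip under encrypt-then-MAC rejected:",
          tamper_is_rejected(key, mac_key, blob, NONCE_LEN + 10, b"\x08"))
```

The two defensive points the block makes concrete: a nonce must never repeat under one key (a counter or random 96-bit value per message, never a fixed constant), and a ciphertext must be authenticated (and the tag checked with a constant-time compare) before any byte of it is decrypted or acted on.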

Matasano Security, who brought you CryptoPals.com and 'Crypto for Pen Testers', and iSEC Partners, known for its research and work on the TrueCrypt, Tor Browser, and other public and high-profile audits, have come together to form a new practice focusing specifically on just one thing. Cryptography Services exclusively performs cryptographic consulting, research, training, and tracks industry and academic movements, producing insight into both the struggles organizations face day-in and day-out on practical difficulties, and what novel work is being done on the cutting edge of the field. This training is an extension of the research done day-in and day-out on our work leading engagements in the field, developing proofs of concept of attacks, and teaching cryptography to anyone who will sit still long enough to listen to us.

Who Should Take this Course

This course is targeted at students who have a strong interest in cryptography and some measure of cryptographic understanding (such as the difference between symmetric and asymmetric crypto). The ideal student has investigated one or more recent cryptographic attacks deeply enough to be able to explain them, but has not sat down and read the PKCS or NIST standards describing algorithm implementation. No explicit understanding of statistics or high-level math is required, as the focus is on the underlying causes of the vulnerabilities. Some programming experience is recommended.

Student Requirements

Some level of familiarity and proficiency in a programming language of their choosing

What Students Should Bring

A laptop prepared with a programming environment they are comfortable in

What Students Will Be Provided With

Course Materials, Slides, & Example Attack Implementations


Tom Ritter is a Principal Security Engineer at NCC Group North America, a strategic digital security organization, performing application penetration testing and cryptographic analysis for multiple platforms and environments. He manages the Cryptography Services (CS) arm, comprising cryptography-based engagements that include protocol design and analysis, implementation auditing, training, and strategic review. As part of this practice, he also runs the CS Bulletin service, which tracks academic publications, standards development, vulnerabilities, and developments in cryptography that help organizations plan for both the next emergency patch and long-term investments ten years in the future. He graduated from Stevens Institute of Technology with a Master's in Computer Science; prior to iSEC, he worked as a Security Engineer at a leading security consulting company and as a Team Lead in .Net and SQL Server Development for a Financial Services company. During his tenure in application security consulting, he has led a number of multi-person projects testing web applications with varying backends including .Net, Java, C/C++, and common interpreted languages such as PHP and Python. He has also led internal and external network assessments, architecture reviews, and mobile application reviews covering Android and iOS, and has performed reverse engineering, development on embedded devices, binary code analysis, and anti-exploitation hardening reviews. He has presented at security conferences in Europe, North and South America and is involved in IETF & W3C Standards Groups relating to secure protocols. Some of his public work can be seen in managing iSEC's work with the Open Technology Fund and the Open Crypto Audit Project, comprising public reports on TrueCrypt, Tor Browser and several other applications.

Sean Devlin is a principal consultant at Matasano Security where he works in application security consulting and the internal cryptography practice. He is an expert in cryptographic security as well as protocol analysis and design. Recently, Sean spoke at Black Hat USA 2014 on the topic of practical cryptographic vulnerabilities in application software. These included common but underreported flaws such as RSA padding oracles and subgroup confinement attacks on Diffie-Hellman. Before joining Matasano, Sean was a software developer with the Chicago-area software consultancy Clarity Consulting. At Clarity, Sean developed a number of line-of-business applications using Microsoft's .NET technologies. He is proficient in software architecture and functional programming.

Alex Balducci is a Security Consultant at Matasano Security. His experience includes security research, source code auditing, application security assessments, and software development - but his expertise is in cryptographic security including analysis and design of cryptographic protocols. In just this past year Alex has spoken at several industry conferences. At BlackHat USA 2014 he spoke on the topic of practical cryptographic vulnerabilities in application software covering RSA padding oracles and subgroup confinement attacks on elliptic curve Diffie-Hellman. At Thotcon 2014 and Toorcon 2014 he spoke on the topic of power analysis attacks, including methods to retrieve DES and AES secret keys from a device running cryptographic operations using differential power analysis. He also helped run an informal one-day cryptography training in Chicago which covered a wide range of topics including block ciphers, RSA, TLS, and elliptic curves.