Crypto for Pentesters

Some people, when confronted with a problem, think "I know, I'll use cryptography." Now they have two hundred problems.

People test cryptography and think about the wrong things. How often are keys rotated? How big should the RSA keys be? Is it safe to use SHA-1 or do they need to use SHA-256? In the real world, these questions don't matter. They're like looking at 1995-era C code and asking whether it's const-correct. It's 1995 out there for crypto. Everything is wide open.

Think of a crypto primitive, like AES or SHA-1. Key exchange. Signatures. I'd like to show you something that goes wrong with it. Something so bad you can break a cryptosystem in seconds inside a Ruby interpreter. The slow kind of Ruby interpreter. Then I'd like to show you how to use simple tools, like that interpreter and Webscarab, to test for those flaws in real apps. Without knowing anything about the crypto they're using. I think you might be surprised. Especially if you thought you needed a math degree to break real-world crypto.

I'm going to demonstrate testing techniques and explain and then generalize real-world flaws, so you can reuse the ideas behind them on applications you come into contact with. This talk comes with code, and with a sandbox app to try the attacks out on. This is the coolest stuff I've learned in the past several years. Picking these tricks up feels like it did to learn stack overflows in '95. I'm psyched to share it.
