[Cryptography] "We need crypto code training" and other obviosities.
Jean-Philippe Aumasson
jeanphilippe.aumasson at gmail.com
Sat Oct 24 10:29:03 EDT 2015
On Sat, Oct 24, 2015 at 1:08 PM ianG <iang at iang.org> wrote:
> On 24/10/2015 07:37 am, Jean-Philippe Aumasson wrote:
> > Shameless plug: I'll give a course "crypto for developers" at the next
> > Troopers, where I'll address these issues (and also basics of crypto).
>
>
> For your imagined sins - perhaps you or anyone could post a topics list?
>
>
Tentative plan of my training (will be adapted):
1) Definitions (~1h)
- The building blocks: ciphers, hash functions, MACs, PRFs, RNGs,
public-key encryption, signatures, key agreement, etc.
- Attack models and goals: semantic security, perfect forward
secrecy, side-channel models, informational vs. computational security
2) Randomness (~1h30)
- What is randomness and entropy in crypto
- Examples of bugs and (epic) failures
- How to use strong randomness, depending on your needs/constraints
- Which RNG to use? Which API? Which entropy source(s)? etc.
- How (not) to test your RNG, what tests it can detect
3) Attacks and defenses (~1h30)
- Timing attacks: principle, examples of attacks, defenses
- Padding oracles: principle, examples of attacks, defenses
- Case study: AES cache-timing attacks
- Case study: RC4 failures (from WEP to TLS)
- Case study: RSA PKCS#1 v1.5 and side channels
4) Using crypto (~1h30)
- Review of libs and APIs: OpenSSL, CryptoAPI, NaCl, etc.
- Basic vulnerability searching (reviewing, static analyzing, fuzzing)
- AES-128 or AES-256? RSA or ECC? which TLS ciphersuites? etc.
- What is the right key size? for which application?
- Testing crypto (it's more than test vectors)
5) Selected topics (~1h)
- Elliptic curve crypto demystified
- Password hashing do's and don'ts
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20151024/89b44995/attachment.html>
More information about the cryptography
mailing list