Back to course catalog

Practical cryptography for software engineers

CL-PCR
2 days
Specific topic
Course page in PDF Inquiry

Course information

Preparedness

Professional

Exercises

No

Delivery methods

Classroom

Course Reviews

Clear and well-explained.

February 2011, Sophia-Antipolis, France

View all reviews

Description

Implementing a secure networked application can be difficult, even for developers who may have used various cryptographic building blocks (such as encryption and digital signatures) beforehand. In order to make the participants understand the role and usage of these cryptographic primitives, first a solid foundation on the main requirements of secure communication – secure acknowledgement, integrity, confidentiality, remote identification and anonymity – is given, while also presenting the typical problems that may damage these requirements along with real-world solutions.

After establishing the basics, the typical elements of cryptosystems and the most widely-used cryptographic algorithms in symmetric cryptography, hashing, asymmetric cryptography, and key agreement are detailed. Instead of presenting an in-depth mathematical background, these elements are discussed from a developer's perspective, showing typical use-case examples and practical considerations related to the use of crypto, such as public key infrastructures. Security protocols in many different areas of secure communication are introduced, with an in-depth discussion on the most widely-used protocol families such as IPSEC and SSL/TLS.

Participants attending this course will

  • Understand basic concepts of security, IT security and secure coding
  • Have a practical understanding of cryptography
  • Understand the requirements of secure communication
  • Understand essential security protocols
  • Understand some recent attacks against cryptosystems
  • Get sources and further readings on secure coding practices

Outline

  • IT security and secure coding
  • Requirements of secure communication
  • Practical cryptography
  • Security protocols
  • Principles of security and secure coding
  • Knowledge sources

Table of Contents

  • Day 1
    • IT security and secure coding
      • Nature of security
      • What is risk?
      • IT security vs. secure coding
      • From vulnerabilities to botnets and cybercrime
        • Nature of security flaws
        • Reasons of difficulty
        • From an infected computer to targeted attacks
        • The Seven Pernicious Kingdoms
        • OWASP Top Ten 2017
    • Requirements of secure communication
      • Security levels
      • Secure acknowledgment
        • Malicious message absorption
          • Feasibility of secure acknowledgment
          • The solution: Clearing Centers
        • Inadvertent message loss
      • Integrity
        • Error detection - Inadvertent message distortion (noise)
          • Modeling message distortion
          • Error detection and correction codes
        • Authenticity - Malicious message manipulation
          • Modeling message manipulation
          • Practical integrity protection (detection)
        • Non-repudiation
          • Non-repudiation
        • Summary
          • Detecting integrity violation
      • Confidentiality
        • Model of encrypted communication
        • Encryption methods in practice
        • Strength of encryption algorithms
      • Remote identification
        • Requirements of remote identification
      • Anonymity and traffic analysis
        • Model of anonymous communication
        • Traffic analysis
        • Theoretically strong protection against traffic analysis
        • Practical protection against traffic analysis
      • Summary
        • Relationship between the requirements
    • Practical cryptography
      • Rule #1 of implementing cryptography
      • Cryptosystems
        • Elements of a cryptosystem
      • Symmetric-key cryptography
        • Providing confidentiality with symmetric cryptography
        • Symmetric encryption algorithms
        • Modes of operation
      • Other cryptographic algorithms
        • Hash or message digest
        • Hash algorithms
        • SHAttered
        • Message Authentication Code (MAC)
        • Providing integrity and authenticity with a symmetric key
        • Random numbers and cryptography
        • Cryptographically-strong PRNGs
        • Hardware-based TRNGs
  • Day 2
    • Practical cryptography
      • Asymmetric (public-key) cryptography
        • Providing confidentiality with public-key encryption
        • Rule of thumb – possession of private key
        • The RSA algorithm
          • Introduction to RSA algorithm
          • Encrypting with RSA
          • Combining symmetric and asymmetric algorithms
          • Digital signing with RSA
      • Public Key Infrastructure (PKI)
        • Man-in-the-Middle (MitM) attack
        • Digital certificates against MitM attack
        • Certificate Authorities in Public Key Infrastructure
        • X.509 digital certificate
      • Web of Trust (WoT)
        • Web of Trust (WoT) – introduction
        • WoT example
        • Challenges of Web of Trust
    • Security protocols
      • IPSEC protocol family
        • IPSEC standards
        • Security Association (SA)
        • Message formats
        • AH packet structure
        • ESP packet structure
        • Protected channels
        • More complex set-ups
        • Traffic control
        • SA structure
        • Key management
      • SSL/TLS protocols
        • Security services
        • SSL/TLS handshake
      • Protocol-level vulnerabilities
        • BEAST
        • FREAK
        • FREAK – attack against SSL/TLS
        • Logjam attack
      • Padding oracle attacks
        • Adaptive chosen-ciphertext attacks
        • Padding oracle attack
        • CBC decryption
        • Padding oracle example
        • Lucky Thirteen
        • POODLE
      • RSA timing attack
        • Implementation of encoding/decoding in RSA
        • Fast exponentiation
        • Differences in execution times
        • RSA timing attack
        • Measurements
        • RSA timing attack – principles
        • Correlation of total and partial execution times
        • RSA timing attack – in practice
        • The RSA timing attack algorithm
        • Practical exploitation using the RSA timing attack
        • Attacking SSL/TLS servers
        • Protection against timing attacks
          • Hiding: RSA timing attack countermeasures
          • Masking: using blind signature
          • Real RSA implementations
      • Improper use of security features
        • Typical problems related to the use of security features
        • Insecure randomness
          • Testing random number generators
        • Password management
          • Exercise – Weakness of hashed passwords
          • Password management and storage
          • Special purpose hash algorithms for password storage
          • Password audit
          • Exercise – using John the Ripper
          • Case study – the Ashley Madison data breach
          • Typical mistakes in password management
    • Principles of security and secure coding
      • Matt Bishop’s principles of robust programming
      • The security principles of Saltzer and Schroeder
    • Knowledge sources
      • Secure coding sources – a starter kit
      • Vulnerability databases
      • Recommended books – cloud security
Show full table of contents

Get more information