Back To Schedule
Monday, January 26 • 8:30am - 6:00pm
Training: Cryptography For The Modern Developer

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Register for Training
Year after year, cryptography is incorporated in to more and more systems. Whether it be encrypting data in transit with off-the-shelf protocols, or implementing custom encryption mechanisms for data at rest, software developers are increasingly expected to leverage cryptography to meet security demands.

However, few developers have the experience or training to implement cryptography safely. The significant learning curve associated with using any cryptographic primitive properly, combined with the error prone APIs that most development environments expose to developers has led to countless flaws in modern applications.

This course is designed to provide attendees with the core concepts required to make informed decisions about what cryptographic primitives and APIs are safest to use in practice. Attendees will further learn that with a proper implementation, cryptography can make their development tasks easier, in addition to being more secure.

No significant background in cryptography is required to take this one-day course. However, attendees are expected to have a software development background. Lab sessions will include short exercises which ask students to write simple programs in their chosen language to solve various challenges. The content will include approximately 50% lecture and 50% labs or other exercises to reinforce the concepts presented.

Expected Outline:

0. Intro

1. Cryptography Primer/Refresher
– Symmetric Encryption
– Pseudorandom Number Generators
– Hashing and Integrity Protection
– Asymmetric Encryption
– How Crypto Makes Life Easier

1L. Crypto Basics Quiz & VM Setup

2. Overview of Modern Attacks and Common Mistakes
– PRNG issues, APIs
– Integrity Problems
– Padding Oracle Attacks
– Modern Password Cracking

2L. Exercise: Fix their Code

3. Key Exchange and PKIs
– Man-in-the-middle attacks
– PKI approaches
– Problems with PKIs
– Certificate Pinning

3L. Certificate Validation Testing

4. Practical Concerns
– Recent SSL/TLS bugs
– Standard API Overviews: Java, .NET, OpenSSL
– Better APIs: NaCl, KeyCzar,
– Ciphertext Fuzzing Techniques ?

4L. Exercise: Implement a Safe Token


Timothy D. Morgan

Blindspot Security LLC
Tim has been taking deep technical dives in security for over a decade. In that time, he has been credited with the discovery and responsible disclosure of numerous security vulnerabilities in a variety of software products, including: IBM Tivoli Access Manager, Sun Java Runtime... Read More →

Monday January 26, 2015 8:30am - 6:00pm PST
Annenberg Guest House

Attendees (0)