Sunday, April 10 • 5:30pm - 6:10pm
Cleaning up Magical Crypto Fairy Dust with Cryptanalib and FeatherDuster

The gap between academic development of cryptanalysis techniques and their practical application is wide. The application security community was in awe in 2010 when Duong and Rizzo were able to apply Vaudenay's 2002 padding oracle attack technique to not one but three major frameworks: ASP.NET, Ruby on Rails, and JavaServer Faces. There are various tools being developed for certain applications of these attacks, but they tend to implement at most a handful of different attacks. One of the difficulties is that flawed cryptography can exist in lots of different kinds of technologies; cryptography can exist in pretty much any place normal data can! As a result, performing practical cryptographic attacks often requires writing your own custom tool. This can be beyond the scope of a pen test due to time restrictions. It may also be beyond the skill of a tester to implement a given attack.

Enter Cryptanalib: A library implementing various crypto attacks to make writing crypto attack tools easier! But how do you use it if you can't write code?

Enter FeatherDuster: A modular, wizard-like interface to make using Cryptanalib as simple as possible, sometimes even requiring the user to write no code whatsoever!

This talk will discuss some common cryptographic mistakes and show how to use Cryptanalib and FeatherDuster to exploit them.

Speakers
Daniel Crowley

NCC Group
Daniel Crowley is a Security Engineer for NCC Group, tasked with finding and exploiting flaws in everything from Web applications and cryptosystems to ATMs, smart homes, and industrial control systems. Daniel denies all allegations of unicorn smuggling and questions your character...



Sunday April 10, 2016 5:30pm - 6:10pm
Ballroom A