#ASFWS Crypto for developers

This is a course of applied cryptography aimed at anyone implementing crypto, using crypto libraries or APIs, reviewing Crypto implementations, selecting crypto schemes, or even designing new ones. In order to best understand how to build software with secure crypto, we will focus on attacks, with theory and principles supported with real-world examples of recent crypto bugs. We plan to have an interactive course, with everyone sharing experiences and asking questions or suggesting discussion topics.

The course can be given in French or English, depending on the audience.

A tentative roadmap is as follows (to be adapted depending on the participants’ expertise and preferences):

- The building blocks: ciphers, hash functions, MACs, PRFs, RNGs, public-key encryption, signatures, key agreement, etc.
- Security notions and models: semantic security, perfect forward secrecy, black boxes vs. side channels, etc.
- Examples of bugs and (epic) failures
- How to use strong randomness, depending on your needs/constraints: Which RNG to use? Which API? Which entropy source(s)? etc.
- How (not) to test your RNG, what tests it will (not) detect
Attacks and defenses
- Timing attacks: principle, examples of attacks, defenses
- Padding oracles: principle, examples of attacks, defenses
- Case study: AES cache-timing attacks
- Case study: RC4 failures (from WEP to TLS)
- Case study: RSA PKCS#1 v1.5 and side channels
Using crypto
- Libraries and APIs: when (not) to use OpenSSL, CryptoAPI, NaCl, etc.
- AES-128 or AES-256? RSA or ECC? which TLS ciphersuites? etc.
- What is the right key size? for which application?
- Testing crypto (it’s more than test vectors)
- Elliptic curve crypto demystified

Useful references to check before the training:


A presentation brochure is available at https://131002.net/data/training/cryptofordev.pdf

Price: CHF 500
Open in Google Maps