Speaking with Cryptographic Oracles
Daniel “unicornFurnace” Crowley
Application Security Consultant, Trustwave - Spiderlabs

The Speaker and the Presentation
A quick introduction and a few distinctions

The Speaker
- Daniel Crowley
- Web application security d00d
- IANAC (I am not a cryptographer)
- dcrowley@trustwave.com
- @dan_crowley

The Presentation Topic
- Finding and exploiting:
  - Encryption Oracles
  - Decryption Oracles
  - Padding Oracles
- With little to no cryptographic knowledge
  - More crypto knowledge, more useful attacks

NOT the Presentation Topic
- The Oracle
  - We are not being harvested for energy by robot overlords
  - Maybe
- ORACLE
  - If you Google “<any crypto word> oracle” it’s all you find
- Google, the Internet Oracle
  - While awesome, not what we’re talking about

NOT the Presentation Topic
- Crypto g00r00s like Adi Shamir
  - While also awesome and totally related, not the topic
- New attacks on old crypto
  - Mistakes are easy enough to make in implementation
- How Padding Oracle attacks work
  - Too much time to explain
  - Too many good resources

DEFCON Drinking Game 0-day
- APT iPad
- APT China, cyber-war
- Cloud mobile botnet
- Cloud cloud Cyber-Twilight APT Sun Tzu
- RSA HBGary botnet PCI SCADA in the cloud
- Cyber-war?
- LulzSec???
- APT China cyber-war weeaboo, WikiLeaks mobile LulzSec.

A Primer on Cryptographic Terms
Basic cryptographic terms, concepts and mistakes

Very Basic Terms
- Cipher
  - A system for scrambling and unscrambling data to protect it
- Key
  - A variable used to permute the cipher
- Initialization Vector (IV)
  - A second variable used to randomize the cipher
- Plaintext
  - The data in readable form
- Ciphertext
  - The data in unreadable form
- Encryption
  - Turning something you can read into something you can’t
- Decryption
  - Turning something you can’t read into something you can

Stream and Block Ciphers
- Block
  - Encrypt X characters at a time
  - X is the block size
  - Key is used to directly transform plaintext to ciphertext
- Stream
  - Encrypt one character at a time
  - Key is used to generate pseudo-random numbers
  - Those numbers are used to transform plaintext to ciphertext

Very Basic Mistakes
- Using a keyless cipher
  - Completely insecure if cipher is ever discovered
- Reusing keys and/or IVs
  - Makes Oracle attacks far more dangerous
  - IV reuse can seriously weaken stream ciphers
  - Think WEP
- Leaking data from crypto operations
  - Foundation for Oracle attacks
Flickr Creative Commons - Rosino

What is an Oracle?
- A system which takes queries and provides answers
- Queries might be
  - Plaintext
  - Ciphertext
- Answers might be
  - Corresponding plaintext
  - Corresponding ciphertext
  - Info about operation
  - Sample from PRNG
Picture by D Sharon Pruitt – Creative Commons

Seek the Oracle
How to identify cryptographic Oracles
From a black-box perspective

Decryption Oracles: Identify Input
- Identify where encrypted input occurs
- Identify all points of user input
  - For Web apps: GET, POST, URL, Cookie, headers
- Identify those which may be encrypted
  - Encrypted data is generally encoded
    - Base64
    - ASCII hex
    - URL encoding
  - Decoded data is likely encrypted if seemingly random
  - Modification of values may result in decryption-related errors

Decryption Oracles: Find Decrypted Output
- May be reflected
  - Normal output
  - Error
- May be given in later response
- May be inferred from modified output
- May be stored and not shown
  - Additional vulnerabilities may reveal output

Decryption Oracles: An Example
- Scenario
  - Consider “GetPage.php?file=<encrypted_stuff>”
  - Opens a file to be included based on encrypted input
  - Allows for quick page additions
  - Prevents file inclusion attacks…?
  - Assumes properly encrypted input is sanitary
  - Errors are verbose
- Usage
  - Feed the script some ciphertext
  - Record the “file” the error tells you wasn’t found

Encryption Oracles: Find Encrypted Data
- Often found in
  - Cookies
  - Hidden variables
  - Databases
  - File resident data
Flickr Creative Commons – Gideon van der Stelt

Encryption Oracles: Determine Point of Entry
- Frequently encrypted data
  - Client-side state variables
  - Passwords
  - Financial data
  - Anything sufficiently sensitive
- Being encrypted is not enough
  - We need to be able to manipulate it
  - And see the ciphertext

Encryption Oracles: An Example
- Scenario
  - Consider “auth” cookie, encrypted
  - Username + “:” + password_hash + “:” + timestamp
  - Assume usernames can’t contain “:” character
  - No delimiter injection
  - Timestamp to control expiration
- Usage
  - Register with any username, log in
  - Copy cookie value and replace any encrypted input with it
  - Can’t use colons or control suffix
  - Might not matter

Padding Oracles
- Input must be encrypted
- Must be a padded block cipher
- Valid vs. invalid padding is distinguishable
  - This is the essence of a padding Oracle
- Padding Oracles can be used as decryption Oracles
- Using the CBC-R technique they are also encryption Oracles
  - May be limited in that the first block will be garbled

Exploiting Cryptographic Oracles
Breaking bad crypto and bad crypto usage

Converting One Oracle Into Another
- Padding Oracles only tell you whether padding is valid
  - This information can be used to decrypt data
  - In some circumstances, it can also be used to encrypt
- Decryption Oracles
  - Can be converted to encryption Oracles using brute force
  - Far more effective with stream ciphers
- Encryption Oracles
  - Can be converted to decryption Oracles using brute force
  - Again, more effective with stream ciphers

Attack 0: Crypto Recon
- Check for static key, IV, and deterministic cipher
  - Encrypt the same plaintext twice
  - Check to see if they are identical
- Check for stream vs. block ciphers
  - Encrypt plaintexts of various sizes
  - Compare plaintext size to ciphertext size
- Check for ECB block cipher mode
  - Encrypt repeating plaintext blocks
  - Look for repetitive ciphertext
- Check for stream cipher feedback
  - Change the first byte
  - Observe whether the following bytes change

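The four checks on this slide, written as a self-audit that a developer can run against their own encryption routine before it ships (an added example, not code from the talk). The three toy ciphers, the key and the `crypto_recon` function are constructed for illustration and are not real ciphers.

```python
import hashlib
import os

BLOCK = 8  # toy block size in bytes (constructed for this example)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _block_encrypt(key, block):
    """Toy 4-round Feistel permutation on one 8-byte block. Not a real cipher."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, _xor(left, f)
    return left + right

def _pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def make_ecb(key):
    """Static key, no IV, each block encrypted independently (weak)."""
    def encrypt(pt):
        p = _pad(pt)
        return b"".join(_block_encrypt(key, p[i:i + BLOCK])
                        for i in range(0, len(p), BLOCK))
    return encrypt

def make_cbc_random_iv(key):
    """Chained blocks with a fresh random IV prepended to every ciphertext."""
    def encrypt(pt):
        p, prev = _pad(pt), os.urandom(BLOCK)
        out = [prev]
        for i in range(0, len(p), BLOCK):
            prev = _block_encrypt(key, _xor(p[i:i + BLOCK], prev))
            out.append(prev)
        return b"".join(out)
    return encrypt

def make_static_stream(key):
    """Keystream derived from the key alone, so it repeats on every call (weak)."""
    def encrypt(pt):
        ks, ctr = b"", 0
        while len(ks) < len(pt):
            ks += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
            ctr += 1
        return _xor(pt, ks)
    return encrypt

def crypto_recon(encrypt):
    """Run the slide's checks against an encrypt(bytes) -> bytes callable."""
    report = {}
    # Static key/IV and deterministic cipher: same plaintext twice.
    probe = b"A" * 16
    report["deterministic"] = encrypt(probe) == encrypt(probe)
    # Stream vs. block: compare plaintext size to ciphertext size.
    lengths = [len(encrypt(b"A" * n)) for n in range(1, 65)]
    steps = {b - a for a, b in zip(lengths, lengths[1:])}
    if steps == {1}:
        report["kind"], report["block_size"] = "stream", None
    else:
        report["kind"], report["block_size"] = "block", max(steps)
    # ECB: repeating plaintext blocks give repeating ciphertext blocks.
    report["ecb"] = None
    if report["kind"] == "block":
        bs = report["block_size"]
        ct = encrypt(b"A" * (bs * 4))
        blocks = [ct[i:i + bs] for i in range(0, len(ct), bs)]
        report["ecb"] = len(set(blocks)) < len(blocks)
    # Stream feedback: change the first byte, see if later bytes change.
    # Only meaningful when output is deterministic.
    report["feedback"] = None
    if report["kind"] == "stream" and report["deterministic"]:
        a = encrypt(b"A" + b"B" * 15)
        b = encrypt(b"C" + b"B" * 15)
        report["feedback"] = a[1:] != b[1:]
    return report

if __name__ == "__main__":
    key = b"constructed-demo-key"
    for name, make in [("ecb", make_ecb), ("cbc", make_cbc_random_iv),
                       ("stream", make_static_stream)]:
        print(name, crypto_recon(make(key)))
```

A routine that reports `deterministic: True` or `ecb: True` shows the static key/IV and pattern leakage the slides list under "Very Basic Mistakes".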
- And they’re not cryptographers
- And it doesn’t end well
- Real homespun crypto seen in the wild:
  - “hello” might become “KqIKefKPrPKPrPKuJXK”

Attack 1: Bad Algorithms
- Is there substitution?
  - Submit “AAAA” : Get “KLoKLoKLoKLoK”
  - We can already see patterns, too
- Is there transposition?
  - Submit “AABB” : Get “KLoKLoKaBeKaBeK”
  - We can see more patterns
  - The “K” seems to be a delimiter
  - Substitution doesn’t change on position
- One replacement per letter
  - The Oracle tells us what each maps to

Attack 1.75: Bride of Bad Algorithms
- For some simple ciphers like xor
  - Encryption = Decryption
- THUS
  - Encryption Oracle = Decryption Oracle
- THUS
  - Such ciphers are made completely useless by leaking output
- THUS
  - For God’s sake stop using xor

Attack 1: Bad Algorithms
DEMO

Attack 2: Trusted Encrypted Input
- People tend to reuse keys and IVs
- If we can encrypt arbitrary data in one place
  - It may work in another
- If devs don’t think you can mess with input
  - They probably won’t sanitize it
- Encrypted inputs with MAC aren’t totally tamper-proof


Daniel Crowley - Speaking with Cryptographic Oracles

Editor's notes

  1. The first step is to identify where encrypted user input occurs. From a black box perspective, we first need to identify all of the user inputs, then determine which of them may be encrypted,