The Factoring Dead: Preparing for the Cryptopocalypse

Presented at Black Hat USA 2013, Aug. 1, 2013, 10:15 a.m. (60 minutes)

The last several years have seen an explosion of practical exploitation of widespread cryptographic weaknesses, such as BEAST, CRIME, Lucky 13 and the RC4 bias vulnerabilities. The invention of these techniques requires a lot of hard work, deep knowledge and the ability to generate a pithy acronym, but rarely involves the use of a completely unknown weakness. Cryptography researchers have known about the existence of compression oracles, RC4 biases and problems with CBC mode for years, but the general information security community has been unaware of these dangers until fully working exploits were demonstrated.

In this talk, the speakers will explain the latest breakthroughs in the academic crypto community and look ahead at what practical issues could arise for popular cryptosystems. Specifically, we will focus on the latest breakthroughs in discrete mathematics and their potential ability to undermine our trust in the most basic asymmetric primitives, including RSA. We will explain the basic theories behind RSA and the state of the art in large-number factoring, and how several recent papers may point the way to massive improvements in this area.

The talk will then switch to the practical aspects of the doomsday scenario, and will answer the question "What happens the day after RSA is broken?" We will point out the many obvious and hidden uses of RSA and related algorithms and outline how software engineers and security teams can operate in a post-RSA world. We will also discuss the results of our survey of popular products and software, and point out the ways in which individuals can prepare for the zombi^H^H^H crypto apocalypse.


Presenters:

  • Javed Samuel - iSEC Partners
    Javed Samuel is a Security Consultant at iSEC Partners, a strategic digital security organization, performing application and system penetration and architecture tests, reviews and analysis for multiple platforms and environments. He graduated with an MEng and BSc in Computer Science from MIT. He also obtained a Rhodes Scholarship and completed an MSc in Applied and Computational Mathematics at Oxford University. Prior to iSEC, he worked as a Software Developer with the Oracle Database Security group. His research interests are centered around cryptography, privacy and the economics of security.
  • Thomas Ptacek - Matasano Security
    Thomas H. Ptacek cofounded Matasano Security with Dave Goldsmith and Jeremy Rauch in 2005.
  • Tom Ritter - iSEC Partners
    Tom Ritter is a Security Consultant at iSEC Partners, a strategic digital security organization, performing application and system penetration testing and analysis for multiple platforms and environments. He graduated from Stevens Institute of Technology with a Master's in Computer Science; prior to iSEC, he worked as a Security Engineer at a leading security consulting company and a Team Lead in .Net and SQL Server Development for a Financial Services Company. He has presented at security conferences in Europe, North and South America and is involved in IETF Working Groups relating to the internet-standard secure protocols. His research interests are centered around cryptography, anonymity, and privacy.
  • Alex Stamos - Artemis Internet
    Alex Stamos is the CTO of Artemis, the division of NCC Group that is taking on hard security problems starting with the .Secure gTLD. He was the co-founder of iSEC Partners, one of the world's premier security consultancies and also a part of NCC Group. Alex has spent his career building or improving secure, trustworthy systems, and is a noted expert in Internet infrastructure, cloud computing and mobile security. He is a frequently requested speaker at conferences such as Black Hat, Defcon, Amazon ZonCon, Microsoft Blue Hat, FS-ISAC and Infragard. He holds a BSEE from the University of California, Berkeley and his personal security writings are available at http://unhandled.com.
