i'm a third of the way through these and they're really entertaining - i am going to recommend them to my colleagues at the next weekly meeting.
i "knew" some of the attacks were possible, but had no real idea of how to go about exploiting them "for real" - this course works you through practical applications (and i found it to be pitched at an almost perfect level - it moves fast enough to be interesting, but not so fast you get lost).
they're quite meaty - doing one email (out of the 6) takes at least a day for me (but there's also some slack - you've got quite a bit of freedom and i think you could spend more or less time, depending on exactly what you choose to do.)
i haven't needed any deep technical knowledge or hard maths (but i already knew, for example, what a "block cipher" was and what "modes of operation" were, even if i couldn't tell you which did what without looking at wikipedia). the hardest part has just been "bookkeeping" in the code - tracking which offset in the array of data i am modifying, etc. the usual programming details.
so this is for interested amateurs - i don't think the nsa is going to be very excited learning who has completed the course...
(also, fwiw, i'm using python 3.3 (the new "yield from" is very useful when writing code that modifies sequences) and it's plenty fast enough so far)
> so this is for interested amateurs - i don't think the nsa is going to be very excited learning who has completed the course...
Yes. Though: I studied cryptography as part of mathematics in university, and while we studied much more sophisticated attacks and ways to break your ciphers, we never actually ended up coding up the breaks even of comparatively trivial attacks.
What's an example of sophisticated class of attacks we have poor coverage on? (If you like, mail me directly; we're not publishing exactly what the challenges are).
I'd appreciate leads on places we should expand our coverage. Sean is already working on set 7, and we're pulling attacks out of the recent literature to do that.
Do you have anything on certificate verification? Not that I actually know anything about it, but.. here, I think these words from Moxie Marlinspike about sum it up:
"I’m not actually a supporter of the general adage “never roll your own crypto.” I believe that cryptography is a fairly closed system, and that it’s relatively straightforward to learn how to carefully use cryptographic primitives to build protocols securely. Certificate validation, on the other hand, is something that I would recommend people avoid doing themselves, if possible. It’s mired in cruft and gotchas."[1]
Moxie covers a few examples in the link, but it would be interesting to see some more along those lines.
I think very highly of Marlinspike, and he is clearly smarter than I am, but he is wrong on this point. No, one thing I will say about our challenges: we don't spend time on certificate parsing. We thought about it, but decided people were unlikely to run into a lot of new X.509 implementations that can't handle a NUL byte (and things like that), at least not as likely as the other bugs we showcase.
Edit: I read this comment out of context. Sorry. Obviously, I asked for examples of flaws we could cover. Thanks for offering one up.
I've only just started the first 8 of the series of challenges. (Thanks!)
One thing I remember breaking (in theory) in university was a crypto-system based on the knapsack problem. But it is not in use in practice (because it has been broken). I don't know whether you included it.