> so this is for interested amateurs - i don't think the nsa is going to be very excited learning who has completed the course...
Yes. Though: I studied cryptography as part of mathematics in university, and while we studied much more sophisticated attacks and ways to break your ciphers, we never actually ended up coding up the breaks even of comparatively trivial attacks.
What's an example of a sophisticated class of attacks we have poor coverage on? (If you like, mail me directly; we're not publishing exactly what the challenges are).
I'd appreciate leads on places we should expand our coverage. Sean is already working on set 7, and we're pulling attacks out of the recent literature to do that.
Do you have anything on certificate verification? Not that I actually know anything about it, but.. here, I think these words from Moxie Marlinspike about sum it up:
"I’m not actually a supporter of the general adage “never roll your own crypto.” I believe that cryptography is a fairly closed system, and that it’s relatively straightforward to learn how to carefully use cryptographic primitives to build protocols securely. Certificate validation, on the other hand, is something that I would recommend people avoid doing themselves, if possible. It’s mired in cruft and gotchas."[1]
Moxie covers a few examples in the link, but it would be interesting to see some more along those lines.
I think very highly of Marlinspike, and he is clearly smarter than I am, but he is wrong on this point. No, one thing I will say about our challenges: we don't spend time on certificate parsing. We thought about it, but decided people were unlikely to run into a lot of new X.509 implementations that can't handle a NUL byte (and things like that), at least not as likely as the other bugs we showcase.
Edit: I read this comment out of context. Sorry. Obviously, I asked for examples of flaws we could cover. Thanks for offering one up.
I've only just started the first 8 of the series of challenges. (Thanks!)
One thing I remember breaking (in theory) in university was a crypto-system based on the knapsack problem. But it is not in use in practice (because it has been broken). I don't know whether you included it.