Forging administrator cookies and crocking crypto ... for dummies

Gun security chap releases infosec 101 courseware and book

Security pro Laurens Van Houtven has created a free introductory cryptography course to help programmers lift their infosec game.

The Crypto 101 book contained everything needed to understand complete systems, including block and stream ciphers; hash functions; message authentication codes; public key encryption; key agreement protocols; and signature algorithms.

Van Houtven (@lvh) said the course developed simple to more advanced primitives demonstrating the importance of each, and culminated in complete cryptosystems like Transport Layer Security (TLS), GPG, and Off The Record (OTR).

"Learn how to exploit common cryptographic flaws, armed with nothing but a little time and your favourite programming language," Van Houtven wrote of the course.

"Forge administrator cookies, recover passwords, and even backdoor your own random number generator."

"... . The goal of this book is not to make anyone a cryptographer or a security researcher. The goal of this book is to understand how complete cryptosystems work from a bird’s eye view, and how to apply them in real software."

Laurens Van Houtven

Crypto 101 contains exercises in which technology bods can test their crypto chops.

Van Houtven said cryptography could no longer be deemed a game for experts given the recent large breaches resulting from borked or non-existent encryption.

"We must join them (cryptology and programming) into one world where all programmers are educated in the basic underpinnings of information security, so that they can work together with information security professionals to produce more secure software systems for everyone," he said.

Other free crypto courses exist, including Stanford University's Cryptography courses (which include video and homework), its applied cryptography course, and Open Security Training.

Van Houtven built the course as an extension of his talk given last year on breaking crypto. He advised delegates at the time that "the most important thing to remember" was to use TLS for data in motion and GPG for data at rest.





Biting the hand that feeds IT © 1998–2019