Chris Eng: Breaking Crypto Without Keys: Analyzing Data in Web Applications
Black Hat Briefings, Las Vegas 2006 [Video] Presentations from the security conference
English - June 04, 2006 23:10 - 1 hour - 140 KB Video - ★★★★ - 4 ratings
How often have you encountered random-looking cookies or other data in a web application that didn't easily decode to human-readable text? What did you do next: ignore it and move on, assuming that it was encrypted data and that brute forcing the key would be infeasible? At the end of the test, when the application developer informed you that they were using 3DES with keys rotating hourly, did you tell them they were doing a good job, secretly relieved that you didn't waste your time trying to break it?
This presentation will discuss penetration testing techniques for analyzing unknown data in web applications and demonstrate how encrypted data can be compromised through pattern recognition and only a high-level understanding of cryptography concepts. Techniques will be illustrated through a series of detailed, step-by-step case studies drawn from the presenter's penetration testing experience.
This is not a talk on brute forcing encryption keys, nor is it a discussion of weaknesses in cryptographic algorithms. Rather, the case studies will demonstrate how encryption mechanisms in web applications were compromised without ever identifying the keys or even the underlying ciphers.
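The abstract's premise is that opaque token data reveals structure before any key is known: block alignment, repeated blocks, and which bytes move when one input field changes. The script below is an added example written for this listing, not code from the talk or from the presenter, and it shows the kind of structural audit a reviewer can run over their own application's tokens to decide whether "it's encrypted" is actually a sound answer. Every name in it (`decode_token`, `analyse`, `differing_blocks`, `TokenReport`) is the example's own, the sample tokens are constructed from SHA-256 digests as stand-ins for ciphertext blocks rather than produced by any real cipher, and the entropy and block-size thresholds are heuristics chosen for illustration.

```python
"""Structure-only analysis of opaque web tokens (constructed example, no keys involved)."""
import base64
import binascii
import hashlib
import math
import string
from collections import Counter
from dataclasses import dataclass, field

BLOCK_SIZES = (8, 16)                      # DES/3DES and AES block lengths in bytes
PRINTABLE = set(string.printable.encode())


def decode_token(token: str) -> bytes:
    """Undo the transport encoding (hex, then base64/base64url); fall back to raw bytes.
    Short all-alphabet strings are ambiguous, so treat the result as a hint, not a verdict."""
    s = token.strip()
    if s and len(s) % 2 == 0 and all(c in string.hexdigits for c in s):
        return bytes.fromhex(s)
    std = s.translate(str.maketrans("-_", "+/"))   # base64url -> standard alphabet
    std += "=" * (-len(std) % 4)                    # restore stripped padding
    try:
        return base64.b64decode(std, validate=True)
    except binascii.Error:
        return s.encode()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Ciphertext approaches min(8, log2(len)); ASCII text sits well below."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def repeated_blocks(data: bytes, block_size: int) -> int:
    """Number of duplicate blocks at a fixed alignment; any repeat is the classic ECB signature."""
    usable = len(data) - len(data) % block_size
    blocks = [data[i:i + block_size] for i in range(0, usable, block_size)]
    return len(blocks) - len(set(blocks))


def differing_blocks(a: bytes, b: bytes, block_size: int) -> list[int]:
    """Indices of blocks that differ between two tokens of the same shape. If changing one
    field (say, the user name) moves exactly one block, that block encodes that field."""
    n = min(len(a), len(b)) // block_size
    return [i for i in range(n)
            if a[i * block_size:(i + 1) * block_size] != b[i * block_size:(i + 1) * block_size]]


@dataclass
class TokenReport:
    length: int
    entropy: float
    printable: bool
    aligned_to: list[int] = field(default_factory=list)
    ecb_suspect: bool = False
    notes: list[str] = field(default_factory=list)


def analyse(token: str) -> TokenReport:
    """Collect the structural observations a reviewer would make before touching any cipher."""
    data = decode_token(token)
    rep = TokenReport(length=len(data), entropy=round(shannon_entropy(data), 2),
                      printable=all(b in PRINTABLE for b in data))
    if rep.printable:
        rep.notes.append("decodes to readable text: encoded, not encrypted")
    for bs in BLOCK_SIZES:
        if rep.length and rep.length % bs == 0:
            rep.aligned_to.append(bs)
            if repeated_blocks(data, bs) > 0:
                rep.ecb_suspect = True
                rep.notes.append(f"repeated {bs}-byte blocks: ECB-style mode likely")
    ceiling = min(8.0, math.log2(rep.length)) if rep.length > 1 else 8.0
    if not rep.printable and rep.entropy < 0.75 * ceiling:   # heuristic threshold
        rep.notes.append("entropy low for its length: weak or no cipher")
    return rep


def _blk(label: str) -> bytes:
    """Deterministic 16-byte stand-in for a ciphertext block (constructed, not real encryption)."""
    return hashlib.sha256(label.encode()).digest()[:16]


# Constructed sample tokens: one merely base64-encoded, one with a repeated block (ECB-like),
# and two CBC-like tokens that differ only in their middle block.
PLAIN_TOKEN = base64.b64encode(b"user=alice;role=member").decode()
ECB_TOKEN = base64.urlsafe_b64encode(_blk("a") + _blk("b") + _blk("a")).decode()
CBC_TOKEN = base64.urlsafe_b64encode(_blk("a") + _blk("b") + _blk("c")).decode()
CBC_TOKEN_B = base64.urlsafe_b64encode(_blk("a") + _blk("d") + _blk("c")).decode()

if __name__ == "__main__":
    for name, tok in [("plain", PLAIN_TOKEN), ("ecb", ECB_TOKEN), ("cbc", CBC_TOKEN)]:
        print(name, analyse(tok))
    print("blocks that changed:", differing_blocks(decode_token(CBC_TOKEN), decode_token(CBC_TOKEN_B), 16))
```

On the constructed inputs the first token is flagged as encoded rather than encrypted, the second aligns to both 8 and 16 bytes and contains a repeated block, and the two CBC-like tokens differ only in block 1. The mitigations these findings point to are the usual ones: a random IV with an authenticated mode, or, for session identifiers, an opaque random value looked up server-side so that the token carries no structure at all.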