Monday, November 16, 2015

Teaching Crypto without the Sandworms

Patterns are bad for fictional characters and our web cryptographics


The Immunity ethos for education is that learning only comes from struggle and suffering. But suffering is always better as a team.

We’re constantly trying to balance not coddling our students with making the content achievable by most. Another key thing to understand is that at Immunity a critical part of our consulting output is exploits, so we expect our students to solve most of the exercises with PoCs. At Immunity there’s a heavy internal emphasis on each member of the technical team teaching one of our courses, and we also ensure our own team goes through each course.

Of course, the primary activity of any security consultant is web security assessments. Because of that, we've worked hard tuning our Web Hacking class.

Web Hacking is a three-day course with 21 hours of hands-on instruction. Unlike many classes in this area, we dedicate the entire last day to nothing but crypto. The most important element of successfully teaching this kind of material is the following rule: There cannot be more than 20 minutes of lecture before the students are doing an exercise.
"I have talked all I can talk, and now it is your turn."

The culminating exercise of each section is usually the students working independently for over an hour. Thinking in terms of constraints for crypto: we have 7 hours of classroom time to teach cryptographic attacks to an extremely varied audience. A brief pause here to acknowledge my coworker Matias Soler (@gnuler) who wrote this portion of the class - it’s the most difficult content we cover and it’s also the content we get the most positive feedback about. There's a lot of work in-between "How do I do this?" and "How do I teach this?" when it comes to some of these attacks, and we've built quite a lot of infrastructure to help us in class, from games, to sample bugs, to automation.

This is not a slide. It's a fully dynamic website to help you understand the attack.

So why learn the alphabet crypto soup that is ECB, CBC and padding oracles? It makes more sense to work backwards from padding oracle vulnerabilities. This is something we see a lot in consulting. ECB gets you blocks and padding. CBC gets you IVs and IMVs. You need all of that to understand padding oracle attacks. So how do we teach that?


Each topic is covered separately, so we have two exercises on ECB, two for CBC and two for padding oracle. Students tend to get very nervous about the math but there really isn’t anything more complex than algebra in the content we cover. The only mathematical operation students probably didn’t cover in high school is xor. Since we’ve been teaching this we haven’t had any student say they got stuck on the math. Much more problematic is thinking through the CBC algorithm. I think students immediately start imagining how impossible it would be to keep all the state in your head when processing more than a handful of blocks.
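The pieces named above (blocks and padding from ECB, IVs and per-block intermediate values from CBC, which is how we read "IMVs") can be traced in a few lines. This is an added example, not code from the original post or from the course material; the toy Feistel cipher stands in for AES, and the key, IV and message are constructed.

```python
import hashlib

BLOCK = 16                              # bytes per block, as in AES
ENC, DEC = (0, 1, 2, 3), (3, 2, 1, 0)   # Feistel round order

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, blk, rounds):
    # Toy block cipher (assumption: stands in for AES; not secure).
    l, r = blk[:8], blk[8:]
    for i in rounds:
        f = hashlib.sha256(key + bytes([i]) + r).digest()[:8]
        l, r = r, xor(l, f)
    return r + l

def pad(data):  # PKCS#7: append n bytes of value n, 1 <= n <= BLOCK
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):  # blocks encrypted independently
    return b"".join(feistel(key, b, ENC) for b in blocks(pad(pt)))

def cbc_encrypt(key, iv, pt):  # XOR with previous ciphertext block first
    out = [iv]
    for b in blocks(pad(pt)):
        out.append(feistel(key, xor(b, out[-1]), ENC))
    return b"".join(out[1:])

def cbc_trace(key, iv, ct):  # returns (plaintext, intermediate values)
    cts = blocks(ct)
    mids = [feistel(key, c, DEC) for c in cts]  # cipher output before XOR
    pt = b"".join(xor(m, p) for m, p in zip(mids, [iv] + cts))
    return unpad(pt), mids

KEY, IV = b"constructed-key", bytes(BLOCK)  # constructed; real IVs are random
MSG = b"A" * 32                             # two identical plaintext blocks

if __name__ == "__main__":
    print("ECB:", [b.hex()[:8] for b in blocks(ecb_encrypt(KEY, MSG))])
    print("CBC:", [b.hex()[:8] for b in blocks(cbc_encrypt(KEY, IV, MSG))])
```

Under ECB the two identical plaintext blocks produce identical ciphertext blocks, while under CBC they differ; `cbc_trace` exposes the value each block holds before it is XORed with the previous ciphertext block, which is the state students otherwise have to keep in their heads.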

We put a lot of effort into diagramming the algorithms, and we wrote a pretty extensive suite of ‘helper’ web applications where students can plug values into different parts of the process and see how it affects everything else. If a student comes into our class with 0 programming experience I can be pretty satisfied as a teacher if they can solve the exercise with the helpers. We tend to throw multi-step problems at students but we’ve built up optional content that breaks the problems down into their component steps and solutions so that if someone is REALLY struggling we can inch them forward. At least once per class a student comes up to the front and we whiteboard a problem with them.

There is a vast wealth of crypto content that is relevant to penetration testers that we could cover. ECB, CBC and padding oracle fit together neatly and within the time we have available. Internally we’ve been talking about what we might add to it, what will be covered in master class and so on. Since we make a real effort to make the content modular it’s not impossible that we may offer a course that only covers crypto at some point in the future. And of course, there's even more cryptographic work happening in the INFILTRATE Master Class, but that's something for another post. :)