Learning objectives

The participants will gain a deeper understanding of the various versions of the SSL and TLS protocols. The historic development of the protocols will be explained together with their associated strengths and weaknesses. By using the current specification of TLS Version 1.3, we will look into the future in order to recognize trends and further developments. The various known attacks on SSL and TLS will be explained with reference to theoretical principles and practical exercises. Alongside the attacks, measures to protect one’s own infrastructure will be introduced.

The exercises will be done on www.hacking-lab.com. Following the course, the labor environment is available to the participants for 30 days more

Demarcation: The course focuses on SSL/TLS and the known attacks associated with them. The fundamentals of RSA, AES, Diffie-Hellman and operating modes of block encryptions are not subject of the course.

Highlights

  • Introductions of the various protocols
    • SSL v3
    • TLS 1.0
    • TLS 1.1
    • TLS 1.2
    • TLS 1.3 and relevant innovations
  • Known attacks on SSL/TLS
    • “Padding Oracle“ attacks
    • BEAST
    • Compression attacks
    • Side channel attacks
    • Heartbleed
  • Datagram Transport Layer Security (DTLS)
  • Secure configuration of an Apache HTTP Server (HPKP, HSTS)
  • Inspection proxies
  • Public Key Infrastructure

                              Target group

                              • Security Officers
                              • Technology Officers
                              • Operators of Infrastructures
                              • Developers of E-Business Applications

                               Prerequisite

                              • Familiarity with the Linux command line
                              • Basic knowledge of cryptography
                              • TCP/UDP network technology

                              CALENDAR

                              Beer-Talk in St. Gallen: Azure Security 101

                              Im Sommer 2018 kündigte Microsoft an, ihre Cloud-Lösungen aus Schweizer Rechenzentren anzubieten. Viele hiesige KMUs und Grossunternehmen haben sich... Read more

                              Swiss Cyber Hackathon 2019 / Zurich

                              Simulating Real World Cyber Scenarios – Educational Cyber Competition of Defending your Environment and Attacking your Opponents Read more

                              Internet Security Days 2019 - Game of IT-Security

                              Based on the theme "Online Security", a wide conference program and an exhibition awaits you on September 26/27, 2019. New in the programme are... Read more

                              ALL DATES

                              NEWS

                              So leicht wird dein Handy gehackt

                              Die Blick-Reporterin weiss dank Ivan Bütler, warum man auch bei einer SMS von Mami kritisch sein soll. Read more

                              Rückblick Digitaltag 2019

                              Ivan Bütler von Compass Security hat einen aufregenden Digitaltag hinter sich. Seine Live Hacks am Züricher Hauptbahnhof waren ein Publikumsmagnet. Read more

                              Wie steht es um die Sicherheit der Schweizer Stromversorgung?

                              Im Bericht der Eidgenössischen Elektrizitätskommision kommt die Schweizer Stromversorgung diesbezüglich nicht gut weg. Studerus AG hat dazu Cyrill... Read more

                              ARCHIVES

                              Compass Security Blog

                              enOcean Security

                              In this post, we are going to take a closer look at the enOcean technology, how security is implemented, and if the security measures and options available are sufficient. mehr

                              Privilege escalation in Windows Domains (3/3)

                              In this last article about privilege escalation in Windows domains, we demonstrate how to extract credentials from running systems to compromise high-privileged accounts. mehr

                              ZUM BLOG