Tales from the Cryptography

  • Mon, May 19, 2025
  • 5:30PM - 6:30PM GST
  • English
  • David Szili
  • Technical Presentation

The terms "rolling your own encryption" or "in-house built cryptography" should give everyone the chills. But what if a developer uses all the right tools and libraries without understanding the building blocks or cryptography in general? Just because you had Argon2, bcrypt, scrypt, AES, RSA, or any other ingredients of the cryptography acronym soup in your code, it does not make your application secure! In this talk, I will bring you fresh examples of cryptographic failures from 2024.

From an open-source project used by millions through proprietary Java code to a Fortune 500 developer company's software product, we will look at the mistakes made by programmers to demonstrate the truth in the common (although not very elaborate) saying in the industry: "cryptography is hard!" We will try to understand why these issues were still a thing in 2024 (and most likely, they will still exist in 2025) and what we can do about them. Also, as every coin has two sides, we need to talk about the fact that defenders can also leverage these mistakes to their advantage. Whether they are fighting ransomware or attempting to decrypt C2 communications, breaking weak cryptography can be the key to success, so practical cryptanalysis is a useful skill to have.

Meet the speaker

David Szili

Managing Partner

David has 10+ years of professional experience in penetration testing, red teaming, vulnerability assessment and management, security monitoring, security architecture design, incident response, digital forensics, and software development.
