Ruben A. Gonzalez - Personal Website

Ruben A. Gonzalez

Cryptographer with a focus on implementation security. PhD in cryptography engineering.

Security Researcher, Neodyme AG

ruben@neodyme.io [GPG key]

Visiting Researcher, Max Planck Institute S&P

mail@ruben-gonzalez.de [GPG key]

Blog

Interests

Cryptography Engineering
Post-Quantum Cryptography
Advanced Crypto Constructions and Protocols
Vulnerability Research & Hacking

Publications

Select Publications

Stateless Hash-Based Signatures for Post-Quantum Security Keys, Applied Cryptography and Network Security Conference (ACNS SCI)

Ruben Gonzalez

blog code pdf

High-assurance zeroization, Transactions on Cryptographic Hardware and Embedded Systems

R Gonzalez , S Arranz Olmos , G Barthe , B Grégoire , V Laporte , J Léchenet , T Oliveira , P Schwabe

code pdf

Rambox TLS Plaintext Recovery - CVE-2023-43972, MITRE

Ruben Gonzalez

KEMTLS vs. Post-quantum TLS: Performance on Embedded Systems, SPACE Conference

R Gonzalez , T Wiggers

code pdf

Croc Full Plaintext Recovery - CVE-2021-31603, MITRE/RedRocket Blog

Ruben Gonzalez , Aaron Kaiser

blog

How to Hack a Satellite (German), P.M. Magazin

P.M. , Ruben Gonzalez

web

Kyber - How does it work? The Inner Workings of the Post-Quantum KEM, Blog Post

Ruben Gonzalez

blog

Reversing and Hacking Age of Empires 2: Definitive Edition, Microsoft/RedRocket Blog

Ruben Gonzalez , F. Stotz

blog

TinyDTLS Full Key Recovery - CVE-2021-34430, NIST/Eclipse

Ruben Gonzalez

web

Verifying Post-Quantum Signatures in 8 kB of RAM, PQCrypto Conference

R Gonzalez , A Hülsing , M Kannwischer , J Krämer , T Lange , M Stöttinger , E Waitz , T Wiggers , Bo-Yin Yan

code pdf slides video

BigBlueButton Local File Inclusion/Privilege Escalation - CVE-2020-12112, MITRE/RedRocket Blog

L. Schauer , Ruben Gonzalez

writeup

Teaching

Trainings, Seminars and further Academic Work

Coach: German National Hacking Team , European Cyber Security Challenge
Hacking Cryptography , DEFCON Trainings
Black Hat Cryptography , Black Hat Trainings
Cry.College: Online Lecture on Modern Cryptography
Cryptography in the Real World , devSec Conference
Cryptography: Hacking and Cracking , Hack in the Box Conference
Modern Authentication , Heise Academy
Crypto Basics , Golem Karrierewelt
WebSecSeminar: Research Seminar on Web Security , Bonn UAS
HookFTW: A Windows Hooking Library , Master Project Supervision, Bonn UAS
Syntax Aware Fuzzing For Indentifying Parser Differentials , Bachelor Thesis Supervision, Bonn UAS
Reviewer , Paper on Improving Schindler Style Error Correction, CARDIS
Offensive Security: Online Lecture on Hacking Techniques , Bonn UAS
Tutor for Lecture Operating Systems , Constance UAS

Talks

Presentations Held (Selection)

Hacking Corporations: A Defender’s Guide , SecIT, Hannover
Better Information Security Management in Hospital , DMEA
Post-Quantum Migration , BDEW Bundesverband der Energie- und Wasserwirtschaft/German Association of Energy and Water Supply
Cyber Security for Judges and Prosecutors , Deutscher Juristentag/German Attorneys Association
Web Application Security , Malta Information Technology Agency
Kyber and Post-Quantum Crypto - How does it work? , Chaos Communication Congress
Foundations of Modern Cryptography , Fraunhofer Academy Training.
Laymen’s Guide to Information Security , Fraunhofer Academy Training.
Information Security for Endusers , German Farmers Day
Curveball - Mircosoft’s Crypto Screwup , Cooleleute.live.
Real World Crypto in The Actual Real World , DS Lunch Colloquium, Radboud University.
How to Learn (and Teach) Hacking , OWASP AppSec.
News On Error Correction Methods for SPA on Blinded Modular Exponentiation , JIL Hardware-Related Attacks Subgroup, Brussels
AI, Heuristics and NP in Laymen’s Terms , Datenburg
Hosting CTFs with Berlyne , FrOSCon, 2017.

Press

Selection Of Interviews And Press Coverage

Spiegel Article about Car Hacking (German) , Spiegel
Gamestar Podcast about RedRocket and Game Hacking (German) , Gamestar
How to Hack a Satellite (German) , PM Wissen
US Competition: Hackerteam of Bonn UAS Wins (German) , Cologne Messenger
Nobody hears you hack in space (German) , Der Spiegel
Competetive Hacking Team from Bonn (German) , Generalanzeiger Bonn
THIRD PLACE: FLUXREPEATROCKET AT HACK-A-SAT (German) , Press Release Bonn UAS
RedRocket Hacks at ProCTF in Abu Dhabi (German) , Bonn UAS Press Release
RedRocket Team finding Vulnerabilities (German) , Cologne Messenger
Sauercloud Qualifies for DEFCON CTF (German) , Bonn UAS Press Release
TV Report about RedRocket winning the CyberSecRumble (German) , WDR Lokalzeit Bonn
Team RedRocket Rocks Cyber Security Rumble In Bonn (German) , Bonn UAS Press Release

Projects

Involved Projects

Board Member - Nachwuchsförderung IT-Sicherheit e.V.

website

Chairman - RedRocket Hacking Club

website

Co-Organizer - Cyber Security Rumble

website

Hackfest - Problem Based Learning Platform for Interactive Course Work

code website

Organizer - German Hacking Championship

website

Edu25519 - Curve25519 Implementation Optimized For Readability

code

Cry.College-Lib - Python Library implementing many crypto primitives.

code

eccfun - Python Library For Interactively Exploring Elliptic Curves

code

CTF Tasks

Hacking Challenges Authored

BfLol, CyberSecurityRumble

Binary Exploitation, Brainfuck Interpreter PWNing, 300/500

challenge writeup

Blow, CyberSecurityRumble

Crypto, Inavlid Curve Attack On Faulty JWT Usage, 500/500

challenge writeup

CyberWall, CyberSecurityRumble

Web, Code Injection, 100/500

challenge writeup

DLog, CyberSecurityRumble

Crypto, Invalid Point Submission Attack, 200/500

challenge writeup

DTlS, CyberSecurityRumble

Crypto, Exploit Faulty DTLS Implementation, 400/500

challenge

EzDSA, CyberSecurityRumble

Crypto, EcDSA Nonce Reuse Attack, 200/500

challenge writeup

Secure Secret Sharing, CyberSecurityRumble

Web, NoSQL Injection Attack, 300/500

challenge writeup

CityRSA, P.W.N. University CTF

Crypto, Exploit Faulty RSA-CRT Implementation, 300/500

writeup

Converter, P.W.N. University CTF

Crypto, Exploit CBC Padding Oracle, 200/500

writeup

H!pster Startup, P.W.N. University CTF

Web, ArangoDB Injection Attack, 300/500

writeup

Whistle, P.W.N. University CTF

Crypto, Exploit Invalid Padding via Coppersmith Attack, 300/500

writeup