Cloudflare Research Team has restarted Crypto Talk Series! Traditionally, we’ve invited experts from academia and industry to talk about the cryptographic protocols they are working on and to share experiences around deploying cryptographic applications in the real world.
In this time, Emma Dauterman and Jon McLachlan will share with us their latest work. We want you to be part of this enriching experience.
6:45 pm - Doors Open 7:00 pm - Welcome to Cloudflare 7:15 pm - “True2F: Backdoor-resistant authentication tokens” by Emma Dauterman 7:45 pm - “Peacemakr.io” by John McLachlan 8:10 pm - Networking, drinks, and appetizers 9:00 pm - FIN
“True2F: Backdoor-resistant authentication tokens” by Emma Dauterman Bio: Emma is a Ph.D. student of Computer Science in the UC Berkeley RISELab and is broadly interested in systems security, with a focus on distributed systems and cryptography. Emma is a recipient of the NSF GRFP Fellowship and the Berkeley EECS Excellence Award.
Intro: We present the design and implementation of True2F, a system for second-factor authentication that provides the benefits of conventional U2F authentication tokens in the face of phishing and software compromise, while also providing strong protection against token faults and backdoors. To do so, we develop new lightweight two-party protocols for generating cryptographic keys and ECDSA signatures, and we implement new privacy defenses to prevent cross-origin token-fingerprinting attacks. To facilitate real-world deployment, our system is backwards-compatible with today’s U2F-enabled web services and runs on commodity hardware tokens after a firmware modification. A True2F-protected authentication takes just 57ms to complete on the token, compared with 23ms for unprotected U2F.
“Peacemakr.io” by Jon McLachlan Bio: Jon has 10+ years industry experience, and 4+ in academia experience, in Product Security that spanned everything from 2 person bootstrapped startup to large companies. He’s secured both consumer and enterprise products, across large (Apple), medium (Pure Storage), and small sized companies (UnifyID, Symphony Communications, and Peacemakr.io). Today, he is a Product Security Engineer at Pure Storage by day, and, a Founder and CEO of Peacemakr.io nights and weekends.
Intro: Don’t Key Management Services already exist? How is this different? Yes, But almost always are forced to trust them with your unencrypted data. For these services you either have to manage the keys yourself, or give these third parties your data for them to encrypt. It makes no sense, especially if you’re encrypting to mitigate the risk of a 3rd party security breach. With Peacemakr, our system never sees the data you’re encrypting because encryption occurs directly on clients. Under the hood, not only does Peacemakr take care of key lifecycle management, encryption, decryption, and ciphertext backward compatibility, but our threat model ensures that your plaintext data can not be directly compromised, even if Peacemakr’s system is compromised.