§
When: Monday, December 05, 2016 from 11:00 AM to 12:00 PM
§
Speakers: Hugo Krawczyk
§
Location: Research Hall, Room 163
ABSTRACT
In spite of repeated catastrophic leakages of billions of passwords from popular websites (e.g., the recently published attack on 500M stolen passwords from Yahoo) and the critical
role that password vulnerabilities play in most cybersecurity attacks, password authentication is still the prevalent means of authentication in the internet, in commercial enterprises, the government, and in many other sensitive settings. Even when stronger
credentials are used for authentication, these are typically protected or retrieved using human-memorizable passwords, thus opening these secrets to phishing and offline attacks upon server compromise. As much as one would like to dismiss the use of passwords
as a bad practice, passwords are here to stay as the indisputable winners of the convenience-vs-security battle.
But is password insecurity inevitable? Fortunately, cryptography can provide a negative answer to this question. In this talk we survey progress in this area showing how to armor
password protocols against online and offline dictionary attacks by leveraging the availability of a personal device, the connectivity to an online server or via server distribution. In all cases, we achieve maximal-attainable security in the corresponding
adversarial setting.
Based on works with S. Jarecki, A. Kiayas, J. Xu N. Saxena and M. Shirvanian.
BIO
Hugo Krawczyk is a Distinguished Research Staff Member with the Cryptography Group at the IBM T.J. Watson Research Center. His areas of interest span theoretical and applied aspects
of cryptography with particular emphasis on applications to network security, privacy and authentication. Best known are his contributions to the cryptographic design of Internet standards, particularly IPsec, IKE, and TLS, and the co-invention of cryptographic
algorithms including the HMAC message authentication function. Dr. Krawczyk has also contributed to the theory and applications of pseudorandomness, zero-knowledge, key exchange, threshold and proactive cryptosystems, and search on encrypted data. His current
interests include search on encrypted data, strengthening the security of password protocols, private authentication and revamping the cryptographic design of TLS. Krawczyk is a Fellow of the International Association of Cryptologic Research (IACR) and the
recipient of numerous IBM awards, including two corporate awards, for his contributions to the information security industry. He has also been recognized with the 2015 RSA Award for Excellence in the field of Mathematics.