Protecting Passwords with Oblivious Cryptography - Adam Everspaugh Cyphercon 2.0 (Hacking Illustrated Series InfoSec Tutorial Videos)
Protecting Passwords with Oblivious Cryptography
Adam Everspaugh
Encipher
Cyphercon 2.0

Current schemes to protect user passwords like bcrypt, scrypt, and iterative hashing are insufficient to resist attacks when password digests are stolen. We present a modern cloud service, called Pythia, which protects passwords using a cryptographically keyed pseudorandom function (PRF). Unlike existing schemes like HMAC, Pythia permits key updates as a response to compromises. Key updates nullify stolen password digests, enable digests to be updated to the new key, and don't require users to change their passwords. The keystone of Pythia is a new cryptographic construction called a partially-oblivious PRF that provides these new features.

Adam Everspaugh is a PhD student at the Univ of Wisconsin researching cryptography and computer security applications for cloud computing. His research focuses on usable and sophisticated computer security designs. Adam graduates in 2017 and is currently seeking a role as a security and software engineer at a forward-looking technology company.
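
The key-update property described in the abstract, as an added sketch that is not Pythia's code or its actual partially-oblivious construction: it uses a plain blinded-exponentiation PRF, H(pw)^k, in a toy group. The group parameters, sample keys and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group (assumption): safe prime P = 2*Q + 1; we work in the order-Q
# subgroup of squares mod P. Far too small for real use.
P, Q = 2039, 1019

def hash_to_group(password: bytes) -> int:
    """Map a password to a non-identity element of the order-Q subgroup."""
    s = 2 + int.from_bytes(hashlib.sha256(password).digest(), "big") % (P - 3)
    return pow(s, 2, P)  # s is in [2, P-2], so s^2 is neither 0 nor 1

def server_eval(key: int, element: int) -> int:
    """PRF service: raise the received group element to the secret key."""
    return pow(element, key, P)

def client_digest(password: bytes, query_server) -> int:
    """Blind, query, unblind: the service only ever sees H(pw)^r."""
    r = 1 + secrets.randbelow(Q - 1)         # blinding exponent in [1, Q-1]
    blinded = pow(hash_to_group(password), r, P)
    reply = query_server(blinded)            # H(pw)^(r*k)
    return pow(reply, pow(r, -1, Q), P)      # strip r, leaving H(pw)^k

def update_token(old_key: int, new_key: int) -> int:
    """Token the service hands out on rotation: new_key / old_key mod Q."""
    return (new_key * pow(old_key, -1, Q)) % Q

def update_digest(digest: int, token: int) -> int:
    """Re-key a stored digest without the password: (H^k_old)^token = H^k_new."""
    return pow(digest, token, P)

def demo():
    k_old, k_new = 123, 456                  # constructed sample keys
    pw = b"correct horse battery staple"     # constructed sample password
    stored = client_digest(pw, lambda e: server_eval(k_old, e))
    rotated = update_digest(stored, update_token(k_old, k_new))
    fresh = client_digest(pw, lambda e: server_eval(k_new, e))
    return stored, rotated, fresh

if __name__ == "__main__":
    stored, rotated, fresh = demo()
    print("digest under old key :", stored)
    print("digest after update  :", rotated)
    print("login under new key  :", fresh)
```

After rotation a digest stolen earlier no longer matches anything the service will compute, while the legitimate database is re-keyed in place and the user's password is unchanged.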


Copyright 2020, IronGeek