January 9th, 2017
RealWorldCrypto 2017 took place at Columbia University in New York City from January 4th through 6th. After having presented at RWC2015 and missing RWC2016 at Stanford last year, I was happy to attend again.
The conference has rightfully gained a reputation of being amongst the top crypto conferences particularly due to its excellent mix of academia and industry topics and (IMO in no small part) in being single track and encouraging new speakers.
The 2017 program is posted here, containing links to some of the talks/papers presented. The talks were also streamed live for the first time; I believe video recordings will be posted at some point as well. The live stream website may also link to the recordings. Follow @realworldcrypto on Twitter or subscribe to the (very low volume) mailing list.
You can find several summaries of the conference via your favorite search engine; the following are some notes and take-aways from me. Talks that I don't remember in detail, was distracted from by hallway conversations or work, or missed, I'll only include if there's a link to the presentation.
If you want to follow the notes from almost every single talk, @durumcrustulum live-tweeted most of the conference.
Rich Salz from OpenSSL presented "Software Engineering and OpenSSL is not an oxymoron", which was interesting in recapping the history of the project and in that it looks like despite being the constant butt of jokes on the internet the project is in fact getting better, healthier, and there may be light at the end of the tunnel even though there's obviously plenty of work to be done, plenty of cruft to be removed.
Thai Duong from Google presented "Scaling Crypto Testing with Project Wycheproof", which made the rounds on Twitter a few days before. It's a framework to test crypto libraries (e.g. OpenSSL, OpenJDK's crypto parts, Bouncy Castle etc.).
L Jean Camp from Indiana University presented "X.509 in Practice (It's worse than you think)", which looked at the SSL and TLS protocols, ciphers, and other properties observed in the wild, including the use of these by phishing sites, how sites changed algorithms (e.g. signature and kex) over time, etc.
I found this particularly interesting because it reflected to some degree the findings I made last year in my analysis of Yahoo's use of algorithms, protocols, and certificates internally and externally.
The speaker did lament the fact that phishing sites could easily get valid certificates (for e.g. homograph collisions or confusing/misleading names), and push-back from the audience noted that CAs are not in the business of endorsing use, just in verifying ownership. Adam Langley commented that [Google's] goal is to eliminate the green lock in the browser UI.
(I happen to agree with both.)
Quan Nguyen from Google presented "Practical Cryptanalysis of Json Web Token and Galois Counter Mode's Implementations".
Sharon Goldberg from Boston University presented "NSEC5: Provably Preventing DNSSEC Zone Enumeration", which nicely discussed the problem and possible solutions and which I found generally interesting (despite not using DNSSEC myself).
Daniel Franke of Akamai presented "Cryptographically Securing the Network Time Protocol", which had the notable correlation of NTP failures to wide-spread beach panic: in Australia, certain groups of sharks are tracked via GPS; when an NTP failure led to geo data that then put them much closer to a popular beach, the observing grad student phoned his buddy, a lifeguard there. Much hilarity ensued...
This was one of my favorite talks of the conference, because it so nicely stressed the importance of a much-overlooked critical service (i.e. NTP) and illustrated the complexities of running such a service at scale, given the peculiarities of the protocol.
RealWorldCrypto gave out the second annual Levchin Prize to Joan Daemen for the development of AES and SHA3 as well as to Moxie Marlinspike and Trevor Perrin for the development and wide deployment of the Signal protocol.
Joppe Bos presented "Security assessment of software security: A closer look at white-box cryptographic implementations". Since I couldn't quite figure out how "white-box cryptography" is different from "security by obscurity", I kinda tuned out.
Rene Peralta from NIST presented NIST's Post-Quantum Cryptography Project; Tancrède Lepoint from SRI presented "CRYSTAL - a Cryptographic Suite for Algebraic Lattices"; Valeria Nikolaenko from Stanford presented "Practical post-quantum key agreement from both ideal and generic lattices"; Michael Naehrig from Microsoft Research presented "Supersingular Isogeny Diffie-Hellman" and Patrick Longa from Microsoft Research presented "FourQ-based cryptography for high-performance and low-power applications".
Jon Millican from Facebook presented "Challenges of E2E Encryption in Facebook Messenger", which was rather interesting. FB allows opt-in to E2E in Messenger, but wanted to retain the ability for parties to be able to report (and prove) abuse, meaning Bob needs to be able to prove to FB that the abusive message from Alice was in fact sent by Alice, not altered etc.
Another challenge was multi-device management (e.g. allowing a user access to encrypted messages on multiple devices, even if one was added later).
The issues described may sound familiar to anybody who has thought about adding e2e to e.g. emails or any other messaging system.
I don't recall the details right now, but I gather that FB solved the abuse issue by using something they called "message franking", which is described in more detail in the FB Messenger Secret Conversations Whitepaper.
As I understand it, this, notably, excludes general deniability from the requirements to become "third-party deniability". This then also seemed to suggest that Facebook might be able to (be compelled to) at least verify authenticity of E2E messages; it was not clear to me (without having fully read the above whitepaper) if additional access was possible.
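An added sketch, not code from this post or from Facebook, of one way to get the property described above: the server can verify an abuse report without ever seeing plaintext, and only the server can do so. The function names, the use of HMAC-SHA256 and the context string are assumptions made here, and the E2E encryption layer itself is left out.

```python
import hashlib
import hmac
import os

def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (unambiguous concatenation)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def sender_frank(message: bytes):
    """Alice: commit to the plaintext under a fresh one-time key."""
    nf = os.urandom(32)          # opening key, travels inside the E2E ciphertext
    return nf, mac(nf, message)  # tf (commitment) goes to the server in the clear

def server_stamp(server_key: bytes, tf: bytes, context: bytes) -> bytes:
    """Server: bind the commitment to sender/recipient/time; plaintext unseen."""
    return mac(server_key, tf, context)

def recipient_check(message: bytes, nf: bytes, tf: bytes) -> bool:
    """Bob: after decrypting, reject messages whose commitment does not open."""
    return hmac.compare_digest(mac(nf, message), tf)

def server_verify_report(server_key, message, nf, tf, context, rf) -> bool:
    """Server: accept a report only if its own stamp and the opening both check.
    rf is a MAC under a server-only key, so nobody else can verify a report."""
    stamp_ok = hmac.compare_digest(mac(server_key, tf, context), rf)
    return stamp_ok and recipient_check(message, nf, tf)

def demo() -> dict:
    server_key = os.urandom(32)                      # constructed sample values
    context = b"from=alice;to=bob;ts=1483920000"
    msg = b"abusive text"
    nf, tf = sender_frank(msg)
    rf = server_stamp(server_key, tf, context)
    return {
        "bob_accepts": recipient_check(msg, nf, tf),
        "honest_report": server_verify_report(server_key, msg, nf, tf, context, rf),
        "altered_text": server_verify_report(server_key, b"worse text", nf, tf, context, rf),
        "wrong_sender": server_verify_report(
            server_key, msg, nf, tf, b"from=carol;to=bob;ts=1483920000", rf),
    }

if __name__ == "__main__":
    print(demo())
```

Because the stamp is a MAC rather than a signature, a leaked transcript proves nothing to an outside party, which is the "third-party deniability" trade-off.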
I chatted with Jon a bit after his talk; unfortunately, he was not able to give me an idea of how many of Facebook's users might have opted into E2E, nor whether or not they have considered deployment of any techniques to process encrypted content (e.g. for malware analysis, link spam, or Evil Government Spying Actions).
Given the predicted small percentage of users opting into E2E, it seemed the motivation for FB to deploy E2E was (a) engineers wanted to do it and (b) keeping up with the Joneses (i.e. peer pressure, other apps offering it, ...). The question of whether or not Facebook would have rolled out E2E for messenger as an opt-out feature remains unanswered. (WhatsApp is a different story.)
Moti Yung from Snapchat presented "Memories for Your Eyes Only", which had slightly different goals, including not caring if users enroll additional devices later or Snapchat being able to verify message authenticity.
Unfortunately, I missed most of this talk while chatting with Jon (see above). However, Moti did note that the techniques employed by Snapchat are not perfect, but are at least improving things. He cited this as "industrial correctness", which I liked a fair bit, as it jells with my own "Am I making things worse? Am I making things better?" nirvana-fallacy philosophy.
Mitch Stoltz from the EFF gave a nice rundown / history / reminder of the DMCA. Nothing really new here, but always good to get a lawyer's view.
During lightning talks, most people noted that they're hiring, but Colm MacCárthaigh from Amazon did remind people that Amazon is now offering "F1" type EC2 instances, which have FPGAs.
Trevor Perrin gave a nice summary of the state and history of Message Encryption.
Luke Garratt from the University of Oxford gave a talk entitled "A Formal Security Analysis of the Signal Messaging Protocol", which noted that Signal is trying to remain "post-compromise secure", but which I primarily remember to be unremarkable in its conclusion: "there is more to investigate".
Felix Günther from the TU Darmstadt presented "0-RTT Key Exchange with Full Forward Secrecy". I have to re-read the paper to grok this, but they claim to have found a way to perform a 0-RTT kex with replay protection and forward secrecy, which ends with the ever-academic question "Can we make this practical?"
Cristina Onete from the Université de Rennes presented "Towards 5G Authenticated Key-Exchange: the security and privacy of the AKA Protocol".
Evan Jeffrey from Google presented "The physics of building a quantum computer". I still can't quite wrap my head around Quantum Computing, qubits, and especially entanglement, but it seems everybody's pretty cool with the idea that Google wants to (and is on its way to) achieve "quantum supremacy", which sounds like an installment in the Bourne series.
Laurent Simon presented "Erasing secrets from RAM", which included the release/reference of secretgrind, a Valgrind analysis tool to detect secrets in memory.
Anja Lehmann from IBM presented "Direct Anonymous Attestation and TPM 2.0: Getting Provably-Secure Crypto into the Real-World", which specifically noted that cryptographers' "real world" and the "real real world" are not entirely in sync all the time.
The problem of revealing information during attestation is not directly applicable to my current work, but I remain generally interested in seeing TPMs and related technologies to bootstrap trust gain wider adoption and discussion.
Helena Handschuh presented "Differential Power Analysis (DPA) Resistance for Real People". This was interesting to me primarily in the way most side-channel attacks are interesting (i.e. "whoa, how on earth are we expected to keep anything secure if that's possible?").
David Cash of Rutgers University presented "What Else is Revealed by Order-Revealing Encryption?", which was another of my favorite talks. It very nicely illustrated that across multiple dimensions mere order revealing leads to specific patterns being revealed.
Paul Grubbs from Cornell University presented "Breaking Web Applications Built On Top of Encrypted Data", which was entertainingly scheduled right before Raluca Ada Popa (from UCB) presented "Building web applications on top of encrypted data". Both used Mylar and Verena as examples; the former talk nicely showed a number of attacks on the system leading to information disclosure against the guarantees supposedly provided by the systems. The second talk suggested some of the attacks of the previous speaker were outside its threat model; the systems also appeared to depend to some degree on the users' ability to accurately configure/tune them.
This triggered the (apt, but biting) comment that "Users are not capable of making reasonable security decisions. If you let them, the system will break."
David McGrew from Cisco presented "PRNG Failures and TLS Vulnerabilities in the Wild"; Olivier Levillain from ANSSI presented "concerto: A Methodology Towards Reproducible Analyses of TLS Datasets" and Eva Sarafianou from the University of Athens presented "Productizing TLS Attacks: The Rupture API" with the release of https://ruptureit.com/, a compression side-channel attack framework (CRIME and BREACH say hi) based on work previously presented at BlackHatAsia.
There were other talks I didn't catch, plenty of good hallway discussions, all the usual suspects, experts, rabble-rousers, anarchists, academics, and know-it-alls in one place.
The talk line-up seemed to reflect an improved gender balance compared to other conferences in the field: 12 out of 41 talks were co-authored or presented by women.
RealWorldCrypto 2018 will be in Zurich. Maybe I'll see you there...