Stanford Security Lunch
Spring 2014


April 2, 2014 Organizational meeting

Organizational meeting:  Sign up to give a talk!

April 9, 2014 Efficient One-Round PAKE Protocols

Speaker:  Fabrice Benhamouda (École normale supérieure)

Abstract:  Password-authenticated key exchange (PAKE) protocols allow two players to agree on a shared high-entropy secret key that depends on their own passwords only. Following Gennaro and Lindell's approach, with a new kind of smooth-projective hash functions (SPHFs), Katz and Vaikuntanathan recently came up with the first concrete one-round PAKE protocols, where the two players just have to send simultaneous flows to each other. The first one is secure in the Bellare-Pointcheval-Rogaway (BPR) model and the second one in Canetti's UC framework, but at the cost of simulation-sound non-interactive zero-knowledge (SS-NIZK) proofs (one for the BPR-secure protocol and two for the UC-secure one), which make the overall constructions not really efficient. We follow their path with, first, a new efficient instantiation of SPHF on Cramer-Shoup ciphertexts, which allows us to get rid of the SS-NIZK proof and leads to the design of the most efficient one-round PAKE known so far, in the BPR model, and in addition without pairings. In the UC framework, the security proof required the simulator to be able to extract the hashing key of the SPHF, hence the additional SS-NIZK proof. We improve the way the latter extractability is obtained by introducing the notion of trapdoor smooth projective hash functions (TSPHFs). Our concrete instantiation leads to the most efficient one-round PAKE UC-secure against static corruptions to date.

Joint work with:  Olivier Blazy, Céline Chevalier, David Pointcheval and Damien Vergnaud

Published at:  CRYPTO '13

Paper available at:  ePrint 2013/341 and 2013/034

Food Requested:  164

April 16, 2014 Stanford Authentication in Practice

Speaker:  Russ Allbery (Stanford Administrative Systems)

Abstract:  Stanford's own university-wide authentication systems provide an interesting case study in the interplay between security protocols and techniques and the many constraints and requirements of authentication in a diverse and decentralized community. An overview of Stanford's authentication systems will be used as a framework for a discussion of the challenges of deploying and maintaining authentication systems for a wide variety of protocols, applications, clients, and users in a university environment.

Food Requested:  174

April 23, 2014 Fully Key-Homomorphic Encryption

Speaker:  Valeria Nikolaenko

Abstract:  The concept of Fully-Homomorphic Encryption (FHE) was first introduced in 1978. The first construction, discovered by C. Gentry in 2009, was a major breakthrough in the world of cryptography. FHE is a public key encryption system that allows one to carry out arbitrary computations on encrypted data. We introduced a new concept that we called Fully Key-Homomorphic Encryption (FKHE), which is an Identity-Based Encryption (IBE) system [1] where anyone can carry out computations on the public key. We built such a primitive based on a hard lattice problem called learning with errors (LWE).

In this talk I will show the construction of FKHE and two of its applications:

[1] IBE is an encryption scheme where the public key of the user is his/her identity, i.e. an email address or a name.

[2] ABE is an encryption scheme where the ciphertexts are labeled with sets of attributes and private keys are associated with access structures that control which ciphertexts a user is able to decrypt.

To appear at:  Eurocrypt 2014

Food Requested:  212

April 30, 2014 Terms of Abuse

Speaker:  Jonathan Mayer

Abstract:  This talk previews a paper for the Privacy Law Scholars Conference. I'll discuss empirical findings on the Computer Fraud and Abuse Act (CFAA), the federal computer misuse statute. Most civil and criminal cases that invoke CFAA look nothing like hacking, and the law provides little recourse for cloud service breaches or consumer privacy mishaps. These results call into question how the legal system has addressed computer security, with a myopic focus on attacker liability and scant scrutiny of defender incentives.

Food Requested:  169

May 7, 2014 Efficiently Discovering Privacy-Leaking Association Rules in Large Medical Discharge Databases

Speaker:  Eric Lam

Abstract:  Patient privacy protection can encourage patients with embarrassing but serious sensitive medical conditions such as STDs, substance abuse or mental health disorders to seek necessary medical help without fearing stigma. We present an initial study on what common patterns of medical codes may suggest the presence of a sensitive condition to someone outside a patient’s care team, even if the primary codes have been masked from the original record for privacy protection. We develop an algorithm to find such associations efficiently in large medical databases.

Our study suggests that some sensitive chronic disease conditions may co-occur with patterns of related medical codes that can be more identifiable to parties with access to medical domain or statistical knowledge. We evaluate the risk of such inferences and discuss possible techniques to defend against them.

Joint work with:  Ellick Chan and John C. Mitchell

Food Requested:  78

May 14, 2014 Towards a Better Language for the Implementation of Cryptographic Protocols

Speaker:  Edward Z. Yang

Abstract:  Every software engineer has been taught the mantra: "never implement your own crypto." Why? One can think of all the advanced, hazardous interactions which could lead to silent vulnerabilities. Yet, if one had to construct a mixer of the vulnerabilities that have been discovered in OpenSSL, the recipe might look like this: one part denial of service attacks, one part logic errors, one part null dereferences, one part timing attacks, and two parts memory errors. The contradiction of cryptography implementation is that C is both unsuitable (from a memory safety perspective) as well as obligatory (from a control over timing and interoperability perspective). In this talk, I'd like to share some of the initial survey work we've done on designing a replacement language for cryptography. I'll touch upon historical vulnerabilities in OpenSSL, the LibreSSL project, the various "levels" of cryptography, information flow control to prevent timing attacks, and the daunting task of actually implementing such a language.

This is preliminary work with:  Joe Zimmerman, David Wu, Benjamin Braun, and Dan Boneh.

Food Requested:  74

May 21, 2014 GyroPhone: Recognizing Speech from Gyroscope Signals

Speaker:  Yan Michalevsky

Abstract:  We show that the MEMS gyroscopes found on modern smartphones are sufficiently sensitive to measure acoustic signals in the vicinity of the phone. The resulting signals contain only very low-frequency information (<200 Hz). Nevertheless we show, using signal processing and machine learning, that this information is sufficient to identify speaker information and even parse speech. Since iOS and Android require no special permissions to access the gyro, our results show that apps and active web content that cannot access the microphone can nevertheless eavesdrop on speech in the vicinity of the phone.

Food Requested:  153

May 28, 2014 Cryptographic Protocol Design For Real-World Policies

Speaker:  Joe Zimmerman

Abstract:  In designing cryptographic protocols tailored to real-world security policies, we often face complicated constraints. Policies require different guarantees for different parties, and must be robust to a wide variety of compromise scenarios -- with some parties malicious, some covert, and some semi-honest. It is almost always impractical to deploy general-purpose secure multiparty computation for every protocol interaction. Thus, navigating these policy requirements requires careful attention to design, and often requires fairly heavyweight cryptographic tools, such as zero-knowledge proofs and identity-based encryption (IBE). In this talk, as a case study, I will walk through the design of a few such protocols from recent literature.

Food Requested:  158

June 4, 2014 Cryptographically Enforced Control Flow Integrity

Speaker:  Ali Jose Mashtizadeh

Abstract:  Recent Pwn2Own competitions have demonstrated the continued effectiveness of control hijacking attacks despite deployed countermeasures including stack canaries and ASLR. A powerful defense called Control Flow Integrity (CFI) offers a principled approach to preventing such attacks. However, prior CFI implementations use static analysis and must limit protection to remain practical. These limitations have enabled attacks against all known CFI systems, as demonstrated in recent work.

We present a cryptographic approach to control flow integrity (CCFI) that is both precise and practical: using message authentication codes (MAC) to protect control flow elements such as return addresses, function pointers, and vtable pointers. MACs on these elements prevent even powerful attackers with random read/write access to memory from tampering with program control flow. We implemented CCFI in Clang/LLVM, taking advantage of recently available cryptographic CPU instructions. We evaluate our system on several large software packages (including nginx, Apache and memcache) as well as all their dependencies. The cost of protection ranges from a 3–18% decrease in request rate.

Joint work with:  Andrea Bittau, David Mazieres, Dan Boneh

Food Requested:  81