Time+Place: Wednesday 02/04/2014 11:30 Room 337-8 Taub Bld.
Title: The Password That Never Was
Speaker: Ari Juels - Colloquium Lecture - Note unusual day and time http://www.arijuels.com/
Host: Shmuel Katz

Abstract:


Breaches of databases with millions of passwords are becoming a
commonplace threat to consumer security. Compromised passwords are also a
feature of sophisticated targeted attacks, as the New York Times, for
instance, reported of its own intrusions early this year. The most common
defense is hashing, a cryptographic transformation of stored passwords that
makes verification of incoming passwords easy, but extraction of stored ones
hard. "Hard," though, often isn't hard enough: Password cracking tools (such
as "John the Ripper") often easily defeat hashing. 

I'll describe a new defense called honeywords. Honeywords are decoys
designed to be indistinguishable from legitimate passwords. When seeded in a
password database, honeywords offer protection against an adversary that
compromises the database and cracks its hashed passwords. The adversary must
still guess which passwords are legitimate, and is very likely to pick a
honeyword instead, creating a detectable event signaling a breach. I'll also
discuss a related idea, called honey encryption, which creates ciphertexts
that decrypt under incorrect keys to seemingly valid messages. 

Broadly speaking, honeywords and honey encryption represent some of the
first steps toward the principled use of decoys, a time-honored and
increasingly important defense in a world of frequent and sophisticated
security breaches.

Honeywords and honey encryption are joint work with, respectively, Ron Rivest
(MIT) and Tom Ristenpart (U. Wisc).
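The following is an added illustration of the honeyword mechanism described
in the abstract; it is not code from the talk or from the speaker. It assumes
a deployment split that the abstract does not spell out: the login server's
password file holds salted hashes of every "sweetword" (the real password plus
its decoys, shuffled), while a separate, harder-to-reach service, called
HoneyChecker here, stores only the index of the real entry. An attacker who
dumps and cracks the password file sees k plausible candidates per user and
must guess which one is real; submitting any decoy raises an alarm. The
decoy generator (tweaking trailing digits) and all names are assumptions made
for the example.

```python
import hashlib
import hmac
import os
import random
import secrets

# Constructed example of a honeyword deployment (hypothetical names, not the
# speaker's implementation): the login server keeps the password file, the
# honeychecker keeps only which sweetword index is the real password.

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash, as a real password file would use."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def tweak_digits(password: str, rng: random.Random) -> str:
    """Make a decoy by replacing the password's trailing digits with random ones.
    Simplified decoy generator assumed for this example, not the talk's method."""
    stripped = password.rstrip("0123456789")
    n_digits = len(password) - len(stripped)
    if n_digits == 0:
        # Nothing to tweak: append two random digits so the decoy still looks typical.
        return password + f"{rng.randrange(100):02d}"
    return stripped + "".join(rng.choice("0123456789") for _ in range(n_digits))


def generate_sweetwords(real: str, k: int, rng: random.Random):
    """Return (sweetwords, index_of_real): k-1 distinct decoys plus the real password, shuffled."""
    decoys = []
    while len(decoys) < k - 1:
        d = tweak_digits(real, rng)
        if d != real and d not in decoys:
            decoys.append(d)
    sweetwords = decoys + [real]
    rng.shuffle(sweetwords)
    return sweetwords, sweetwords.index(real)


class PasswordDB:
    """Password file on the login server: per user, a salt and the hashes of every
    sweetword. A thief who cracks these learns k candidates, not which one is real."""

    def __init__(self):
        self.users = {}

    def enroll(self, username: str, sweetwords):
        salt = os.urandom(16)
        self.users[username] = (salt, [hash_password(w, salt) for w in sweetwords])

    def match(self, username: str, candidate: str):
        """Index of the sweetword whose hash equals the candidate's, or None."""
        salt, hashes = self.users[username]
        h = hash_password(candidate, salt)
        hit = None
        for i, stored in enumerate(hashes):   # scan all entries, constant-time compares
            if hmac.compare_digest(h, stored):
                hit = i
        return hit


class HoneyChecker:
    """Separate hardened service: stores only the real index per user and raises
    an alarm when a login matched a decoy."""

    def __init__(self):
        self.real_index = {}
        self.alarms = []

    def set_index(self, username: str, index: int):
        self.real_index[username] = index

    def check(self, username: str, index: int) -> bool:
        if self.real_index[username] == index:
            return True
        self.alarms.append(username)   # a honeyword was submitted: breach signal
        return False


def enroll_user(db, checker, username, real_password, k=20, rng=None):
    rng = rng or secrets.SystemRandom()
    sweetwords, idx = generate_sweetwords(real_password, k, rng)
    db.enroll(username, sweetwords)
    checker.set_index(username, idx)
    return sweetwords


def login(db, checker, username, candidate):
    i = db.match(username, candidate)
    if i is None:
        return "wrong-password"        # ordinary typo or guess: no alarm
    if checker.check(username, i):
        return "ok"
    return "honeyword-alarm"           # only a cracked password file yields a decoy


if __name__ == "__main__":
    db, checker = PasswordDB(), HoneyChecker()
    sweet = enroll_user(db, checker, "alice", "summer2014", k=5, rng=random.Random(1))
    print("sweetwords stored for alice:", sweet)
    print(login(db, checker, "alice", "summer2014"))
    print(login(db, checker, "alice", "winter9999"))
    decoy = next(w for w in sweet if w != "summer2014")
    print(login(db, checker, "alice", decoy), "alarms:", checker.alarms)
```

The point to notice is the trust split: compromising the password file alone
gives the attacker k plausible passwords per account and a roughly (k-1)/k
chance that any guess trips the alarm, while a wrong guess that matches no
sweetword at all is treated as a normal failed login and stays silent.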

Short Bio:

Dr. Ari Juels is a roving chief scientist specializing in computer
security. He was Chief Scientist of RSA (The Security Division of EMC),
Director of RSA Laboratories, and a Distinguished Engineer at EMC, where
he worked until September 2013. He joined RSA in 1996 after receiving his
Ph.D. in computer science from U.C. Berkeley.
His recent areas of interest include "big data" security analytics,
cybersecurity, cloud security, user authentication, privacy,
medical-device security, biometric security, and RFID / NFC security. As
an industry scientist, Dr. Juels has helped incubate innovative product
features and products and has advised on the science behind
security-industry strategy.

Desserts will be served from 11:15
Lecture starts at 11:30