[liberationtech] Tuesday, March 8 at Stanford -- Zakir Durumeric: Cryptographic Failures in Practice

Yosem Companys companys at stanford.edu
Mon Mar 7 17:35:56 PST 2016 

From: David Wu <dwu4 at cs.stanford.edu>

Reminder: seminar tomorrow (Tuesday) afternoon at 4:15pm in Gates 463!

On 3/3/2016 5:02 PM, David Wu wrote:
>
>             Cryptographic Failures in Practice
>
>                      Zakir Durumeric
>
>                    Tuesday, March 8, 2016
>                        Talk at 4:15pm
>                          Gates 463
>
> Abstract:
>
>
> Despite advances in cryptography, there remains a significant gap between
> developed algorithms and how systems are protected in practice. In this talk,
> I will discuss two studies in which Internet-wide measurement has uncovered
> catastrophic cryptographic failures in practice. In the first, we investigate
> the Diffie-Hellman key exchange, finding it far less secure than widely
> believed. I'll present Logjam, a novel flaw in TLS that lets a man-in-the-
> middle downgrade connections to “export-grade” Diffie-Hellman, and then go on
> to consider how a small number of fixed or standardized groups may allow for
> passive eavesdropping by nation-state attackers.
>
> Next, I'll discuss our recent analysis of mail delivery security. We find that
> the top mail providers all proactively encrypt and authenticate messages.
> However, these best practices have yet to reach widespread adoption and only
> one third of top domains successfully configure encryption, and only 1%
> support mail authentication. This patchwork has led to an ecosystem where
> servers favor failing open to allow gradual deployment. However, we find that
> downgrade attacks are commonplace in the real world and highlight seven
> countries where more than 20% of inbound Gmail messages arrive in cleartext
> due to network attackers.
>
> Bio:
>
> Zakir Durumeric is a Ph.D. Candidate in Computer Science and Engineering at
> the University of Michigan and the 2014 Google Ph.D. Fellow in Computer
> Security. His research focuses on network security, particularly how global
> network measurement can improve the security of heterogeneous distributed
> systems. Zakir is widely known for creating ZMap—the Internet-wide network
> scanner capable of scanning the entire public IPv4 address space in
> minutes—and Censys—the search engine that allows researchers to analyze the
> devices that compose the public Internet. His work has been awarded numerous
> distinctions, including the IRTF Applied Networking Research Prize and best
> paper awards from USENIX Security, ACM Conference on Computer and
> Communications Security, and ACM Internet Measurement Conference. He was named
> one of this year's MIT Technology Review’s 35 Innovators under 35.

More information about the liberationtech mailing list