UVCS: The Utah Valley Cryptologic Society

IEEE Cipher Calendar of Cryptography and Computer Security Events

This group meets as needed in the Provo/Orem area for lunchtime discussions of current topics of interest in cryptography. Contact Hilarie Orman for information. Information about the mailing list is available, too.

We welcome volunteers who are interested in crypto and computer security and wish to present original work or explications of noteworthy topics. Please contact us by joining the mailing list, or, if you prefer not to join but want to communicate a question, send a note to uvcrypto at mailman.xmission.com; non-members will receive an automatic note saying that the moderator will review the message, and with any luck, someone will reply to your note.


Next Meeting: Tuesday, January 20, 2009 (Inauguration Day), at the Novell Bon Appetit Cafeteria, 1800 S. east of I-15, Provo. At noon, in the small conference room on the south side of the cafeteria. We'll discuss the upcoming NIST SHA3 competition, rogue CAs, and weaknesses in WEP keys. Arrive by 11:45 in order to get through the cafeteria lunch lines by noon.




Past Meetings




Our previous meeting was noon, Wednesday, September 24, 2008. Cameron Morris talked about new methods for evaluating password strength. We will meet at the Chef's Table restaurant, 2005 S State St, Orem, UT 84097. Tel: (801) 235-9111.

Abstract for Password Pattern Strength:
Despite the many authentication alternatives, user-chosen passwords will ever be with us. This proposal is an effort to "raise the bar" in password analysis. Identified patterns in a password help determine the strength of the password. The proposed measurement of password strength is the number of passwords that could fit within the identified patterns. Using Password Pattern Strength provides a more accurate method to implement "good" password policies.


Mark your calendars for Thursday, March 20, 2008. Tim van der Horst will speak about his recent research at BYU. We'll meet somewhere new:
Gloria's Little Italy -- 279 E. 300 South, Provo, 805-4913
in their backroom upstairs. The food is great.

Title: Surrogate Secure Remote Password (sSRP)
Abstract:

Surrogate Secure Remote Password (sSRP) protocol is a new decentralized authentication scheme that enables users to authenticate to personal messaging identifiers (e.g., email addresses, IM handles, cell phone numbers) and facilitates dynamic user bases. sSRP was originally developed to provide convenient and secure authentication to wireless networks without the requirement of client-side Internet or IP-connectivity. sSRP is a hybrid protocol that combines the principles of Simple Authentication for the Web (SAW) with the Secure Remote Password (SRP) protocol. The use of SRP in sSRP enables users to authenticate to relying parties using existing personal messaging account identifiers and passwords, without the fear that relying parties or eavesdroppers can compromise their login credentials.

This presentation also includes several significant improvements to the original sSRP protocol as well as how it can be adapted to easily replace existing website logins. It also introduces two modes of operation for this protocol. The first mode provides protection from passive eavesdropping without requiring PKI. Although this mode does not provide authentication of relying parties and identity providers, it is still valuable because it provides strong protections to user login credentials and from passive eavesdroppers. The second mode, a simple, intuitive addition to the first mode, brings the assurances of server-side digital certificates to authenticate relying parties and identity providers.


On May 1, 2007 our speaker was Tim van der Horst, a graduate student at BYU, who explained his work on multi-path credentials. We'll meet at Thai Ruby, 744 E 820 North, Provo, at noon. Visitors are welcome.

Abstract:
Automated email-based password reestablishment (EBPR) is an efficient, cost-effective means to deal with forgotten passwords. In this technique, email providers authenticate users on behalf of web sites. This method works because web sites trust email providers to deliver messages to their intended recipients. Simple Authentication for the Web (SAW) improves upon this basic approach to user authentication to create an alternative to password-based logins.
SAW:

The 2007 spring meeting is
Somos Sequences and Cryptographic Applications
      Hilarie Orman and Richard Schroeppel

Come hear about the odd properties of Somos4 and Somos5 and how they lead to a unique version of Diffie-Hellman key exchange. Learn what an elliptic divisibility sequence is! Slides

Noon, Tuesday, March 27
Ottavio's Ristorante, 69 East Center Street, Provo
(801) 377-9555

Past Meeting, April 27, 2006

We met for lunch on Thursday to hear about the recent PKI workshop held at NIST. Place was the Osaka Restaurant, 46 W. Center St., Provo.







Past Meeting, March 9, 2006

Jason Holt held forth on nym:

Title: nym: practical pseudonymity for anonymous networks

Abstract:
nym is an extremely simple way to allow pseudonymous access to internet services via anonymizing networks like Tor, without losing the ability to limit vandalism using popular techniques such as blocking owners of offending IP or email addresses. nym uses a very straightforward application of blind signatures to create a pseudonymity system with extremely low barriers to adoption. Clients use an entirely browser-based application to pseudonymously obtain a blinded token which can be anonymously exchanged for an ordinary TLS client certificate. In the appendix, we give the complete JavaScript application and the necessary patch to use client certificates in the popular web application MediaWiki, which powers the popular free encyclopedia Wikipedia. Thus, nym is a complete solution, able to be deployed with a bare minimum of time and infrastructure support.

Past Meeting, Friday, February 10, 2006

This was a great renaissance for UVCrypto, and I give many thanks to Peter for leading an interesting discussion. Yes, there are photos.

Peter Boucher will be speaking on the topic of Secure Storage on the Trusted Platform Computing Architecture. He has contributed several documents for members who want to familiarize themselves with the specifications beforehand. We will meet at noon at Thai Ruby in "the small room", 744 E 820 North, Provo; 801-375-6840.


Past Meeting, November 15, 2004

We welcomed former Utahn and UVCrypto member Tolga Acar. He spoke on the topic of digital rights management.




Past Meeting, Oct 1, 2004, Ruby Thai restaurant


Topics were the MD5 2nd pre-image demonstrations and new results in efficient computation of complex policies using hidden credentials.

Past Meeting, April 27, 2004, Noon lunch meeting, Chef's Table Restaurant, 2005 South State St., Orem


Cameron Morris on Single-Sign-On with Trust Negotiation

Abstract: Many Single-Sign-On (SSO) technologies exist and are being developed. These are mostly closed systems limited to direct trust relationships or circles of trust. These relationships are currently set manually with legal contracts. Using trust negotiation with SSO allows this trust establishment to be automated and open. The primary challenge to this approach is establishing automated trust that is legally binding. In addition to negotiated trust between SSO providers, trust negotiation can occur on an individual basis. This negotiation would occur for each user. The attribute provider proxies for the user and negotiates access to a service provider. There are several benefits of this approach: 1) Users need only a standard web browser; 2) Users can set policies that protect the privacy of their attributes; and 3) Service providers have a flexible, attribute-based access control mechanism.

Past Meeting, March 18, 2004, Galois Counter Mode

We will meet at the Thai Ruby restaurant at noon for a presentation by Pete Boucher on the recently proposed "Galois Counter Mode". Richard Schroeppel will lead a discussion of the merits and demerits (if any) of the algorithm.

Past Meeting, Departure: Tolga Acar, January 2004

The Utah Valley, indeed the state of Utah, loses a big chunk of its cryptographic expertise in early January 2004 as Tolga Acar moves to Redmond, Washington to work for a software development corporation of unlimited reach. Tolga has been an important part of the UV Crypto group and we wish him well in his new position. We had a going away lunch for Tolga.


Past Meeting, November 5, 2003

A meeting was held at 11:30am, November 5, 2003, at the Ruby Thai Restaurant in Provo, 744 E 820 North (tucked on a side street near the BYU campus). The subject was "The Morris Worm, Was Anyone Listening?" (view as html for MSoft browsers or as jpegs) presented by Hilarie Orman and was followed by a discussion of operating system monoculture.

Jason Holt and Robert Bradshaw presented "Hidden Credentials" at WPES October 31. You heard about them here first!


Past Meeting, late September, "Hidden Credentials" by Jason Holt

September 25, 2003, 2pm, Buona Vita restaurant, Center St., Provo. For more information contact Hilarie Orman by email.

Recent activities: the annual Crypto conference in Santa Barbara featured three short talks by UV Crypto members. Richard Schroeppel showed the Manticore cipher with a new authenticating mode, Jason Holt presented Hidden Credentials (photo), and Hilarie Orman showed photos relevant to "Cryptography and Espionage in Paris".


Past Meeting, March 25, 2003

Our meeting was held at the Osaka restaurant in Provo, and we had a large group including several of Dr. Higgins' students. Nate Seeley presented the details of the recently discovered chosen-ciphertext attack on TLS using an active attacker. This was discovered by Serge Vaudenay and his crypto group and is described at http://lasecwww.epfl.ch/memo_ssl.shtml.

Meeting on Tuesday, October 29, 2002

Jason Holt, a BYU computer science student, will present his research work on non-collusive, subsettable, blind credentials. The meeting will be at noon at Thai Ruby restaurant near the BYU campus (744 E. 820 North). Jason's paper is online at the IACR eprint site.

XML, SOAP, and Security

Powerpoint presentations given at the IEEE Computer Society meeting were XML and Security and SOAP and Security.

Past Events

There was a lunch meeting on September 17 in Provo; the topic was synopses of key papers at the recent Crypto conference in Santa Barbara.

We have short synopses of Crypto 2002 by Tolga Acar online here.

There was a lunch meeting on April 30 in Provo with the topic of an authenticated Diffie-Hellman password protocol presented by Pete Boucher.

A lunch meeting on "Block Cipher Variations" was held Wednesday, March 27. Tolga Acar explained the design principles by which he modified RC5 to accept larger block sizes with improved per-round diffusion. Secondary topics included Kent Seamons' work in trust negotiation, and Rich Schroeppel discussed the Bernstein factoring machine.

The first meeting, in February 2002, featured a talk by Richard Schroeppel explaining how quantum computing was used to apply Shor's algorithm to factor 15. Attendees included Pete Boucher, Baber Amin, Tolga Acar, and Hilarie Orman.