Securing Deployed Cryptographic Systems

Christina Garman, Johns Hopkins University

In 2015 more than 150 million records and $400 billion were lost due to publicly reported criminal and nation-state cyberattacks in the United States alone. The failure of our existing security infrastructure motivates the need for improved technologies, and cryptography provides a powerful tool for doing this. There is a misperception that the cryptography we use today is a “solved problem” and the real security weaknesses are in software or other areas of the system. This is, in fact, not true at all, and over the past several years we have seen a number of serious vulnerabilities in the cryptographic pieces of systems, some with large consequences.

This talk will discuss three aspects of securing deployed cryptographic systems. We will first explore the evaluation of systems in the wild, using the example of how to efficiently and effectively recover user passwords submitted over TLS encrypted with RC4, with applications to many methods of web authentication as well as the popular IMAP protocol for email. We will then address my work on developing tools to design and create cryptographic systems and bridge the often large gap between theory and practice by introducing AutoGroup+, a tool that automatically translates cryptographic schemes from the mathematical setting used in the literature to that typically used in practice, giving both a secure and optimal output. We will conclude with an exploration of how to actually build real world deployable systems by discussing my work on developing decentralized anonymous credentials in order to increase the security and deployability of existing anonymous credentials systems.

Speaker Biography

Christina Garman received the Bachelor of Science in Computer Science and Engineering and Bachelor of Arts in Mathematics from Bucknell University in 2011 and completed the Masters of Engineering in Computer Science from Johns Hopkins in 2013. Her research interests focus largely on practical and applied cryptography. More specifically, her work has focused on the security of deployed cryptographic systems from all aspects, including the evaluation of real systems, improving the tools that we have to design and create them, and actually creating real, deployable systems. Some of her recent work has been on the weaknesses of RC4 in TLS, cryptographic automation, decentralized anonymous e-cash, and decentralized anonymous credentials. She is also one of the co-founders of ZCash, a startup building a cryptocurrency based on Zerocash. Her work has been publicized in The Washington Post, Wired, and The Economist, and she received a 2016 ACM CCS Best Paper Award. After graduation, Christina will join the faculty at Purdue University as an Assistant Professor.