Passwords—take the red pill

Schedule

Wed Feb 08 2023 at 07:00 pm to 09:00 pm

Location

Grand Canyon University | Phoenix, AZ

Learn how memory-hard hashing can resist off-line attacks by specialized processors and about other technologies and standards.
About this Event

Note: This will be a hybrid meeting. You can join us in person at GCU or via Zoom. See the information on parking below.

Presentation

In the late 1960s, computers that had served a single user evolved to support many. That created a need for each user to prove they were who they claimed to be, which was typically done with a secret shared between the user and the computer. But how do you protect that secret? The first one-way cipher for stored passwords was likely developed by Roger Needham at the University of Cambridge. Over the years that one-way cipher evolved into hash functions such as SHA and into password-based key derivation functions.

The weakness of hashed passwords lies not in the strength of the hash function but in the nature of the population of values being hashed. If the number of plausible values is small, an attacker can hash all of them and compare the results against exfiltrated hash values; a match reveals the password. As hardware, especially specialized hardware such as ASICs, becomes more powerful, it becomes feasible to hash ever larger populations. Salting and high iteration counts alone are no longer enough to protect hashed passwords: using the techniques and specialized processors developed for cryptocurrency mining, attackers hold the cost/performance advantage in computing large quantities of password hash values.

This talk will cover two approaches to the problem: use memory-hard hashing to make computing the hashes of a chosen population far more expensive, or store one half of an asymmetric key pair in place of a password (so-called passwordless authentication). The talk will look at both the management side (standards such as NIST's; compliance such as PCI DSS 4.0; guidance such as CISA's and the Carnegie Mellon study) and the technical side, with a detailed look at how memory-hard hashing works and how to manage asymmetric key pairs, aka Passkeys, for people as opposed to systems. For the latter, the talk will take a detailed look at how Google and Microsoft are supporting Passkeys.
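To make the abstract's central point concrete, here is an added example (written for this listing, not code from the talk or its presenters): a small candidate population is trivially "cracked" against unsalted SHA-256 with one precomputed table, while per-user salts plus a memory-hard KDF (scrypt, via Python's hashlib) force the attacker to pay a full, RAM-heavy evaluation for every (user, candidate) pair. The candidate list, the leaked records and the scrypt parameters are constructed for the demo and are assumptions, not values from any real system.

```python
"""
Added example: offline guessing against a small password population.

Part 1: unsalted fast hash -> attacker hashes the population once and
        matches every leaked digest by table lookup.
Part 2: per-user salt + scrypt (memory-hard) -> no shared table; each guess
        costs one scrypt evaluation and ~128 * r * N bytes of RAM.

Assumptions (constructed for this demo): the candidate list, the sample
records, and the scrypt cost parameters below. hashlib.scrypt requires
Python built against OpenSSL 1.1 or newer.
"""
import hashlib
import hmac
import os

# Constructed sample: a tiny "top-N" population. Real attackers use lists
# of millions, but the point is the same: the population, not the hash,
# is what gets exhausted.
CANDIDATES = ["123456", "password", "letmein", "qwerty", "hunter2", "Summer2023!"]

# Demo scrypt parameters: N=2^14, r=8 -> 16 MiB per evaluation.
# Assumption for illustration; production deployments tune these higher.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def sha256_hex(password: str) -> str:
    """Unsalted, fast hash as stored by a naive system."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(leaked_hashes, candidates):
    """Attacker side: hash the population ONCE, then look up every leaked digest.
    Returns {leaked_hash: recovered_password} for each hit."""
    table = {sha256_hex(c): c for c in candidates}
    return {h: table[h] for h in leaked_hashes if h in table}


def scrypt_memory_bytes(n: int, r: int) -> int:
    """RAM the scrypt core must touch per evaluation (128 * r * N bytes).
    This is the cost that ASICs and GPUs cannot amortize across guesses."""
    return 128 * r * n


def make_scrypt_record(user: str, password: str,
                       n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P):
    """Defender side: a per-user random salt and a memory-hard digest.
    The record carries its parameters so they can be raised later."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return (user, salt, digest, n, r, p)


def verify_scrypt(record, password: str) -> bool:
    """Constant-time check of a candidate against one stored record."""
    _user, salt, digest, n, r, p = record
    guess = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return hmac.compare_digest(guess, digest)


def crack_salted_scrypt(records, candidates):
    """Attacker side against salted scrypt: no shared table is possible, so
    every (user, candidate) pair is one full evaluation.
    Returns ({user: recovered_password}, number_of_scrypt_evaluations)."""
    found, work = {}, 0
    for record in records:
        for candidate in candidates:
            work += 1
            if verify_scrypt(record, candidate):
                found[record[0]] = candidate
                break
    return found, work


if __name__ == "__main__":
    # Constructed leak: two unsalted SHA-256 digests.
    leaked = [sha256_hex("hunter2"), sha256_hex("correct horse battery")]
    print("unsalted SHA-256 hits:", crack_unsalted(leaked, CANDIDATES))

    records = [make_scrypt_record("alice", "123456"),
               make_scrypt_record("bob", "letmein"),
               make_scrypt_record("carol", "correct horse battery")]
    hits, evaluations = crack_salted_scrypt(records, CANDIDATES)
    print("salted scrypt hits:", hits)
    print("scrypt evaluations needed:", evaluations,
          "at", scrypt_memory_bytes(SCRYPT_N, SCRYPT_R) // 2 ** 20, "MiB each")
```

The weak passwords are recovered in both cases; the difference is cost. Against the unsalted table the attacker does six hashes total, regardless of how many users leaked, whereas against salted scrypt the work is users times candidates, and each unit of work is pinned to 16 MiB of memory bandwidth rather than a few nanoseconds on an ASIC. Raising N widens that gap without touching the code path.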


Presenters

Hoyt L. Kesterson II is a Senior Security & Risk Architect with Avertium in Phoenix, Arizona. He has more than 50 years of experience in information security and related technologies. For 21 years he chaired the international standards group that created the X.509 certificate. He’s been a PCI QSA since 2011. He is a founding member and co-chair of the Information Security Committee in the American Bar Association. He is a testifying expert. He holds the CISSP and CISA certifications. He had an article on post-quantum cryptography published in the Spring 2022 issue of The SciTech Lawyer.

Daniel Giebink is a Senior Security Architect at Avertium and a perpetual student of cyber security with more than ten years in information security. Over his career he has worked in many different capacities including security operations center analyst, professional service engineer, trainer, system administrator, penetration tester, and developer. Each position has contributed to a continuously expanding, well-rounded understanding of the breadth and depth of the field of information security.



Onsite Attendance:

Building 1 is about 50 yards from the parking garage on 33rd Avenue; it is the shortest walk available on campus.



Where is it happening?

Grand Canyon University, 3300 W. Camelback Rd., Phoenix, United States


Tickets

USD 0.00

Host or Publisher: IEEE Computer Society Phoenix Chapter
