BSidesVienna 0x7E6

Nothing To Hide: Privacy-Preserving Cryptographic Authentication In Practice
11-19, 14:45–15:15 (Europe/Vienna), Urania Dachsaal

Governments, email vendors, social media websites, and even your favorite food recipe forum require account registrations where you send your secret password (often the same one reused everywhere) over insecure channels riddled with sniffing agents, exposing your online identity to theft, data breaches, and a whole bag of privacy concerns.

This doesn't need to be the case. With the massive explosion of fast, secure, and privacy-preserving cryptographic protocols, your credentials need never leave your device and websites don't need to store your passwords for authentication to complete.

In this talk, I'll introduce zero-knowledge password protocols, a well-established field of cryptography that puts privacy first, and demo a full implementation of such a protocol live.


The problem and the reason I made the project are very nicely put forth by the famous cryptographer Matthew Green: https://blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/. The protocol I'm working with was very recently standardized by IETF (mid 2020) right here: https://datatracker.ietf.org/doc/html/draft-krawczyk-cfrg-opaque-06.

The goal of this talk is to share knowledge about this new protocol (namely, OPAQUE) and the field of zero-knowledge cryptography. Its benefits in terms of password authentication and privacy are tremendous and well studied. My contribution to the space will be a Go implementation of the protocol that can be used in any form, a backend, and a frontend JS SDK, as well as a simplified explanation of the math behind it.

The protocol, backend and frontend code are open-sourced along with a prototype: https://github.com/afjoseph/plissken.

Abdullah Joseph is a software engineer with a special interest in security and over a decade of experience. He worked as the mobile security team lead at Adjust, providing a secure mobile analytics service to clients around the globe, while overseeing the security of the company's open-source libraries integrated in over 25,000 mobile apps, totalling over 400 billion data points and 25 petabytes of traffic per month.

He is also the holder of GREM, GMOB, GPEN and GXPN security certifications and a speaker at OWASP, CodeMotion, Hack-in-the-box, R2Con and Android Security Symposium conferences.

He currently works as a senior software engineer for an internet technologies nonprofit implementing secure and uncensored protocols for dissidents and journalists to communicate with the free internet.