Turning Joy into Sadness: Common Cryptography Anti-Patterns

Presented at LayerOne 2017, May 28, 2017, 2 p.m. (60 minutes)

In an almost shockingly nihilistic talk, Becker Polverini will explain why just telling people not to “roll your own crypto” is not enough to prevent blowing your legs off in applied cryptography. He will explain why no programming language smart enough, no crypto library battle-tested enough, exists to prevent people from using upvoted, incorrect StackOverflow crypto posts to devastating effect. He will present a smorgasbord of incredibly broken PBKDFs, timing-safe equality, cipher modes, HMACs, and other crypto primitives, from the PKC Security consulting archives, as a means of educating developers on how to use trusted cryptography libraries safely. Get ready to laugh, then cry, as you realize these vulnerabilities sit in your favorite web and mobile apps.


  • Becker Polverini
    Becker Polverini is the CEO and co-founder of PKC Security, a custom software development and cybersecurity consulting firm. He leads PKC’s work in applied cryptography, web application architecture, and operating system security. He previously worked with Microsoft Research on Chinese censorship and espionage, with Princeton University’s Center for Information and Technology Policy on Chinese surveillance algorithms, at the Columbia University Intrusion Detection Systems Laboratory on the insider threat problem, and in kinetic warzones to provide secure communications with allies. His published research includes NSF-funded work in machine learning and censorship analysis.


