Stronger Password-Based Encryption Using I/O Hardness

Presented at BSidesLV 2015, Aug. 5, 2015, 2 p.m. (25 minutes)

Password-based encryption needs all the help it can get to withstand brute-force attacks. We repurpose an old idea to encrypt data so that each password guess requires processing all of the encrypted data. Then, we'll look at some use cases to see how the costs change for the attacker and defender. In a brute force attack, this can mean a large increase in attacker I/O, with little cost increase to defenders, who must process all of the data anyway.

Presenters:

• Greg Zaverucha - Software Engineer - Microsoft
  Greg is a software engineer in the MSR Security and Cryptography group at Microsoft. He performs research in applied cryptography, implements cryptographic primitives, and helps product teams use cryptography securely. Prior to joining Microsoft, Greg worked on applied research, standardization and product security at Certicom/Blackberry. Greg holds a PhD in CS specializing in cryptography from the University of Waterloo.

Links:

• https://bsideslv2015.sched.com/event/3uka/stronger-password-based-encryption-using-io-hardness

Similar Presentations:

• Black Hat Europe 2014 / Session Identifier are for Now, Passwords are Forever - XSS-Based Abuse of Browser Password Managers
• H2K2 (2002) / The Password Probability Matrix
• DEF CON 16 (2008) / Buying Time - What is your Data Worth? (A Generalized Solution to Distributed Brute Force Attacks)