Cornell Tech Professors To Build Stronger Password Protections With $1.2M NSF Award

The National Science Foundation (NSF) recently announced a round of awards to support interdisciplinary cybersecurity research, including a $1.2 million grant whose recipients include Jacobs Institute and Cornell Tech Professors Ari Juels and Tom Ristenpart and University of Florida Professor Tom Shrimpton. The research team will use this award to build better protections for passwords using a technique called “honey encryption,” to create more robust censorship-evasion tools, and to devise techniques for making security systems more resilient to error.

Here are some of the motivating problems behind their work:

• Brute-force password cracking attacks: Users tend to select weak passwords that are vulnerable to brute-force password cracking attacks that try to decrypt encrypted messages by guessing passwords. This problem is serious and pervasive, given today’s frequent compromise of mobile devices and cloud systems. The team is developing new techniques that prevent brute-force cracking by causing incorrectly decrypted ciphertexts to yield fake but real-looking messages.
• Censorship of encrypted protocols: Censorship is so heavy-handed in some nations that Reporters Without Borders labels them “Internet Black Holes.” Deep-packet inspection (DPI) helps censors identify and block encrypted network protocols. Anti-censorship tools require encryption primitives capable of producing ciphertexts that appear to be distributed like “benign” cover traffic to deceive the censors. Some existing steganographic tools can achieve this, but are largely impractical. The research team is devised new techniques that are both principled and practical.
• Securing human-generated authentication secrets: Users make typos when they key in passwords. Biometrics, such as fingerprints, are noisy. Conventional crypto, however, is fragile in the face of error-prone data. Existing approaches for cryptographic error-correcting seek to address this problem, but leak too much information about low-entropy user secrets to be of practical use. The team has been working with industry partners to build tools that achieve both good error-tolerance and low information leakage.

Taken together, these problems come under the banner of a powerful, general notion that the researchers call distribution-sensitive cryptography (DSC). DSC promises to make cryptography more practical for a spectrum of applications by leveraging contextual information in new ways.