[CSEE Talk] talk: Blind Hashing; a new way to secure passwords against offline attack, 11am Fri 3/27, MP101 UMBC

[Tim Finin]

			UMBC Cyber Defense Lab

  Blind Hashing; a new way to secure passwords against offline attack

			    Jeremy Spilman
			Founder/CTO of TapLink

	      11-12 Friday 27 March 2015, M/P 101, UMBC

Industry best practice is to secure passwords using a tunable hashing
algorithm; pick the right hashing algorithm, tune its cost factors so
it runs slowly and makes optimal use of your hardware, and it's
possible to protect very strong passwords from being cracked. However
when average password strength and login latency requirements face off
against bot-nets and GPU powered dictionary attacks, the vast majority
of passwords are easily cracked. Blind hashing entangles password
hashes with a massive pool of random data, so large it cannot be
stolen over the network. A simple protocol allows any number of sites
to share a centralized petabyte-scale data pool, amortizing the cost
for defenders, while protecting low-entropy passwords with minimal
run-time cost. Blind hashing can also be used as a general-purpose
PBKDF to protect against brute-force attacks, and providing the
opportunity to add server-based access policies and revocability to
the key derivation process. Following his talk, Jeremy will be happy
to discuss potential research opportunities with the company for
students interested in developing new implementations of blind hashing
for password-based authentication and encryption services.

Jeremy Spilman is the Founder and CTO of TapLink, a startup company
that is developing systems using its patented Blind Hashing technique,
which can completely protect passwords against offline attack, even if
the password database is stolen.  He was a double major in Computer
Science and Economics at Brandeis University.