Deirdre Connolly¹ ²
Really want boring simple cryptography with few assumptions; used Rust bc strong typing enabled misuse-resistant API design, and performance came for free
#realworldcrypto
How do we bootstrap trust in the org key? It helps to be part of a long-trusted publication
#realworldcrypto
Secure elements are great tools...except they don't expose auth attempt counters, nor enforce timeouts (they are reserved for the operating system)
#realworldcrypto
Q: Diff from SecureDrop?
A: Focused on the first contact experience; using Tor is a red flag/signal; we don't support sending files, pivot elsewhere for that
#realworldcrypto
Work with actual UX researchers; in-person user testing;
#realworldcrypto
Speaking of SecureDrop, next up is 'SecureDrop Next Generation: Lessons from a Decade of Deployment', presented by Rowen Shane, Shannon Veitch
#realworldcrypto
Deployment/maintenance burden, physical security requirement, better encryption is available
#realworldcrypto
'The real way to use deniability is in combination with other security properties of the system; there are tradeoffs against authentication'
#realworldcrypto
Client is the Tor browser; no persistent state; server is 'just' an encrypted message queue; one time keys
#realworldcrypto
Specifics about the new SecureDrop protocol
github.com/freedomofpre...
#realworldcrypto
github.com/freedomofpress...
github.com/freedomofpress...
Different organizational profiles motivate different deployment types
#realworldcrypto
Next steps, attachments, formal verification!
github.com/freedomofpre...
github.com/freedomofpre...
#realworldcrypto
GitHub - freedomofpress/secure...
GitHub - freedomofpress/secure...
Q: Target a particular journalist, key exhaustion?
A: Known, not seen in existing SecureDrop instances, so deferring doing anything for now, but there are approaches
#realworldcrypto
Next up, 'At-Compromise Security: The Case for Alert Blindness', presented by Simone Colombo
#realworldcrypto
How much are our assumptions and models actually based on the real world?
#realworldcrypto
"Cryptography is also a social science unaware of itself."
#realworldcrypto
82 abductions related to these protests
#realworldcrypto
"The abductors eventually heard the message, which put pressure on them to release the abducted person."
#realworldcrypto
At-compromise alert blindness: when they are taken, abducted people can alert their network without the adversary noticing
#realworldcrypto
Personal secrets capture the distinction of compromising people or their devices. Multiple personal secrets model that the abducted person knows they have been abducted:
they can decide which secret to use.
#realworldcrypto
Blindness: 'If I do anything now to upset these guys, I’m dead.'
#realworldcrypto
We give up confidentiality for alert: a goal only ethnography could suggest. We give a provably secure construction and we implement it.
#realworldcrypto
Ethnography proposes 'exists' statements, not 'for all' statements
#realworldcrypto
Coffee time
#realworldcrypto
'Defending the Open Internet: TLS, Passkeys, and the Privacy Stakes of Digital Identity', by Christopher Harrell
#realworldcrypto
Q: How do I resolve the dilemma that if i work on this, governments will use it to discriminate [against children, women, etc]
A: Build primitives that work with trust lists, group of issuers we trust [um we trusted the US until we didn't, oops]
#realworldcrypto
Q: Device-bound means i lose my creds
A: Cloud-based HSM [narrator: 🙄]
#realworldcrypto
Q: The nice ZKs going to PQ change the computational/privacy properties
A: Depending on the construction (BLS vs ML-DSA, relying on the symmetric guts of certain constructions)
#realworldcrypto
Next up, 'Zero Knowledge (About) Encryption: On the Security of Cloud-based Password Managers', presented by Matteo Scarlata and Giovanni Torrisi
#realworldcrypto
We don't trust the server, should only have access to the vault plaintext if you have access to the master password
#realworldcrypto
