On the internet, there is only Alice

Nov 18, 2016 eccentric-authentication usability

Everyone who works long enough in the field of cryptography knows about Alice and Bob: They know each other, go their separate ways and – always – are in dire need of private communication. Eve is listening in on every message and Mallory actively tries to trick them into believing her words are genuine. Then the authors of the paper explain their cryptographic protocol that makes Alice and Bob safe again.

End to End Encryption is useless

Jul 17, 2016 end-to-end authentication

There is a lot of news about end-to-end encryption. Every chat app and their neighbours are implementing it, even the big names: the Russians with Telegram, the Americans with Allo, Facetime, Skype, Whatsapp and what not. So that’s good, isn’t it? Yes, end-to-end encryption is good! It makes sure that your message, your love letter, VoIP or telephone call can only be read by the one you intend it for and no one else.

tor made easy

Apr 6, 2016 tor eccentric-authentication usability

Tor is the well known Onion Routing network. It lets people communicate over the internet without revealing their location. Using the Tor network is easy*) if all you need is browsing. Just run Tails or Whonix and browse. The sites can’t figure out where you are. This is good for your privacy, your anonymity. And good for people in countries that censor parts of the rest of the world. Others use Tor to host a hidden server.

spot the differences

Nov 30, 2014 eccentric-authentication paper

As a child I liked to do puzzles. One of these was called “Spot the Differences.” Get all 15 differences correct and you may win a prize. There is an adult version of this game, and it is much more challenging: Only one picture is shown at a time, so players have to rely on memory to recall the differences; it’s played by millions of people every day, yet many don’t know they are playing; and the stakes are higher: If you fail to spot any differences you might lose all the money in your bank account.

talk for icann

Jun 25, 2014 talks

Today I’ll be presenting a short talk at the ICANN DNSSEC Workshop in London. It’s about how to get your computer to protect you against phishers. The presentation shows how DNSSEC and DANE form the basis on which this can be built. All it takes is a user agent that does the work for you. The presentation describes how to reach that goal.

making crypto invisible

May 1, 2014 usability

Q. What good is a tool that requires complicated rituals such as key signing parties, or fingerprint verification? A. Instant loss of security, privacy and usability. Q. What good is a tool that uses encryption in a network of plain-text connections? A. Instant suspicion. Q. What good is a tool for circumventing censorship in a country that forbids it? A. Instant confession. Our proposal Eccentric Authentication is a protocol that weaves cryptography into the normal workflow of the net.


Mar 27, 2014 eccentric-authentication

There are three types of queries to be made against the Verification service: submit a certificate; query a CN; query any duplicate CN for a given domain. The biggest load on the Certificate verification service is the queries keyed on CN. These queries will be done every time a user comes across a new certificate. On a blog site where every blog and comment is signed with the user’s private key, it means one lookup for each new participant.

how to design a distributed client certificate verification service

Mar 26, 2014 eccentric-authentication

With Eccentric Authentication, the goal is to make sure that each client certificate has a globally unique, human memorable name. In other words: there are no two certificates (with different public keys) bearing the same CN. With unique CN’s, people can trust that each signed message must have been signed by the holder of the corresponding private key. This ties human memorable names to public keys. When we make it globally unique, we have squared Zooko’s Triangle.

end user trust model

Nov 24, 2013 usability

There is a huge gap between the way the currently deployed crypto-tools work and the requirements of the normal end user. End User Trust Model: The common user has these requirements: 1. Don’t think, just click. 2. Someone else must protect me. 3. For free. On 1: Users don’t want to be bothered with anything that stands in the way of what they want to do. It won’t work. On 2: Users assume that their computer keeps them safe from all harm.

talk for brucon

Sep 28, 2013 talks

Last week the 5th BruCON was held in Ghent, Belgium. It’s a small (and friendly) security conference. Their motto is: “Hacking for b33r”. Topics ranged from a workshop on breaking old crypto algorithms to pinpointing GSM locations and how to make the compliance process less headache inducing. Too bad there was no beer brewing workshop this year due to pregnancy of the brewer. I was one of the recipients of a grant to work on an open source security project in their 5by5 program.