Colloquium - Tales of Broken Authentication: Misguided Designs Can Hurt For Decades

April 30, 2021 - 4:00pm to 5:00pm
Zoom - See emails for details
Sze Yiu Chau
The Chinese University of Hong Kong (CUHK) | Information Engineering

In this talk, we will see several case studies of how authentication can break in practice due to poor implementation and deployment setups. First we will look at implementations of cryptographic protocols, specifically the verification of digital certificates and RSA signatures. We will discuss how implementation oversights in various systems and libraries can render cryptographic mechanisms ineffective in achieving the intended security guarantees. Next we will focus on enterprise Wi-Fi, which is used worldwide by companies and universities. We will see how both the client and server in enterprise Wi-Fi can arrive at weak configurations, opening doors to credential theft. Throughout the talk, we will also look at how the poor implementations and deployments observed in the wild were actually commissioned by the misguided and incoherent design choices embraced by security-critical components and protocols, resulting in decades of lost security.

Sze Yiu is now an Assistant Professor at The Chinese University of Hong Kong, Department of Information Engineering. Prior to moving back to his hometown, he was a postdoctoral researcher at CMU CyLab. He obtained his PhD in Computer Science from Purdue University, working primarily on network and system security, under the supervision of Prof. Ninghui Li and Prof. Aniket Kate. His research interest is mainly on the (in)security of the design, implementation, and deployment of network and cryptographic protocols. Specifically, he has been testing and measuring different aspects of TLS and PKI, which led to the discovery of many vulnerabilities and misguided designs in various systems.