Date: Fri, 3 Jun 2016 19:55:59 +0200
From: Per Thorsheim <per@...rsheim.net>
To: passwords@...ts.openwall.com
Subject: BSidesLV / #passwords16 keynote + 3 talks

I am very happy to announce Lorrie Faith Cranor as the opening keynote of BSidesLV. You can learn more about Lorrie here:
http://lorrie.cranor.org/

I am also very happy to announce these "early bird" selected talks for our #passwords16 track. More to come in the next few days.

---------

Arnold Reinhold

Arnold Reinhold has been involved with password and passphrase security since the mid-1990s. He is the developer of Diceware, CipherSaber and HEKS, the first password hash designed to consume memory resources as well as CPU time.

"Rock Salt: A Method for Securely Storing and Utilizing Password Validation Data"

Rock Salt™ is a method for storing and accessing password verification data on multi-user computer systems that resists remote attacks. Along with commonly-employed measures that limit the number of unsuccessful attempts to login or otherwise verify a password, it allows users to choose relatively simple passwords with full security. The secret component cannot be easily leaked or exfiltrated by malware, does not require periodic backup and is isolated in a way that allows it to be protected by conventional security measures, such as safes, alarm systems and video surveillance, from attackers who somehow gain access to the computing facility.

---------

Nick Sullivan

Nick is the head of crypto at CloudFlare.

PAL is your pal: Bootstrapping secrets in Docker

Many services that run in Docker containers need to have highly sensitive secrets installed on them. Examples of this include SSL certificates and API keys. Services like Vault and Keywhiz were developed to manage secrets to a central authority; however, most of these secret management services require a secret to be present. This presents a bootstrapping problem.

To solve this, CloudFlare created PAL: a new tool for bootstrapping secrets in Docker containers. PAL (Permissive Action Link, named after a tool used to prevent unauthorized detonation of nuclear devices) works by binding identity secrets to Docker containers and decrypting them at launch time through a service running on the host. Permissions require M of N authorization and are handled through a service called Red October. This allows you to simply and transparently bootstrap service-specific secrets. In this talk I'll describe the design and implementation of this service and how we use it at CloudFlare to protect secrets for our billing platform and private key infrastructure. We'll also briefly discuss our plans to use PAL for password hashing and service authorization.

---------

Jim Fenton

(No bio provided. Personally I think Jim is *awesome*)

Toward better password requirements

While we often discuss examples of poor password requirements, it's also useful to consider a sample set of good requirements and practices. NIST Special Publication 800-63, which defines authentication requirements for Federal Government agencies, is currently being revised and seeks to establish requirements that are aligned with current understanding of threats and user behavior. This talk will discuss the rationale for these changes and opportunities for comment.

As authentication threats have evolved and we have learned more about user behavior, what were considered best practices several years ago are no longer current. For this reason, guidance on user authentication needs periodic revision. NIST Special Publication 800-63, which sets technical requirements for authentication and identity proofing by the Federal Government, is currently in the process of such a revision. SP 800-63B, subtitled "Authentication and Lifecycle Management", is a new document dealing specifically with user authentication.

It changes the requirements for memorized secrets (passwords) in several ways:
- Emphasis on long, memorable passwords
- No use of composition rules
- No hints and prompts (name of first pet, etc.)
- Use of dictionary of compromised passwords to disallow poor choices
- No arbitrary (e.g., periodic) password changes

Beyond the realm of passwords per se, SP 800-63B also clarifies and strengthens the requirements for two-factor authentication and account recovery. The use of SMS (text messaging) as an out-of-band authentication mechanism has been deprecated due to security issues that have been seen with this technique. Requirements for account recovery have also been strengthened, in an effort to avoid having account recovery act as an authentication back door, particularly for two-factor authentication.

--
Best regards,
Per Thorsheim
CISA, CISM, CISSP, ISSAP
Founder of PasswordsCon.org
CEO of godpraksis.no
Phone: +47 90 99 92 59
Twitter: @thorsheim
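An added example, not part of Per's post and not code from NIST or from any of the speakers: a Python acceptance check in the spirit of the memorized-secret rules summarised in Jim Fenton's abstract (long passphrases welcome, no composition rules, no hints, a compromised-password dictionary, no expiry). The minimum and maximum lengths, the Unicode normalization step and the compromised-password list are assumptions constructed here for illustration, not values taken from the post or from SP 800-63B.

```python
"""Password acceptance check modelled on the SP 800-63B memorized-secret
rules listed in the abstract above. Added example; thresholds and the
breach list are constructed assumptions, not values from the post."""
import unicodedata
from typing import List

# Constructed sample of a "dictionary of compromised passwords"; a real
# deployment would load this from a breach corpus, not a literal.
COMPROMISED = {
    "password", "password1", "123456", "qwerty", "letmein", "iloveyou",
    "welcome1", "admin123", "correcthorsebatterystaple",
}

MIN_LENGTH = 8    # assumed lower bound; the rule emphasises length, not a fixed number
MAX_LENGTH = 128  # assumed generous cap so that long passphrases are not rejected


def normalize(secret: str) -> str:
    # Assumed step: canonicalise Unicode so the same passphrase typed on
    # different keyboards compares equal. Spaces are kept, not stripped,
    # because memorable multi-word passphrases are exactly what we want.
    return unicodedata.normalize("NFKC", secret)


def in_compromised_list(secret: str) -> bool:
    # Lookup is case-insensitive and ignores spaces so that trivial
    # variants of a leaked value are still caught by the dictionary.
    key = secret.lower().replace(" ", "")
    return key in COMPROMISED


def check_password(secret: str) -> List[str]:
    """Return the reasons the secret is rejected; an empty list means accepted.

    Deliberately absent, matching the rules above: no composition rules
    (required uppercase/digit/symbol classes), no hint or prompt storage,
    and no expiry date that would force periodic changes.
    """
    reasons: List[str] = []
    s = normalize(secret)
    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if in_compromised_list(s):
        reasons.append("appears in compromised-password dictionary")
    return reasons


def is_acceptable(secret: str) -> bool:
    return not check_password(secret)


if __name__ == "__main__":
    # Constructed candidates: a "complex" short password, a famous
    # passphrase that is now in every dictionary, a long plain-language
    # passphrase with no special characters, and a leaked classic.
    for candidate in ["Tr0ub4dor&3", "correct horse battery staple",
                      "my cat climbs the kitchen curtains", "Password1"]:
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

Note that "my cat climbs the kitchen curtains" is accepted despite having no uppercase letters, digits or symbols, while "correct horse battery staple" is rejected purely because it is in the compromised list; that is the shift from composition rules to a breach dictionary that the abstract describes.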