Protecting Passwords with Oblivious Cryptography

Explore password protection techniques using oblivious cryptography in this conference talk from CypherCon 2.0. Delve into the vulnerabilities of ubiquitous passwords and learn about Pseudorandom Functions (PRF) and their role in enhancing security. Examine password database compromises and Facebook's Password Onion approach. Discover the concept of Remote HMAC for distributing trust and the innovative Pythia PRF approach. Understand the PRF query process for new users and strategies for compromise recovery. Analyze why existing crypto primitives fall short and explore the construction and advantages of Partially Oblivious PRF. Learn about fast, scalable PRF services and their applications beyond web servers. Conclude with an overview of the open-source Pythia implementation, equipping you with cutting-edge knowledge to bolster password protection in various digital environments.

Intro
Summary Passwords: Ubiquitous, but vulnerable to offline attack
Pseudorandom Function (PRF)
Password Database Compromises
Facebook's Password Onion
Remote HMAC Distributes Trust
Our Approach: Pythia PRF
PRF Query – New User
Compromise Recovery
Existing Crypto Primitives are Insufficient
Partially Obl. PRF Construction
Advantages of Partially Obl. PRF
Fast, Scalable PRF Service
Beyond Web Servers
Conclusion
Pythia Open Source Implementation