Apple’s Passkeys aim to replace passwords, here’s why you need them – T3


You'd be forgiven for missing the Passkey announcement that came as part of Apple's WWDC 2022 keynote. There was a lot of information there, even for a well-versed tech journalist to follow. Among macOS Ventura features, it might not be as flashy as the new Continuity Camera or Stage Manager, but it's arguably far more important.

Passkeys have the potential to completely change web security by eliminating the need for you (or even your password manager) to enter a password on a website. The theory is that if there's no password exchanged, there's nothing that can be compromised.

Perhaps the most important factor, though, is that Passkeys aren't a Mac-only technology. They are part of the work being done by the FIDO Alliance, which also includes Microsoft and Google, to create a passwordless internet. Apple's version, however, will be synced between your devices using the iCloud Keychain, which is also secured using end-to-end encryption.

The process of using a Passkey won't feel that different to using Apple's Keychain or Google's Password Manager. When you sign up to a site, or update your security settings on an account, you will be given the option to use a Passkey instead of a password. Then each time you visit that site, instead of inputting a password, you will be asked to use your Touch ID or Face ID to verify, much as you can at the moment to access those stored passwords.

The difference is happening behind the scenes. With Passkeys, no secret is actually exchanged. It's all based on the WebAuthn standard, which uses a public key and a private key and the cryptography between them. The private key never leaves your device; it is simply verified for the site by your own device. This means it can't be phished or leaked, as it isn't stored on a web server.
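The challenge-response exchange described above, as an added example that is not from the article or from Apple: a simplified model of the idea behind WebAuthn (not its real message encoding), using Node's built-in crypto module with Ed25519. The function names, the `example-bank.test` origins and the message layout are assumptions made for illustration.

```javascript
// Simplified model of passkey sign-in (added example; not real WebAuthn encoding).
const nodeCrypto = require("crypto");

// Device side: holds one private key per site and never exports it.
function createAuthenticator() {
  const keysByOrigin = new Map();
  return {
    // Registration: create a key pair for this origin, return only the public key.
    register(origin) {
      const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
      keysByOrigin.set(origin, privateKey);
      return publicKey.export({ type: "spki", format: "der" });
    },
    // Sign-in: sign the server's challenge together with the origin the browser
    // is really on. Returns null when no passkey exists for that origin.
    sign(origin, challenge) {
      const privateKey = keysByOrigin.get(origin);
      if (!privateKey) return null;
      const clientData = Buffer.from(
        JSON.stringify({ origin, challenge: challenge.toString("base64") })
      );
      return { clientData, signature: nodeCrypto.sign(null, clientData, privateKey) };
    },
  };
}

// Server side: stores only the public key, so a database leak exposes no secret.
function createRelyingParty(origin) {
  let storedPublicKey = null;
  const pending = new Set(); // outstanding challenges, each usable once
  return {
    origin,
    enroll(publicKeyDer) { storedPublicKey = publicKeyDer; },
    newChallenge() {
      const challenge = nodeCrypto.randomBytes(32);
      pending.add(challenge.toString("base64"));
      return challenge;
    },
    verify(assertion) {
      if (!assertion || !storedPublicKey) return false;
      const key = nodeCrypto.createPublicKey({ key: storedPublicKey, type: "spki", format: "der" });
      if (!nodeCrypto.verify(null, assertion.clientData, key, assertion.signature)) return false;
      const data = JSON.parse(assertion.clientData.toString());
      if (data.origin !== origin) return false;
      return pending.delete(data.challenge); // false if unknown or already used
    },
  };
}

function runDemo() {
  const site = createRelyingParty("https://example-bank.test"); // constructed origin
  const device = createAuthenticator();
  site.enroll(device.register(site.origin));

  // 1. Normal sign-in: fresh challenge, signed on the device, checked by the site.
  const good = device.sign(site.origin, site.newChallenge());
  const legit = site.verify(good);

  // 2. The same assertion presented a second time: its challenge is spent.
  const replay = site.verify(good);

  // 3. A look-alike origin forwards a real challenge: the device has no key
  //    scoped to that origin, so there is nothing to sign with.
  const phished = site.verify(device.sign("https://examp1e-bank.test", site.newChallenge()));

  // 4. Signed data altered after signing: the signature no longer matches.
  const fresh = device.sign(site.origin, site.newChallenge());
  const tampered = site.verify({
    clientData: Buffer.concat([fresh.clientData, Buffer.from(" ")]),
    signature: fresh.signature,
  });

  return { legit, replay, phished, tampered };
}

console.log(runDemo());
```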

While Apple's Passkeys are designed to work across all Apple devices, the collaboration with the FIDO Alliance means that you will be able to access websites on non-Apple devices too. In the keynote, Apple shows a QR code on a website, which can then be scanned by your iPhone to access your passkey, again without sharing it with the website or third-party device.

The beauty of this is that it means you can still use the security on your work machine, or even a shared computer in a hotel lobby, without worrying about hackers.

While Apple admits the move to Passkeys is a journey, it's a significant one that brings genuine benefits to users. It will take time for websites to provide the facility for one, but I can't wait to ditch my password manager and use it.


GUEST ESSAY: We need to talk about crypto crash and its inevitable recovery – Daily Maverick

A disinterested observer may be bemused, or even gleeful at this red sea. The walls reverberate with "I told you so"s. I suspect if you are a stakeholder in this new ecosystem, particularly an innocent one, the humour will be lost on you.

I am one of those stakeholders, personally and professionally. But I am still smiling, albeit through gritted teeth, holding on to my optimism with whitened knuckles.

Here is why.

Cryptography has been around for thousands of years but lurched forward in the 1970s as many researchers started developing new techniques for keeping secrets. More importantly, the market for this arcane mathematics grew quickly from military, to telecommunications, to industry, to the Internet. But the industry we generally now refer to as crypto and see daily in the headlines was really born in 2009, which was when Bitcoin was conceived.

Not to put too fine a point on it, the explosion of innovations since then has been breathtaking: hard to follow, hard to digest and hard to predict. Cryptocurrencies, financial services, NFTs, crypto-secured supply chains, the metaverse, gaming, governance-communities and other wondrous things have emerged (and continue daily to do so), all built on the back of cryptography.

This is to say that the quantum of brain power committed to this industry (mathematicians, statisticians, computer scientists, economists, financial engineers, innovators, inventors, developers, educators and dreamers) has become voluminous and adamant. There are hundreds of thousands of them and new ideas and experiments pour out daily, most of them utterly unconnected to the world of cryptocurrencies and the token prices which so consume the news cycle.

The price of Bitcoin or Ether or any other crypto asset will be of transient consequence to these people with their heads down building new worlds and better, fairer services. At worst, less investment will pour into the sector for a brief period. At best, pretenders and grifters and dodgy projects will disappear.

So the stuff happening deep in the bowels of the cryptoverse is largely unconcerned with the price of Bitcoin. There is simply no chance of this wave ending; these are fertile plains of abundant innovation in myriad matters of human interaction.

In any event, markets have a short memory. A much more serious bear market occurred at the end of 2017 with many tokens up to 80% down from highs. Prior to that, a number of other crashes dating back to 2013, also more merciless and eye-popping than this one. The crypto market recovered quickly from all of them, as I expect it will do from this one.

More importantly, it is important to retain perspective and context here. Most tech stocks, including giants like Netflix, are down more than 50% off their highs. Even those stocks in unrelated sectors like real estate and insurance are growling like bears. So the question that needs to be asked: is crypto crashing because crypto is toxic kryptonite (in the words of one of the richest men in the world), or is crypto crashing because everything is crashing?

Institutional money started pouring into crypto in the last 18 months as it became evident that the asset class was not a bubble. This means that it has started to get caught in the net of big money's risk-on/risk-off calculations. So when money flees from high-risk bets to low-risk safe harbours, it will flee from emerging markets, high-growth stocks, fancy derivatives. And it will flee from crypto, now sadly correlated with everything else in traditional finance. Crypto is crashing mostly because everything is crashing, save for a few terrible bloopers like the Terra stablecoin, of which I have previously written.

Meanwhile, it is indeed painful to watch.

I submit that no one remembers the crypto crash of 2017 because it was simply swamped by the subsequent value of crypto-fueled inventions that came in its wake, and the growth of the industry wiped memories clean.

And I submit that is what will happen again this time, sooner rather than later. DM

Steven Boykey Sidley (Professor of Practice, JBS, University of Johannesburg)


What Is a Hash Function Within Cryptography [Quick Guide] – Security Boulevard

Hash Function Is One Type of Computer Security That Provides Authentication & Data Integrity

A Quick Guide on Hash Function and How Does It Work

Cryptography is the essential process and method that's used for maintaining the integrity, confidentiality, and security of data. It's essential to create robust machine identities that protect machine-to-machine communications and connections. Put simply, the hash function is the mathematical process that has an essential part in public-key cryptography.

In addition, the hash function helps in:

Furthermore, hash functions are helpful in many other ways. For instance, they help sign software applications and secure the website connection to transmit information online.

The hash function is seen differently by different people. But if you're questioning what a hash function in cryptography is, it becomes a bit different. The hash function is seen as a unique identifier for any content in cryptography. It processes the plaintext data of all sizes and converts it into a unique ciphertext of a certain length.

In other words, hashing is a mathematical function that gives an output called a hash value of ciphertext or plaintext. It's a cryptographic technique that transforms your data into a specific text string. Hence, once you put a plaintext within a strong hash algorithm, you get the output in a hash value.

Similarly, the hash function is a one-way cryptographic algorithm that maps your input of all sizes to a unique output of a fixed length in bits. The resulting output is known as a hash value, hash digest, or hash code.

Hashing converts readable text into unreadable text, making it secure. And, once hashing is executed, it's not easy to reverse, which makes it a little different from encryption, where you can reverse the encrypted information.

The original data input is often broken down into small blocks of equal sizes in hashing methods. And, if there's not enough data within any block to make it the same size, padding (1s and 0s) is added. Similarly, those individual data blocks are run using a hashing algorithm and give an output known as a hash value.

No doubt, the process may differ if you're hashing passwords for storing in a web server. But, the hashing of passwords for storing involves salting. Here salt is a unique random value added to the message before it undergoes the hashing algorithm. Lastly, adding one character will create a new hash value once the process is completed.

Though both hash function and encryption use cryptography, they are not similar. For instance, a hash function is a one-way function, which means once you convert readable content into ciphertext, you can't reverse it. And, when it comes to encryption, you can convert it back into a readable format, also known as decrypting, after it's encrypted. But, it would help if you were authorized to decrypt the encrypted information. Similarly, hashing is mainly used for comparison reasons and not for encryption.

Some of the most commonly used hashing algorithms are:

Below are the properties of Hash Function:

Hashing secures passwords that are stored and saved on the server. Instead of storing passwords in plaintext, you store actual hash values within the hash table by hashing. Therefore, if an intruder tries to log into the system, they'll only be able to see the hash value and not the actual passwords.

Hashing is useful for verifying passwords every time you log in to your account or system. Password verification shows you're the actual user of the account. Similarly, if your password matches the hash value on the server, it confirms you're authorized.
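Salted storage and verification as described above, in an added example that is not from the article: it uses Node's built-in scrypt, a deliberately slow salted password-hashing function, in place of a single bare hash, and contrasts it with unsalted SHA-256. The stored-record format, the function names and the sample password are assumptions.

```javascript
// Salted password storage and verification (added example, Node built-ins only).
const nodeCrypto = require("crypto");

const KEY_LEN = 32; // bytes of derived hash kept per password

// Returns the string the server stores: "scrypt$<salt hex>$<hash hex>".
// A fresh random salt is generated for every password unless one is passed in.
function hashPassword(password, salt = nodeCrypto.randomBytes(16)) {
  const hash = nodeCrypto.scryptSync(password.normalize("NFKC"), salt, KEY_LEN);
  return ["scrypt", salt.toString("hex"), hash.toString("hex")].join("$");
}

// Re-derive the hash with the stored salt and compare in constant time.
function verifyPassword(password, stored) {
  const [scheme, saltHex, hashHex] = String(stored).split("$");
  if (scheme !== "scrypt" || !saltHex || !hashHex) return false;
  const expected = Buffer.from(hashHex, "hex");
  if (expected.length !== KEY_LEN) return false; // malformed record
  const actual = nodeCrypto.scryptSync(
    password.normalize("NFKC"), Buffer.from(saltHex, "hex"), KEY_LEN
  );
  return nodeCrypto.timingSafeEqual(actual, expected);
}

// Plain, unsalted SHA-256, shown only for contrast.
function sha256Hex(text) {
  return nodeCrypto.createHash("sha256").update(text, "utf8").digest("hex");
}

// Number of differing bits between two equal-length hex digests.
function bitDifference(hexA, hexB) {
  const a = Buffer.from(hexA, "hex");
  const b = Buffer.from(hexB, "hex");
  let bits = 0;
  for (let i = 0; i < a.length; i++) {
    let x = a[i] ^ b[i];
    while (x) { bits += x & 1; x >>= 1; }
  }
  return bits;
}

function runDemo() {
  const pw = "correct horse battery staple"; // constructed sample password
  const alice = hashPassword(pw); // two users who happen to pick the same password
  const bob = hashPassword(pw);
  return {
    // Unsalted: identical passwords give identical digests, so one lookup
    // table entry exposes every account that shares the password.
    unsaltedMatch: sha256Hex(pw) === sha256Hex(pw),
    // Salted: the stored records differ even though the password is the same.
    saltedDiffer: alice !== bob,
    rightPassword: verifyPassword(pw, alice),
    wrongPassword: verifyPassword(pw + "!", alice),
    // One added character changes roughly half of the 256 output bits.
    flippedBits: bitDifference(sha256Hex(pw), sha256Hex(pw + "!")),
  };
}

console.log(runDemo());
```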

Hashing verifies data integrity. It assures you that your data is not modified and it's correct. Similarly, it also ensures your information is in its original form.

Hash functions are helpful for most things. For instance, they're used to sign new software and verify digital signatures to secure the website connection with the computer or mobile web browsers. Similarly, they're also good for indexing and retrieving information from the online database.

For instance, the hash function is commonly seen in usage for:

In addition, the hash function is commonly found through public-key cryptography. For example, the hash function is seen in:

For instance, you are looking to digitally sign software and distribute it online on your website for download. For this, you'll need to create a hash of the executable you're signing. After embedding your digital signature, you'll need to hash that digital signature.

And once the user downloads that software, the browser goes to decrypt the file, and at that time, it inspects the two unique hash values. Similarly, the browser will run the same hash function with the help of the same used algorithm and hash both the signature and file once again. If the produced hash value is the same, the browser knows that both the file and signature are authentic and not altered. And, if the hash value differs, the browser will show a warning message.

Hashing is an essential tool for computer security. It helps secure data and offers visibility within alteration or modification of files and data. In addition, its unique characteristics prevent attackers from taking advantage of reverse engineering for viewing plaintext or original input data.

Lastly, in combination with other cryptographic tools like encryption, the hash function supports authentication, signatory non-repudiation, and data integrity when using digital signatures.


Now Is the Time to Plan for Post-Quantum Cryptography – DARKReading

RSA CONFERENCE 2022, San Francisco: Even the most future-facing panels at this year's RSA Conference are grounded in the lessons of the past. At the post-quantum cryptography keynote "Wells Fargo PQC Program: The Five Ws," the moderator evoked the upheaval from RSAC 1999 when a team from Electronic Frontier Foundation and Distributed.net broke the Data Encryption Standard (DES) in less than a day.

"We're trying to avoid the scramble" when classical cryptography techniques like elliptic curve and the RSA algorithm inevitably fall to quantum decrypting, said Sam Phillips, chief architect for information security architecture at Wells Fargo. And he set up the high stakes encryption battles often have: "Where were all the DES implemented? Hint: ATM machines."

"We had to set up teams to see where all we were using [was DES] and then establish the migration plan based upon using a risk-based approach," Phillips said. "We're trying to avoid that by really trying to get ahead of the game and do some planning in this case."

Phillips was joined on stage by Dale Miller, chief architect of information security architecture at Wells Fargo, and Richard Toohey, technology analyst at Wells Fargo.

Toohey, a doctoral candidate at Cornell University, handled most of the technical aspects of quantum computing during the panel.

"For most problems, if you have a quantum calculator and a regular calculator, they can add numbers just as well," he explained. "There's a very small subset of problems that are classically very hard, but for a quantum computer, they can solve [them] very efficiently."

These problems are called NP-hard problems.

"A lot of cryptography, specifically in asymmetric cryptography, relies on these NP-hard type problems (things like elliptic curve cryptography, the RSA algorithm, famously), and when quantum computers are developed enough, they'll be able to brute-force their way through these," Toohey explained. "So that breaks a lot of our modern classical cryptography."

The reason why we don't have crypto-breaking quantum computers today, despite headline-making offerings from IBM and others, is because the technology to reach that level of power has not been accomplished yet.

"To become a cryptographically relevant quantum computer, a quantum computer needs to have about 1 to 10 million logical qubits, and those logical qubits all need to be made up of about 1,000 physical qubits," Toohey said. "Today, right now, the largest quantum computers are somewhere around 120 physical qubits."

He estimated that to even muster the first logical qubit will take three years, and from there it has to scale up to "a million or so logical qubits. So it's still quite a few years away."

Another technical challenge that needs solving before we get these powerful quantum computers is the cooling systems they require.

"Qubits are incredibly sensitive; most of them have to be held at very low, cryogenic temperatures," Toohey explained. "So because of that, quantum computing architecture is incredibly expensive right now."

Other problems include decoherence and error correction. The panel agreed that the combination of these issues means crypto-cracking quantum computers are eight to 10 years away. But that doesn't mean we have a decade to address PQC.

The panel was named for the journalistic model of five questions that start with the letter "w," but that didn't come up until late in the audience Q&A portion.

"Sam was asking the what, the who, the why, the where, and the when," Miller said. "So I think we've covered that in our conversations here."

Most of the titular questions were somewhat vague and a matter of judgment. However, on the concept of when you should start planning for the post-quantum future, there was complete agreement: Now.

"You've got to start the process now, and you have to move yourself forward so that you are ready when a quantum computer comes along," Miller said.

Phillips concurred.

"There is not right now a quantum computer that is commercially viable, but the amount of money and effort going into the work is there to move it forward, because people recognize the benefits that are there, and we are recognizing the risk," he said. "We feel that it's an eventuality, that we don't know the exact time, and we don't know when it'll happen."

Toohey suggested beginning preparations with a crypto inventory: again, now.

"Discover where you have instances of certain algorithms or certain types of cryptography, because how many people were using Log4j and had no idea because it was buried so deep?" he said. "That's a big ask, to know every type of cryptography used throughout your business with all your third parties. That's not trivial. That's a lot of work, and that's going to need to be started now."
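A first pass at the kind of crypto inventory described above, as an added example (not Wells Fargo's tooling or anything shown at the panel): it scans configuration text for algorithm identifiers and groups files by risk. The file names, file contents and rule table are constructed; the risk labels follow the article (RSA and elliptic curve fall to quantum computers, DES was broken in 1999).

```javascript
// Crypto inventory over configuration text (added example; sample data is constructed).

// Rule table: which identifiers count as which algorithm family and risk.
const RULES = [
  { family: "RSA", risk: "quantum-vulnerable",
    pattern: /\bRSA\b|\b[RP]S(?:256|384|512)\b/g },          // incl. JWT RS256/PS256
  { family: "elliptic-curve", risk: "quantum-vulnerable",
    pattern: /\bECDHE?\b|\bECDSA\b|\bES(?:256|384|512)\b/g }, // incl. JWT ES256
  { family: "DES", risk: "classically-broken",
    pattern: /\b(?:3DES|DES)\b/g },
];

// Constructed sample files standing in for a repository or config share.
const SAMPLE_FILES = {
  "nginx/site.conf": "ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA;",
  "app/jwt.yaml": "alg: RS256\nfallback_alg: ES256",
  "batch/legacy.properties": "cipher=DES/CBC/PKCS5Padding",
  "svc/storage.toml": 'at_rest = "AES-256-GCM"\ndigest = "SHA-256"',
};

// Returns one finding per matched identifier, with file and line for follow-up.
function inventory(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split("\n").forEach((line, index) => {
      for (const rule of RULES) {
        for (const match of line.matchAll(rule.pattern)) {
          findings.push({
            path, line: index + 1, token: match[0],
            family: rule.family, risk: rule.risk,
          });
        }
      }
    });
  }
  return findings;
}

// Groups findings into risk -> sorted list of files that need a migration plan.
function summarize(findings) {
  const byRisk = {};
  for (const f of findings) {
    if (!byRisk[f.risk]) byRisk[f.risk] = new Set();
    byRisk[f.risk].add(f.path);
  }
  const out = {};
  for (const risk of Object.keys(byRisk).sort()) out[risk] = [...byRisk[risk]].sort();
  return out;
}

const findings = inventory(SAMPLE_FILES);
console.log(findings);
console.log(summarize(findings));
```

Text matching only reaches what is written down in readable files; certificates, compiled binaries and third-party services need their own discovery.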

Wells Fargo has a goal to be ready to run post-quantum cryptography in five years, which Miller described as "a very aggressive goal."

"So the time to start is now," he said, "and that's one of the most important takeaways from this get-together."

Pivoting is a key marker of agility for the panel, and agility is vital for being able to react to not just quantum threats, but whatever comes next.

"The goal here should be crypto agility, where you're able to modify your algorithms fairly quickly across your enterprise and be able to counter a quantum-based attack," Miller said. "And I'm really not thinking on a day-to-day basis about when is the quantum computer going to get here. For us, it's more about laying a path and a track for quantum resiliency for the organization."

Toohey agreed about the importance of agility.

"Whether it's a quantum computer or new developments in classical computing, we don't want to be put in a position where it takes us 10 years to do any kind of cryptographic transition," he said. "We want to be able to pivot and adapt to the market as new threats come out."

Because there will be computers that can break current cryptography techniques, organizations do need to develop new encryption methods that stand up to quantum brute-force attacks. But that's only the half of it.

"Don't just focus on the algorithms," Phillips said. "Start looking at your data. What data are you transiting back and forth? And look at devaluing that data. Where do you need to have that confidential information, and what can you do to remove that from the exposure? It will help a lot not only in the crypto efforts, but in terms of who has access to the data and why they have to have access."

One open question loomed over the discussion: When would NIST announce its picks for the new standards to develop for post-quantum cryptography? The answer: Not yet. But the uncertainty is no cause for inaction, Miller said.

"So NIST will continue to work with other vendors and other companies and research groups to look at algorithms that are further out there," he said. "Our job is to be able to allow those algorithms to come into place quickly, in a very orderly manner, without disrupting business or breaking your business processes and [to] be able to keep things moving along."

Phillips agreed. "That's one of the reasons for pushing on plug and play," he said. "Because we know that the first set of algorithms that come out may not satisfy the long-term need, and we don't want to keep jumping through these hoops every time somebody goes through it."

Toohey tied the standards question back into the concept of preparing now.

"That way, when NIST finally finishes publishing their recommendations, and standards get developed in the coming years, we're ready as an industry to be able to take that and tackle it," he said. "That's going back to crypto agility and this mindset that we need to be able to plug and play. We need to be able to pivot as an industry very quickly to new and developing threats."


Meet the trans, anarchist founder who just landed $25M to reform how crypto is stored – TechCrunch

Tux Pacific isn't your average tech founder. They're a self-taught cryptographer who dropped out of college, a proud member of and advocate for the transgender community and a self-described anti-capitalist anarchist who believes in free-market principles deeply rooted in the early days of crypto, when Bitcoin reigned supreme and banks had no interest in the sector.

Pacific's radically different background in comparison to other entrepreneurs is precisely what informs their unique way of thinking, they told TechCrunch in an interview. Pacific founded and serves as CEO of Entropy, a decentralized crypto custodian that says it has raised $25 million for its seed round led by Andreessen Horowitz alongside Coinbase Ventures, Robot Ventures, Dragonfly Capital, Ethereal Ventures, Variant and Inflection. Prominent angel investors from the tech community, including Naval Ravikant, Sabrina Hahn and James Prestwich, also participated in the round, according to Entropy. This latest round follows the company's $1.95 million pre-seed raise in January.

The Brooklyn, New York-based startup is aiming to disrupt the way digital assets are held through its decentralized self-custody solution, according to Pacific. Before founding Entropy last year, Pacific worked at cryptography network NuCypher while living in Berlin, Germany, where they learned advanced cryptographic techniques.

In the status quo, large crypto custodians like Fireblocks, Coinbase and Anchorage Digital that hold assets for crypto users are fundamentally centralized and function in a similar way to banks. In some cases, holding users' private keys in a central location has left these custodians vulnerable to hacks, and their users can't always interact with their funds at their will.

"We've heard a number of stories that were always like, we've used people like Coinbase, or we've used like all these other custody solutions. They call them up, and they're like, hey we need to move funds. And [the custodian responds], oh, sorry, we have to wait to get a person to do that," Pacific said. They recounted one anecdote they'd heard about a fund that was poised to lose several billion dollars in an OTC transfer because their point of contact at the custodial firm was on vacation.

Entropy, in contrast, leverages cryptographic techniques based on multiparty computation to give users a way to deposit and use cryptocurrencies across any blockchain, at any time, Pacific explained. Using Entropy's protocol, users can implement their own rules for interacting with the funds, such as time-gated constraints, a particularly useful feature for groups like DAOs that are trying to make decisions around a collectively determined set of rules, Pacific said.

Pacific describes Entropy's solution as comparable to Google Authenticator in that it doesn't provide its own wallet or user-facing products; it simply handles the process of signing their data cryptographically. Other groups, including companies and DAOs, can then use Entropy to deposit user funds for safekeeping but aren't beholden to a centralized custodian's constraints.

"Most cryptographers start with a protocol, and then envision a user experience that fits around it," Pacific said. In the case of Entropy, Pacific conceived of the idea by reversing that process: thinking about what the ideal custody experience would look like for a crypto user, and then designing the Entropy protocol to fit that.

"I'm approaching the problem so differently from a lot of other people. There are competitors who are just building wallets and just trying to fit their cryptographic protocols that they've come up with to do this thing. [My perspective is that] all the other people who built these cryptographic protocols before me, there's nothing super novel about them. I'm just going to compose it radically different than they are and just make it super user-friendly," Pacific said.

Pacific also attributes Entropy's edge to their own willingness to deviate from the traditional business model for custodians, wherein users pay them a fee to safekeep funds, and to work toward finding a model that can generate revenue not just for the custodian but also for the protocol itself, as well as crypto users. They readily admit Entropy's team of nine people hasn't worked out the details of that model just yet, but the company's venture backers don't seem to mind.

"When we started raising money, one of the biggest things I started telling people is that we don't have a business model," Pacific said. They are, as is typical of early-stage startups, focusing on building a great product before thinking through monetization, Pacific said.

Entropy is also going after a different audience than typical custodians might, Pacific added.

"This isn't like some enterprise blockchain like Qredo," Pacific said of the other decentralized digital asset custodian, which, unlike Entropy, provides users with a wallet. "We're building a product that's uniquely for crypto-native people and decentralized institutions. We don't expect JPMorgan to use us," Pacific said.

Entropy's focus on serving individual, crypto-native users in some ways comes from Pacific's personal connection to the crypto community. While they said they have faced some pushback for being a trans founder, for the most part, they've found crypto to be an unusually supportive environment.

"In fact, I've never felt I've been in a space where it's been more acceptable for people to be so different. If you go to a [crypto] conference, it's just filled with weird, weird people," Pacific said.

Pacific is used to forging their own path, they said, recounting how they didn't have any role models they could relate to growing up. Today, there is still almost no research on LGBTQ+ founders and how they're funded, though VC firm Backstage Capital estimates they receive less than 1% of venture dollars overall.

"Being able to see trans entrepreneurs would have been such a huge thing for me as a kid, especially trans people who are entrepreneurs who hold similar political values," Pacific said.


RSA Conference 2022 Announces Recipients of Lifetime Achievement Award and Annual Excellence in the Field of Mathematics Award – PR Newswire

Established in 1998, the RSA Conference Awards continue to acknowledge the outstanding contributions of individuals and/or organizations whose work helps to continue the fight against cybercrime and help prepare professionals within the industry to perform their jobs at the highest possible level.

"The RSA Conference Awards celebrate inspirational people whose contributions have had a profound, long-lasting effect on the industry and influenced the next generation of industry professionals," said Linda Gray Martin, Vice President, RSA Conference. "These awards are just one way we can recognize their achievements and thank them for their dedication to advancing the field of cybersecurity."

Lifetime Achievement Award

The Lifetime Achievement Award honors outstanding leaders who have made significant contributions to the advancement of the cybersecurity industry over their lifetime. Past recipients represent several of the most influential minds in the field whose work continues to have a lasting impact.

The RSA Conference 2022 Lifetime Achievement Award is posthumously awarded to: Alan Paller

Alan founded SANS in 1988, which provides advanced training for 45,000 cybersecurity technologists annually, and was the former president of SANS Technology Institute, the first regionally accredited college focused on educating future cyber stars. Alan served on the board of the National Cyber Scholarship Foundation and led CyberStart, a nationwide on-ramp that allows students to discover and demonstrate cyber talent. He testified before Congress, was a charter member of the President's National Infrastructure Assurance Council, and co-chaired both the DHS Task Force on CyberSkills and the FCC Task Force on Best Practices in Cybersecurity. In 2010, The Washington Post included Alan on its list of "seven people worth knowing in cybersecurity."

Over the years at RSA Conference, Alan led an annual keynote discussion on the most dangerous new attack vectors, to teach companies about what techniques are in use today, what is coming next, and what organizations can do to prepare. During that same session this year titled "The Five Most Dangerous New Attack Techniques," the current president of SANS Technology Institute Ed Skoudis will accept the award on his former colleague's behalf. More information about Alan Paller's legacy can be found here.

"Alan Paller was a beloved colleague and treasured mentor to countless people throughout the cybersecurity community. I can think of no one more deserving of the RSAC Lifetime Achievement Award than the man who dedicated his life to vastly improve cybersecurity practitioners' skills to thwart ever increasing threats," said Ed Skoudis, President of the SANS Technology Institute and Fellow at the SANS Institute. "It is an honor to accept the award on behalf of Alan and his family. Alan was one of the first true visionaries in cybersecurity, with an unmatched passion for educating students. Due to Alan's commitment, hard work and kindness, hundreds of thousands of students have become better cyber defenders. His legacy and lifetime dedication continue to embody the mission of the SANS Institute."

Award for Excellence in the Field of Mathematics, Co-Sponsored by IACR

Each year, RSA Conference recognizes noteworthy work in cryptography and mathematics. Award recipients are determined by an esteemed judging committee who seek to recognize innovation and ongoing contributions to the industry. Dozens of nominated individuals from affiliated organizations, universities or research labs compete each year for this award.

Recipients of the RSA Conference 2022 Excellence in the Field of Mathematics award are:

Professors Cynthia Dwork and Moni Naor

Cynthia Dwork, a professor of Computer Science at the John A. Paulson School of Engineering and Applied Sciences at Harvard University and a Distinguished Scientist at Microsoft Research, is known for establishing the pillars on which every fault-tolerant system has been built atop for decades. Her innovations modernized cryptography to cope with the ungoverned interactions of the internet through the development of non-malleable cryptography, formed the basis of crypto currencies through proofs of work, placed privacy-preserving data analysis on a firm mathematical foundation, and ensures statistical validity in exploratory data analysis, through differential privacy.

"RSA Conference is an important venue for the exchange of ideas in the cybersecurity ecosystem. I am deeply honored to join the ranks of past recipients of this prestigious award that recognizes foundational research," said Dwork. "The threats to privacy have never been greater, and advancements in technology means more cybersecurity risk. My research, work, students, and university will continue to play a key role in helping innovation preserve these values."

Moni Naor is a professor of Computer Science at the Weizmann Institute of Science in Israel specializing in Cryptography and Complexity. He is well known for his work connecting cryptography and data structure in adversarial environments. In 1992, he collaborated with Cynthia Dwork on "Proofs of Work" to combat denial-of-service attacks and other service abuses, such as spam, which is now famous for its use with Bitcoin and blockchain technologies. He has proposed other fundamental concepts that are at the heart of today's cryptography, including non-malleability, broadcast encryption, tracing traitors, small bias probability, and the efficiency of falsifying assumptions.

"The RSA Conference Excellence in the Field of Mathematics Awards has a long list of impressive and impactful recipients dating back to 1998 with Shafi Goldwasser receiving it. I am honored to say that I am now part of the amazing group of cryptographers who have received it," said Naor. "I strongly believe advancements in the field of cryptography will continue to prove necessary as digital communication and usage accelerates. I remain dedicated to making a lasting impact in the field."

"The IACR is proud to join RSAC in co-sponsoring the Excellence in the Field of Mathematics Award. As the worldwide professional society for researchers in cryptography and cryptanalysis, we are dedicated to recognizing individuals who have excelled in our field and advancing awareness of the role cryptology plays in a modern, digitally connected life," said Michel Abdalla, President, IACR. "This year we celebrate the work of Professors Dwork and Naor, and the impact they individually and collectively have had on the cryptography industry and cybersecurity at large."

RSA Conference and IACR presented the Excellence in the Field of Mathematics Award on Tuesday, June 7, 2022.

For more information regarding RSA Conference 2022, taking place at the Moscone Center in San Francisco from June 6-9, 2022, visit http://www.rsaconference.com/usa.

About RSA Conference

RSA Conference is the premier series of global events and year-round learning for the cybersecurity community. RSAC is where the security industry converges to discuss current and future concerns and have access to the experts, unbiased content and ideas that help enable individuals and companies to advance their cybersecurity posture and build stronger and smarter teams. Both in-person and online, RSAC brings the cybersecurity industry together and empowers the collective "we" to stand against cyberthreats around the world. RSAC is the ultimate marketplace for the latest technologies and hands-on educational opportunities that help industry professionals discover how to make their companies more secure while showcasing the most enterprising, influential, and thought-provoking thinkers and leaders in cybersecurity today. For the most up-to-date news pertaining to the cybersecurity industry visit http://www.rsaconference.com. Where the world talks security.

About the International Association for Cryptologic Research (IACR)

The International Association for Cryptologic Research (IACR) is a non-profit organization devoted to supporting the promotion of the science of cryptology. Cryptology is the science of the making and breaking of encryption algorithms, but in the modern world it encompasses so much more. You use cryptology all the time, when banking, when using a mobile phone, when opening your car door. You are even using it now when you are reading this web page.

IACR organizes a series of conferences and workshops. IACR publishes the Journal of Cryptology, in addition to the proceedings of its conferences and workshops. IACR also maintains the Cryptology ePrint Archive, an online repository of cryptologic research papers aimed at providing rapid dissemination of results. For more information, please visit http://www.iacr.org.

SOURCE RSA Conference

Originally posted here:
RSA Conference 2022 Announces Recipients of Lifetime Achievement Award and Annual Excellence in the Field of Mathematics Award - PR Newswire

Apple's passkeys could be better than passwords. Here's how they'll work. – Popular Science

Passwords stink as a security system. Humans are flat out terrible at creating long, unique, secure passwords. Most of us reuse the same short strings of meaningful information again and again, and even secure passwords aren't very good. Social engineering attacks like phishing can con people into giving up even the longest of passwords, or they can be leaked if an entire unencrypted database gets hacked. This is a big problem for tech companies who are on the hook for keeping your data safe, not to mention the individuals themselves who suffer a privacy breach. So, Apple, Microsoft, Google, and the other companies in the FIDO Alliance have set out to develop a better solution called passkeys.

At its Worldwide Developers Conference (WWDC) this week, Apple announced its implementation of the newly agreed upon passkey standards. It will roll out with iOS 16 and macOS Ventura, so it's the first real-world look we've had at the long-promised password-less future (the FIDO Alliance, which is an industry group dedicated to solving the world's password problem, has been working on this for a decade).

In the WWDC keynote, Apple's vice president of internet technologies, Darin Adler, called passkeys "a next generation credential that's more secure, easier to use, and aims to replace passwords for good." That's actually a pretty good summary, and doesn't even oversell it.

So how will they work? Passkeys are built on the Web Authentication, or WebAuthn, standard. It uses a cryptographic principle called public-key cryptography to secure your accounts. It's the same idea that's used for end-to-end encryption in iMessage, Signal, and other secure communications apps. Instead of creating a password for an account, your device will create a unique pair of mathematically related keys: a public key and a private key. The public key is stored on the server (because, as the name suggests, it's not a secret) and will allow the website or app to verify your account, as long as you have the matching private key. The trick is that because of how the math works, the private key never needs to get shared with the server. Your device can do all the authentication without ever revealing it. It's neat tech, and it has serious security implications.

Although passkeys might sound complicated (and the underlying cryptography is indeed complex), in practice, they will make signing up for new accounts even simpler. You will just use Touch ID or Face ID, and your iPhone, iPad, or Mac will do the rest. You don't have to come up with a long password, add in a few $s and &s, and then try to remember it. You won't even see your public or private keys. It's all done in the background, which takes the squishy, unreliable human element out of things.

Also, passkeys can't be phished. Your public key for any given site isn't privileged information. All that matters is the private key, which never leaves your device. A fake website designed to impersonate your bank, eBay, or some other account can't trick you into giving it up. It can set up a login prompt, but it just won't do anything.
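The login flow described in the last few paragraphs, as an added sketch that is not from the article or from Apple's implementation: a simplified WebAuthn-style exchange in Node.js in which the server verifies a signed challenge and rejects an assertion made on a look-alike origin. The `Authenticator` class, `browserGet`, `verifyAssertion`, the result labels, and the hostnames `bank.example` and `bank-login.example` are assumptions made for illustration; attestation, credential IDs and counter checks are left out.

```javascript
// Added example: a simplified WebAuthn-style login. Hostnames and keys are constructed.
const nodeCrypto = require('crypto');

const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Authenticator (the user's device). Private keys never leave this object.
class Authenticator {
  constructor() { this.credentials = new Map(); } // rpId (hostname) -> private key

  register(rpId) {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.credentials.set(rpId, privateKey);
    return publicKey; // only the public half is sent to the server
  }

  getAssertion(rpId, clientDataJSON) {
    const privateKey = this.credentials.get(rpId);
    if (!privateKey) return null; // no passkey for this site, nothing to sign
    // authenticatorData = SHA-256(rpId) || flags || signature counter
    const flags = Buffer.from([0x01]); // bit 0: user present
    const signCount = Buffer.alloc(4); // fixed at zero in this sketch
    const authenticatorData = Buffer.concat([sha256(rpId), flags, signCount]);
    const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    const signature = nodeCrypto.sign('sha256', signed, privateKey);
    return { authenticatorData, clientDataJSON, signature };
  }
}

// Browser: it, not the page's script, records the origin the user is really on.
function browserGet(authenticator, pageOrigin, challenge) {
  const rpId = new URL(pageOrigin).hostname; // simplification: rpId = hostname
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin: pageOrigin,
  }));
  return authenticator.getAssertion(rpId, clientDataJSON);
}

// Relying party (the website's server): holds only the public key.
function verifyAssertion(assertion, expected) {
  if (!assertion) return 'no-credential';
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'bad-challenge';
  if (client.origin !== expected.origin) return 'bad-origin';
  const { authenticatorData } = assertion;
  if (!authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'bad-rp-id';
  if ((authenticatorData[32] & 0x01) === 0) return 'user-not-present';
  const signed = Buffer.concat([authenticatorData, sha256(assertion.clientDataJSON)]);
  const valid = nodeCrypto.verify('sha256', signed, expected.publicKey, assertion.signature);
  return valid ? 'ok' : 'bad-signature';
}

function runScenarios() {
  const device = new Authenticator();
  const site = { origin: 'https://bank.example', rpId: 'bank.example' };
  const lookalike = 'https://bank-login.example';
  const publicKey = device.register(site.rpId);
  const results = {};

  // 1. Genuine login: fresh challenge, signed on the real origin.
  const c1 = nodeCrypto.randomBytes(32);
  const good = browserGet(device, site.origin, c1);
  results.genuine = verifyAssertion(good, { ...site, publicKey, challenge: c1 });

  // 2. Look-alike page passes on the real site's challenge: the device holds
  //    no key for that hostname, so no signature is produced at all.
  const c2 = nodeCrypto.randomBytes(32);
  const expected2 = { ...site, publicKey, challenge: c2 };
  results.lookalike = verifyAssertion(browserGet(device, lookalike, c2), expected2);

  // 3. Even with a passkey for the look-alike, the signed origin gives it away.
  device.register(new URL(lookalike).hostname);
  results.wrongOrigin = verifyAssertion(browserGet(device, lookalike, c2), expected2);

  // 4. Replaying the old assertion against a new challenge is rejected.
  results.replay = verifyAssertion(good, expected2);

  // 5. Editing the challenge inside the old assertion breaks the signature.
  const edited = JSON.parse(good.clientDataJSON.toString('utf8'));
  edited.challenge = c2.toString('base64url');
  const forged = { ...good, clientDataJSON: Buffer.from(JSON.stringify(edited)) };
  results.edited = verifyAssertion(forged, expected2);
  return results;
}

console.log(runScenarios());
```

The server side never sees or stores anything secret: a leak of its credential table exposes only public keys, which cannot be used to produce a valid assertion.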

Apple's implementation of passkeys, at least in the supporting docs and WWDC talk, sounds solid. They will be synced between your devices using iCloud Keychain (which is end-to-end encrypted itself). Even Apple won't have access to your private keys.

The system has been designed so that your logins are safe, even if your Apple ID is compromised, you lose all your devices, or a rogue Apple employee tries to hack the iCloud Keychain servers. It requires you to use two-factor authentication with your Apple ID, which makes it much harder for an attacker, even one with your iCloud password, to set things up on a new device. There's also a system called iCloud Keychain escrow that handles restoring your passwords if you lose your devices. It's resistant to brute force attacks even by Apple.

While we're still waiting to see how Microsoft, Google, and the other big tech companies roll out passkeys, they have all pledged to make them interoperable across as many different devices as possible. We got a hint of that in the WWDC announcement when Adler demonstrated using an iPhone to login to a website by scanning a QR code. This would allow you to do things like check your email on a friend's computer or print something in a hotel without a password.

In short, this looks to be as secure a system as can reasonably be designed. There are always going to be attack vectors, and dedicated hackers targeting specific individuals may find and use them, but for regular people this system should solve three of the biggest problems: weak passwords, leaked passwords, and phishing.

Original post:
Apple's passkeys could be better than passwords. Here's how they'll work. - Popular Science

Prove Partners with Financial Organisations and Mobile Carriers in the United Kingdom to Fight Scams Such as Authorised Push Payment Fraud – -…

Prove launches new Trust Score attribute in the UK centered on scam mitigation

NEW YORK--(BUSINESS WIRE)--Prove Identity, Inc. (Prove), the leader in digital identity, today announced that it is partnering with financial organisations and mobile carriers to use cryptographic authentication to fight authorised push payment (APP) fraud and scams in the UK. Prove's Trust Score helps banks fight APP scams by determining potential fraudulent behavior during high-risk transactions using telecommunications signals.

APP fraud occurs when fraudsters trick consumers or businesses into sending payments under false pretenses to a bank account controlled by the criminal. Bad actors typically do this through phone, email, or text message, and once the consumer has authorised the payment themselves, they have no legal protection to recover the losses. Between July 2019 and the end of June 2021, £854m was lost across 306,573 cases of APP fraud, and only 42% of losses were returned to consumers.

"APP scams are among a newer set of scams that rely on socially engineering humans to authorise transactions. These scams are even more detrimental since the transactions are initiated by the consumers themselves, so it's imperative that we have an understanding of what constitutes unusual activity, while delivering services to legitimate consumers securely and with little friction," said Keiron Dalton, UK and EU Vice President at Prove. "We are excited to be a key element of a hugely collaborative ecosystem containing both major mobile operators and financial associations, as we deliver cryptographic authentication technology to help mitigate fraud, and protect consumers from being scammed of their hard-earned savings."

Prove's cryptographic authentication allows relying parties (financial institutions, companies, and governments) to trust that the data asserted by users during authentication and verification events is actually true, by leveraging cryptography as the source-of-truth.

Following the successful launch of Mobile Auth, where Prove created a method of authentication that removed the opportunity for fraudsters to compromise SMS one time passcodes via social engineering, the company is now the first to provide connectivity for scam signals with two major UK mobile operators.

Prove's approach has always been one of collaboration and tangible data science to measure outcomes. Prove's Mobile Auth deployments have yielded dramatic fraud cost reduction for major UK banks. With its scam signal involvement, Prove is again providing real time insight alongside high risk transactions to determine potential activity suggesting social engineering is taking place. The results are proving to be powerful as the capability matures.

Prove is the first company to provide access to APP specific cryptographic authentication solutions via two major mobile operators. For more information about the partnership or Prove's cryptographic authentication technology, visit prove.com.

About Prove Identity, Inc. (Prove)

As the world moves to a mobile-first economy, businesses need to modernize how they acquire, engage with and enable consumers. Prove's phone-centric identity tokenization and passive cryptographic authentication solutions reduce friction, enhance security and privacy across all digital channels, and accelerate revenues while reducing operating expenses and fraud losses. Over 1,000 enterprise customers use Prove's platform to process 20 billion customer requests annually across industries, including banking, lending, healthcare, gaming, crypto, e-commerce, marketplaces, and payments. For the latest updates from Prove, follow us on LinkedIn.

Contacts

PR Contact: pr@prove.com

See the article here:
Prove Partners with Financial Organisations and Mobile Carriers in the United Kingdom to Fight Scams Such as Authorised Push Payment Fraud - -...

Privacy, Scalability, and Interoperability are the future of Blockchain for DZK – Block Telegraph

An Interview with Decentralized Zero Knowledge's Rami Akeela, CEO, and Weikeng Chen, CTO of DZK

First proposed in a 1985 paper, Zero-knowledge proof (ZKP) methodologies have long been applied in the fields of mathematics, cybersecurity, commercial transactions, and cryptography. Now, blockchain technology is taking a keen interest in ZKP protocols, which may add yet another layer of technological advancement to blockchain's evolution. At the center of this particular development stands DZK, a company leveraging ZKP to create a blockchain-based proof platform. DZK is two very bright men: Rami Akeela and Weikeng Chen, both Ph.D. holders with deep expertise in the blockchain space. Blockleaders recently spent an evening chatting to both, to learn more about their work, and why it matters.

This is our conversation:

What prompted you to start DZK?

Weikeng: We built this company because, in recent years, ZKP technology hasn't seen a lot of adoption, particularly in the blockchain area. A big issue with ZKP is that, although the technology is very powerful, it can consume a lot of computation resources. If there are not enough computation resources, then ZKP is basically not practical. Now, we feel we can use hardware and hardware-friendly algorithms to make ZKP practical for the real world. This is what DZK is all about.

Rami: Continuing with this idea, Weikeng is the cryptographer, and I'm the hardware engineer. We're applying the lessons that we learned by working in previous industries, including IoT, communication (and more recently, Machine Learning), and we can actually see the same patterns. To make anything practical, we need to look at the underlying platforms, which include hardware and software. This is what motivates us. We saw what happened before, and we can now see what's going to happen in this industry (blockchain). We decided to start DZK to address these issues.

Let's talk a bit about your backgrounds.

Rami: I'm a hardware guy. I've basically been doing hardware design and engineering for most of my professional life.

I worked on logic level, architecture level, and digital level. I got my Ph.D. from Santa Clara University, and the topic was actually field-programmable gate array (FPGA) acceleration of multiple applications. One of them was ZKP algorithms. So I've worked in several companies doing hardware design, and about three years ago, I was introduced to blockchain and crypto by someone who was interested in my work. So I started exploring this field, back in 2019, working on FPGA acceleration applied to blockchain. Some basic algorithms, and soon after I started looking at ZKP. I created a start-up on my own to work on this, but then the pandemic happened, so everything sort of stopped.

But I'm still committed to this field, I feel there's a lot to be done, and that's why I'm currently working on blockchain.

Weikeng: I recently graduated from UC Berkeley with a PhD in computer science. During my time in graduate school, I focused on cryptography, mostly building practical systems for zero-knowledge proof and secure multi-party computation. To make these systems practical, I need cryptography to run fast, so I have always been interested in hardware acceleration.

My background is mostly using cryptography to build this system, and now is the time for me to look at the hardware side to build this working platform with real-world usability.

Just as a personal curiosity, how did you two meet?

Weikeng: We actually met in Palo Alto, California. I was introduced by someone in the blockchain industry that Rami is doing some very cool stuff about zero-knowledge proofs.

Where do you see the future of blockchain?

Weikeng: My feeling about blockchain is that the technology will likely go in different directions. Firstly, privacy. People are starting to do a lot of financial transactions and playing with NFTs on blockchain, and they are looking for privacy.

Another one is scalability, because there are a lot of applications running on blockchain, the decentralization nature of the system limits its throughput. This is what we want to solve.

I would add that interoperability is another important topic today: different blockchain ecosystems interacting with each other as if they were the same blockchain.

So I see blockchain developing in these three strands. And I think that all three aspects confluence in ZK: privacy, scalability, and interoperability. ZK enables proving things without disclosing secret information, that's privacy. It allows blockchain to verify whether something has been processed correctly, without needing all the validators to check it all, that's for scalability. And lately, we have started to see the needs for one blockchain to interact with many other chains. ZK can also be applied here, to this interoperability.

Rami: I think large corporations are beginning to realize that ZKP is something they can incorporate into their existing platforms and services, because of the unique position of ZKP and blockchain technology. And to capture this interest, and the wave of applications that are coming, one needs to think about how to address issues that will definitely be surfacing soon.

I mean, blockchain is still in its infancy, really, and people got caught in the excitement of developing applications without answering some basic questions first. How will the app play out in terms of processing speed or cost, for example. I think the industry will do well once those foundational questions are addressed. We firmly believe that blockchain and ZKP have a very, very interesting future. We just need to take care of the basics before we move forward. Otherwise, we'll get stuck at some point. If we try scaling too fast we'll hit the wall.

Weikeng: That's a very good point. Actually, for all these directions, privacy, scalability, and interoperability, the problem has always been about computation. Some people might want to use ZKP to generate proof, but the proof generation is way too slow. So the actual hardware infrastructure for the blockchain is a crucial consideration to use ZKP efficiently and realistically.

DZK is collaborating with AMD-Xilinx to architect the field-programmable gate array (FPGA) division in the upcoming ZPrize competition. The project seeks to accelerate the Number-theoretic Transform (NTT) operations for zero-knowledge proofs. I wanted to know what this collaboration meant for DZK, both personally and professionally.

Weikeng: I think the blockchain community is starting to realize that they have a strong need to have a robust hardware infrastructure to run ZKP efficiently. The ZPrize is originally focused on CPU and GPU, so we feel it is a good time to promote awareness of FPGA. We're doing this as the next stage of blockchain acceleration. Basically, we want to use this opportunity to push the industry forward.

Rami: AMD is very passionate about this concept too. They believe that ZKP will be the killer app for FPGAs, for several reasons. FPGA will be vital in the processing of ZKP-based apps. The work that we're doing with ZPrize, we're actually the architects of the FPGA division, and, as Weikeng said, we're taking this opportunity to promote awareness of FPGAs to get people to start looking into this.

We got a lot of attention and support from several top ZKP companies and investment firms, including Aleo, Polygon, and Jump Crypto. The prize pool for the NTT FPGA division is $725k, and the prize pool for MSM GPU/FPGA division is $910k. This is the biggest prize for ZKP research and development to date.

So this collaboration is an indication that the industry is a) acknowledging the need to look into this technology, because they believe that this is the next generation of blockchain technology. And b) this is the perfect environment for innovation. If we onboard not only university students, but also companies and developers, we have a great incentive. It's the perfect environment, and it's good for us as a company, because it validates that the work we're doing is going to be the future and the answer to all the problems we currently have in the ZKP and blockchain communities.

Weikeng: Just to add that our partnership in DZK, that is, a cryptographer and a hardware engineer, has long been needed in the industry, and the prize money in ZPrize also serves to create this sort of novel partnerships between individuals with expertise in seemingly disparate fields, but can come together to foster innovation.

As the last question, if you were to define DZK's mission in one sentence, what would that be?

Weikeng: Make the impossible possible.

Rami: Well, I can't top that, really, so we'll go with Weikeng's statement!

Just as we were wrapping up, Rami wanted to make an official announcement.

Rami: DZK has developed a set of end-to-end, FPGA-accelerated privacy algorithms. We have successfully created systems capable of efficiently generating proof built on FPGA servers. This is the first, and so far only, end-to-end FPGA accelerator system for ZKP.

Interesting revelation, and an interesting future for this enterprise.

View original post here:
Privacy, Scalability, and Interoperability are the future of Blockchain for DZK - Block Telegraph

Spooky Science: Quantum Computing, the Fed, and the Future – Philadelphia Fed

Ever since I was a little boy taking apart transistor radios to see the magic inside, I've been fascinated with the way things work. Or as my family and friends have sometimes more bluntly put it, I've always been a tech geek. Now, as president of a Reserve Bank and chair of a Federal Reserve committee focused on technology, I put my interest in the subject to work each day.

Luckily for me and my fellow techies, ours is an age of remarkable innovation. From the development of personal computers, smartphones, and the Internet to the rise of gene therapies, stem cell treatments, and carbon-zero electricity, technological development has played a part in making the world more healthy, green, convenient, and, as we all know, at times distracting.

We now stand at the precipice of another great technological leap: the development and deployment of quantum computing, a potentially revolutionary technology. This is an exciting time, full of opportunity but also fraught with no small amount of risk. The Federal Reserve, as the nation's central bank and a regulator, has a strong interest in fostering an environment that is conducive to innovation and that safeguards our country's financial infrastructure.

So, what is quantum computing? To begin to answer that question, it helps to think a little bit about quantum mechanics.

Quantum mechanics is a branch of theoretical physics that is, fundamentally, the study of very, very small things: specifically, the behavior of matter and light at subatomic scales. These tiniest discrete units are called quantum particles.

Once you get to such a tiny scale, things behave strangely. They don't act at all like the objects we see in our day-to-day lives.

Quantum particles can, for instance, be in a state of superposition, which is not easy to get your head around. During superposition, quantum particles are simultaneously in a combination of all of their possible states. Imagine a quarter that shows both heads, tails, and every state in between, at the same time, which would definitely complicate an NFL coin toss.

And then, there's quantum entanglement. What is it? I like this description from Cal Tech: "When two particles, such as a pair of photons or electrons, become entangled, they remain connected even when separated by vast distances. In the same way that a ballet or tango emerges from individual dancers, entanglement arises from the connection between particles."

No wonder Albert Einstein once described quantum entanglement as "spooky action at a distance." Or, if you prefer a more scientific term than "spooky," you could also say "weird."

What's so exciting is that quantum computing is making what was formerly theoretical, real.

Here's how: Quantum computing builds on the insights found in quantum mechanics to vastly expand computing power. Instead of just zeros and ones, quantum computers employ quantum principles like superposition and entanglement. Instead of bits (zeros and ones), quantum computers use what are called qubits. That is, they compute using zeros, ones, and everything in between simultaneously. This makes them extraordinarily powerful when it comes to performing tasks like machine learning, search, and cryptography. These are the true supercomputers of a rapidly approaching future.

Here, I think, the opportunities and risks for governments, businesses, institutions, and even individuals are clear. Whether you call it spooky, weird, or just plain exciting, there can be no doubt that quantum computing has the potential to revolutionize our world.

Imagine, for instance, quantum computers simulating the structure, properties, and behavior of molecular structures, the building blocks of pharmaceuticals. The benefits for drug development could be profound.

Or imagine financial institutions using quantum computing to more accurately calculate risk, allowing them to promote inclusion while simultaneously strengthening their balance sheets and reducing threats to the financial system.

Closer to home, deploying quantum technologies to run economic models could greatly strengthen our understanding of the economy and the way it reacts to shifts in the Fed's monetary policy.

All in all, it's little wonder that some of the biggest names in technology, banking, and pharmaceuticals are making heavy investments in quantum technology.

A cause for more worry is the prospect of quantum technologies falling into the wrong hands. One thing is for certain: Current methods of encryption will not stand up to quantum cryptography. Governments, corporations, and institutions are already working hard to develop quantum-safe encryption, and that's a good thing. The cyber environment is already rife with threats, from malevolent state actors to online bandits, and quantum technologies will only intensify them. For our part, making sure the financial system and the Federal Reserve are secure is at the top of our priority list.

You can learn more about quantum computing in this video and take a deeper look at some of the challenges posed by quantum computing in this paper from the Global Risk Institute.

Read the original here:
Spooky Science: Quantum Computing, the Fed, and the Future - Philadelphia Fed