Alexei Czeskis

February 27, 2015 at 12:00 PM in 380 Soda Hall

Every day Google needs to defend its corporate and consumer users against a variety of strong adversaries. In this talk, I will cover two ongoing efforts that Google is undertaking in order to strengthen its defenses. Specifically, I will cover Security Keys, a second-factor device based on open standards that protects users against phishing and password theft. The user carries a single device and can self-register it with any online web service that supports the standard. The devices are simple to implement and deploy, are not encumbered by patents, are simple to use, privacy-preserving, and secure against strong attackers. I will also discuss the concept of “Token Binding ID”, a way to cryptographically bind bearer tokens (e.g., cookies and Security Key assertions) to a specific TLS session — making them resistant to theft (e.g., through man-in-the-middle attacks).

Security Lab