Speakers

Daniel J. Bernstein and Tanja Lange

NaCl (pronounced “salt”) is a new easy-to-use high-speed software library for encryption, decryption, signatures, etc. NaCl’s goal is to provide all of the core operations needed to build higher-level cryptographic tools. Of course, other libraries already exist for these core operations, but NaCl improves security, improves usability, and improves speed. We’ll explain how the design and implementation of NaCl avoid various types of cryptographic disasters suffered by previous cryptographic libraries such as OpenSSL.

This talk also presents TweetNaCl, a self-contained public-domain C library which reimplements the NaCl library in just 100 tweets. See https://twitter.com/tweetnacl.

We’re researchers in applied cryptography working on making secure crypto more usable and on eliminating bad crypto. This includes us sometimes breaking bad crypto but most of the time our work is constructive. We’re the core NaCl development team, along with Peter Schwabe.

We’ve designed several cryptosystems, including Salsa20, Poly1305, Curve25519, and Ed25519. These cryptosystems are designed for security, robustness, performance, and ease of implementation without data-dependent branches and without data-dependent array indices. We use these functions in NaCl to make our lives easier and the software better.

We’ve done some other things in crypto as well.

Kristen K. Greene, Joshua Franklin, and John Kelsey

Password entry on mobile devices significantly impacts both usability and security, but there is a dearth of usable security research in this area, specifically for complex password entry. To address this research gap, we set out to assign strength metricsto passwords for which we already had usability data, in an effort to have a more meaningful comparison between usability and security. A primary accomplishment of this work is our method of optimizing the input of randomly generated passwords on mobile devices via password permutation. This is done by grouping character classes (i.e., uppercase, lowercase, digit, symbol) together to minimize the total number of required keystrokes and decrease cognitive load. We propose a measurement method for quantifying effects on entropy resulting from this password permutation. Additionally, we created and are releasing python scripts, and make use of an existing publicly available NIST data visualization tool to facilitate comparison between usability and security metrics.

The authors work within the Information Technology Laboratory at the National Institute of Standards and Technology (NIST). Kristen is a Cognitive Scientist in NIST's Information Access Division and holds an M.A. and Ph.D. in Cognitive Psychology from Rice University. Joshua is an Information Security Engineer within NIST's Computer Security Division. Joshua graduated from George Mason University with a M.S. in Information Security and Assurance. John Kelsey is an experienced cryptographer at NIST and has degrees in Computer Science and Economics from the University of Missouri Columbia.