A Formal Treatment of End-to-End Encrypted Cloud Storage
We present a formal syntax and security notions for end-to-end encrypted cloud storage and design the first, provably secure protocol for this widespread application.
Talks and presentations
Blast-RADIUS: Breaking Enterprise Authentication
Blast-RADIUS is a vulnerability that affects the RADIUS protocol, the de-facto standard protocol for enterprise authentication used in various places from Internet backbone routers to industrial control systems.
MFKDF: Multiple Factors Knocked Down Flat
We find several attacks against the idea and construction of Multi-Factor Key Derivation Function (MFKDF) that was introduced by Nair and Song at USENIX 2023.
Thriving in between theory and practice: How applied cryptography bridges the gap
Matilda Backendal and I were invited to give this talk at the NIST CRClub on where the gap between theory and practice occurs in applied cryptography.
An Empirical Analysis on the Use and Reporting of National Security Letters
We investigate the effectiveness of existing transparency mechnisms used for National Security Letters by aggregating and analyzing public information about them that is released by various sources.
Key Overwriting Attacks
This talk reflects on recent attacks where a malicious server overwrites encrypted key material outsourced by clients to learn secret information.
MEGA: Malleable Encryption Goes Awry
We found five attacks on the user-controlled end-to-end security MEGA. They show that a malicious provider can break authentication and compromise file confidentiality and integrity.
Why E2EE Cloud Storage is hard - Challenges, Attacks and Best Practices
We discuss leasons learnt from breaking MEGA for why end-to-end encrypted cloud storage is hard to design.
Climbing the Hacking /mnt/ain
This talk discusses my experience as team coach of the Swiss National Hacking Team and preparing it for the European Cyber Security Challenge 2021.
Revisiting Microarchitectural Side-Channels
This talks presents the results of applying cache side-channels to contemporary hardware and investigating AES lookup tables, AES key scheduling, and Argon2.
SGX Accurate Time Measurements
This talk briefly summarizes our improvements on time measurements inside SGX enclaves. It discusses our discovery of the “Poor man’s CMOV” phenomenon, which later led to the USENIX Security paper on the Frontal Attack.