T-DOSE 2024

SPHINX - A very different kind of password manager
06-01, 11:00–11:50 (Europe/Brussels), Kleine Spoel (0.31)

SPHINX (yeah, yet another project with this name) is a very simple cryptographic protocol with some very powerful security guarantees that go way beyond traditional online password managers. Even if the "password database" of the server is ever compromised, the only way to brute-force it is an online attack: every guess must be tested against a server holding the account to be guessed. This also applies to anyone hosting your "password database", even the NSA. With traditional password managers, if the db is leaked, offline brute-force attacks are possible and thus much more economic. Above we referred to "password database" in quotes because there is none! Actually, with the latest version this "none" is also distributed between multiple servers in a threshold setting, like Shamir's secret sharing if you know what that means. If not, come to the talk or hit me up afterwards...
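To make the "no password database" claim concrete, here is an added toy illustration of the oblivious-PRF pattern SPHINX builds on (blinded client query, keyed server evaluation, client unblinding); it is not the project's code, uses a tiny safe-prime group instead of the real elliptic-curve group, and all function names and sample values are constructed for the example.

```python
"""Toy oblivious-PRF round trip in the style of SPHINX (added example, not project code).

Assumption: a safe-prime group p = 2q + 1 with p = 10007, far too small for real use,
chosen only so the arithmetic is visible. The server stores nothing but a random key k;
it never sees the master password, the site, or the derived password, so a copy of its
"database" gives an attacker nothing to check guesses against offline. In the threshold
variant described in the abstract, this key is shared across several servers.
"""
import hashlib
import secrets

P = 10007            # toy safe prime (constructed for illustration), p = 2q + 1
Q = (P - 1) // 2     # prime order of the subgroup of squares mod p


def hash_to_group(master_pw: str, site: str) -> int:
    """Map (master password, site) to an element of the order-q subgroup."""
    digest = hashlib.sha256(f"{site}\x00{master_pw}".encode()).digest()
    x = int.from_bytes(digest, "big") % P
    x = x if 1 < x < P - 1 else 2          # avoid the trivial elements 0, 1, -1
    return pow(x, 2, P)                     # squaring lands in the order-q subgroup


def client_blind(master_pw: str, site: str) -> tuple[int, int]:
    """Client: hide the hashed input behind a fresh random exponent r."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(hash_to_group(master_pw, site), r, P)


def server_evaluate(key: int, blinded: int) -> int:
    """Server: apply its secret key k to a value it cannot recognise or invert."""
    return pow(blinded, key, P)


def client_unblind(r: int, response: int) -> int:
    """Client: strip r, leaving H(pw, site)^k, which only the key holder can produce."""
    return pow(response, pow(r, -1, Q), P)


def derive_site_password(master_pw: str, site: str, key: int) -> str:
    """One full query; each password guess costs an attacker one such server interaction."""
    r, blinded = client_blind(master_pw, site)
    unblinded = client_unblind(r, server_evaluate(key, blinded))
    raw = hashlib.sha256(f"{master_pw}\x00{site}\x00{unblinded}".encode()).digest()
    return raw.hex()[:20]                   # toy encoding of the final site password


def new_server_key() -> int:
    """Server setup: the only state the server ever keeps for this record."""
    return secrets.randbelow(Q - 1) + 1
```

Run `derive_site_password` twice with the same inputs and you get the same site password despite a different blinding each time; change the key, the site or the master password and the result changes.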

I know, everyone who cares already uses a password manager, and those who don't are actually not (yet) a target of this. It's an uphill battle, but it is totally worth it. If any of you is interested, I am looking for users (there are importers available for most popular "legacy" password managers) and, more importantly, I am looking for people hosting a public server. Furthermore, I am also happy if anyone starts doing clients for the Apple ecosystem; I guess I won't find much interest at a free software event, but it is necessary if we want to bring this to the masses...

See also: slides (714.8 KB)
stf

Stefan has worked for 8 years at RadicallyOpenSecurity as a pentester and code auditor, where he mainly focuses on cryptographic issues, C/C++, Python and embedded systems.

In his spare time he develops free software and sometimes even free hardware, and he tries to break more crypto stuff. In 2021 he reverse-engineered an NSA crypto backdoor, proved its existence and devastated it. Currently he is quietly working on reverse-engineering and breaking another NSA backdoor. Sometimes he does pro-bono audits, like for the attribute-based credential system IRMA by the privacybydesign.foundation.

He is very much dedicated to digital policy, like copyright, privacy and all the other related topics; the culmination of his activities in Brussels is the most comprehensive free database on the European Parliament at parltrack.eu, which has helped the advocacy of such groups as EDRi, Corporate Europe Observatory and Transparency International.

Stefan initiated the founding of the hackerspace in Budapest, Hungary; he likes to think he also had some influence on the founding of the Bratislava and Prague hackerspaces, but that might be disputed. He is also one of the initial organisers of Camp++, a small hackercamp in Hungary, which was started after an alcohol-heated argument with one of the orga of the Dutch OHM camp in 2013 and has been successfully organised every year since then.

Decades ago, when he was young and totally irresponsible, he worked for Siemens, doing reverse engineering, C++ development, security engineering and innovation management.