Papers & slides
13.12.2017, Hermes, a framework for cryptographically assured access control and data security
Ignat Korchagin, Eugene Pilyankevich, Andrey Mnatsakanov
A whitepaper on distributed access control and data sharing methodology, Hermes.
11.02.2016, Secure Comparator: a ZKP-Based Authentication System, rev 1.2
Ignat Korchagin, Eugene Pilyankevich
A whitepaper that outlines the first stage of our efforts at securing request authentication in zero-trust environments. This is revision 1.2, which includes fixes against the possible security drawbacks flagged up by the security community. Secure Comparator is actively used in Themis.
Talks and workshops
Members of the Cossack Labs team often participate in international security and development conferences as speakers, organise and co-organise local events, conduct public workshops, and support communities to share our knowledge. You can read more in our blog or on Twitter; below you can find a collection of video recaps and speaker slides from such events.
December 2018. Data encryption for Ruby web applications
Making secure applications is not easy, especially when encryption tools are difficult and incomprehensible. Dmytro talked about typical data security problems in web apps and about proper implementation of encryption. Dmytro reviewed the cryptographic approaches and the exact tools that ensure that no sensitive data leaks from the application or the database. The talk was presented at RubyMeditation #25.
December 2018. Cryptography & data security: protecting the data while reducing cost in distributed systems
Using cryptography for data protection is not exclusively reserved for “secure chats” and financial products. Modern cryptographic tools help to comply with the regulations and laws, help to improve control over the infrastructure, to prevent data leakages, and to reduce the risk of incidents. Eugene talked about the way modern cryptographic tools allow technology companies to reduce the security budget and to remain protected at the same time. Presented at SecurityBSides Kharkiv.
December 2018. Disagree with "I Agree". Enforcing Better GDPR Compliance Through API Documentation
The talk addresses the aspects and elements of API documentation that need to be reconsidered and restyled in the light of GDPR. The way things are, absolute GDPR compliance is impossible, but maximal compliance is doable. Technical writers can enforce it through the language and graphic elements that are used for guiding the users around the API portals. Presented at API Days Paris.
December 2018. Defensive team – who are the security engineers and how they help teams to develop secure applications
Who are the people in the "blue team" and how do they prevent business risks for company assets? What is secure development, secure architecture, secure coding? A lecture for Women in Appsec Kyiv community and infosec students.
September-December 2018. Marrying usability and security in large-scale infrastructures
Usability is often thought of as the opposite of security. However, most of the security controls inside operating systems and most of the security tools that run there are designed for being operated by humans. This talk is a summary of Eugene's experience in building and seeing engineers integrate the security tooling – how security controls and tools are mis-designed and fail once used, how poorly integrated controls decrease the overall security of a system, and how lessons learned in reliability/infrastructure engineering apply to security tooling to fix that. Presented to senior engineers at OSDN Kyiv and to technical managers at UA.SC.
September 2018. Protecting sensitive data in modern multi-component systems
A talk for solution architects and technical leads, presented at JavaZone, in which we took a deep look into data lifecycle, risk, trust, and how they affect security architecture, encryption, and key management techniques. We illustrated typical SDL patterns: narrowing trust, monitoring intrusions, zero knowledge architectures, distributing trust. The goal of the talk was to provide a general thinking framework and enough ideas about tools for senior engineers for them to be able to plan their solutions securely, in relation to the sensitive data inside.
June-August 2018. Zero Knowledge Architecture Approach for Mobile Developers [workshop]
A workshop for iOS developers that illustrates how to implement end-to-end encryption of a Firebase notes application. Zero knowledge algorithms and protocols ensure that no keys, passwords, files, or any other sensitive material ever gets transferred in an unencrypted or reversible form. The workshop code contains two encryption schemes and a set of general recommendations for improving the security of any iOS application.
June 2018. Making security usable: product engineer perspective
This is a story of going over the typical security challenges: how to build products that reliably deliver security guarantees, how to avoid the typical pitfalls, and how to create tools that could be usable and predictable for real users. It's a tale of balancing religious adherence to security practices while keeping the customers' needs in mind all the time, inside the development team; a story of listening to the customers and observing the actual user behaviour outside in the wild, and trying to make the best decisions when it comes to empowering the customers with easy tools for encrypting data in their apps, securely and without pain. Presented for senior software engineers at QConNYC.
May 2018. Getting secure against challenges or getting security challenges done
What it takes to make security decisions in a business environment, from the perspectives of both vendor and client, urging security engineers not only to think outside the technical box but also outside the box of engineering thinking when faced with real humans on the other side of the wire. Presented for security engineers at NoNameCon.
May 2018. X things you need to know before implementing cryptography
A "tips and tricks" talk for mobile developers. Even when developers create apps with security in mind, (at least try to) protect user secrets, and don’t reveal unencrypted data, attackers can still find ways to bypass these security measures by exploiting architectural weaknesses and non-obvious, yet very simple vulnerabilities. The talk is about all the tiny bits and pieces that are necessary for making your app secure against simple attacks way before focusing on the hard things (like cryptography). Presented for mobile developers at UIKonf and CocoaHeads Kyiv.
April 2018. Delivering security products without shooting yourself in the foot
Our senior infrastructure engineer talks about improving the infrastructure for developing, testing, and delivering security tools. Our experience of smoothing the difference between security idealism and engineering friendliness. Presented at SecurityBSides Kyiv for software engineers and the security community.
April 2018. Encryption without magic, risk management without pain
An in-depth technical inquiry about cryptography in a wider context: how it helps to narrow more significant risks to controllable attack surfaces, enables efficient and elegant risk management, and how tools and algorithms sit in a broader context of managing infrastructure-wide risks associated with handling sensitive data. Presented at QCon London for solution architects.
April 2018. The Bad, The Ugly, The Good
Our Technical Writer gave a talk on refactoring the existing GitHub documentation of our products and moving it to our own proprietary documentation server. Presented at API The Docs Paris.
April 2018. GDPR – Get security done
Karen Sawrey and Eugene Pilyankevich
We co-organised a security meetup for Ukrainian companies to discuss the various technical aspects of GDPR. Our speakers gave two talks, outlining various aspects of GDPR demands and possible compliance tactics.
May 2018. Documenting the secret
A talk for Women Techmakers Lviv on creating and maintaining documentation for cryptographic software. Besides the issues of information security, such things as basic self-care and sanity were also brought up. This talk was also given in December 2017 at the one-day API The Docs Amsterdam conference.
October 2017. Zero-knowledge architectures for mobile applications
The talk focused on real-world problems that ZKA counters, typical cryptographic designs and progress in different spheres of ZKA. The talk also explained the practical approaches useful for mobile developers (implementing data sharing and user collaboration on data in a cloud in a way that makes a mobile app provably secure).
October 2017. Why decentralized social services fail
It often feels like distributed and federated services provide better resiliency, risk management, and privacy than typical star-topology systems. However, Facebook et al. provide and maintain huge, single-point-of-entry, solely owned, walled gardens with hostile privacy policies, and yet they successfully serve millions of users, attracting some of the best engineering talents along the way.
April 2017. Key management approaches for mobile applications
Trust is built around various trust tokens: keys, passwords, secrets, biometric properties, things you have and things you know. Key management is complicated when done the right way.
April 2017. DevOps and security: from the trenches to command centers
The DevOps movement emerged as an attempt to build a bridge between people who write code, people who maintain the infrastructure for running it, and people who make the business decisions. These changes have put the emphasis on a new set of techniques and values, which can be either beneficial or problematic for the security posture.
November 2016. End-to-end data turnover: building Zero-knowledge software
Our CTO's talk on the evolution of end-to-end software, survival within the "everything will be broken" model with the help of employing proper cryptography and trust management, plus a disclosure of some ideas and concepts behind Hermes.
May 2016. Everything will be broken
Our CTO's talk at SecurityBSides Kyiv about the classic and emerging threat models, a proper understanding of security risks, perception of technical infrastructures ranging from idealistic to realistic, and adopting stronger techniques in the face of the vanishing perimeter and the (sadly) lowering standards of security tools and overall quality of the produced software.
August 2016. Evolution of password-based authentication systems
These are the slides that accompanied the talk of our core scientific contributor at DefCon Crypto Village. The talk focused on evolving from regular authentication to Zero-Knowledge Proofs (including with Secure Comparator).