Doctoral Thesis: Security Research for the Public Good: Case Studies on Internet Voting, Encryption Backdoors, and Deniable Messaging


Michael Specter

via Zoom, see details below

Wednesday, July 14, 2021 - 3:00pm

Recent history is littered with examples of software vendors betraying
user trust by exposing them to exploitable code, data leaks, and
invasive privacy practices. Undirected security research may be
insufficient for preventing such foreseeable and preventable failures,
as these problems are often the result of misaligned vendor incentives
rather than the technical specifics of the systems themselves.

This dissertation illustrates the utility of security research that is
motivated explicitly by the goal of realigning incentives of market
actors toward providing better security. We find that a research
approach guided by a deep understanding of the economic, regulatory,
and technical attributes of the actors involved is crucial for solving
important societally relevant problems in computer security. We
present three case studies in applying this vision:

Our first case study considers vulnerability discovery as applied to
Internet voting. We perform a security analysis of the dominant
Internet voting systems used in U.S. federal elections, including
those used in the 2020 presidential race. We find that, despite
decades of research in cryptography and voting, all deployed systems
are of simplistic design and suffer basic security and privacy
problems, supporting the conclusion that the market is in failure.

Our second case study involves designing cryptography to
disincentivize (rather than prevent) bad behavior through the example
of deniability in messaging. We find that the design of email has
inadvertently become nonrepudiable by default, incentivizing email
theft and public exposure of private data. We present cryptographic
constructions that solve this problem while fitting in with email’s
already complicated ecosystem.

Our final case study involves various government requests to mandate
government access to encrypted data, colloquially known as
‘backdooring’ encryption. These requests came at a time when a
confluence of events caused a shift in industry and began aligning
company incentives toward encrypting user communication. We perform a
security analysis of technical proposals to provide such government
exceptional access, and find that they would cause untenable security
and privacy risks.

We conclude with a discussion of security research as a public good,
and provide direction for future work.

Thesis committee:
  Gerald Jay Sussman (MIT, supervisor)
  Danny Weitzner (MIT, supervisor)
  Ron Rivest (MIT, reader)
  Joan Feigenbaum (Yale, reader)
  Matt Green (Johns Hopkins, reader)

To attend this defense, please contact the doctoral candidate at specter at mit dot edu