Most cryptographic applications crucially rely on secret keys that are chosen randomly and are unknown to an attacker. Unfortunately, the process of deriving secret keys in practice is often difficult, error-prone and riddled with security vulnerabilities. Badly generated keys offer a prevalent source of attacks that render complex cryptographic applications completely insecure, despite their sophisticated design and rigorous mathematical analysis. Even though key derivation plays a central role in the security landscape, it has received surprisingly little formal study within the cryptographic community, leading to a large disconnect between the theory and practice.
In this project, several important scenarios for key derivation are examined for their capability to improve security with provable guarantees, including the use of random number generators (RNGs), passwords, and biometrics. In particular:
- How RNGs are designed to properly combine the entropy gathering, randomness extraction and pseudorandom generation modules, while achieving the best possible subset of clearly defined security properties against a variety of adversarial scenarios.
- How to reduce the effectiveness of ?offline dictionary attacks? when generating keys from passwords.
- How biometrics can be safely reused to generate many secret keys across many applications raises several interesting questions, combining cryptographic security properties with those of error-correcting codes.
