Cornell University
What's new

I design and build secure systems to make digital technologies safe and secure for everyone. My research methodology combines empiricism with theoretical analysis. See below for my research portfolio. I joined UW—Madison as an Assistant Professor in Fall 2019. My full CV is here.

My research has been published in top security conferences, such as IEEE S&P '15, '16, '18, USENIX Security '15, CCS '17, and Crypto '17, and has been featured in many media outlets including The New York Times, MIT Tech Review, and SSL.com.

Selected Publications

For the ranking of computer security conferences see here.
The acceptance rate of IEEE S&P is around 12%, of USENIX Security 16%, of ACM CCS 18%, and of Crypto 22%. More statistics can be found here.
  1. Lucy Li, Bijeeta Pal, Junade Ali, Nick Sullivan, Rahul Chatterjee, and Thomas Ristenpart, Protocols for Checking Compromised Credentials, ACM CCS 2019 (to appear)
  2. Diana Freed, Sam Havron, Emily Tseng, Andrea Gallardo, Rahul Chatterjee, Thomas Ristenpart, and Nicola Dell. "Is my phone hacked?" Analyzing Clinical Computer Security Interventions with Survivors of Intimate Partner Violence, ACM CSCW, 2019 (to appear)
  3. Sam Havron, Diana Freed, Rahul Chatterjee, Damon McCoy, Nicola Dell, Thomas Ristenpart, Clinical Computer Security for Victims of Intimate Partner Violence, USENIX Security, 2019
  4. Bijeeta Pal, Tal Daniel, Rahul Chatterjee, Thomas Ristenpart, Beyond Credential Stuffing: Password Similarity Models using Neural Networks, IEEE Symposium on Security and Privacy (S&P) — Oakland, 2019 (PDF)
  5. Rahul Chatterjee, Periwinkle Doerfler, Hadas Orgad, Sam Havron, Jackeline Palmer, Diana Freed, Karen Levy, Nicola Dell, Damon McCoy, Thomas Ristenpart, The Spyware Used in Intimate Partner Violence, IEEE Symposium on Security and Privacy (S&P) — Oakland, 2018 (PDF, Slides (pptx), Slides (pdf), Talk at S&P '18, Project Page)
    Media coverage: The New York Times, Vox, Freedom to Tinker (Princeton CITP), CNN Espanol, SC Media, Global News, Security Baron.
  6. Rahul Chatterjee, Joanne Woodage, Yuval Pnueli, Anusha Chowdhury, Thomas Ristenpart, The TypTop System: Personalized Typo-tolerant Password Checking, ACM CCS 2017. (PDF, Slides (pptx), Slides (pdf), Talk at CCS '17, Project Page)
  7. Joanne Woodage, Rahul Chatterjee, Yevgeniy Dodis, Ari Juels, and Thomas Ristenpart, A New Distribution-Sensitive Secure Sketch and Popularity-Proportional Hashing. In Annual International Cryptology Conference (Crypto), 2017. (PDF)
  8. Rahul Chatterjee, Anish Athalye, Devdatta Akhawe, Ari Juels, Thomas Ristenpart, pASSWORD tYPOS and How to Correct Them Securely, IEEE Symposium on Security and Privacy (S&P) — Oakland, 2016. (PDF, Slides, Talk at S&P '16, Project Page) Distinguished Student Paper Award
    Media coverage: MIT Tech Review, Threat Post, Hacker News, and others.
  9. Adam Everspaugh, Rahul Chatterjee, Samuel Scott, Ari Juels, Thomas Ristenpart, The Pythia PRF Service, USENIX Security 2015. (PDF, Project Page)
    Used by: Virgil Security
  10. Rahul Chatterjee, Joseph Bonneau, Ari Juels, Thomas Ristenpart, Cracking-Resistant Password Vaults using Natural Language Encoders, IEEE Symposium on Security and Privacy (S&P) — Oakland, 2015. (PDF, Slides, Talk at S&P'15, Project Page)
    Media coverage: IT World, SSL.com.

Projects

  • Stopping Credential Tweaking Attacks (S&P '19)

    Users regularly choose the same or similar passwords across multiple accounts. A leak of a password from one web service therefore jeopardizes the security of the others. A popular form of such an attack is the credential stuffing attack, where an attacker uses a password leaked from one website to impersonate the user on other websites. A generalized version of this attack is what we call the credential tweaking attack: an attacker uses a tailored list of guesses based on a previously leaked password for an account.

    I am working on building defenses against the risk of account compromise via credential tweaking attacks, together with a team of very talented researchers at Cornell Tech. We built the most damaging credential tweaking attack known so far using neural networks, and showed that about 15% of user accounts are still vulnerable to credential tweaking attacks within 1000 guesses, despite the target passwords being different from the ones leaked to the attacker. We are also building a personalized password strength meter (PPSM) and a compromised credential check as a service (C3S) that will help web services and users learn whether any of their existing or newly chosen passwords are vulnerable to credential tweaking attacks.
  • Technology Abuse in Intimate Partner Violence (S&P '18)

    We looked at the ecosystem of spyware tools and resources available on the open web and in official application stores that can be used for non-consensual intimate partner surveillance (IPS). We found thousands of apps, many of them what we call dual-use: apps built for some legitimate purpose whose functionality can easily be used to spy on an intimate partner. There are plenty of resources in the form of blog posts, forums, and videos that help an abuser use these tools for spying.

    We are actively working on this project with the NYC Mayor's Office to End Domestic and Gender-Based Violence (ENDGBV) to help IPV victims identify whether they are being tracked or spied on through their mobile phones. Feel free to reach out to me if you want the list of apps we identified as IPS-relevant.
  • Correcting Password Typos (S&P '16, CCS '17, Crypto '17)

    To typo is human, but it is extremely annoying to make a typographical mistake while typing your long and complex login password and to be rejected by the server for that small typo. Things get worse on a touchscreen device, such as a tablet or smartphone. Wouldn't it be great if the server tolerated some of the small typos that users frequently make while entering their passwords?

    We investigated the impact of correcting a small set of typos in Dropbox's production authentication server. We show that it is possible to allow a small set of typos to improve the user experience without degrading security by more than a negligible amount. In a 24-hour study at Dropbox, we show that 3% of all users fail to log in to Dropbox despite making only small typographical mistakes, while many more are delayed in logging in. We also show that tolerating this carefully chosen set of typos increases an attacker's success probability in breaking into a user account by less than 0.02%, which is practically negligible. For more details visit the project page.

    Seeing the benefit of correcting a few popular typos, we designed a password checking system that securely monitors a user's password typing behavior and allows login with that user's frequent typos when it is safe to do so. We call this system TypTop. We show that nearly 70% of all typos can be corrected by TypTop at the cost of zero loss in security. More details about the project can be found on the project page.


  • Cracking Resistant Password Vault (S&P '15)

    This is a new kind of password manager (a.k.a. password vault) that encrypts user credentials under a master password but resists offline brute-force decryption. Dictionary attacks on stolen password vaults, where users store all of their usernames and passwords, are an increasing threat for password managers. Because a significant portion of internet users choose poor passwords, and because a successful decryption under a candidate master password is easy to recognize, it is easy to mount a dictionary attack on any ciphertext encrypted under a traditional encryption scheme with a human-chosen master password as the key.

    NoCrack solves this problem to a great extent. When one tries to decrypt a NoCrack ciphertext with a wrong master password, NoCrack generates fake, plausible-looking passwords (decoys), making it hard for the attacker to figure out offline whether or not the guess was correct. Unlike traditional password vaults, it never fails to decrypt and always outputs passwords that look correct.


  • Oblivious Password Hardening (USENIX '16)

    Passwords are normally hashed using a cryptographic hash function before being stored in a database. However, such hashes are computable offline, in the sense that an attacker who has stolen a password database can mount a full-fledged guessing attack without needing to communicate with any service over the internet. We built a partially oblivious pseudorandom function (POPRF), called Pythia, that can be used to harden passwords. The attacker, even after stealing the password database, has to contact Pythia (a service separate from the password storage) to check each guess. This makes the offline password guessing attack detectable to Pythia, which can implement smart blocking and alerting. Pythia does all this without ever seeing the users' passwords in plaintext. Pythia also supports key rotation, which lets a service rotate keys after a breach and make the old copy of the password hash database completely useless to the attacker by cryptographically erasing it. The service, however, can update its own copy of the password database using a special update token and continue normal operation.
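    The C3S idea mentioned under "Stopping Credential Tweaking Attacks" (learning whether a password appears in a breach without handing the password to the checking service) can be illustrated with the plain hash-prefix bucketization protocol that the "Protocols for Checking Compromised Credentials" paper above analyzes. This is an added example written for this page, not the project's code; the 16-bit prefix, the SHA-256 choice and the leaked list are constructed assumptions.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed toy breach corpus (made up for this example); the checking
# service holds hashes of these, never the plaintext of the client's query.
LEAKED_PASSWORDS = ["password123", "letmein", "qwerty2019", "Summer!2018"]

PREFIX_BITS = 16  # bucket id = top 16 bits of SHA-256 (assumed parameter)

def pw_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()

def bucket_id(h: bytes) -> int:
    """Short prefix that is the only thing sent to the service."""
    return int.from_bytes(h, "big") >> (256 - PREFIX_BITS)

def build_server_index(leaked: List[str]) -> Dict[int, Set[bytes]]:
    """Service side: index breached-password hashes by bucket id."""
    index: Dict[int, Set[bytes]] = {}
    for pw in leaked:
        h = pw_hash(pw)
        index.setdefault(bucket_id(h), set()).add(h)
    return index

def client_query(password: str) -> Tuple[int, bytes]:
    """Client, step 1: hash locally; only the bucket id goes on the wire."""
    h = pw_hash(password)
    return bucket_id(h), h

def server_respond(index: Dict[int, Set[bytes]], bid: int) -> Set[bytes]:
    """Service, step 2: return every hash in the requested bucket."""
    return set(index.get(bid, set()))

def client_check(h: bytes, bucket: Set[bytes]) -> bool:
    """Client, step 3: the full-hash membership test happens locally."""
    return h in bucket

def is_compromised(index: Dict[int, Set[bytes]], password: str) -> bool:
    bid, h = client_query(password)
    return client_check(h, server_respond(index, bid))
```

The service learns only a 16-bit bucket id, yet even that prefix narrows the password space for a malicious or compromised service; quantifying and reducing that leakage is what the CCS 2019 protocols are about.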
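    For the typo-tolerant checking described under "Correcting Password Typos", here is an added example (not Dropbox's code and not TypTop) of a server-side check that accepts a submitted password if it, or one of a small fixed set of corrections of it, hashes to the stored salted hash. The three correctors, the PBKDF2 parameters and the sample password are assumptions made for illustration.

```python
import hashlib, hmac, os

# Illustrative corrector set (assumption): caps-lock left on, an accidentally
# shifted first character, and one extra trailing character. Each corrector
# maps the submitted string to one extra candidate the server will try.
def swc_all(pw: str) -> str:   return pw.swapcase()
def swc_first(pw: str) -> str: return pw[:1].swapcase() + pw[1:]
def rm_last(pw: str) -> str:   return pw[:-1]
CORRECTORS = (swc_all, swc_first, rm_last)

ITERATIONS = 50_000  # PBKDF2 work factor (assumed; deployments tune this)

def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def register(password: str) -> tuple:
    """Store only a salted hash; nothing about the corrector set is stored."""
    salt = os.urandom(16)
    return salt, derive(password, salt)

def candidate_set(submitted: str) -> set:
    """All strings one attempt is checked against (the 'ball' around it).
    Its size bounds how many distinct passwords one online guess can cover."""
    cands = {submitted}
    for fix in CORRECTORS:
        cands.add(fix(submitted))
    return cands

def check_login(record: tuple, submitted: str) -> bool:
    """Accept if the submitted string or one of its corrections matches."""
    salt, stored = record
    return any(hmac.compare_digest(derive(c, salt), stored)
               for c in candidate_set(submitted))
```

The security cost is visible in candidate_set: an online attacker gets at most four passwords checked per attempt, which is why the set is kept tiny and limited to corrections that legitimate users make far more often than attackers benefit from.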
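    A partially oblivious PRF with key rotation, as in the Pythia description above, can be demonstrated with a discrete-log blinding construction: the web service blinds the hashed password, Pythia raises it to a per-tweak key, and the service unblinds. This is an added example, not Pythia's pairing-based implementation, and the group (Z_p^* for p = 2^521 - 1, whose order is smooth) is a toy parameter chosen so the arithmetic runs without libraries.

```python
import hashlib, hmac, math, secrets

# Toy group Z_p^* for the Mersenne prime p = 2^521 - 1 (assumed parameter, NOT
# secure: p - 1 is smooth). Exponents are reduced modulo the group order N.
P = 2**521 - 1
N = P - 1

def hash_to_group(password: str) -> int:
    """Map a password to a group element in [2, P-2]."""
    return 2 + int.from_bytes(hashlib.sha512(password.encode()).digest(), "big") % (P - 3)

def rand_unit() -> int:
    """Random blinding exponent invertible mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r

class PythiaLikeServer:
    """Holds the master key and derives a per-tweak key k_w = KDF(master, w).
    It sees the tweak w and a blinded value only, never the password."""
    def __init__(self, master_key: bytes):
        self.master = master_key
    def tweak_key(self, tweak: bytes) -> int:
        ctr = 0
        while True:  # rejection-sample until k_w is invertible mod N
            mac = hmac.new(self.master, tweak + ctr.to_bytes(4, "big"), hashlib.sha512)
            k = int.from_bytes(mac.digest(), "big") % N
            if k > 1 and math.gcd(k, N) == 1:
                return k
            ctr += 1
    def evaluate(self, tweak: bytes, blinded: int) -> int:
        return pow(blinded, self.tweak_key(tweak), P)
    def rotate(self, tweak: bytes, new_master: bytes) -> int:
        """Switch master key; return update token delta = k'_w / k_w (mod N)."""
        old = self.tweak_key(tweak)
        self.master = new_master
        return self.tweak_key(tweak) * pow(old, -1, N) % N

def harden(server: PythiaLikeServer, tweak: bytes, password: str) -> int:
    """Web-service side: blind, query, unblind. Output H(pw)^(k_w) is what the
    service stores; an attacker holding it must query Pythia per guess."""
    r = rand_unit()
    blinded = pow(hash_to_group(password), r, P)   # hides the password from Pythia
    y = server.evaluate(tweak, blinded)            # = H(pw)^(r * k_w)
    return pow(y, pow(r, -1, N), P)                # strip r: H(pw)^(k_w)

def apply_update(stored: int, delta: int) -> int:
    """Re-key a stored value after rotation without knowing the password."""
    return pow(stored, delta, P)
```

After rotate, values hardened under the old key match the new key only once apply_update has been run with the token, so a copy stolen before rotation no longer verifies anything.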


Service

Program committee:
Other reviewing work: WAY 2019

Teaching

  • CS642 (Introduction to Information Security) — Fall 2019