Karthikeyan Bhargavan’s international career path and his research bringing benefits across the world have both been pivotal in his success. After graduating in India, this specialist in online data security studied for a PhD at the University of Pennsylvania in the USA. He got his first job as a researcher with Microsoft in Cambridge (United Kingdom), before gravitating towards academic research, joining Inria in Paris in 2009. Bhargavan’s wealth of experience is matched only by the range of different subjects he has tackled, with his expertise in programming language allied to his knowledge of internet protocols and cryptography.
In 2012, the researcher launched Prosecco (Programming Securely with Cryptography), a team set up to study cryptographic mechanisms for making internet communication more secure. This expertise was to prove attractive to the world of industry. Bhargavan has worked extensively on internet protocols developed by manufacturers, ensuring their systems are fully secure prior to being rolled out.
It’s very rewarding being able to apply the results from your research to commercial or opensource software programs and to show that they can be applied to real-life situations, for example detecting the Logjam vulnerability, and bridging the gap between theory and IT attacks
This relationship with the world of industry has been bolstered through shared objectives and regular catch-up sessions within the working groups of the IETF1, the body governing internet standards.
Expertise with a global impact
The Prosecco team was set up to make the web a safer place. In order to achieve this aim, it’s not enough simply to detect and correct bugs - all you're doing there is putting on a bandage, when what we really need to be doing is treating the wound itself.
Instead, this ten-person team decided to focus on long-term solutions, developing new programming languages such as F*, and tools for verifying the security of existing systems (CryptoVerif) in order to identify and correct vulnerabilities that could otherwise be exploited by malware. This research, which was funded by an ERC Grant, was undertaken as part of the Crysp project (Collaborative Cryptographic Security Proofs for Programs).2.
Promising initial results: the tools developed by the project team detected sizeable security breaches in the cryptographic protocol used by all web browsers (Chrome, Firefox, etc.). When you’re doing online banking or checking your emails, for example, you'll see a small padlock next to the address bar. Behind this padlock can be found what is called TLS (Transport Layer Security), an IT protocol which maintains a secure chain between the web browser and the site you’re using. “What we realised was that the 1.2 version of TLS was using cryptography mechanisms dating back to the 80s and 90s, meaning they weren’t suitable for current systems”, explains the researcher. The analysis work carried out on this protocol by the team convinced the IETF to develop a new, more effective and more secure system to replace the old one.
In order to do this, the Prosecco researchers, working alongside a number of international partners, built the TLS 1.3 protocol, which has been in use since 2018. They developed a range of tools and techniques leading to a defect-free security system which is capable of being verified mathematically. The new protocol delivers enhanced security, and is also quicker. While access to a mailbox previously required two connections to the servers of the messaging service, this can now be done using just one.
In my field of research, it is rare to get the opportunity to observe the impact our work has on society, but TLS 1.3 had an immediate effect on the web and its billions of users.
explains Karthikeyan. In a more general sense, he is hopeful that this research will inspire other IETF groups to work in collaboration with academic researchers to develop a new methodology for analysing and verifying existing protocols.
Users probably didn’t notice anything different the next time they logged in, but this behind-the-scenes work did not go unnoticed by the European Commission. This research was enough to win Karthikeyan Bhargavan the Horizon Impact Award , a new award set up for projects funded by the European Union which go on to make a significant social impact, both within Europe and elsewhere in the world. The prize comes on the back of the awarding to Karthikeyan Bhargavan of European Research Council (ERC) grants in 2010 and 2015, testimony to the impact of the work carried out within Inria.
New ambitious projects
Cryptography and cybersecurity throw up a range of different challenges, which Karthikeyan Bhargavan has already set about tackling. “The next step will involve developing new security protocols for messaging services such as WhatsApp. We are currently working on a system that would prevent a hacker from being able to view the content of messages, even if they managed to access the servers of the messaging service.” At a time when the world is drifting towards software programs based on artificial intelligence (decision support tools, biometrics, etc.), the researcher is also keen to extend the use of cryptography to these new, still relatively unprotected systems, inviting young researchers to get involved in these two fields.
1 Internet Engineering Task Force
2 Subsequently followed by the Circus project