This semester the seminar is organized by the Chair for System Security. Below you will find a list of the planned dates and talks for the whole semester.
| Date | Speaker | Title |
| --- | --- | --- |
| 3 April 2008 | Christoph Bösch | Efficient Fuzzy Extractors for Reconfigurable Hardware |
| 10 April 2008 | Jesse Walker | Distributed Trust in Community Networks |
| 11 April 2008, 13:00 | Giovanni di Crescenzo | Perfectly Secure Password Protocols in the Bounded Retrieval Model |
| 17 April 2008 | Tibor Jager | On Black-Box Ring Extraction and Integer Factorization |
| 24 April 2008 | Martin Novotny and Andy Rupp | Realtime A5/1 Attacks with Precomputed Tables |
| 8 May 2008 | Sandra Steinbrecher | Multilateral Security in Reputation Systems |
| 15 May 2008 | Steffen Schulz (Dobbertin Prize 2008) | Bleichenbacher Attack on SSL with RSA-PKCS#1 |
| 21 May 2008 (Wednesday!) | A. Moradi, T. Eisenbarth and T. Kasper | On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme |
| 30 May 2008 (Friday!) | Eike Kiltz | Programmable Hash Functions and Their Applications |
| 5 June 2008 | Ralf Benzmüller | Malicious Code on the Internet |
| 12 June 2008 | Kerstin Lemke-Rust | Multivariate Side-Channel Analyses |
| 19 June 2008 | Hans Löhr | Property-Based Attestation without a Trusted Third Party |
| 26 June 2008 | Luigi Lo Iacono | Digital Signature of SOAP Attachments |
| 3 July 2008 | Daniel Hamburg, Authentidate | Distributed IDS for Detecting Multi-Stage Attacks |
| 10 July 2008 | Marcel Winandy | Property-Based TPM Virtualization |
| 17 July 2008 | Sebastian Gajek | TBA |
Christoph Bösch (Ruhr-Universität Bochum):
Efficient Fuzzy Extractors for Reconfigurable Hardware
Physical Unclonable Functions (PUFs) provide appealing properties that make them very attractive for a variety of security-related applications. Due to their inherent dependency on the physical properties of the device that contains them, they can be used to uniquely bind an application to a particular device for the purpose of IP protection. This is crucial for protecting FPGA applications against illegal copying and distribution. In order to exploit the physical nature of PUFs for reliable cryptography, so-called fuzzy extractors are used to generate cryptographic quantities (e.g., keys) with appropriate entropy from noisy and non-uniform random PUF responses. In this paper we present, for the first time, efficient implementations of fuzzy extractors on FPGAs, where efficiency is measured in terms of required hardware resources. This fills the gap of the missing building block for a full FPGA IP protection solution. Moreover, in this context we propose new architectures for the decoders of Reed-Muller and Golay codes, and show that our solutions are very attractive from both an area and an error-correction-capability point of view.
This is joint work with Philips Research Europe.
Jesse Walker (Intel Corporation, USA):
Distributed Trust in Community Networks
Traditionally, manufacturers have treated device introduction and direct device-to-device authentication as afterthoughts, if at all. Mobility, ad hoc networking, meshes, ubiquitous computing, and other unmanaged networks have given urgency to the consideration of first-class features to address these problems. In this talk, we examine reasons why centralized authentication systems fall short for these new classes of networks and suggest some foundations for a distributed trust model to address these issues. We argue that instead of a simple label, an identity signifies a relationship the named entity has with the community. We describe a PGP-like paradigm in which every member can serve as a root to enroll and authenticate devices for the community. Members of the community share the certificates they issue with each other, as well as other evidence relevant to identification. We illustrate our ideas with a technique we call identity laundering, which introduces devices using existing relationships in other communities.
Giovanni Di Crescenzo (Telcordia Technologies, NJ, USA):
Perfectly Secure Password Protocols in the Bounded Retrieval Model
We introduce a formal model, which we call the Bounded Retrieval Model, for the design and analysis of cryptographic protocols remaining secure against intruders that can retrieve a limited amount of parties’ private memory. The underlying model assumption on the intruders’ behavior is supported by real-life physical and logical considerations, such as the inherent superiority of a party’s local data bus over a remote intruder’s bandwidth-limited channel, or the detectability of voluminous resource access by any local intruder. More specifically, we assume a fixed upper bound on the amount of a party’s storage retrieved by the adversary. Our model could be considered a non-trivial variation of the well-studied Bounded Storage Model, which postulates a bound on the amount of storage available to an adversary attacking a given system. In this model we study perhaps the simplest among cryptographic tasks: user authentication via a password protocol. Specifically, we study the problem of constructing efficient password protocols that remain secure against offline dictionary attacks even when a large (but bounded) part of the storage of the server responsible for password verification is retrieved by an intruder through a remote or local connection. We show password protocols having satisfactory performance on both efficiency (in terms of the server’s running time) and provable security (making the offline dictionary attack not significantly stronger than the online attack). We also study the tradeoffs between efficiency, quantitative and qualitative security in these protocols. All our schemes achieve perfect security (security against computationally-unbounded adversaries). Our main schemes achieve the interesting efficiency property of the server’s lookup complexity being much smaller than the adversary’s retrieval bound.
Tibor Jager (Lehrstuhl für Netz- und Datensicherheit, Ruhr-Universität Bochum):
On Black-Box Ring Extraction and Integer Factorization
The black-box ring extraction problem has (at least) two important interpretations in the context of cryptography: an efficient algorithm for the black-box ring problem implies the equivalence of computing discrete logarithms and solving the Diffie-Hellman problem. At the same time, this implies the non-existence of secure ring-homomorphic encryption schemes.
Boneh/Lipton [BL96_BBF] and Maurer/Raub [MR07_BBExtFields] show that there exist subexponential-time algorithms in the case where the black-box ring is a field. It is unknown whether more efficient algorithms exist.
We provide a polynomial-time reduction from factoring the ring characteristic n to the black-box ring problem for virtually any ring in which computation is efficient.
Under the factoring assumption, this implies the non-existence of efficient generic reductions from computing discrete logarithms to the Diffie-Hellman problem. Considered in contrast to [BL96_BBF] and [MR07_BBExtFields], this might be an indicator that secure ring-homomorphic encryption schemes may exist.
Martin Novotny & Andy Rupp (Lehrstuhl für Eingebettete Sicherheit, Ruhr-Universität Bochum):
Realtime A5/1 Attacks with Precomputed Tables
GSM communication is encrypted with the A5/1 stream cipher. Many attack scenarios against GSM have been proposed; however, none of them was fully implemented. The first real-world attack appears to be the smart brute-force attack recently developed and implemented in the COSY group at Ruhr-University Bochum. Using the COPACOBANA machine, the cipher can be broken in several hours.
Another approach is to use precomputed tables, known as time-memory trade-off (TMTO) tables. This method allows for a very fast attack: the A5/1 cipher might be broken in a couple of minutes. However, precomputing TMTO tables demands extensive computation power, and hence it may take from several weeks up to several thousand years, depending on both the cipher and the computation platform.
In our talk we will discuss variants of TMTO methods and their advantages and drawbacks with respect to the actual cipher and with respect to efficient hardware implementation. We will present a hardware engine that calculates TMTO tables for A5/1. The engine was designed and implemented for the COPACOBANA machine. We will also discuss the design tricks used to gain maximum performance from the machine.
Sandra Steinbrecher (Technische Universität Dresden):
Multilateral Security in Reputation Systems
With the growing interaction possibilities for Internet users, which have long gone beyond pure communication, the research question arises in the area of multilateral security of rethinking and extending classical security requirements. In my talk I address this question for community systems and reputation systems, present building blocks that realize the new requirements, and evaluate them. Combining reputation systems with identity management systems makes sense, since reputation is inevitably linked to a digital identity. Identity management systems try to support users and services with respect to the identity data that arises in interactions between them. In recent years, the development of identity management systems has moved from simple account management systems on a single server to systems that allow the federation of identities across several servers. Privacy-friendly identity management such as PRIME (http://www.prime-project.eu/) tries to leave users in control of their data and not to enable automatic federation. Just as identity management for a single service is not sufficient, the same holds for reputation management, since users' social networks usually extend not only to individual communities but across several. I present the design of such a system, taking multilateral security into account.
Steffen Schulz (Ruhr-Universität Bochum):
Bleichenbacher Attack on SSL with RSA-PKCS#1
The task of this year's Crypto Challenge was an attack on a slightly modified OpenSSL variant under realistic conditions. Steffen Schulz was the fastest to solve this task and is therefore the winner of the Dobbertin Prize 2008.
In the talk, the winner will present this year's challenge and his approach to solving the task. The award ceremony will take place on 6 June as part of the HGI company contact fair (HGI-Firmenkontaktmesse).
Amir Moradi, Thomas Eisenbarth & Timo Kasper (Lehrstuhl für Eingebettete Sicherheit, Ruhr-Universität Bochum):
On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme
KeeLoq remote keyless entry systems are widely used for access control purposes such as garage door openers or car anti-theft systems. We present the first successful differential power analysis attacks on numerous commercially available products employing KeeLoq code hopping. Our new techniques combine side-channel cryptanalysis with specific properties of the KeeLoq algorithm. They allow for efficiently revealing both the secret key of a remote transmitter and the manufacturer key stored in a receiver. As a result, a remote control can be cloned from only ten power traces, allowing for a practical key recovery in a few minutes. Once the manufacturer key is known, we demonstrate how to disclose the secret key of a remote control and replicate it from a distance, just by eavesdropping on at most two messages. This key cloning without physical access to the device has serious real-world security implications. Finally, we mount a denial-of-service attack on a KeeLoq access control system. At the end of the talk we will present a demonstration of the attack on a commercial KeeLoq product.
Eike Kiltz (CWI Amsterdam, NL):
Programmable Hash Functions and Their Applications
We introduce a new information-theoretic primitive called programmable hash functions (PHFs). PHFs can be used to program the output of a hash function such that it contains solved or unsolved discrete logarithm instances with a certain probability. This is a technique originally used for security proofs in the random oracle model. We give a variety of standard-model realizations of PHFs (with different parameters).
The programmability of PHFs makes them a suitable tool for obtaining black-box proofs of cryptographic protocols when considering adaptive attacks. We propose generic digital signature schemes from the strong RSA problem and from a hardness assumption on bilinear maps that can be instantiated with any PHF. Our schemes offer various improvements over known constructions. In particular, we obtain very short standard-model digital signatures.
This is joint work with D. Hofheinz.
The paper will appear at CRYPTO 2008.
Ralf Benzmüller (G DATA Software AG, Bochum):
Malicious Code on the Internet
More and more malware is distributed via websites. Malicious code lurks not only on warez and adult sites but in many unsuspicious places on the net, e.g. in search engines, in advertising, or in Web 2.0 applications. After a brief overview of the current situation, various ways are explained in which malicious code can be smuggled into websites, and which techniques, tricks, and tools are used to hijack the computers of website visitors.
Kerstin Lemke-Rust:
Multivariate Side-Channel Analyses
Consideration of side-channel resistance is nowadays of great importance for chip security in mobile applications. Physical measurands such as the power consumption or the electromagnetic emanation of the chip during the execution of the cryptographic implementation provide the measurement data that is evaluated in side-channel analysis.
This talk considers multivariate side-channel analyses (templates), which from an information-theoretic point of view are the most powerful tool for testing side-channel resistance and are particularly relevant for the developer of a cryptographic implementation. Multivariate analyses are based on a two-stage attack model: profiling and classification. The corresponding methods are presented.
It is shown how multivariate methods can also be applied to masked cryptographic implementations. Finally, gradations in the attacker model are discussed.
Hans Löhr (Lehrstuhl für Systemsicherheit, Ruhr-Universität Bochum):
Property-Based Attestation without a Trusted Third Party
The concept of Property-Based Attestation (PBA) was introduced to compensate for the shortcomings of the binary attestation proposed by the Trusted Computing Group (TCG), where a computing platform with a dedicated security chip, the Trusted Platform Module (TPM), reports its state (hardware and software configuration) to remote parties. In particular, PBA aims at enhancing user privacy by allowing the trusted platform to prove to a remote entity that the platform is configured in a trustworthy manner (has certain properties) without revealing its actual configuration. The existing PBA solutions, however, require a Trusted Third Party (TTP), in addition to the TPM, to provide a certificate linking configurations to properties.
We present a new privacy-preserving PBA approach that does not require such a TTP. We define a formal model, propose an efficient protocol based on the ideas of ring signatures, and prove its security. Moreover, the cryptographic technique employed in our protocol may be of independent interest: we show how ring signatures can be used to efficiently prove knowledge of an element in a list without disclosing it.
This is joint work with Liqun Chen, Mark Manulis, and Ahmad-Reza Sadeghi.
Luigi Lo Iacono (NEC Labs Europe, Sankt Augustin):
Digital Signature of SOAP Attachments
Since Grids are increasingly converging on Web service technologies and the accompanying standards, applying WS-Security and related specifications seems to be an obvious solution for providing security mechanisms for data transfer services. A closer look at the available technologies for data transfer using SOAP reveals, however, that it is not as straightforward as expected. This presentation introduces the available technologies for data transfer using SOAP and discusses their properties with respect to applying digital signatures according to WS-Security.
Daniel Hamburg (AuthentiDate, Düsseldorf):
Distributed IDS for Detecting Multi-Stage Attacks
Coming soon ...
Marcel Winandy (Lehrstuhl für Systemsicherheit, Ruhr-Universität Bochum):
Property-Based TPM Virtualization
Coming soon ...
Sebastian Gajek (Lehrstuhl für Netz- und Datensicherheit, Ruhr-Universität Bochum):
TBA
Coming soon ...