Dieses Semester wird das Seminar vom Lehrstuhl für Kryptologie und IT-Sicherheit organisiert. Untenstehend finden Sie eine Liste der geplanten Termine und Vorträge für das ganze Semester.

 23. Okt. 2008 Christian Blichmann Automatiserte Signaturgenerierung für Malware-Stämme 06. Nov. 2008 Meiko Jensen Flooding Attack Issues of Web Services and Service-Oriented Architectures 13. Nov. 2008 Mathias Herrmann Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits 20. Nov. 2008 Christian Wachsmann User Privacy in Transport Systems Based on RFID E-Tickets 27. Nov. 2008 Axel Poschmann Hash-Functions and RFID-Tags: Mind the Gap 04. Dez. 2008 Tim Güneysu High Performance ECC over NIST Primes on Commercial FPGAs 11. Dez. 2008 Vladimir Kolesnikov (Bell Labs, USA) Efficient Techniques for Securing Off-Chip Memory 18. Dez. 2008 Martin Schottenloher Whitelistung als Beitrag zur Transaktionssicherheit - der Weg der Zukunft 08. Jan. 2009 Thomas Eisenbarth Fast Hash-Based Signatures on Constrained Devices 29. Jan. 2009 Maike Ritzenhofen Implicit Factoring: On Polynomial Time Factoring Given Only an Implicit Hint 05. Feb. 2009 Mathias Herrmann A practical key recovery attack on basic TCHo 09. Mar. 2009 Domingo Gomez-Perez Cryptographic Properties of  Pseudorandom Number Sequences

Christian Blichmann Automatisierte Signaturgenerierung für Malware-Stämme

Eine ständig wachsende Zahl von Schadprogrammen, auch als Malware bezeichnet, stellt Antivirenprogramme vor die Herausforderung, diese möglichst schnell und mit niedrigen Fehlerraten zu erkennen. Eine große Anzahl zu überprüfender Signaturen führt hierbei zu einem Trade-Off zwischen hoher Erkennungsrate auf der einen und möglichst guten Antwortzeiten auf der anderen Seite. Aktuelle Signaturen sind für die Sicherheit moderner Rechensysteme jedoch unverzichtbar. Im Rahmen dieser Arbeit wird eine Methode vorgestellt, mit der herkömmliche Scanner von - für Echtzeiteinsatz häufig nicht geeigneten - automatischen Klassifikationsmethoden für Malware profitieren können. Hierbei wird für eine gegebene Familie von Schadprogrammen eine Byte-basierte Signatur für den Scanner ClamAV generiert, mit der zuverlässig die gesamte Familie erkannt werden kann. Die so erzeugte Signatur wird anschließend in Bezug auf falsche Positive und falsche Negative getestet.

Meiko Jensen Flooding Attack Issues of Web Services and Service-Oriented Architectures

The service-oriented architecture paradigm slowly matures towards some kind of "Web Service Internet" where basically everybody may use the services others provide. Though this evolution enables lots of opportunities for electronic business, it also induces many new security issues to consider. One important security threat to SOA consists in request floodings, which - being intentional or accidental - may rapidly lead to Denial-of-Service and other kinds of malfunctions. In this presentation, I will introduce a basic model for describing flooding attacks in general, reconsider some of the known flooding attacks on Web Services, advance to flooding issues of basic service compositions, and finally derive some conclusions for security considerations of service-oriented architectures in general.

Mathias Herrmann Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits.

We study the problem of finding solutions to linear equations modulo an unknown divisor p of a known composite integer N. An important application of this problem is factorization of N with given bits of p. It is well-known that this problem is polynomial-time solvable if at most half of the bits of p are unknown and if the unknown bits are located in one consecutive block. We introduce an heuristic algorithm that extends factoring with known bits to an arbitrary number n of blocks. Surprisingly, we are able to show that ln(2) ~ 70% of the bits are sufficient for any n in order to find the factorization. The algorithm's running time is however exponential in the parameter n. Thus, our algorithm is polynomial time only for n = O(log logN) blocks.

Christian Wachsmann User Privacy in Transport Systems Based on RFID E-Tickets

Recently, operators of public transportation in many countries started to roll out electronic tickets (e-tickets). E-tickets offer several advantages to transit enterprises as well as to their customers, e.g., they aggravate forgeries by cryptographic means whereas customers benefit from fast and convenient verification of tickets or replacement of lost ones.
Existing (proprietary) e-ticket systems deployed in practice are mainly based on RFID technologies where RFID tags prove authorization by releasing spatio-temporal data that discloses customer-related data, in particular their location. Moreover, available literature on privacy-preserving RFID-based protocols lack practicability for real world scenarios. In this paper, we discuss appropriate security and privacy requirements for e-tickets and point out the shortcomings of existing proposals. We then propose solutions for practical privacy-preserving e-tickets based on known cryptographic techniques and RFID technology.

Axel Poschmann Hash-Functions and RFID-Tags: Mind the Gap

The security challenges posed by RFID-tag deployments are well- known. In response there is a rich literature on new cryptographic protocols and an on-tag hash function is often assumed by protocol designers. Yet cheap tags pose severe implementation challenges and it is far from clear that a suitable hash function even exists. In this paper we consider the options available, including constructions based around compact block ciphers. While we describe the most compact hash functions available today, our work serves to highlight the diffculties in designing lightweight hash functions and (echoing [1]) we urge caution when routinely appealing to a hash function in an RFID-tag protocol.

[1] Feldhofer,M., Rechberger, C.: A Case Against Currently Used Hash Functions in RFID Protocols.
In: Meersman, R., Tari, Z.,Herrero, P. (eds.) OTM2006 Workshops. LNCS, vol. 4277,
pp. 372 - 381. Springer, Heidelberg (2006)

Tim GüneysuHigh Performance ECC over NIST Primes on Commercial FPGAs

Despite a wealth of research regarding high-speed software and high-speed FPGA implementation of ECC since the mid 1990s, providing truly high-performance ECC on readily available (i.e., non-ASIC) platforms remains an open challenge. This holds especially for ECC over prime fields, which are often preferred over binary fields due to standards in Europe and the US, and a somewhat clearer patent situation. We present a new architecture for an FPGA-based high performance ECC implementation over prime fields. Our architecture makes intensive use of the DSP blocks in modern FPGAs, which are embedded arithmetic units actually intended to accelerate digitial signal processing algorithms. We describe a novel parallel architecture and algorithms for performing ECC arithmetic and describe the actual implementation of standard compliant ECC based on the NIST primes P-224 and P-256.

Vladimir KolesnikovEfficient Techniques for Securing Off-Chip Memory

We consider a system architecture where a hardware-secured processor uses memory controlled by an adversary. We present a new, more efficient approach to encrypting and authenticating memory and discuss the associated trade-offs, while paying special attention to minimizing hardware costs and the reduction of DRAM latency.
Instrumental in our approach is ShMAC (Shallow MAC), a new fixed input length message authentication code that performs most of the computation prior to the availability of the message. Specifically, ShMAC's message-dependent computation is much faster and smaller in hardware than the evaluation of a PRP, and can be implemented by a small shallow circuit, while its precomputation consists of one PRP evaluation.  We describe our architecture in detail, and show the clear advantages of MAC precomputation in our system.
Striking a good cost/security balance in this resource-constrained setting is challenging; we additionally demonstrate this by uncovering critical vulnerabilities in a previously proposed low-latency DRAM system.

Martin Schottenloher Whitelisting als Beitrag zur Transaktionssicherheit - der Weg der Zukunft

Die Whitelistung-Methode lässt nur solche Prozesse zu, die erlaubt sind, alles andere wird als potenzielle Gefahr gesehen. Diesem Ansatz gehört die Zukunft, sind doch die herkömmlichen Sicherheitslösungen auf den jeweiligen Wissenstand angewiesen und daher sehr anfällig gegen neue Malware. Die Whitelistung-Methode dagegen schützt gerade die Internettransaktionen gegen Malware, sowohl auf URL-Ebene als auch auf der Applikationsebene. Der Whitelisting-Ansatz muss allerdings ergänzt werden um Methoden (z.B. durch Trusted Computing, die sicherstellen, dass das System nicht modifiziert
worden ist). In der Praxis ist hier die Verhaltens-Analyse eine große Hilfe, da ja die Malware auffällige Aktionen ausführen muss, wenn sie dabei ist, Schaden anzurichten.

Thomas Eisenbarth Fast Hash-Based Signatures on Constrained Devices

Digital signatures are one of the main application scenarios for modern cryptography, e.g., for digital certificates on the Internet or banking cards. The most widely used algorithms for digital signatures, RSA and Elliptic Curve Digital Signature Algorithm (ECDSA), are computationally expensive, making them very challenging for many embedded applications such as smart cards or RFID tags. Hence the need for better methods is highly visible.
One alternative to RSA and ECDSA is the Merkle signature scheme which provides digital signatures using hash functions only. Hash functions are orders of magnitude more efficient than the the number-theoretical based RSA and elliptic curve schemes. After a general introduction to hash-based signatures,  the strengths and weaknesses of the Merkle signature scheme are highlighted.  It will be shown that hash-based signatures are a promising alternative to the well-established signature schemes, especially for embedded systems.

Maike Ritzenhofen Implicit Factoring: On Polynomial Time Factoring Given Only an Implicit Hint

We address the problem of polynomial time factoring RSA moduli $N_1=p_1q_1$ with the help of an oracle.  As opposed to other approaches that require an oracle that {\em explicitly} outputs bits of $p_1$, we use an oracle that gives only {\em implicit} information about $p_1$. Namely, our oracle outputs a different $N_2=p_2q_2$ such that $p_1$ and $p_2$ share the $t$ least significant bits. Surprisingly, this implicit information is already sufficient to efficiently factor $N_1$, $N_2$ provided that $t$ is large enough.

Mathias Herrmann A practical key recovery attack on basic TCHo

TCHo is a public key encryption scheme based on a stream cipher components, which is particular suitable for low cost devices like RFIDs. In its basic version, TCHo offers no IND-CCA2 security, but the authors suggest to use a generic hybrid construction to achieve this security level. The implementation of this method however, significantly increases the hardware complexity of TCHo and thus annihilates the advantage of being suitable for low cost devices. In this paper we show, that TCHo cannot be used without this construction. We present a chosen ciphertext attack on basic TCHo that recovers the secret key after approximately d^(3/2) decryptions, where d is the number of bits of the secret key polynomial. The entropy of the secret key is log_2(binomial(d,w)), where w is the weight of the secret key polynomial, and w is usually small compared to d. In particular, we can break all of the parameters proposed for TCHo within hours on a standard PC.

Domingo Gomez Perez (Universidad de Cantabria): Cryptographic Properties of Pseudorandom Number Sequences

Pseudorandom numbers sequences are used in many fields. They replace random numbers for many applications for several reasons, they can be efficiently generated, they are deterministic and properties of some of them are well-understood. After a brief introduction to the topic, we will center on the study of predictability of pseudorandom number sequence with applications to cryptography. We define discrepancy and linear complexity profile and we will see how some pseudorandom number generators behave with respect these parameters. We also show that these conditions are not sufficient to proof a sequence is unpredictable.