This semester the seminar is organized by the Chair for Embedded Security (EmSec). Below you will find a list of the planned dates and talks for the whole semester.

Date | Speaker | Affiliation | Title
15 October 2009 | David Oswald | EmSec | Development of an Integrated Environment for Side-Channel Analysis and Fault Injection
22 October 2009 | Enrico Thomae | Universität Dresden | Permutations among the HFE Polynomials
3 November 2009 | Andreas Noack | NDS | Group Key Agreement for Wireless Mesh Networks
5 November 2009 | Birgit Pfitzmann | IBM Watson | Galapagos: Application-Dependency Discovery in Services Research
12 November 2009 | Georg Becker | EmSec | Constructive use of side-channels
26 November 2009, IC 4/39 | Stefan Heyse | EmSec | Coding based crypto for embedded devices: Performance, Sidechannels and Countermeasures
3 December 2009, IC 4/39 | Mathias Herrmann | CITS | Attacking Power Generators Using Unravelled Linearization
10 December 2009 | Michael Silbermann | EmSec | Security Analysis of Contactless Payment Systems in Practice
17 December 2009 | Henrich C. Pöhls | ISL Passau | Digital Signatures and Context-Loss - How Digital Signatures might facilitate Data Protection Claims in SOA
14 January 2010, 11-13 | Wilfried Karden | Innenministerium NRW | Industrial Espionage (Wirtschaftsspionage)
21 January 2010 | Martin Novotný | FEE CTU Prague | Implementing MQ cryptosystems - Problems and Challenges
28 January 2010 | Meiko Jensen | NDS | On Technical Security Issues in Cloud Computing
4 February 2010 | Florian Kerschbaum | SAP | Security Challenges in Supply Chain Management
3 March 2010 (Wednesday!) | Axel Poschmann | Nanyang Technological University, Singapore | Side-Channel Resistant Crypto for less than 2,300 GE
25 March 2010 | Sergey Cherementsev, Alexander Vernigora, Ekaterina Shchetkina, Oxana Bulynina, Anton Rechkov | Taganrog, Russia | Kernel-level Antirootkit for Linux, eToken Smart-Cards in Banking and eCommerce, The BIND Birthday Attack, Splitting variables for machine byte code

Development of an Integrated Environment for Side-Channel Analysis and Fault Injection

David Oswald

We present a unified framework for advanced implementation attacks that allows for conducting automated side-channel analysis and fault injection targeting all kinds of embedded cryptographic devices, including RFIDs. Our proposed low-cost setup consists of modular functional units that can be interchanged depending on the demands of a concrete attack scenario. To demonstrate the capabilities of our framework, we practically performed a full-key recovery on a commercial contactless smartcard and injected multiple faults in a widespread microcontroller. In doing so, we disprove the common belief that highly sophisticated and expensive equipment is required to conduct such attacks.

Permutations among the HFE Polynomials

Enrico Thomae

The development of the quantum computer is progressing, and so the threat to the two most popular asymmetric cryptosystems, RSA and ElGamal, grows. Even if there is no reason to panic yet, the current program on "IT-Sicherheitsforschung" (by BMI and BMBF) points out that post-quantum cryptosystems are already of high importance today if we want to encrypt data that are supposed to remain secure for more than 20 years. The problem with today's post-quantum cryptosystems is that either their key size is too large (McEliece) or their performance is bad (HFE) (or they are not even secure). In order to increase the performance of HFE, it is of great interest to determine the permutation polynomials (and their inverses) among the HFE polynomials proposed by Patarin. If such polynomials are known, there is no need to use perturbations anymore.

The presentation introduces post quantum cryptography, especially multivariate public key cryptography, and shows the results of my diploma thesis, i.e. how to determine special classes of permutation polynomials among the HFE polynomials and specify their inverse.

Group Key Agreement for Wireless Mesh Networks

Andreas Noack

Wireless mesh networks consist of stationary nodes that communicate over wireless connections. Since WLAN security standards are only applicable in the standard scenario where the access points are connected by a cable-bound backbone, nearly all mesh networks broadcast messages in the clear. To secure these networks, and to reduce the amount of re-encryption of messages, we propose to use group key agreement (GKA) protocols to agree on a common key for all nodes. In a mesh network, a message sent by a certain node can only be received directly by nodes within the broadcast range of the first node. Thus we have neither direct point-to-point connections between nodes, nor a perfect broadcast channel. We therefore compare the suitability of different GKA protocols proposed in the literature for mesh networks.

Galapagos: Application-Dependency Discovery in Services Research

Birgit Pfitzmann

Many enterprises perform data-center transformations, consolidations, and migrations to reduce costs and make IT greener. These projects start with a discovery phase where infrastructure and applications are analyzed to detect software and data dependencies across different servers.

Galapagos is a project at IBM Research for performing this discovery, with a focus on minimizing the overall time and risk for this important engagement phase. We describe technology choices resulting from this focus, some of them rather surprising, and we show discovery and use-case results from some real engagements.

Galapagos is also an example of Services Research, i.e., research for IT services providers, which is a new and growing area in industrial research.

Constructive use of side-channels

Georg T. Becker

Side-channel attacks, such as power analysis attacks, have been studied for 10 years now, and they are still one of the biggest security threats to real-world applications. In this talk we will look at side channels from a new perspective: instead of seeing side-channels only as a threat to security, we will look at the constructive use of side-channels.

At CHES 2009, the idea of building hardware trojans using side-channels was first introduced. But embedding side-channels into a hardware design is not only lucrative for attackers who want to leak secret information. Side-channels can be used to set up a hidden and encrypted communication channel. This can be achieved by transmitting the information below the noise level of the side-channel, e.g. the power consumption. The information is hidden in the noise and can only be revealed with knowledge of a secret. The advantage of using side-channels such as the power consumption to set up a communication channel is that no additional I/O periphery is needed and that the channel can be implemented using only a few gates. As an example application for the constructive use of such a hidden communication channel, we show how an authentication mechanism for integrated circuits can be built using side-channels. Such an authentication mechanism could be used to detect IP theft.
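The principle the abstract describes (a signal below the noise floor that only a holder of the secret can recover) can be shown in a small simulation. The following is an added example and not the talk's construction: it spreads each bit over many samples using a secret-keyed ±1 sequence, adds it at an amplitude far below the noise of a constructed "power trace", and recovers the bits by correlating with the same keyed sequence. The names, the seeded noise and the parameters are all my assumptions for the illustration.

```python
import random

# Added simulation (not the talk's construction): a keyed sequence modulated
# onto a noisy "power trace" at an amplitude well below the noise, recovered
# by correlating with the same keyed sequence. Traces are constructed with
# seeded pseudo-random noise so the run is reproducible offline.


def keyed_sequence(secret, length):
    """Pseudo-random +/-1 sequence derived from the shared secret; both the
    sending circuit and the verifying party must use the same secret."""
    rng = random.Random(secret)
    return [rng.choice((-1, 1)) for _ in range(length)]


def transmit(bits, secret, chips_per_bit, amplitude, noise_sigma, noise_seed):
    """Simulated trace: every bit is spread over `chips_per_bit` samples of
    Gaussian noise, each sample nudged by +/-amplitude times the keyed sequence.
    With amplitude << noise_sigma no single sample reveals the signal."""
    code = keyed_sequence(secret, chips_per_bit)
    noise = random.Random(noise_seed)
    trace = []
    for bit in bits:
        sign = 1 if bit else -1
        for chip in code:
            trace.append(noise.gauss(0.0, noise_sigma) + sign * amplitude * chip)
    return trace


def correlations(trace, secret, chips_per_bit):
    """Per-bit correlation of the trace with the keyed sequence. The noise
    averages towards zero while the signal adds up coherently, so the sign of
    each value carries the bit. With the wrong secret the signal term does not
    add up and the values are dominated by noise."""
    code = keyed_sequence(secret, chips_per_bit)
    result = []
    for start in range(0, len(trace) - chips_per_bit + 1, chips_per_bit):
        segment = trace[start:start + chips_per_bit]
        result.append(sum(s * c for s, c in zip(segment, code)))
    return result


def receive(trace, secret, chips_per_bit):
    """Decode bits from the trace; meaningful only with the right secret."""
    return [1 if corr > 0 else 0 for corr in correlations(trace, secret, chips_per_bit)]


if __name__ == "__main__":
    MESSAGE = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed response bits
    CHIPS, AMP, SIGMA = 10_000, 0.05, 1.0       # signal is 20x below the noise
    trace = transmit(MESSAGE, "ic-secret", CHIPS, AMP, SIGMA, noise_seed=7)
    print("with secret   :", receive(trace, "ic-secret", CHIPS))
    print("without secret:", receive(trace, "guess", CHIPS))
```

With 10,000 samples per bit the coherent signal sums to about 500 while the noise sums to a standard deviation of about 100, so the holder of the secret decodes reliably; anyone correlating with a different sequence sees values that are essentially noise. This is also why such a channel is hard to spot in a trace: per sample the modulation is far below the measurement noise, and detection needs either the secret or a very large number of traces.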

Coding based crypto for embedded devices: Performance, Sidechannels and Countermeasures

Stefan Heyse (EmSec)

Coding based cryptosystems are one of the (so far) four candidates for alternative public key schemes that are resistant against attacks with quantum computers. Their main caveat is the large key, which makes it hard to implement them on very constrained devices. Although already proposed in 1978, the original McEliece scheme has withstood all attacks, except for a small security reduction. Derived from McEliece, the Niederreiter scheme was proposed in 1986. It has the same security level, but benefits from smaller keys. Additionally, it can be transformed into a signature scheme. We give a short introduction to both schemes and the underlying Goppa codes. Afterwards, we explain ways to reduce the memory footprint to a level which allows an implementation on small microcontrollers of the AVR family. Finally, we point out possible side channels and how to exploit them.

Attacking Power Generators Using Unravelled Linearization

Mathias Herrmann

We look at iterated power generators $s_i = s_{i-1}^e \bmod N$ for a random seed $s_0 \in \mathbb{Z}_N$ that in each iteration output a certain amount of bits. We show that heuristically an output of $(1-\frac{1}{e})\log N$ most significant bits per iteration allows for efficient recovery of the whole sequence. This means in particular that the Blum-Blum-Shub generator should be used with an output of less than half of the bits per iteration and the RSA generator with $e=3$ with less than a $\frac{1}{3}$-fraction of the bits. Our method is lattice-based and introduces a new technique, which combines the benefits of two techniques, namely the method of linearization and the method of Coppersmith for finding small roots of polynomial equations. We call this new technique unravelled linearization.
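To make the object of the attack concrete, here is an added example (not from the talk) of the iterated power generator itself together with the output bound the abstract states. The generator emits the most significant bits of each state; the bound function computes the largest per-iteration output that stays strictly below $(1-\frac{1}{e})\log N$. The toy modulus, seed and function names are my own constructed values for the illustration; the lattice attack is not reproduced.

```python
from math import ceil, log2

# Added illustration (not from the talk): the iterated power generator
# s_i = s_{i-1}^e mod N from the abstract, emitting the k most significant
# bits of each state, plus the output bound stated in the abstract.
# The parameters in the usage example are tiny constructed values chosen so
# the arithmetic can be followed by hand; a real instance uses a large N = p*q.


def power_generator(seed, e, modulus, out_bits, rounds):
    """Iterate s_i = s_{i-1}^e mod N for `rounds` steps.

    Returns (states, outputs): the secret internal states s_1..s_rounds and,
    for each, its `out_bits` most significant bits, where every state is read
    as a number of the same bit width as N.
    """
    width = modulus.bit_length()
    if not 0 < out_bits <= width:
        raise ValueError("out_bits must be between 1 and the bit length of N")
    states, outputs = [], []
    s = seed % modulus
    for _ in range(rounds):
        s = pow(s, e, modulus)
        states.append(s)
        outputs.append(s >> (width - out_bits))
    return states, outputs


def max_safe_output_bits(e, modulus):
    """Largest per-iteration output strictly below (1 - 1/e) * log2(N).

    The abstract's heuristic says that emitting that many (or more) most
    significant bits allows recovery of the whole sequence, so a generator
    should stay below this count; for e = 2 (Blum-Blum-Shub) that is fewer
    than half of the bits.
    """
    bound = (1 - 1 / e) * log2(modulus)
    return ceil(bound) - 1


def output_is_within_bound(e, modulus, out_bits):
    """True if emitting `out_bits` per iteration respects the bound above."""
    return out_bits <= max_safe_output_bits(e, modulus)


if __name__ == "__main__":
    # Constructed toy Blum-Blum-Shub instance: N = 11 * 19 = 209, e = 2.
    N, E, SEED = 209, 2, 3
    states, outputs = power_generator(SEED, E, N, out_bits=3, rounds=4)
    print("states :", states)                  # [9, 81, 82, 36]
    print("outputs:", outputs)                 # top 3 of 8 bits: [0, 2, 2, 1]
    print("bound  :", max_safe_output_bits(E, N), "of", N.bit_length(), "bits")
```

For the toy modulus the bound is 3 bits of 8, so emitting 3 bits per iteration is within the heuristic and 4 is not; for a 1024-bit Blum-Blum-Shub modulus the same function gives 511 bits, matching the abstract's "less than half".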

Security Analysis of Contactless Payment Systems in Practice

Michael Silbermann

We investigated a real-world contactless payment application based on Mifare Classic cards. In order to analyze the security of the payment system, we combined previous cryptanalytical results and implemented an improved card-only attack with customized low-cost tools, which is to our knowledge the most efficient practical attack to date. We found several flaws implying severe security vulnerabilities on the system level that allow for devastating attacks including card cloning, recharging and identity theft, and we demonstrate these attacks in practice. Finally, we propose improvements that increase the overall security of the system, and hence can minimize losses due to fraud, with only small effort and cost.

Digital Signatures and Context-Loss - How Digital Signatures might facilitate Data Protection Claims in SOA

Henrich C. Pöhls

Digital signatures are nowadays frequently applied as a technical measure without taking into account the precise semantic problems of their application (signature and verification components treated as a black box). In the talk, this problem is presented in generalized form as "context loss" or "context attacks". The attacks known as XML Signature Wrapping attacks are one example of this. As a current "problem", the talk will present the data protection access claims that users have under the relevant data protection regulations with respect to their personal data, and the automated handling of such claims in the web services environment. Using this example, the possibilities that digital signatures can offer when applied correctly and in more modern forms (such as sanitizable signatures) will be discussed. The specific question is how contexts for data can be established in the first place and preserved in a verifiable way. The talk is intended to lead to a stimulating discussion with the participants in order to explore current research questions further.


Industrial Espionage (Wirtschaftsspionage)

Wilfried Karden

Espionage is today a current topic in many areas of industry. The damage threatens individual companies, but also the national economy as a whole. The counter-espionage division of the Innenministerium NRW (NRW Ministry of the Interior) has therefore taken up the topic and wants to inform companies and raise their awareness. Using revealing and up-to-date examples from practice, my talk will therefore address the following areas:

  • Who are the clients behind the espionage?
  • Which methods are used? And, of course, of particular interest:
  • How can companies protect their valuable know-how?

Security Challenges in Supply Chain Management

Florian Kerschbaum

Supply Chain Management (SCM) concerns the planning, execution and monitoring of goods exchanged between companies. Although companies need to collaborate in order to produce the final good satisfying customer demand, they do not trust each other beyond the necessary exchanges. SCM research has recognized for a long time that enhanced collaboration can reduce costs and increase service levels, but this is prevented by the lack of trust. Modern cryptographic techniques can help protect data against unauthorized disclosure and modification, lowering the hurdle for adoption. We examine applications in item-level tracking using radio frequency identification (RFID). Goods are equipped with uniquely identifiable RFID tags which are read by the companies throughout the supply chain, and the readings are stored in each company's local database. Supply chain partners may later access data at their partners, but need to authenticate. Storing a shared password on the tag is clearly insecure, since it may be accessed by a rogue reader or untraceably leaked by an insider. We present an advanced construction. In some cases companies are reluctant to share data in their databases even with their partners. Then stronger security mechanisms are needed, in which case one must carefully balance security, performance and functionality.

Bio: Florian is a senior researcher and project lead at SAP Research Karlsruhe. His research is concerned with security for collaborative business applications with minimal trust assumptions about the business partner's behaviour. His approach is interdisciplinary in nature between business administration, computer science and economics, and his methodology ranges from theoretical analysis to practical experimentation. In his Ph.D. he designed and built a privacy-preserving benchmarking platform. Afterwards he became coordinator of the EU-funded collaborative research project SecureSCM. He also holds a teaching appointment at the Baden-Württemberg Cooperative State University Mannheim.

Implementing MQ cryptosystems - Problems and Challenges

Martin Novotný

Multivariate Quadratic (MQ) cryptosystems represent a novel scheme for public key cryptography. Upon request from Rupp, Eisenbarth and Wolf, we have implemented their proposal for an MQ cryptosystem presented at CHES 2008 (Andrey Bogdanov, Thomas Eisenbarth, Andy Rupp, Christopher Wolf: "Time-Area Optimized Public-Key Engines: MQ-Cryptosystems as Replacement for Elliptic Curves?"). We focused mainly on the Unbalanced Oil and Vinegar (UOV) scheme. In our presentation we discuss design choices for the basic building blocks of the system and present the implementation results, as well as the challenges and problems we faced. We also discuss possible improvements of the system. The presence of the authors would be valuable, and brainstorming is highly welcome.

On Technical Security Issues in Cloud Computing

Meiko Jensen

The Cloud Computing concept offers dynamically scalable resources provisioned as a service over the Internet. Economic benefits are the main driver for the Cloud, since it promises a reduction of capital expenditure (CapEx) and operational expenditure (OpEx). For this to become reality, however, some challenges still have to be solved. Among these are security and trust issues, since the user's data has to be released to the Cloud and thus leaves the protection sphere of the data owner. Most of the discussion on these topics is driven mainly by arguments related to organisational means. This talk focuses on technical security issues arising from the usage of Cloud services, and especially from the underlying technologies used to build these cross-domain, Internet-connected collaborations.

Side-Channel Resistant Crypto for less than 2,300 GE

Axel Poschmann

A provably secure countermeasure against first order side-channel attacks has been proposed by Nikova et al. in 2006. We have implemented the lightweight block cipher PRESENT using the proposed countermeasure. For this purpose we had to decompose the S-box used in PRESENT and split it into three shares that fulfill the properties of the scheme presented by Nikova et al. in 2008. Our experimental results on real-world power traces show that this countermeasure provides additional security. Post-synthesis figures for an ASIC implementation require only 2,300 GE, which makes this implementation suitable for low-cost passive RFID-tags.

Kernel-level Antirootkit for Linux, eToken Smart-Cards in Banking and eCommerce, The BIND Birthday Attack, Splitting variables for machine byte code

  1. Sergey Cherementsev: Kernel-level Antirootkit for Linux

Nowadays there are no antirootkits that are able to resist kernel-level rootkits in Linux effectively. I am proposing an antirootkit characterized by the following features: 1) kernel service information integrity control; 2) kernel image control on hard disk; 3) executable kernel code integrity control in RAM; and 4) executable kernel code analysis (searching for branches out of the kernel). The first two points can be implemented easily, so the presentation will focus on the latter two.

  2. Alexander Vernigora: eToken Smart-Cards in Banking and eCommerce

This presentation summarizes my diploma project, which is devoted to smart-cards, particularly the eToken smart-cards of the company Aladdin, in banking and eCommerce. My goal is to develop a client-server system for eCommerce in which eToken smart-cards perform the majority of the protection and cryptographic functions and provide reliability. I will show how it works and discuss its advantages.

  3. Ekaterina Shchetkina, Oxana Bulynina: The BIND Birthday Attack

To perform this attack, one needs to send a sufficient number of queries to a vulnerable nameserver while sending an equal number of phony replies at the same time. Because the flaw in the BIND software generates multiple queries for the same domain name at the same time, one gets statistically improved odds of hitting the exact transaction ID. This is the classic "Birthday Attack", which is derived from the "Birthday Paradox". Our presentation also includes an explanation of the Birthday Paradox, its application to weak hash functions, and attacks based on the paradox.
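The arithmetic behind the "statistically improved odds", as an added illustration that is not part of the presentation: the plain birthday paradox (also the collision bound for an n-bit hash), and the two spoofing scenarios the abstract contrasts, a single outstanding query versus many concurrent queries for the same name. The 16-bit transaction ID space and the function names are my assumptions for the illustration; the formulas are the standard ones.

```python
# Added illustration (not part of the presentation): the probabilities behind
# the birthday argument, for a 16-bit DNS transaction ID space (my assumption
# of the relevant parameter; the formulas are the standard ones).


def birthday_collision_probability(samples, space):
    """Birthday paradox: probability that at least two of `samples` values
    drawn uniformly and independently from a set of size `space` coincide.
    With `space` = 2**n this is the chance of a collision among `samples`
    outputs of an ideal n-bit hash function."""
    if samples > space:
        return 1.0
    p_all_distinct = 1.0
    for i in range(samples):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def samples_for_half_chance(space):
    """Smallest number of samples for which a collision is at least 50%
    likely; grows only like sqrt(space), which is why an n-bit digest offers
    roughly n/2 bits of collision resistance."""
    p_all_distinct, n = 1.0, 0
    while p_all_distinct > 0.5:
        p_all_distinct *= (space - n) / space
        n += 1
    return n


def single_query_match_probability(replies, id_space=1 << 16):
    """One outstanding query with a random ID and `replies` forged answers,
    each carrying a different guessed ID: chance that one guess is right.
    Grows only linearly in the number of forged replies."""
    return min(replies, id_space) / id_space


def multi_query_match_probability(queries, replies, id_space=1 << 16):
    """`queries` outstanding queries for the same name, each with its own
    independent random ID (the behaviour the abstract attributes to the
    flawed BIND versions), and `replies` forged answers with distinct IDs:
    chance that at least one outstanding ID is among the forged ones."""
    miss_per_query = 1.0 - min(replies, id_space) / id_space
    return 1.0 - miss_per_query ** queries


if __name__ == "__main__":
    print("23 people, 365 days  :", round(birthday_collision_probability(23, 365), 4))
    print("50% for 16-bit IDs at:", samples_for_half_chance(1 << 16), "samples")
    for n in (100, 300, 700):
        print(f"{n:4d} forged replies: single query {single_query_match_probability(n):.4f}, "
              f"{n} concurrent queries {multi_query_match_probability(n, n):.4f}")
```

The two columns printed at the end are the whole point: against one outstanding query, a few hundred forged replies give the attacker about a 1% chance; against a few hundred concurrent queries for the same name with independent IDs, the same number of packets brings the chance close to certainty. A resolver that never has two queries for the same name in flight at once, or that randomises more than the 16-bit ID, stays on the first curve, which is the behaviour a defender wants to verify.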

  4. Anton Rechkov: Splitting variables for machine byte code

In modern obfuscators one can often find methods such as dead code, loop transformations and conversion of static to procedural data, but I have not encountered variable splitting in public sources. I would like to present my solutions for this method.