HGI-Kolloquium

Jedes Semester wird das HGI-Kolloquium zu aktuellen Themen der IT-Sicherheit angeboten. Es wird von den Lehrstühlen des Institutes organisiert und ist für alle interessierten Personen offen, externe Gäste sind immer willkommen. Wenn Sie den HGI-Newsletter abonnieren, bekommen Sie die Vortragsankündigungen rechtzeitig per E-Mail.

Das Seminar findet in der Regel donnerstags um 11:00 Uhr im Gebäude ID auf Etage 04 in Raum 653 statt Wegbeschreibung.

Dieses Semester wird das Seminar vom Lehrstuhl für Systemsicherheit organisiert. Untenstehend finden Sie eine ­Liste der geplante­n Termine und Vorträge für das ganze Semester. Falls nicht anders angekündigt, finden alle Vorträge um 11.00 Uhr s.t. statt.

Datum Vortragende Person Zugehörigkeit Titel Raumnummer Beginn
15. November 2012 Dan Bailey EMC Product Security Office Threat Modelling for Secure Manufacturing ID 03/463 11.00 Uhr
29. November 2012 Saqib A. Kakvi RUB Certifying RSA ID 04/653 11.00 Uhr
20. December 2012 Nils Ole Tippenhauer Institute of Information Security, ETH Zurich Physical-Layer Security in Wireless Localization and Ranging ID 04/653 11.00 Uhr
10. January 2013 Christian Becker Ruhr-Universität Bochum Dob­ber­tin Chal­len­ge 2012 Solution ID 04/653 11.00 Uhr
16. January 2013 Christiane Peters Technische Universität Dänemark Algebraic-Geometric codes for Code-based Cryptography NA 02/257 11:00 Uhr
31. January 2013 Pawel Swierczynski Ruhr-University Bochum Security Analysis of the Bitstream Encryption Scheme of Altera FPGAs ID 04/653 11:00 Uhr
21. Februar 2013 André Matuschek SSDeV Lockpicking and mechanical Security ID 04/653 11.00 Uhr
19. März 2013 Christina Brzuska Tel Aviv University Notions of Black-Box Reductions, Revisited ID 04/653 11.00 Uhr

TBA

Inhalte des Vortrags werden bald bekannt gegeben.

Threat Modelling for Secure Manufacturing

Dan Bai­ley

Abstract: In response to 2011's breach of data relating to RSA's SecurID token, the organization undertook a thorough review of the security of its manufacturing operation. This presentation details the process of threat modelling a product or process beyond the crypto and into the supply chain. In addition, this presentation presents lessons learned in conducting this type of review in a real-world product-manufacturing organization. Attendees will learn about threat modelling and some challenges to being an effective security advocate in industry.

Certifying RSA

Saqib A. Kakvi

Abstract: We propose an algorithm that, given an arbitrary $N$ of unknown factorization and prime e >= N^{0.25+epsilon}, certifies whether the RSA function RSA(N,e,x) := x^e mod N defines a permutation over Z_N^* or not. The algorithm uses Coppersmith's method to find small solutions of polynomial equations and runs in time O(epsilon^{-8} log^2 N). Previous certification techniques required e > N. This is joint work with Eike Kiltz and Alexander May.

Physical-Layer Security in Wireless Localization and Ranging

Nils Ole Tippenhauer

Abstract: Localization systems have become increasingly popular in recent years due to the emergence of mobile phones, public GPS, and smartphones. Nowadays, such hand-held devices allow the user to find his position via GSM triangulation, GPS or WLAN-based localization. From a security perspective, most localization protocols are inherently insecure as they use physical-layer characteristics such a message propagation delay, received signal strength, or angle-of-arrival to estimate the location. Such physical-layer characteristics cannot be protected by cryptographic measures only--even if such measures are applied, attackers can influence the localization result by selective forwarding and replay of the signals, or other manipulations. In this talk, Nils presents his recent work on physical-layer security of localization systems and secure distance bounding.

Dob­ber­tin Chal­len­ge 2012 Solution

Abstract: Vorgestellt werden zwei verschiedene Lösungswege für die Dobbertin Challenge 2012, bei welcher es galt einen Webservice anzugreifen und eine geheime Nachricht zu entschlüsseln. Bei diesen Angriffen handelt es sich um Seitenkanalangriffe, auf ein symmetrisches und asymmetrisches Kryptosystem.

Algebraic-Geometric codes for Code-based Cryptography

One objective in code-based cryptography is to replace classical Goppa codes in McEliece's cryptosystem in order to have smaller keys without loosing structural security. This talk investigates algebraic-geometric codes for code-based cryptography. We provide the mathematical background as well as a discussion of possible setups, attacks etc.

Security Analysis of the Bitstream Encryption Scheme of Altera FPGAs

Pawel Swierczynski

Altera provides custom logic solutions and is, besides Xilinx, one of the biggest vendors in their sector. Altera’s Field Programmable Gate Arrays (FPGAs) are SRAM-based devices and thus volatile, which implies that they load their configuration from a configuration device or a flash memory at each new power-up. The FPGA designs are given in the form of a bitstream. In order to protect such a configuration design from being intercepted and thus cloned or modified, a solution called design security is offered. It is a feature based on the Advanced Encryption Standard (AES) encryption, and is available for the low-cost Cyclone III LS FPGAs, for the midrange FPGAs Aria II, and especially for the high-end FPGAs Stratix II, Stratix III, Stratix IV, and Stratix V. The design security is offered in two versions: A non-volatile variant that stores a one-time programmable AES key or a volatile solution based on a backup battery, allowing to re-program the AES key or to erase it. The utilized AES engine is embedded on the FPGA as an additional unit. Its task is to decrypt previously encrypted configuration designs while they are downloaded from an external source. Stratix II and Stratix II GX FPGAs use AES-128, while all other solutions provide AES-256. From a mathematical point of view, algorithms like AES or 3DES are highly secure. However, recently, it was shown that the bitstream encryption feature of several FPGA product lines is susceptible to side-channel attacks that monitor the power consumption of the cryptographic module. In this thesis, we present the first successful side-channel attack on the bitstream encryption of the Altera Stratix II FPGA, which uses the non-volatile solution. For this, we reverse-engineered the details of the proprietary and unpublished Stratix II bitstream encryption scheme (and that of Stratix III) from the Quartus II software. Based on this information, we present how we obtained the full 128-bit AES key of a Stratix II by means of side-channel analysis with 30,000 measurements, which can be acquired in less than three hours. The complete unencrypted configuration bitstream of a Stratix II that is (seemingly) protected by the design security feature can hence fall into the hands of a competitor or criminal — possibly implying system-wide damage if confidential information such as proprietary encryption schemes or keys programmed into the FPGA are extracted. In addition to lost Intellectual Property (IP), reprogramming the attacked FPGA with modified code, for instance, to secretly plant a hardware Trojan, is a particularly dangerous scenario for many security-critical applications. Moreover, we outline a potential problem due to the Initialization Vectors (IVs) that are used in a disadvantageous way by the encryption engine.

Lockpicking and mechanical Security

André Matuschek

Lockpicker sind Menschen mit einer Vorliebe für Feinmechanik die ein Schloss als Herausforderung des Herstellers sehen und nicht als Gebrauchsgegenstand. Lockpicker sind keine Panzerknacker sondern Forscher. Das Wissen um Lockpicking und die mechanische Sicherheit von Schlössern ist wichtig für alle Bereiche bei denen es um Sicherheit geht. Auch für Computersicherheit. Was nützt der Sicherste Server, wenn jeder mit USB-Stick bewaffnet zur Tastatur gehen kann. Der Vortrag soll einen Einblick in die spannende Welt des Lockpickings geben und die wichtigsten Grundlagen eines Angriffs auf ein mechanisches Schloss zeigen.

Notions of Black-Box Reductions, Revisited

Reductions are the common technique to prove security of cryptographic constructions based on a primitive. They take an allegedly successful adversary against the construction and turn it into a successful adversary against the underlying primitive. To a large extent, these reductions are black-box in the sense that they consider the primitive and/or the adversary against the construction only via the input-output behavior, but do not depend on internals like the code of the primitive or of the adversary. Reingold, Trevisan, and Vadhan (TCC, 2004) provided a widely adopted framework, called the RTV framework from hereon, to classify and relate diff erent notions of black-box reductions. Having precise notions for such reductions is very important when it comes to black-box separations, where one shows that black-box reductions cannot exist. An impossibility result, which clearly specifi es the type of reduction it rules out, enables us to identify the potential leverages to bypass the separation. We acknowledge this by extending the RTV framework in several respects using a more fi ne-grained approach. First, we capture a type of reduction -- frequently ruled out by so-called meta-reductions -- which escapes the RTV framework so far. Second, we consider notions that are "almost black-box", i.e., where the reduction receives additional information about the adversary, such as its success probability. Third, we distinguish explicitly between e fficient and ineffi cient primitives and adversaries, allowing us to determine how relativizing reductions in the sense of Impagliazzo and Rudich (STOC, 1989) fit into the picture. This is joint work with Paul Baecher and Marc Fischlin from Darmstadt University of Technology