Course: Bachelor Seminar on Network and Data Security (Netz- und Datensicherheit)

Number:
143241
Type of course:
Seminar
Media:
computer-based presentation
Responsible:
Prof. Dr. Jörg Schwenk
Lecturers:
Prof. Dr. Jörg Schwenk (ETIT), M. Sc. Martin Grothe (ETIT), M. Sc. Sebastian Lauer (ETIT)
Language:
German
SWS (weekly contact hours):
3
Credit points (LP):
3
Offered in:
winter semester and summer semester

Dates in the winter semester

  • Preliminary meeting: Tuesday, 09.10.2018, from 14:15 in ID 04/413
  • Seminar on Tuesdays: 14:15 to 16:45 in ID 04/413

Dates in the summer semester

  • Start: Tuesday, 10.04.2018, from 15:00 in ID 03/471
  • Seminar on Tuesdays: 15:00 to 16:45 in ID 03/471

Examination

Type of examination: seminar contribution
Exam registration: directly with the lecturer
Date: none
during the semester (course-accompanying)

Objectives

Participants are able to find, obtain, understand and evaluate technical and scientific literature.

Content

Selected topics in IT security related to network and data security are worked out independently by the students. Where possible, topics are chosen in line with an elective course running at the same time, in order to exploit didactic synergies.

Prerequisites

none

Recommended prior knowledge

Basic knowledge of cryptography

Materials

Slides:

Sample solutions:

Other

This course is offered as a block.

Preliminary dates/milestones

  • Preliminary meeting and assignment of topics: 09.10.18, 14:15
  • Application with an exposé: 26.10.18
  • Acceptance notification: 31.10.18
  • Submission deadline for a preliminary version of the written report: 11.01.19
  • Presentation dates will be set via a Doodle poll
  • Submission deadline for the final version of the written report: 01.02.19

Note: No certificates of participation or achievement are issued. Results are reported directly to the examination office.

Questions (general): Sebastian Lauer (vorname.nachname[at]rub.de)

For questions about your topic, please contact your supervisor directly.

Written reports: examples: http://nds.rub.de/teaching/BestStudentPaperAward/ template: http://nds.rub.de/teaching/theses/seminar/

Remarks:

The goal of the seminar is the presentation of a scientific publication. For this purpose, already published articles are offered for selection.

Seminar participants are expected to work through the publication in an understandable way within the seminar and to introduce any required background briefly and precisely.

Before a preselected seminar topic is assigned, every candidate for that topic must submit a two-page exposé to the respective supervisor. Based on the exposés, the supervisor selects the candidate who will work on the topic.

The written report should be about 15 pages long; exceptions or deviations must be agreed with the respective supervisor. A preliminary version of the written report must be delivered to the supervisor before the presentation date. The supervisor corrects this version once; the corrections must be incorporated into the final version of the report.

A seminar talk usually takes 20-30 minutes, including a subsequent question-and-answer session. Slide design and presentation language (German or English) are free to choose. Please submit your report and presentation in PDF format. Supervisors may ask questions and make corrections during the talk if something needs to be improved or clarified.

Attendance requirement: At the end of the semester, the talks are held in a single block session (NO WEEKLY SESSIONS!). Attendance at this session is mandatory.

free TBA

Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange

Tight security is increasingly gaining importance in real-world cryptography, as it allows to choose cryptographic parameters in a way that is supported by a security proof, without the need to sacrifice efficiency by compensating the security loss of a reduction with larger parameters. However, for many important cryptographic primitives, including digital signatures and authenticated key exchange (AKE), we are still lacking constructions that are suitable for real-world deployment. We construct the first truly practical signature scheme with tight security in a real-world multi-user setting with adaptive corruptions. The scheme is based on a new way of applying the Fiat-Shamir approach to construct tightly-secure signatures from certain identification schemes. Then we use this scheme as a building block to construct the first practical AKE protocol with tight security. It allows the establishment of a key within 1 RTT in a practical client-server setting, provides forward security, is simple and easy to implement, and thus very suitable for practical deployment. It is essentially the "signed Diffie-Hellman" protocol, but with an additional message, which is crucial to achieve tight security. This additional message is used to overcome a technical difficulty in constructing tightly-secure AKE protocols. For a theoretically-sound choice of parameters and a moderate number of users and sessions, our protocol has comparable computational efficiency to the simple signed Diffie-Hellman protocol with EC-DSA, while for large-scale settings our protocol has even better computational performance, at moderately increased communication complexity.

https://eprint.iacr.org/2018/543

Lauer
free TBA

Social Engineering Attacks on Government Opponents: Target Perspectives

New methods of dissident surveillance employed by repressive nation-states increasingly involve socially engineering targets into unwitting cooperation (e.g., by convincing them to open a malicious attachment or link). While a fair amount is understood about the nature of these threat actors and the types of tools they use, there is comparatively little understood about targets' perceptions of the risks associated with their online activity, and their security posture. We conducted in-depth interviews of 30 potential targets of Middle Eastern and Horn of Africa-based governments, also examining settings and software on their computers and phones. Our engagement illuminates the ways that likely targets are vulnerable to the types of social engineering employed by nation-states.

https://petsymposium.org/2017/papers/issue2/paper51-2017-2-source.pdf

Lauer
free TBA

Turtles, Locks, and Bathrooms: Understanding Mental Models of Privacy Through Illustration

Are the many formal definitions and frameworks of privacy consistent with a layperson's understanding of privacy? We explored this question and identified mental models and metaphors of privacy, conceptual tools that can be used to improve privacy tools, communication, and design for everyday users. Our investigation focused on a qualitative analysis of 366 drawings of privacy from laypeople, privacy experts, children, and adults. Illustrators all responded to the prompt "What does privacy mean to you?" We coded each image for content, identifying themes from established privacy frameworks and defining the visual and conceptual metaphors illustrators used to model privacy. We found that many non-expert drawings illustrated a strong divide between public and private physical spaces, while experts were more likely to draw nuanced data privacy spaces. Young children's drawings focused on bedrooms, bathrooms, or cheating on schoolwork, and seldom addressed data privacy. The metaphors, themes, and symbols identified by these findings can be used for improving privacy communication, education, and design by inspiring and informing visual and conceptual strategies for reaching laypeople.

https://petsymposium.org/2018/files/papers/issue4/popets-2018-0029.pdf

Lauer
free TBA

The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli

We report on our discovery of an algorithmic flaw in the construction of primes for RSA key generation in a widely-used library of a major manufacturer of cryptographic hardware. The primes generated by the library suffer from a significant loss of entropy. We propose a practical factorization method for various key lengths including 1024 and 2048 bits. Our method requires no additional information except for the value of the public modulus and does not depend on a weak or a faulty random number generator. We devised an extension of Coppersmith's factorization attack utilizing an alternative form of the primes in question. The library in question is found in NIST FIPS 140-2 and CC EAL 5+ certified devices used for a wide range of real-world applications, including identity cards, passports, Trusted Platform Modules, PGP and tokens for authentication or software signing. As the relevant library code was introduced in 2012 at the latest (and probably earlier), the impacted devices are now widespread. Tens of thousands of such keys were directly identified, many with significant impacts, especially for electronic identity documents, software signing, Trusted Computing and PGP. We estimate the number of affected devices to be in the order of at least tens of millions. The worst cases for the factorization of 1024 and 2048-bit keys are less than 3 CPU-months and 100 CPU-years on a single core of common recent CPUs, respectively, while the expected time is half of that of the worst case. The attack can be parallelized on multiple CPUs. Worse still, all susceptible keys contain a strong fingerprint that is verifiable in microseconds on an ordinary laptop -- meaning that all vulnerable keys can be quickly identified, even in very large datasets.

https://acmccs.github.io/papers/p1631-nemecA.pdf

Grothe
free TBA

On the (in)security of IPsec in MAC-then-encrypt configurations

IPsec allows a huge amount of flexibility in the ways in which its component cryptographic mechanisms can be combined to build a secure communications service. This may be good for supporting different security requirements but is potentially bad for security. We demonstrate the reality of this by describing efficient, plaintext-recovering attacks against all configurations of IPsec in which integrity protection is applied prior to encryption -- so-called MAC-then-encrypt configurations. We report on the implementation of our attacks against a specific IPsec implementation, and reflect on the implications of our attacks for real-world IPsec deployments as well as for theoretical cryptography.

http://www.isg.rhul.ac.uk/~kp/CCSIPsecfinal.pdf

Grothe
free TBA

Measuring small subgroup attacks against Diffie-Hellman

Several recent standards, including NIST SP 800-56A and RFC 5114, advocate the use of DSA parameters for Diffie-Hellman key exchange. While it is possible to use such parameters securely, additional validation checks are necessary to prevent well-known and potentially devastating attacks. In this paper, we observe that many Diffie-Hellman implementations do not properly validate key exchange inputs. Combined with other protocol properties and implementation choices, this can radically decrease security. We measure the prevalence of these parameter choices in the wild for HTTPS, POP3S, SMTP with STARTTLS, SSH, IKEv1, and IKEv2, finding millions of hosts using DSA and other non-safe primes for Diffie-Hellman key exchange, many of them in combination with potentially vulnerable behaviors. We examine over 20 open-source cryptographic libraries and applications and observe that until January 2016, not a single one validated subgroup orders by default. We found feasible full or partial key recovery vulnerabilities in OpenSSL, the Exim mail server, the Unbound DNS client, and Amazon's load balancer, as well as susceptibility to weaker attacks in many other applications.

https://bit.ly/2QyduSj

Grothe
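The "validation checks" the abstract above refers to are the public-value checks that NIST SP 800-56A prescribes for DSA-style groups: the received value must lie strictly between 1 and p-1, and raising it to the subgroup order q must give 1. The following is an added example written for this page, not code from the paper or from any of the libraries it names. The group (p = 607, q = 101, generator 64) is a constructed toy group chosen so that p-1 = 2 * 3 * 101 has small factors; it exists only to make the checks visible, and the helper `element_of_order` is a hypothetical test aid rather than anything a real peer would send.

```python
"""Subgroup-order validation of Diffie-Hellman public values (added example).

Implements the two checks from NIST SP 800-56A for a DSA-style (non-safe-prime)
group. Group parameters below are constructed toy values; real deployments use
2048-bit or larger groups and a library-provided validation routine.
"""

# Constructed toy group: p = 607 is prime and p - 1 = 2 * 3 * 101, so the
# intended subgroup has prime order q = 101 while Z_p^* also contains
# subgroups of order 2, 3 and 6. A value from one of those small subgroups
# passes the range check alone, which is why the order check is needed.
P = 607
Q = 101
G = pow(2, (P - 1) // Q, P)  # 2^6 = 64, an element of order q


def validate_public_value(y: int, p: int, q: int) -> bool:
    """Full public-key validation for a received Diffie-Hellman value y.

    Returns True only if y lies in the prime-order-q subgroup. The range
    check rejects 0, 1 and p-1 (orders 1 and 2); the exponentiation rejects
    every remaining element that is outside the order-q subgroup.
    """
    if not (1 < y < p - 1):
        return False
    return pow(y, q, p) == 1


def element_of_order(r: int, p: int) -> int:
    """Return an element of Z_p^* with multiplicative order exactly r.

    r must be a prime divisor of p - 1. Hypothetical helper used only to
    construct the kind of small-subgroup input a validating peer must reject.
    """
    assert (p - 1) % r == 0
    for h in range(2, p):
        candidate = pow(h, (p - 1) // r, p)
        if candidate != 1:      # candidate^r == 1 and r prime => order is r
            return candidate
    raise ValueError("no element of that order found")


def shared_secret(y_peer: int, x_own: int, p: int, q: int) -> int:
    """Derive the DH shared secret, refusing unvalidated peer values."""
    if not validate_public_value(y_peer, p, q):
        raise ValueError("peer public value is not in the prime-order subgroup")
    return pow(y_peer, x_own, p)


def demo() -> dict:
    """Run an honest exchange and check that small-subgroup values are rejected."""
    x_alice, x_bob = 17, 45                   # constructed private exponents
    y_alice = pow(G, x_alice, P)
    y_bob = pow(G, x_bob, P)
    honest = shared_secret(y_bob, x_alice, P, Q) == shared_secret(y_alice, x_bob, P, Q)
    bad3 = element_of_order(3, P)             # lies in the order-3 subgroup
    return {
        "honest_exchange_agrees": honest,
        "order_3_value_rejected": not validate_public_value(bad3, P, Q),
        "p_minus_1_rejected": not validate_public_value(P - 1, P, Q),
        "range_check_alone_misses_order_3": 1 < bad3 < P - 1,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last entry of `demo()` is the point of the abstract: a value of order 3 is a perfectly ordinary-looking integer in the range (1, p-1), so an implementation that only range-checks accepts it, and the resulting shared secret can take only three values. With a safe prime (p = 2q + 1) the range check already excludes the only small-order elements (1 and p-1), which is why the order check is specifically required for DSA-style parameters.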
free TBA

TEETHER: Gnawing at Ethereum to Automatically Exploit Smart Contracts

Cryptocurrencies like Bitcoin not only provide a decentralized currency, but also provide a programmatic way to process transactions. Ethereum, the second largest cryptocurrency next to Bitcoin, is the first to provide a Turing-complete language to specify transaction processing, thereby enabling so-called smart contracts. This provides an opportune setting for attackers, as security vulnerabilities are tightly intertwined with financial gain. In this paper, we consider the problem of automatic vulnerability identification and exploit generation for smart contracts. We develop a generic definition of vulnerable contracts and use this to build teEther, a tool that allows creating an exploit for a contract given only its binary bytecode. We perform a large-scale analysis of all 38,757 unique Ethereum contracts, 815 out of which our tool finds working exploits for—completely automated.

https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-krupp.pdf

Grothe
free TBA

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, we present Logjam, a novel flaw in TLS that lets a man-in-the-middle downgrade connections to "export-grade" Diffie-Hellman. To carry out this attack, we implement the number field sieve discrete log algorithm. After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logs in that group in about a minute. We find that 82% of vulnerable servers use a single 512-bit group, allowing us to compromise connections to 7% of Alexa Top Million HTTPS sites. In response, major browsers are being changed to reject short groups. We go on to consider Diffie-Hellman with 768- and 1024-bit groups. We estimate that even in the 1024-bit case, the computations are plausible given nation-state resources. A small number of fixed or standardized groups are used by millions of servers; performing precomputation for a single 1024-bit group would allow passive eavesdropping on 18% of popular HTTPS sites, and a second group would allow decryption of traffic to 66% of IPsec VPNs and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break. We conclude that moving to stronger key exchange methods should be a priority for the Internet community.

https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf

Grothe