Funktionen

Submit four topic preferences here.

1) Zero Trust Network Security: Enabling Technologies and Challenges

Traditional network security architecture based on perimeter defense/trust zones appears less effective in modern, highly diverse and distributed networks. A single compromised host or link could render the whole network segment after this architecture insecure. Zero Trust aims to address this shortcoming by removing the implicit placement of trust while demanding its continual evaluation. In this paper, we analyze the tenets of zero trust, provide various deployment use cases and conduct a survey on its enabling technologies and challenges.

• Rose, Scott W., et al. "Zero trust architecture." (2020)
• Kindervag, John. Build security into your network’s DNA: The zero trust network architecture. Forrester Research Inc (2010): 1-26.
• https://www.oreilly.com/library/view/zero-trust-networks/9781491962183/ch01.html
• Yan, Xiangshuai, and Huijuan Wang. "Survey on Zero-Trust Network Security." International Conference on Artificial Intelligence and Security. Springer, Singapore, 2020.

2) Deep Packet Inspection using FPGAs

An advanced technique in network security is Deep Packet Inspection (DPI), which is used to implement Intrusion Detection Systems and firewalls. For that, DPI needs to analyze vast amounts of network data in short periods. FPGAs can provide efficient, yet flexible circuits with direct network connectivity.

• Dharmapurikar, Sarang, et al. "Deep packet inspection using parallel bloom filters." 11th Symposium on High Performance Interconnects, 2003. IEEE, 2003.
• Attig, Michael, and Gordon Brebner. "400 Gb/s programmable packet parsing on a single FPGA." 2011 ACM/IEEE Seventh Symposium on Architectures for Networking and Communications Systems. IEEE, 2011.
• Orosz, Péter, Tamás Tóthfalusi, and Pál Varga. "FPGA-assisted DPI systems: 100 Gbit/s and beyond." IEEE Communications Surveys & Tutorials 21.2 (2018): 2015-2040.

3) Post-Quantum-Crypto on FPGAS

Post quantum cryptography is useful for securing network communication against the possible advent of quantum computers. FPGAs (Field programmable gate arrays) may help to achieve good performance for this often highly expensive branch of cryptography.

• Koziel, Brian, et al. "Post-quantum cryptography on FPGA based on isogenies on elliptic curves." IEEE Transactions on Circuits and Systems I: Regular Papers 64.1 (2016): 86-99.
• Kuo, Po-Chun, et al. "High performance post-quantum key exchange on FPGAs." IACR Cryptology ePrint Archive 690 (2017).SVE2
• Taha, Mostafa, and Thomas Eisenbarth. "Implementation Attacks on Post-Quantum Cryptographic Schemes." IACR Cryptol. ePrint Arch. 2015 (2015): 1083

4) Quo vadis, Post-quantum cryptography?

Research on post-quantum cryptography has been going on for more than a decade. However, most online communication is not yet quantum secure. What is the current status of PQC-research? Is PQC going to be employed soon? What challenges must be overcome to make it work?

• Taha, Mostafa, and Thomas Eisenbarth. "Implementation Attacks on Post-Quantum Cryptographic Schemes." IACR Cryptol. ePrint Arch. 2015 (2015): 1083
• Cho, Joo; Gazdag, Stefan-Lukas; Gernler, Alexander von; Grießer, Helmut; Grundner-Culemann, Sophia; Guggemos, Tobias et al. (2019): Towards Quantum-resistant Virtual Private Networks. In: Marcel Selhorst, Daniel Loebenberger und Michael Nüsken (Hg.): crypto day matters 31. Bonn: Gesellschaft für Informatik e.V. / FG KRYPTO.
• Stefan-Lukas Gazdag, Sophia Grundner-Culemann, Tobias Guggemos, Tobias Heider, and Daniel Loebenberger. 2021. A formal analysis of IKEv2’s post-quantum extension. In Annual Computer Security Applications Conference (ACSAC). Association for Computing Machinery, New York, NY, USA, 91–105.
• Kris Kwiatkowski, Luke Valenta: "The TLS Post-Quantum Experiment" (Cloudflare Blogeintrag von 2019)

5) Why Johnny can't encrypt: Current state of e-mail encryption

The 2005 paper "Johnny can't encrypt" pointed out design flaws in PGP that make it hard to use. 17 years later, e-mail encryption is still not common. What are current insights about usability of message encryption tools and does e-mail encryption have a future?

• Alma Whitten and J. D. Tygar: Why Johnny Can’t Encrypt - A Usability Evaluation of PGP 5.0
• Talk by Scott Ruoti: "Johnny’s Journey Toward Usable Secure E-Mail"
• Ruoti, Scott, and Kent Seamons. "Johnny's journey toward usable secure email." IEEE Security & Privacy 17.6 (2019): 72-76.

6) The Signal messenger

The Signal messenger app has gained a reputation for being especially privacy-friendly. This topic reviews the main security features that Signal has, explaining how they work, what they are supposed to accomplish, and trying to estimate whether they achieve their goal.

• Daniel V. Bailey and Philipp Markert, Ruhr University Bochum, Germany; Adam J. Aviv, The George Washington University: "I have no idea what they're trying to accomplish:" Enthusiastic and Casual Signal Users' Understanding of Signal PINs
• Alwen J., Coretti S., Dodis Y. (2019) The Double Ratchet: Security Notions, Proofs, and Modularization for the Signal Protocol. In: Ishai Y., Rijmen V. (eds) Advances in Cryptology – EUROCRYPT 2019. EUROCRYPT 2019. Lecture Notes in Computer Science, vol 11476. Springer, Cham.

7) Secure Development: Techniques and Benefits

Security often works in theory, but is impeded when programmers make mistakes and the resulting software turns out to be insecure. Are programmers aware of their role in IT security? And what techniques exist to help them do a good job?

• Kelsey R. Fulton and Anna Chan, University of Maryland; Daniel Votipka, Tufts University; Michael Hicks and Michelle L. Mazurek, University of Maryland: Benefits and Drawbacks of Adopting a Secure Programming Language: Rust as a Case Study
• Mohammad Tahaei, University of Edinburgh; Alisa Frik, ICSI and University of California, Berkeley; Kami Vaniea, University of Edinburgh: Deciding on Personalized Ads: Nudging Developers About User Privacy

8) Multi-Party Computation: Techniques and Use cases

Multi party computation allows a group of entities to communicate the result of a joint computation without disclosing each partie's input. This is useful in auctions or salary negotiations, where each individual is interested in keeping their tolerated values private, but the parties have to agree on some final value. What is the current state of the art? Where is MPC used in practice? What are the best techniques and who benefits from them?

• Kazuhiro Gomi, Multi-Party Computation: Private Inputs, Public Outputs (Forbes blog article published October 21, 2021)
• Lecture Slides from Crypt@b-it summer school 2018's speaker Mike Rosulek
• David Evans, Vladimir Kolesnikov and Mike Rosulek: A Pragmatic Introduction to Secure Multi-Party Computation
• Lucy Qin's Talk at Real World Crypto Conference 2019 on: Deploying MPC for Social Good(slides available)

9) HTTPS: Is web browsing becoming more secure?

When trying to access a website that is not secured with https, most users get a warning. What is the mechanism behind https, when (if ever) is it safe to ignore the warning, and has the adoption of https across the web made online experiences more secure?

• Adrienne Porter Felt, Google; Richard Barnes, Cisco; April King, Mozilla; Chris Palmer, Chris Bentzel, and Parisa Tabriz, Google: Measuring HTTPS Adoption on the Web

10) Digital signatures against phishing

Recently, offices were swept by a wave of phishing e-mails where the recipient was made to believe that their supervisor required them to urgently wire large amounts of money to a certain bank account. What measures are currently taken to hinder the success of such attacks? How effective are they? Why do digital signatures seem to play such a minor role here and what would it take to make them more effective, usable and commonplace?

• https://www.heise.de/ct/artikel/Ausgebootet-289538.html
• Benjamin Reinheimer, Lukas Aldag, Peter Mayer, Mattia Mossano, Reyhan Duezguen, Bettina Lofthouse, Tatiana Von Landesberger, and Melanie Volkamer. 2020. An investigation of phishing awareness and education over time: when and how to best remind users. Proceedings of the Sixteenth USENIX Conference on Usable Privacy and Security. USENIX Association, USA, Article 15, 259–284.
• Anjuli Franz, Verena Zimmermann, Gregor Albrecht, Katrin Hartwig, Christian Reuter, Alexander Benlian, and Joachim Vogt. "SoK: Still Plenty of Phish in the Sea — A Taxonomy of User-Oriented Phishing Interventions and Avenues for Future Research", SOUPS 2021, video of talk and paper paper and talk

11) Comparing the German Corona-Warn-App with the digital Covid19 tracing methods of another country

During the Covid19-pandemic, many countries developed a digital tracing method. In Germany, this was the Corona-Warn-App. The goal of this paper is to compare the German solution to that of another country, trying to answer the questions: How is tracing implemented technically? What security goals are achieved? To what extent were privacy goals considered in the development and how did the public respond?

• Maximilian Häring, Eva Gerlitz, Christian Tiefenau, Matthew Smith, Dominik Wermke, Sascha Fahl, Yasemin Acar: Never ever or no matter what: Investigating Adoption Intentions and Misconceptions about the Corona-Warn-App in Germany. SOUPS @ USENIX Security Symposium 2021: 77-98
• Erin Hale: How Taiwan Used Simple Tech to Help Contain COVID-19 (Blog entry Feb 2022)

12) Current use of Identity-based cryptography

Identity-based cryptography (IBC) was introduced in 1985 as an alternative to certificate-based public key cryptography. The idea: By using the identity (e.g., alice@e-mail.de) as a public key, certificate management could be avoided. It was not until the early 2000s however, that first practical schemes were proposed. But even so, the wide-spread adoption of IBC is still waiting to happen. What are the pro's and cons of IBC and why is it so scarcely used? What use cases are there and is there a future in either encryption or digital signatures based on IBC?

• Adi Shamir, Identity-Based Cryptosystems and Signature Schemes. Advances in Cryptology: Proceedings of CRYPTO 84, Lecture Notes in Computer Science, 7:47--53, 1984
• Alexander Würstlein, Wolfgang Schröder-Preikschat. 2019. T-IBE-T: Identity-Based Encryption for Inter-Tile Communication. In 12th European Workshop on Systems Security (EuroSec ’19), March 25–28, 2019, Dresden, Germany. ACM, New York, NY, USA
• Garfinkel, Simson L. "Email-based identification and authentication: An alternative to PKI?." IEEE security & privacy 1.6 (2003): 20-26.

13) The Democracy Live's OmniBallot platform in the context of a global shift to e-voting

In the wake of the 2020 US-american presidential election, three US states moved to allow the online voting tool OmniBallot for certain voters. Shortly after that, researchers published a detailed analysis of the system, pointing out some security and privacy risks and recommending certain measures for using the tool securely. As trust in the results of this election was famously low, we want to survey the current state of secure e-voting: What techniques are there? Which countries have moved to allow e-voting and why are others hesitant to adopt it? What are current benefits and caveats, and should we expect e-voting to become more common in the near- to far-term future?

• Specter, Michael, and J. Alex Halderman. "Security Analysis of the Democracy Live Online Voting System." 30th USENIX Security Symposium (USENIX Security 21). 2021.
• Twitter feed of @jhalderm (the same author as above), June 8th, 2020, outlining their findings

14) Physical Unclonable Functions: Practical Strong PUFs that withstand Machine Learning attacks

Physical Unclonable Functions (PUFs) are physical systems which are disordered at a nanoscale (like a piece of wood) and have a challenge/response-mechanism (like the reflection of light from a certain angle). This challenge-response-mechanism is so difficult to reproduce that it is useful for different cryptographic purposes; so-called Strong PUFs may, for example be used for key establishment or authentication. However, Machine Learning algorithms have managed to learn enough about a certain PUFs to imitate the correct behaviour well. How far along is the development of machine-learning-resilient Strong PUFs?

• Rührmair, Ulrich, and Jan Sölter. "PUF modeling attacks: An introduction and overview." 2014 Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE, 2014.
• Rührmair, Ulrich, et al. "Modeling attacks on physical unclonable functions." Proceedings of the 17th ACM conference on Computer and communications security. 2010.

15) Distributed Identity Management

There are serious concerns about any kind of centralized identity providers as used in many areas of our daily life (e.g. in social logins). In the digital age our personal information is stored on computer systems. Databases store millions of records that are hosted on servers or in data centers which often belong to private companies. This probably sensitive information is stored centrally and is thus often at risk from data theft by hackers. A new paradigm, distributed identity, tries to let user be in direct control of the profile information they share with services. Rather than letting others provide claims towards a service, the users collects claim themselves from various sources and independently provides these when so requested by services. The services can check the validity of these claims against a central verifiable claims registry. Using new technologies like a distributed ledger enables a decentralized approach, which became so popular that even the EU is planning to implement a national identity wallet as a digital identity for citizens. The goal of this paper is to investigate this novel approach in identity management, its use cases and technologies.

• Pöhn, Daniela & Grabatin, Michael & Hommel, Wolfgang. (2021). eID and Self-Sovereign Identity Usage: An Overview. Electronics. 10. 2811. 10.3390/electronics10222811.
• Federal Office for Information Security: A brief guideline on self-sovereign identities
• SELF-SOVEREIGN IDENTITY: The Future of Identity: Self-Sovereignity, Digital Wallets, and Blockchain

16) IT-Security Frameworks Comparison

Using an established it security framework helps an organization to develop their cybersecurity programm in a structured and priotized approach. But which one to choose?! This paper aims to give an overview of existing it security frameworks and compare their application area, scope, focus and consequently their advantages for diffrent target groups. Frameworks to start with:

• The Trusted CI Framework: framework, guide
• CIS Controls, cis-benchmarks
• NIST CyberSecurity Framework

17) Information requests and cybercrime: Law enforcement meets ISP

In the wake of rising cybercrime, law enforcement agencies are increasingly making requests for information from Internet service providers (ISPs). The discussion in the paper should include the legal situation in germany and problems that stand in the way of a stringent, smooth and rapid process. It should also be examined what law enforcement agencies should consider when making requests (including timely and complete requests, encrypted communication) in order to achieve high chances of success with a request. Possible solutions - both for law enforcement agencies and telecommunications companies or ISPs - as well as procedures for efficient cooperation should be aggregated or conceptually developed in this paper.

• https://www.bundesnetzagentur.de/EVD/DE/Fachkreis/Empfehlungen/Empfehlungen-node.htm
• https://www.bundesrat.de/SharedDocs/pm/2021/009.html
• https://www.bundestag.de/dokumente/textarchiv/2021/kw02-de-bestandsdatenauskunft-813760
• https://www.bundesverfassungsgericht.de/SharedDocs/Pressemitteilungen/DE/2020/bvg20-061.html

18) Threat Landscaping

The threat landscape covers the entirety of potential and identified it security reats affecting a particular sector and group of users at a given point in time. The goal of this paper is to give an overview about the current threat landscape for a higher education data center in germany starting from a glimpse at the process of threat landscaping. The top threats should be elaborated with their with their modes of operation, effects and possible detection- and countermeasures.

• https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends
• https://encyclopedia.kaspersky.com/glossary/threat-landscape/

19) Security in SDN

Software Defined Networks (SDN) are a promising paradigm in computer networking and facilitate network policy enforcement by multiple entities through a centralized interface. The concept entails new possibilities for policy enforcement but also new problems. Policies by two applications on multiple nodes in a network can contradict and can result in connection failure or compromised security. Firewall applications are subject to new challenges due to the novel properties of SDN. Objectives:

• Analyze policy conflicts in SDN (General overview with main focus on firewall rule conflicts) local conflicts and specialized conflict environments; distributed conflicts
• Evaluate impact on existing firewall rules for multiple applications and across multiple nodes
• Draft a possible conflict solution

Preliminary work: Lehrstuhl Kommunikationssysteme Experimental Examination of Distributed Conflicts in Software Defined Networks:

• Tran, C. N. ; Danciu, V.: A General Approach to Conflict Detection in Software-Defined Networks. 1 (2020)
• Tran, C. N.: Conflict Detection in Software-Defined Networks, Ludwig-Maximilians-Universität München, Diss., 2022
• Reyes, N., Experimental Examination of Distributed Conflicts in Software Defined Networks, Ludwig-Maximilians-Universität München, Oktober, 2021.

20) Supply Chain Security Risks - Security Aspects of Cloud Services

In recent years, cloud service providers (CSP) have become increasingly popular as central IT suppliers. Due to the decreasing costs, more and more companies are outsourcing their IT services and infrastructure to them. From a security perspective, responsibility is often shifted to the CSP, but this also creates new threats and attack vectors. Supply chain risk management traditionally deals with the risks that arise from working with suppliers. How does this work in the context of CSPs? What security risks does the use of as-a-service offerings pose to companies?

• Pandey, S., Singh, R.K., Gunasekaran, A. and Kaushik, A. (2020), "Cyber security risks in globalized supply chains: conceptual framework", Journal of Global Operations and Strategic Sourcing, Vol. 13 No. 1, pp. 103-128.
• Maßnahmenkatalog Ransomware (german)
• Olusola Akinrolabu, Steve New, Andrew Martin: Cyber Supply Chain Risks in Cloud Computing – Bridging the Risk Assessment Gap

21) Ransomware - organisational aspects in times of BYOD and home offices

Over the last few years, ransomware has become an increasing threat to organizations. Especially in combination with the trend towards working from home and Bring Your Own Device (BYOD), more attack vectors are being added. Why is ransomware so successful as malware? What technical and organizational measures can companies take to protect themselves? This paper is intended to provide an overview of the topic and answer the above questions.

• Richardson, R., North, M. - Ransomware: Evolution, Mitigation and Prevention
• Maigida, A.M., Abdulhamid, S.M., Olalere, M. et al. Systematic literature review and metadata analysis of ransomware attacks and detection mechanisms. J Reliable Intell Environ 5, 67–89
• Maßnahmenkatalog Ransomware (german)

22) Information Security Standards - does ISO 27001 improve security?

An Information Security Management System (ISMS) enables organizations to coordinate their security program. The most popular of these is ISO/IEC 27001, an international standard for setting up an ISMS. This standard also provides a list of controls and control objectives that an organization should implement. Although the adaptation of the standard is increasing and more and more organizations are getting certified, the number of security incidents on a global scale continues to rise. The question is whether the proposed measures are adequate to address the current threats? Take a critical look at the controls defined in ISO/IEC 27001 Annex A. Analyse the most frequent security incidents and threats of the last few years and compare them with the controls. Do they match and are they suitable to prevent the incidents?

• https://ieeexplore.ieee.org/abstract/document/9082865
• Isaca 2017 Implementation guideline ISOIEC27001
• Enisa threat landscape
• 2022 Global Threat Report