Fortgeschrittene IT-Sicherheit - WS 2004/05

18.483		Oberseminar: Fortgeschrittene IT-Sicherheit
Organisers:		Dieter Gollmann (TU), Joachim Posegga
Time:		Montag 18-20 (2 SWS) 1st session: 25.10.2004 - 18:15
Location:		Main Campus - ESA  M Edmund-Siemers-Allee 1, 20146 Hamburg

Driving Directions & Room description

Announcements

Schedule of Talks

Abstracts of scheduled Talks

Date: 01.11.2004

Title: "Locator-Identifier Split and Middlebox Traversal"

Speaker: Aarthi Nagarajan

Abstract

Classic Internet Protocols use a single source IP address and a single destination IP address, as part of the identification for an individual data flow. This dual use of IP addresses, although originally intended, nowadays limits the flexibility with regard to multiaddressing. Some researchers try to combine mobility and security by adding an additional layer between the network and the transport layers.

The Host Identity Protocol or HIP is being developed by the IETF HIP working group. It is a Locator-Identifier separation mechanism that operates between the transport layer and the network layer. The presentation to the transport layer uses the Host Identity Tags (HIT - a hash of a public key) in place of IP addresses, while the presentation to the internet layer uses conventional IP addresses. This talk is about the Host Identity Protocol as a typical Locator-Identifier split solution to the multiaddressing problem, its security features and its compatibility issues with today's middlebox loaded internet.

Presentation slides 

Date: 08.11.2004

Title: "Trust and Security Management @ SAP Research, KA"

Project: TrustCoM: Trust and Contract Management for Virtual Organizations

Speaker 1: Haller, Jochen, SAP Research, Karlsruhe Germany

Abstract

TrustCoM (http://www.eu-trustcom.com), a European Union funded research project, intends to meet security, trust and contract management requirements for Virtual Organisations (VOs). A VO is a temporary or permanent coalition of geographically dispersed individuals, groups, organisational units or entire organisations that pool resources, capabilities and information to achieve common business objectives. The business initiative is typically supported by integrating the electronic information systems of these diverse organizations, such that many issues regarding trust and security of electronic data in storage and transit arise. Furthermore, the benefits of face-to-face transactions and contract negotiation are traded-off for the advantages of operational flexibility and efficiency. Nowadays, most of these objectives are achieved by relying on Business Processes, managing interactions from business interactions to resources and services. The speaker will first provide an overview of the TrustCoM project followed by a more focused presentation about more innovative and advanced topics in Trust Management and Security, emerging from the project.

Presentation slides 

Speaker 2: Robinson, Philip, SAP Research and TECO, University of Karlsruhe, Germany

Abstract

Information technology and networks facilitating many VO scenarios have been labeled as "pervasive and ubiquitous computing". Pervasive and ubiquitous computing refers to the accessibility, flexibility and availability of computing due to advanced networking, mobility of devices, situation awareness and user interfaces. One of the application scenarios in TrustCoM, which builds on these technical capabilities, describes spontaneous service aggregation as a means of responding to a service request that cannot be effectively handled by a single service provider. The speaker will first discuss some of the security and trust issues related to pervasive and ubiquitous computing, followed by a proposed approach to how these capabilities and service aggregation may in fact be used to enhance our everyday security.

Presentation slides 

Date: 15.11.2004

Title: "Securing IP Telephony: Secure SipFon"

Speaker: Hannah Lee

Abstract

In this "Studienarbeit", I have evaluated the current security mechanisms suggested to protect Voice over IP based on Session Initiation Protocol (SIP). Comparing advantages and disadvantages of the existing mechanisms proposed, I have derived yet another mechanism and developed it. As a generic, stand-alone encryption proxy, placed between any SIP user agent and a SIP proxy server, it provides end-to-end confidentiality of the voice traffic between the calling parties.

Date: 22.11.2004

Title: "Owner Controled Trusted Infrastructures"

Speaker: Rüdiger Weis

Curriculum Vitae

Rüdiger Weis obtained a diploma in Mathematics and a PhD in Computer Science at the University of Mannheim. At the moment he works as researcher in the group of Andy Tanenbaum at the Vrije Universiteit Amsterdam and as chief cryptographer of cryptolabs Amsterdam. His resarch mainly covers cryptography, computer security, operation systems and wireless networks. Ruediger is also a long-time member of the Chaos Computer Club.

Abstract

The Trusted Computing Group and Microsoft are working on the biggest change of the information landscape since decades. Besides positive features like a more secure hardware storage for cryptographic keys, an analysis of the proposed standards shows some problematic properties. One of main problems is that the computer owner is seen as an adversary, who no longer should have the full control over their own computers anymore. Additionally, the market domination of Microsoft, obscurities regarding the needed trust infrastructure and a heap of patents have lead to critical evaluations from cryptographers, privacy organizations and European institutions. Because of this pressure the Trusted Computing Group has modified its proposal. We discuss the recent specification TCG 1.2. We also consider the usage of some of the hardware features of a 'cleaned' TPM chip to establish a owner controled trusted infrastructure.

Presentation slides 

Date: 29.11.2004

Title: "Intellectual Foundations of Smart Card Services"

Speaker: Bertrand du Castel (Axalto)

Curriculum Vitae

Based in Austin, Texas, USA, Bertrand du Castel heads Research for Axalto Smart Cards. He is also Chairman of the Technical Committee of the Java Card Forum and of the New Card Generation consortium, and he is President of the WLAN Smart Card consortium. Bertrand holds a PhD in Computer Science from the University of Paris and an Engineer Diploma from Ecole Polytechnique, France.

Abstract

Smart cards are now the most prevalent computers in the world. The brain of 1 billion mobile phones, they embed Java, .Net, and POSIX, to bring personal, secure computing to the world population in the most egalitarian spread of advanced technology. They are now answering the challenges of global network convergence in federated architectures.

"Intellectual Foundations of Smart Card Services" illustrate how smart cards are evolving from representing the digital identity of people to now fulfill their very aspirations in the world of computers. In the new era of web services, smart cards provide the personal link that brings the human brain inside the network in a constructive explosion reminiscent of the building of intricate societies in the past millennia.

Presentation slides 

Date: 06.12.2004

Title 1: "Privacy Protection in Ubiquitous Computing"

Speaker 1: Alf Zugenmaier (Microsoft Research - Cambridge)

Curriculum Vitae

Alf Zugenmaier received a diploma in physics in 1997 from Freiburg University. He then worked as a consultant with Unisys before returning to University of Freiburg in 1998 to pursue a PhD in computer science which he received in 2003 for his thesis on "Anonymity for Users of Mobile Devices". Since 2003 he is post doctoral researcher at Microsoft Research in Cambridge, UK, working on systems security and privacy.

Abstract

Ubiquitous computing envisions a world in which our lives are enhanced by electronic gadgets. One of the issues that is always raised in this context is that of privacy. However, the notion of privacy incorporates a number of different concepts: right to be left alone, right to receive no spam, confidentiality, anonymity, misuse of data, etc. I will show examples of privacy enhancing technologies that can be used to address some of these issues (specifically "anonymity" and "misuse of data") in the context of ubiquitous computing. I present a proposal for a taxonomy showing the scope of possibilities for privacy enhancing technologies.

Title 2: Studienarbeit, mid-talk

Speaker 2: Harald Sauff

Abstract

The aim is to set up a teaching network environment for testing and researching network security issues. To protect the university network from any malicious activities on the teaching network (and to save costs), the whole network with all hosts, routers and subnets is set up as virtual machines, communicating over virtual network devices and virtual switches/hubs, integrated in a single host computer. After verifying the feasibility of this project on an actual system, I now want to present in the mid-talk of my Studienarbeit the results I got so far.

Furthermore, I'm hoping to get helpful suggestions for additional use cases to be established and for the infrastructure of the network to be more versatile and more useful for demonstrating a variety of networking issues.

Presentation slides 

Date: 13.12.2004

Title: "Security Challenges in VoIP Session Establishment"

Speaker: Jan Seedorf

Abstract

Voice over IP (VoIP) is promising a silver bullet for future voice services. There are several technical aspects which make the technology attractive, it is in particular believed to reduce operating costs and increase flexibility by converging networks.

The presentation offers a technical analysis of the security aspects of VoIP; the major differences and implications of VoIP in contrast to circuit-switched voice as it is deployed today by network operators will be discussed. The presentation will, in particular, concentrate on the "signaling" part of VoIP, and focus on the Session Initiation Protocol (SIP). The analysis largely addresses consumer scenarios, rather than VoIP deployment by/for business customers.

Presentation slides 

Date: 10.01.2005

Title: "Car Access and Immobilizers (including Demo)"

Speaker: Thomas Giesler, Philips

Curriculum Vitae

• Study of Electronic Engineering at the Technical University Karlsruhe with focus on digital systems
• Diploma work within the fields electrostatic actuators, electrostatic field theory and micro system technology
• PHD work at the Fraunhofer Institute for Biomedical Engineering in the area of chemical sensors based on Flexural Plate Wave microsystems
• Scientist at the above mentioned institute working on micromechanic systems to interface nerve signals as well as the wireless energy and data transfer through the human skin
• 1995-1999 working in the Philips Semiconductors System Laboratory Hamburg within the field of immobilizer systems
• 2000 till now: building up and managing the Hamburg Customer Application Support group of the Business Line Identification

Abstract

Due to a significant increase of car theft, Philips Semiconductors developed transponder based immobilizer systems in the early 90s. Soon after, the insurance companies enforced the implementation of these immobilizer systems into all new licensed cars. By this, transponders became a real success story for Philips. Since 1995, Philips delivered 250 million transponders into automotive applications. However, transponders are also widely spread within access control, animal identification, tagging and many other industrial applications. Electronic passports and visa are the latest examples of RFID technology.

In the first part of this seminar, the technical background of RFID transponder systems, e.g. the inductive energy and data transmission, will be explained. Also cryptologic aspects will be covered as the first generation read only systems are replaced by crypo-transponders which make attacks extremely difficult.

The second core topic covering the so called Remote Keyless Entry systems, wich is a good example for combining security and convenience in car access systems on one chip.

The latest, most modern and convenient car access systems will be presented in the third part of the seminar: Passive Entry / Passive Go. They allow the user to enter the car by just pulling the door handle and start it by pressing a simple button. No key or remote control unit has to be touched any more.

Last but not least, Body Area Networks / Intra Body Communication will be strived briefly. This is a related technique based on electic fields and capacitive communication instead of an inductive link. It allows to exchange data by just shaking hands or touching a device as well as communication of electronic devices via the human body. Supported by our group, Philips research currently investigates applications in the medical patient identification.

During the seminar, all systems (Immobilizer, Remote Keyless Entry and Passive Entry/Go) will be shown in practical presentations based on our reference designs.

Date: 17.01.2005

Title: "Analyzing smart card processor memory management security using Interacting State Machines"

Speaker: Volkmar Lotz, SAP Research, Sophia Antipolis, France

Curriculum vitae

Abstract

The Infineon SLE 88 is a smart card processor that offers strong protection mechanisms. One of them is a memory management system, typically used for sandboxing application programs dynamically loaded on the chip. High-level (Common Criteria EAL5+) evaluation of the chip requires a formal security model. We formally model the memory management system as an Interacting State Machine and prove, using Isabelle/HOL, that the associated security requirements are met. We demonstrate that our approach enables an adequate level of abstraction, which results in an efficient analysis, and points out potential pitfalls like non-injective address translation.

Presentation slides 

Date: 24.01.2005

Title: "Security policies - specification, enforcement and applications"

Speakers: Christian Schaefer and Dr. Thomas Walter

Abstract

Security policies state, especially in business, how one plans to protect his or her physical and information technology assets. Policies are a well-developed means to define the applicable security constraints and security requirements. In particular, security policies are used by corporations in a framework together with security mechanisms to enforce the stated security goals.

In this presentation we briefly discuss the foundation of security policies, their specification and enforcement. We then concentrate on the results of a recently concluded research project that looked into security policies for collaborative environments. We present details on the enforcement of policies in such an environment. Lastly, we introduce the idea of secure session transfer which takes advantage of previously presented results.

Presentation slides 

Date: 31.01.2005

Title: "XML-enabled security concepts for Computer Security Incident Response Teams"

Speakers: Karsten Behrens

Abstract

The speech explains the basics of XML and related technologies, focussing on XML signature and XML encryption. These two standards are then applied to the common Security Advisory format developed by the EISPP group.

Presentation slides 

Most Presentations are made available for download in PDF format, to view them you need the Acrobat Reader version 5 or higher.