Cryptography Lab

Lab in Summer Semester 2018

Course: Lab: Cryptography
Course type: P4 / 4 SWS / 6 CP (ECTS)
Lecturer: Prof. Johannes Buchmann
Start: 1st week of lectures
Prerequisites: Basic knowledge of Java, C/C++ and cryptography

Application:

Fill out the PDF form and send it by e-mail to


Please state your preferred topic (under 'Anmerkungen', i.e. remarks). Team preferences should also be entered in the 'Anmerkungen' field.

Deadline: 20.04.2018.
Notification: 27.04.2018.
Registration: TUCaN
Submission: (end of the 1st week of the last month of the semester)
Cycle:

regular

Supervisor / Topic / Material

# Supervisor Description
1 Dr.-Ing. Moritz Horsch Security Analysis of Password Generators
Passwords are the most widely used authentication scheme for granting access to user accounts at services on the Internet. Secure passwords are essential, because they are the sole barrier protecting the multitude of personal data stored in user accounts. The creation of secure passwords, which resist brute-force, dictionary, and social engineering attacks, is difficult. Users often tend to use passwords that are simple and easy to remember. Therefore, security experts recommend the usage of password generators in order to create secure passwords. But do password generators really create secure passwords? The objective of this task is to analyze common password generators. The analysis consists of the following parts: first, an evaluation of the default password-composition rules of password generators; second, an analysis of the randomness of generated passwords; third, a brute-force attack against generated passwords. The results of the analysis must be well documented.
2 Dr.-Ing. Moritz Horsch Password Generator for KeePass
Passwords are the most widely used authentication scheme for granting access to user accounts at services on the Internet. Secure passwords are essential, because they are the sole barrier protecting the multitude of personal data stored in user accounts. The creation of secure passwords, which resist brute-force, dictionary, and social engineering attacks, is difficult. Users often tend to use passwords that are simple and easy to remember. Therefore, security experts recommend the usage of password generators in order to create secure passwords. However, generated passwords often get rejected by services because they do not comply with the various password requirements of services. They are, for instance, too short, too long, or do not contain a special character. The problem is solved by Password Policy Descriptions (PPD), which describe the password requirements of services in a standardized format. Password generators can process PPDs and adapt their password generation rules. The objective of this task is to extend the existing open-source password manager KeePass with a PPD-based password generator. The extension should use PPDs in order to create secure passwords that comply with the password requirements of services. Users should only enter the URL of a service in order to generate a password for it.
3 Dr.-Ing. Moritz Horsch Password Generator for Android
Passwords are the most widely used authentication scheme for granting access to user accounts at services on the Internet. Secure passwords are essential, because they are the sole barrier protecting the multitude of personal data stored in user accounts. The creation of secure passwords, which resist brute-force, dictionary, and social engineering attacks, is difficult. Users often tend to use passwords that are simple and easy to remember. Therefore, security experts recommend the usage of password generators in order to create secure passwords. However, generated passwords often get rejected by services because they do not comply with the various password requirements of services. They are for instance too short, too long, or do not contain a special character. The problem is solved by Password Policy Descriptions (PPD) which describe the password requirements of services in a standardized format. Password generators can process PPDs and adapt their password generation rules. The objective of this task is to develop a PPD-based password generator for Android. Users should only enter the URL of a service in order to generate a password for it.
4 Dr.-Ing. Moritz Horsch Password Knowledge Database
Passwords have various security issues. First, generating passwords that resist attacks is difficult. User-chosen passwords often include personal and service-related information and have patterns. This enables very efficient guessing attacks. Second, memorizing a multitude of passwords is practically impossible. Therefore, users create passwords that are easy to remember and reuse them across accounts. This bears the risk that an attacker can easily guess the passwords and get access to multiple accounts just by obtaining a single password. Third, regularly changing the passwords of all online accounts is very time consuming. Consequently, users rarely change their passwords, even after security breaches at services or exceptional events like the Heartbleed bug. To solve these issues, a lot of research has been conducted. However, the wealth of research results makes it hard to find out what research already exists. This bears the risk that, for instance, the same research is done again or research is done on assumptions that have already been proven wrong. The objective of this task is to create a knowledge database for passwords. It should consist of a database of publications about passwords as well as a website to browse through the database. Besides common information about the publications like the title, each publication should be categorized into different subareas of password research such as password generation. A tool should be developed that fills the database with existing publications and categorizes the publications automatically. Finally, the knowledge database should be used to provide an overview of the research activities over the last decades (what is the main focus in password research, what is the progress over time, …).
5 Dr.-Ing. Moritz Horsch Password Policy Description Distribution Service
Passwords are the most widely used authentication scheme for granting access to user accounts at services on the Internet. Secure passwords are essential, because they are the sole barrier protecting the multitude of personal data stored in user accounts. The creation of secure passwords, which resist brute-force, dictionary, and social engineering attacks, is difficult. Users often tend to use passwords that are simple and easy to remember. Therefore, security experts recommend the usage of password generators in order to create secure passwords. However, generated passwords often get rejected by services because they do not comply with the various password requirements of services. They are, for instance, too short, too long, or do not contain a special character. The problem is solved by Password Policy Descriptions (PPD), which describe the password requirements of services in a standardized format. Password generators can process PPDs and adapt their password generation rules. The objective of this task is to develop a Password Policy Description Distribution Service (PPDDS) that makes PPDs available to password generators. The PPDDS should consist of two components. First, an API that can be used by password generators to search and receive PPDs. Second, a website that can be used by users to provide feedback on PPDs.
6 Dr.-Ing. Moritz Horsch Universal Adapter for Password Managers
Passwords are the most widely used authentication scheme for granting access to user accounts at services on the Internet. Secure passwords are essential, because they are the sole barrier protecting the multitude of personal data stored in user accounts. Moreover, it is important to change passwords on a regular basis. But this is not possible for users in practice. To solve this problem, we developed a tool that is capable of automatically changing passwords on behalf of users. The objective of this task is to integrate the tool into existing password managers. To support a wide range of password managers, a universal adapter should be developed. First, existing password managers should be analyzed to find a way to access the passwords that they manage. For example, LastPass provides a CLI. Second, a universal adapter should be implemented that enables the tool to access the passwords stored in password managers. The tool should be able to receive a username and password from a password manager so that it is able to change the password. Finally, the tool should store the new password in the password manager.
7 Dr.-Ing. Moritz Horsch Passwordless Password Synchronization
Passwords are the most widely used authentication scheme for granting access to user accounts at services on the Internet. Secure passwords are essential, because they are the sole barrier protecting the multitude of personal data stored in user accounts. But memorizing a multitude of passwords is practically impossible. Therefore, security experts recommend the usage of password managers to store passwords. However, with respect to multiple user devices like smartphones, computers, and tablets, the passwords must be available on all devices. This problem is usually solved by storing the passwords in the cloud, which bears the risk that an attacker gets access to the passwords. The Passwordless Password Synchronization (PALPAS) solves this problem by synchronizing passwords between devices without storing them on servers. The objective of this task is to implement PALPAS.
8 Dr.-Ing. Moritz Horsch A system for risk assessments by using finite-state machines
Risk assessments are most commonly rough estimates of the possibility and impact of a materializing security event. Therefore, approaches usually focus on assembling focus groups and stringent documentation in order to provide traceability of decisions on considered security events, their associated impact on the business, and their probability. While the impact of a security event may be well determined by a group of business function owners, the quality of the probability estimate of an event materializing depends largely on the risk assessor's security competence. The goal is therefore to provide an approach that can assist the probability estimate by using attacker models as finite-state machines and by using a graph database to model these machines. The system uses a network topology that is modeled in a graph database, and applies the finite-state machines in order to retrieve attack paths in the network topology. In order to achieve this, the finite-state machines should encode options for compromising a security property of a network topology object. Finally, the system should enable the user to assess the probability of the resulting attack steps, in order to assess the probability of the attack paths occurring in the existing network topology.
9 Dr.-Ing. Moritz Horsch Implementation of an ETL-application for security risk analysis systems
Network topologies are usually provided in different picture-based formats. Additionally, abstract layers of the network topology, such as virtualization clusters, and the relationship between network components, applications, processes, people and even physical infrastructure such as rooms, are often modelled in different applications, such as configuration management databases (CMDB) and process management tools. Consolidation of this information is necessary in order to provide a security risk analysis of an existing organizational security system. Therefore, an extraction of the information relevant for a risk analysis, its transformation towards a unified graph-based representation and loading of the information into a unified graph-based database is required. The application should be easily extendable for use with different applications and demonstrated by providing the extraction and transformation of data from network diagrams created in Visio or yFiles, and IT configurations from the CMDB i-doit.
10 Dr.-Ing. Moritz Horsch Security in the Industrial Internet of Things
In the industrial Internet of Things (IIoT), IT security is a major challenge. While implementing a secure IIoT system is difficult because of its heterogeneity, interconnectedness and dynamics, the consequences of an attack in an industrial setting are potentially drastic. As an example, the project is to implement the secure transmission of sensor data based on a realistic scenario from agriculture: a plant sensor (e.g. measuring soil moisture) is to be read out with an ESP32 controller (https://www.espressif.com/en/products/hardware/esp32/overview) and connected to the Internet through a gateway using the LoRaWAN radio standard (https://www.lora-alliance.org). The data is made available on the Internet via a suitable IoT standard such as MQTT (http://mqtt.org). Across the entire path, it must be ensured that the data is encrypted, unmodified and traceably originates from the actual sensor. Access to the data is to be restricted to authorized systems / persons. Where possible, the implementation can build on existing functions of the environment (e.g. ESP32 hardware encryption, MQTT security mechanisms).
11 Lucas Schabhüser Implementation of Homomorphic Signature Schemes
The goal of this task is to implement a homomorphic signature scheme that can be used to verify the correctness of an outsourced computation. This task requires using existing libraries for pairing-based cryptography (Java or C, no prior knowledge of the library is required). This task is intended for one or two people. Basic knowledge of linear algebra is required.
12 Lucas Schabhüser Implementation of a Commitment Scheme
The goal of this task is to implement a cryptographic commitment scheme that can be used to commit to a chosen message while keeping any information about it hidden from others. This task requires using existing libraries for pairing-based cryptography (Java or C, no prior knowledge of the library is required). This task is intended for one or two people. Basic knowledge of linear algebra is required.
13 Dr. Rachid El Bansarkhani Implementation of new primitives for the EJBCA Public Key Infrastructure
The goal of this task is to adapt the EJBCA PKI such that it issues certificates for newly invented cryptographic algorithms. The implementation is based on Bouncy Castle. This task can also be realized in groups. Strong Java programming skills are required.
Please contact
14 Dr. Rachid El Bansarkhani Implementation of Cryptographic Protocols using Bouncy Castle

The goal of this lab is to implement cryptographic schemes or protocols using well-known security frameworks such as Bouncy Castle.

This task can also be realized in groups. Strong Java or C# programming skills are required.
Please contact
15 Dr. Rachid El Bansarkhani Implementation of Fast Polynomial Multiplication Algorithms
Some post-quantum cryptographic schemes require polynomial multiplication as an underlying subroutine.
For instance, lattice-based cryptography makes extensive use of polynomials due to their efficient characteristics.
The goal of this lab is to implement fast polynomial multiplication algorithms over the integers.
Please contact
16 Giulia Traverso Implementation of Hierarchical Secret Sharing
Secret sharing is a cryptographic primitive enabling secure storage in the cloud in a distributed fashion. Shares of a document are generated and distributed to different servers. The hierarchical version of secret sharing entails the generation of shares that are more informative than others. The implementation of this scheme is done starting from existing libraries (in Python or Java) for the general secret sharing described above. The candidate should then adapt these existing libraries to the hierarchical scenario. This task is intended for one or two people. Basic knowledge of linear algebra is required.

Modalities

  • Preliminary meeting, form of submission and grading are all determined by the supervisors
  • In general, the date for the last possible submission applies (see above)

Prerequisites

  • Knowledge of the relevant programming language for programming tasks
  • Knowledge of cryptography is an advantage

Content

  • Further programming skills
  • Experience in software development
  • Deepening of security concepts and cryptographic knowledge
  • Experience with various development tools

Learning objectives

The ability to successfully complete a professional task from the areas mentioned, working in a team and according to specification, and to present the results appropriately. The focus depends on the specific assignment. Examples are:

  • Practical development of security-relevant software
  • Efficient programming, i.e. identifying and eliminating bottlenecks
  • Reading and understanding scientific literature and technical documentation
  • Programming and documenting component-based software
  • (Java, C, C++, UML, JavaBeans)
  • Authentication mechanisms and protocols (SSL / TLS)
  • Certificate and key management in a PKI (LDAP)