Cryptography Lab SS 19

Cryptography Lab in the Summer Semester 2019

Course: Lab: Cryptography
Course format: P4 / 4 SWS / 6 CP (ECTS)
Lecturer: Prof. Johannes Buchmann
Start: 1st week of lectures
Prerequisites: Basic knowledge of Java, C/C++ and cryptography
Application: Fill out the PDF form and send it by e-mail to


Please state your preferred topic (under 'Anmerkungen', i.e. remarks). Team preferences should also be stated in the 'Anmerkungen' field.

Deadline: 28.04.2019
Notification: 29.04.2019
Registration: TUCaN
Submission: (end of the 1st week in the last month of the semester)
Frequency: regular

Topics

# Supervisor Description
1 Dr.-Ing. Moritz Horsch Passwordless Password Synchronization
Passwords are the most widely used authentication scheme for granting access to user accounts at services on the Internet. Secure passwords are essential, because they are the sole barrier protecting the multitude of personal data stored in user accounts. But memorizing a multitude of passwords is practically impossible. Therefore, security experts recommend the usage of password managers to store passwords. However, with multiple user devices like smartphones, computers, and tablets, the passwords must be available on all devices. This problem is usually solved by storing the passwords in the cloud, which bears the risk that an attacker gets access to the passwords. Passwordless Password Synchronization (PALPAS) solves this problem by synchronizing passwords between devices without storing them on servers. The objective of this task is to implement PALPAS.
2 Dr.-Ing. Moritz Horsch Password Knowledge Database
Passwords have various security issues. First, generating passwords that resist attacks is difficult. User-chosen passwords often include personal-related and service-related information and have patterns. This enables very efficient guessing attacks. Second, memorizing a multitude of passwords is practically impossible. Therefore, users create passwords that are easy to remember and reuse them across accounts. This bears the risk that an attacker can easily guess the passwords and get access to multiple accounts just by obtaining a single password. Third, regularly changing the passwords of all online accounts is very time consuming. Consequently, users barely change their passwords, even after security breaches at services or exceptional events like the Heartbleed bug. To solve these issues, a lot of research has been conducted. However, the wealth of research results makes it hard to find out what research already exists. This bears the risk that, for instance, the same research is done again or research is done on assumptions that have already been proven wrong. The objective of this task is to create a knowledge database for passwords. It should consist of a database of publications about passwords as well as a website to browse through the database. Besides common information about the publications like the title, each publication should be categorized into different subareas of password research such as password generation. A tool should be developed that fills the database with existing publications and categorizes the publications automatically. Finally, the knowledge database should be used to provide an overview of the research activities over the last decades (what is the main focus in password research, what is the progress over time, …).
3 Dr.-Ing. Moritz Horsch Password Policy Description Distribution Service
Passwords are the most widely used authentication scheme for granting access to user accounts at services on the Internet. Secure passwords are essential, because they are the sole barrier protecting the multitude of personal data stored in user accounts. The creation of secure passwords, which resist brute-force, dictionary, and social engineering attacks, is difficult. Users often tend to use passwords that are simple and easy to remember. Therefore, security experts recommend the usage of password generators in order to create secure passwords. However, generated passwords often get rejected by services because they do not comply with the various password requirements of services. They are, for instance, too short, too long, or do not contain a special character. The problem is solved by Password Policy Descriptions (PPD), which describe the password requirements of services in a standardized format. Password generators can process PPDs and adapt their password generation rules. The objective of this task is to develop a Password Policy Description Distribution Service (PPDDS) that makes PPDs available to password generators. The PPDDS should consist of two components. First, an API that can be used by password generators to search for and receive PPDs. Second, a website that can be used by users to provide feedback on PPDs.
4 Dr.-Ing. Moritz Horsch Two-Factor Authentication Detector
Two-factor authentication provides secure authentication at services on the Internet. However, for users it is often unclear whether a service supports two-factor authentication or not. The objective of this task is to develop a tool that is capable of automatically detecting whether a service supports two-factor authentication by analyzing the service's website. The tool should be used to set up a public database of services supporting two-factor authentication.

Modalities

  • Preliminary meeting, submission format and grading are all determined by the supervisors
  • In general, the date for the last possible submission applies (see above)

Prerequisites

  • Knowledge of the relevant programming language for programming tasks
  • Knowledge of cryptography is an advantage

Content

  • Further programming skills
  • Experience in software development
  • Deepening of security concepts and cryptographic knowledge
  • Experience in working with various development tools

Learning objectives

The ability to successfully complete a professional task from the areas mentioned, in a team and according to specification, and to present the results appropriately. The focus depends on the specific assignment. Examples are:

Practical development of security-relevant software

Efficient programming, i.e. identifying and eliminating bottlenecks

Reading and understanding scientific literature and technical documentation

Programming and documenting component-based software

(Java, C, C++, UML, Java-Beans)

Authentication mechanisms and protocols (SSL / TLS)

Certificate and key management in a PKI (LDAP)