Special Lecture

Foundations of Cryptography and Network Security II (Module ICNS2)

 

Cryptography is an elementary component of any security application. The first part of the lecture covers the foundations of interactive cryptographic protocols. Starting from interactive proof systems (IPs), we move on to zero-knowledge proof systems (ZKPs), which allow a party to prove “knowledge of something” without revealing that knowledge. Such protocols have recently gained much interest in the context of verifiable computation. For instance, one would like to have assurance that a cloud computed the promised task without disclosing the exact program code. Probabilistically checkable proofs (PCPs) are an ingenious special case of interactive proof systems, ideal for the cloud paradigm where verifiers (e.g. smartphones) are limited in computational power. PCPs provide the powerful feature of verifying a proof by reading only a few bits of the proof. We showcase the usefulness of IPs in the context of multi-party computation protocols (MPCs). Here, multiple parties wish to perform a joint computation in such a way that their inputs remain secret. A special case is that of a cloud that does the whole computation but learns nothing about the input or outcome of the computation. If time remains, we show how recent advances in fully homomorphic encryption and succinct non-interactive arguments facilitate the design of cloud-centric MPC protocols.

The security of an application is only ever as strong as its weakest component. Hence, no matter how strong and sophisticated an application’s cryptographic protocols are, a simple SQL injection or a mere buffer overflow in the application’s source code is all the adversary requires to completely undermine even the strongest cryptographic constructions. For this reason, in the second part we leave the application-specific security requirements, which can be addressed with the previously learned cryptographic primitives, and look at an application’s security as a whole in order to create secure applications that provide defense in depth. To do so, we introduce the applicable attacker models along with their respective capabilities and limitations. Furthermore, fundamental principles for secure system design and secure programming will be discussed. On this foundation, the specifics of the most common and/or severe classes of application-level vulnerabilities, including SQL injection, remote code execution and Web-specific flaws such as XSS and CSRF, will be explored and discussed in depth. For each of these problems, the insecure coding that causes it, the resulting attack method and capabilities, and the matching defenses will be taught.

Furthermore, using selected protocols such as OAuth and BetterAuth as examples, we will show how cryptographic methods can be implemented with Web technologies and how to avoid the non-intuitive pitfalls that occur in real-life implementations. At the end of this lecture, you will be well equipped to create sophisticated applications that provide security on all levels of abstraction.

Instructors

Dr. Sebastian Gajek (NEC Research Labs), Dr. Martin Johns (SAP Labs)

Details

Special lecture, 2 semester hours per week (SWS)

Time and Place

Monday 16:00 - 18:00, INF306 SR14

Participation

Bachelor/Master Applied Computer Science, as well as students from other disciplines

Prerequisites

Recommended lectures: Foundations of Cryptography and Network Security I, Theoretical Computer Science, and Operating Systems and Networks

Classification

Core Computer Science

Exercise Certificate or Proof of Performance

Proof of performance depending on the degree program;
credit points are awarded only upon successful
submission of homework and participation in the final exam
(oral or written, depending on the number of participants).

Contact

Prof. Dr. Barbara Paech, INF326, Room 208

 
