OPUS - Online Publications of University Stuttgart
Browsing by Author "Hauck, Fabian"

  • Enhancement of a tool for comprehensive security scanning
    (2020) Hauck, Fabian
    Open Access
    The demand for web applications is rapidly increasing worldwide. Since the world wide web is accessible to everyone with an internet connection, web-based systems are especially exposed to attacks, which is why cybersecurity is receiving increased attention. While it is difficult to defend a system against sophisticated attacks, it is comparatively easy to find and fix insecure system configurations. Because web applications and their infrastructure change rapidly, it is hard to detect security weaknesses manually; automated testing software is therefore needed to find them. The present work describes several extensions of an automated security scanning tool called yesses. The yesses tool was originally designed to scan web servers for basic security properties such as open ports, insecure HTTP methods and missing cookie security attributes. The tool is available as open source on GitHub. Within the scope of this work, yesses was extended by seven modules covering three main topics: Transport Layer Security (TLS), Domain Name System Security Extensions (DNSSEC) and information leakage. For TLS, the tool scans the TLS settings of a server and compares them against a Mozilla TLS profile; among other things, this reveals possibly insecure cipher suites and encryption algorithms. For DNSSEC, the DNSSEC configuration of a domain name is scanned so that the tool can detect misconfigurations, e.g. a missing signature for a DNS resource record. Concerning information leakage, yesses was extended to detect sensitive data exposures that would be useful to a potential adversary. The described extensions not only make the yesses tool more powerful, they also enable it to detect security weaknesses that could not be detected before.
  • OpenID for Verifiable Credentials : formal security analysis using the Web Infrastructure Model
    (2023) Hauck, Fabian
    Open Access
    In our increasingly connected world, digital identities play a fundamental role in delivering secure online services around the globe. To enable the seamless exchange of identification data among various entities, the adoption of standardized protocols is essential. The protocol family OpenID for Verifiable Credentials (OID4VC) is ideally suited for exchanging identities. The two most important protocols in this family are OpenID for Verifiable Credential Issuance (OID4VCI) and OpenID for Verifiable Presentations (OID4VP), with a wide range of applications in e-government as well as in the private sector. A prominent example is the European Digital Identity Framework, which includes these two protocols, among others. This means that any future wallet in the European Union will implement OID4VCI and OID4VP, so it is extremely important to guarantee their security. This thesis performs a rigorous formal security analysis of both the OpenID for Verifiable Credential Issuance and the OpenID for Verifiable Presentations protocols. In particular, we focus on the security of both protocols when they interact in one ecosystem: it is not sufficient to consider the two protocols separately, because the interaction between them may introduce new vulnerabilities. Therefore, the formal model created in this thesis covers both protocols simultaneously. The model is based on the Web Infrastructure Model (WIM), which closely follows existing web technologies. To describe what security means in this context, we define an authentication security property and a session integrity security property for OID4VCI and OID4VP. We prove that the model is secure with respect to these security properties under the assumption of a vigilant user; for the case where this assumption is violated, we have discovered a number of attacks. This work makes several contributions to the protocol specifications: First, the discovered vulnerabilities were brought to the attention of the working group. Second, several issues were filed to improve the quality and security of the specifications. Lastly, we engaged in ongoing discussions on related issues.