Universität Stuttgart

Permanent URI for this communityhttps://elib.uni-stuttgart.de/handle/11682/1

Search Results (showing 1 - 10 of 85)
  • Formal security analysis of the OpenID FAPI 2.0 Security Profile with FAPI 2.0 Message Signing, FAPI-CIBA, Dynamic Client Registration and Management : technical report (Open Access)
    (2023) Hosseyni, Pedram; Küsters, Ralf; Würtele, Tim
    Building on our recent formal security analysis of the FAPI 2.0 Security Profile, we here extend the analysis effort to FAPI 2.0 Message Signing, combined with Dynamic Client Registration, Dynamic Client Management, and FAPI-CIBA. Overall, we model an ecosystem which uses all these profiles and extensions in parallel. Like the previous work on the FAPI 2.0 Security Profile, this analysis is based on the Web Infrastructure Model, a Dolev-Yao style model of the web infrastructure; in fact, it is the most comprehensive and detailed model of the web infrastructure to date. We identify several attacks, propose fixes and prove the fixed protocols secure with respect to authorization, authentication, session integrity for both authorization and authentication, and non-repudiation for the messages covered by FAPI 2.0 Message Signing. The attacks and proposed fixes have been reported to the responsible FAPI Working Group at the OpenID Foundation, and fixes have since been incorporated into the specifications.
  • Implementation and Security Analysis of High Mountain Range Options on a Blockchain (Open Access)
    (2018) Bechtold, Marvin
    Cryptocurrencies based on blockchain technology have gained increasing importance and adoption in recent years. In many different business areas, companies are researching and working on the use of this technology in order to develop new or disruptive processes or even business models. A prerequisite is the use of the right blockchain and the development of corresponding smart contracts. The smart contracts are intended to model simple, but increasingly also complex, matters and in doing so replace the conventional trusted authority with the blockchain. The requirement on smart contracts here is not only the correct handling of the matter but also guaranteeing a high degree of security. In this thesis, a complex stock option from the group of High Mountain Range options and its processes, such as creation, purchase and payout, are modelled with smart contracts. Hyperledger Fabric was used as the blockchain framework. To make the work easier to understand, the financial background of stock options was discussed and the functioning of the blockchain was presented. By implementing a complex High Mountain Range option, it was shown that arbitrary stock options, from simple stock options to complex financial derivatives, can be modelled using smart contracts and a blockchain. In addition, the security of the implemented smart contracts was analysed, using the analysis tool Chaincode Scanner. The results point to possible weaknesses that should be taken into account when implementing smart contracts.
  • OpenID for Verifiable Credentials : formal security analysis using the Web Infrastructure Model (Open Access)
    (2023) Hauck, Fabian
    In our increasingly connected world, digital identities play a fundamental role in delivering secure online services around the globe. To enable the seamless exchange of identification data among various entities, the adoption of standardized protocols is essential. The protocol family OpenID for Verifiable Credentials (OID4VC) is ideally suited for exchanging identities. The two most important protocols in this family are OpenID for Verifiable Credential Issuance (OID4VCI) and OpenID for Verifiable Presentations (OID4VP), with a wide range of applications in e-government as well as in the private sector. A prominent example is the European Digital Identity Framework, which includes these two protocols, among others. This means that any future wallet in the European Union will implement OID4VCI and OID4VP. Therefore, it is extremely important to guarantee their security. This thesis performs a rigorous formal security analysis of both the OpenID for Verifiable Credential Issuance and the OpenID for Verifiable Presentations protocols. In particular, we focus on analyzing the security of both protocols when they interact in an ecosystem. It is not sufficient to consider the two protocols separately, because the interaction between them may introduce new vulnerabilities. Therefore, the formal model created in this thesis models both protocols simultaneously. The model is based on the Web Infrastructure Model (WIM), which closely follows existing web technologies. To describe what security means in this context, we define an authentication security property and a session integrity security property for OID4VCI and OID4VP. We prove that the model is secure with respect to these security properties under the assumption of a vigilant user. We have discovered a number of attacks that apply if this assumption is violated. This work makes several contributions to the protocol specifications: First, the discovered vulnerabilities were brought to the attention of the working group. Second, several issues were filed to improve the quality and security of the specifications. Lastly, we engaged in ongoing discussions on related issues.
  • Improved usability of differential privacy in machine learning : techniques for quantifying the privacy-accuracy trade-off (Open Access)
    (2022) Bernau, Daniel; Küsters, Ralf (Prof.)
    Differential privacy allows bounding the influence that training data records have on a neural network. To use differential privacy in machine learning with neural networks, data scientists must choose the privacy parameter epsilon. Choosing meaningful privacy parameters is key, since differentially private neural networks that have been trained with weak privacy parameters might result in excessive privacy leakage, while strong privacy parameters might overly degrade model utility. However, privacy parameter values are difficult to choose for two main reasons. First, the theoretical upper bound on the privacy loss epsilon might be loose, depending on the chosen sensitivity and the data distribution of practical datasets. Second, legal requirements and societal norms for anonymization often refer to individual identifiability, to which epsilon is only indirectly related. Within this thesis, we address the problem of choosing epsilon from two angles. First, we quantify the empirical lower bound on the privacy loss under empirical membership inference attacks to allow data scientists to compare the empirical privacy-accuracy trade-off between local and central differential privacy. Specifically, we consider federated and non-federated discriminative models, as well as generative models. Second, we transform the privacy loss under differential privacy into an analytical bound on identifiability to map legal and societal expectations w.r.t. identifiability to corresponding privacy parameters. The thesis contributes techniques for quantifying the trade-off between accuracy and privacy over epsilon. The techniques provide information for interpreting differentially private training datasets or models trained with differentially private stochastic gradient descent, to improve the usability of differential privacy in machine learning. In particular, we identify preferable ranges for the privacy parameter epsilon and compare local and central differential privacy mechanisms for training differentially private neural networks under membership inference adversaries. Furthermore, we contribute an implementable instance of the differential privacy adversary that can be used to audit trained models w.r.t. identifiability.
  • Enhancement of a tool for comprehensive security scanning (Open Access)
    (2020) Hauck, Fabian
    The demand for web applications is rapidly increasing worldwide. Since the world wide web is accessible to everyone with a connection to the internet, web-based systems are especially vulnerable to attacks. This is why cybersecurity is getting increased attention. While it is difficult to defend a system from sophisticated attacks, it is rather easy to find and fix insecure system configurations. Since web applications and their infrastructure are rapidly changing, it is hard to manually detect security breaches. Therefore, advanced testing software is needed to detect security leaks automatically. The present work describes several extensions of an automated security scanning tool called yesses. The yesses tool was originally designed to scan web servers for basic security properties like open ports, insecure HTTP methods and missing cookie security features. The tool is available open-source on GitHub. Within the scope of this work, the yesses tool was extended by seven modules. The following three main topics were investigated: Transport Layer Security (TLS), Domain Name System Security Extensions (DNSSEC) and information leakages. Within the TLS topic, scans of the TLS settings of a server are performed and the differences compared to a Mozilla TLS profile are analyzed. Among other things, this gives important insights into possible insecure encryption algorithms. In the scope of DNSSEC, the DNSSEC configuration of a domain name is scanned; the tool can thereby detect possible misconfigurations, e.g. a missing signature for a DNS resource record. Concerning information leakages, the yesses tool was extended in such a way that it detects sensitive data exposures, which are very useful for potential adversaries. The described extensions do not only make the yesses tool more powerful, they also enable it to detect security leaks that could not have been detected beforehand.
  • PKIs based on Blockchains (Open Access)
    (2019) Ravlija, Damir
    Cryptographic protocols such as TLS rely on Public Key Infrastructure (PKI) to provide privacy to users on the web. In traditional PKI, a certain number of Certificate Authorities (CAs) issue certificates which affirm that the CA verified the public key binding. However, since CAs have in numerous cases behaved maliciously and issued unauthorized certificates, alternatives to the traditional PKI model are being researched. A promising alternative is blockchain technology, which seems to be suitable for the implementation of PKIs: a blockchain is decentralized, usually with only a few trust anchors, and data has to pass a consensus procedure before it becomes part of the state of the blockchain. Hence, a blockchain offers a decentralized alternative to the current CA-based PKI model. In this thesis we survey the current state of research into PKIs based on blockchains. Firstly, we present PKI and blockchain, the two integral parts of such systems. There we concentrate on the PKI models and blockchain platforms that are relevant for the existing blockchain-based PKI proposals. We then introduce, classify, and present PKI systems based on blockchains. In the following chapter we discuss the security properties, prospects for adoption, underlying blockchains, and distinctive features of blockchain-based PKI systems, which we compare to each other, to conventional PKIs, and to their extensions. In the end, we introduce TKI, a PKI system developed on the permissionless Ethereum blockchain that extends CA-based PKI and combines it with a Web of Trust architecture.
  • Joint state composition theorems for public-key encryption and digital signature functionalities with local computation (Open Access)
    (2020) Küsters, Ralf; Tuengerthal, Max; Rausch, Daniel
    In frameworks for universal composability, complex protocols can be built from sub-protocols in a modular way using composition theorems. However, as first pointed out and studied by Canetti and Rabin, this modular approach often leads to impractical implementations. For example, when using a functionality for digital signatures within a more complex protocol, parties have to generate new verification and signing keys for every session of the protocol. This motivates generalizing composition theorems to so-called joint state (composition) theorems, where different copies of a functionality may share some state, e.g., the same verification and signing keys. In this paper, we present a joint state theorem which is more general than the original theorem of Canetti and Rabin, for which several problems and limitations are pointed out. We apply our theorem to obtain joint state realizations for three functionalities: public-key encryption, replayable public-key encryption, and digital signatures. Unlike most other formulations, our functionalities model that ciphertexts and signatures are computed locally, rather than being provided by the adversary. To obtain the joint state realizations, the functionalities have to be designed carefully. Other formulations proposed in the literature are shown to be unsuitable. Our work is based on the IITM model. Our definitions and results demonstrate the expressivity and simplicity of this model. For example, unlike Canetti's UC model, in the IITM model no explicit joint state operator needs to be defined, and the joint state theorem follows immediately from the composition theorem in the IITM model.
  • XSS in issue tracking systems (Open Access)
    (2021) Hildebrand, Moritz
    Today, virtually every software project, especially in a collaborative and distributed setting, is managed through an issue tracking system (ITS). As developers rely heavily on ITSs, the risk of cyberattacks and their associated impact increases. An interesting particularity of ITSs is that, compared to conventional web applications, the attack surface is extended through additional input interfaces such as email or version control systems (VCSs). This bachelor thesis develops a methodology to test ITSs for cross-site scripting (XSS) vulnerabilities via these ITS-specific input interfaces. As an example, we implement the developed methodology for the input interfaces email and Git and test it on the three open-source ITSs Redmine, MantisBT, and Trac.
  • A formal analysis of hashgraph and its accountability properties (Open Access)
    (2022) Flinspach, Marcel
    The Hashgraph algorithm is a distributed ledger technology (DLT) consensus algorithm that is an alternative to conventional blockchains. Generally, a distributed ledger can be seen as a database of transactions that is replicated across several locations, typically run by multiple parties. In order to reach an agreement on the validity and order of transactions, DLTs typically rely on consensus protocols as a key component. Participants of the Hashgraph algorithm locally manage a hashgraph, which is a directed acyclic graph of events. All events include, among other (meta)data, mainly transactions that were submitted by clients. In order to reach a consensus, Hashgraph utilizes so-called virtual voting, so that parties with different hashgraphs assign all events the same position in the total order of events. We call this desirable property consistency; it allows different participants to calculate and agree on the same order of transactions. Accountability is a well-known concept in distributed systems and cryptography, but new to blockchains and DLTs in general. With this concept, misbehaving parties violating predefined security goals can be identified and held accountable with undeniable cryptographic evidence, which incentivizes participants to behave honestly. In this work, we put forward a rigorous proof that Hashgraph does achieve accountability w.r.t. consistency. That is, participants that misbehave by calculating a different order of transactions, by not following the Hashgraph protocol, can always be identified and rightfully blamed. To achieve this, we construct an iUC model of the Hashgraph protocol with the necessary additions to hold dishonest participants accountable. In particular, we prove under relatively mild assumptions that honest participants, following the Hashgraph algorithm, will always assign the events in their hashgraph the same order. That is, honest participants can reach a consensus on the total order of events and transactions. Due to the real-world applications of Hashgraph, we believe this result is of independent interest.
  • The Grant Negotiation and Authorization Protocol : attacking, fixing, and verifying an emerging standard (Open Access)
    (2023) Helmschmidt, Florian; Hosseyni, Pedram; Küsters, Ralf; Pruiksma, Klaas; Waldmann, Clara; Würtele, Tim
    The Grant Negotiation and Authorization Protocol (GNAP) is an emerging authorization and authentication protocol which aims to consolidate and unify several use-cases of OAuth 2.0 and many of its common extensions while providing a higher degree of security. OAuth 2.0 is an essential cornerstone of the security of authorization and authentication for the Web, IoT, and beyond, and is used, among others, by many global players, like Google, Facebook, and Microsoft. Historical limitations of OAuth 2.0 and its extensions have led prominent members of the OAuth community to create GNAP, a newly designed protocol for authorization and authentication. Given GNAP's advantages over OAuth 2.0 and its support within the OAuth community, GNAP is expected to become at least as important as OAuth 2.0. In this work, we present the first formal security analysis of GNAP. We build a detailed formal model of GNAP, based on the Web Infrastructure Model (WIM) of Fett, Küsters, and Schmitz, and provide formal statements of the key security properties of GNAP, namely authorization, authentication, and session integrity. We discovered several attacks on GNAP in the process of trying to prove these properties. We present these attacks, as well as changes to the protocol that prevent them. These modifications have been incorporated into the GNAP specification after discussion with the GNAP working group. We give the first formal security guarantees for GNAP, by proving that GNAP, with our modifications applied, satisfies the mentioned security properties. GNAP was still an early draft when we began our analysis, but is now on track to be adopted as an IETF standard. Hence, our analysis is just in time to help ensure the security of this important emerging standard.