RuhrSec - our non-profit IT security conference

We are proud to announce our first security conference - RuhrSec. The conference takes place in Bochum at our university (28.-29.4.2016). It is a non-profit conference, i.e. all profit resulting from the sold tickets will go to Gänseblümchen NRW e.V. (thanks to our sponsors and to the great university conditions, we hope it will be much :) ). As this is our first conference, we carefully invited some top-class speakers (mainly our friends) to present their recent work. Given the program that we have now, I think we do not have to shame and we can keep up with the best conferences.

Analysis of encrypted databases with CryptDB

As part of a bachelor thesis we have taken a look at the latest version of CryptDB and compared its performance with a normal MySQL installation and adoption on different applications. In this blog post we would like to share our insights with you.
For further results and technical specifications please refer directly to the thesis 'Analysis of Encrypted Databases with CryptDB' that can be found at http://www.nds.rub.de/media/ei/arbeiten/2015/10/26/thesis.pdf.

EsPReSSO - A good morning starts with coffee!

In this posts I describe the tool, I wrote for my Bachelor thesis at the Chair for Network and Data Security, with support of Context Information Security Ltd.. EsPReSSO is a apronym for "Extension for Recognition and Processing of Single Sing on Protocols". The basic idea behind EsPReSSO is to automate standard tasks to detect and classify the Single Sign-On (SSO) Protocols OpenID, BrowserID, SAML, OAuth, OpenID-Connect, Facebook Connect and Microsoft Account. The tool is integrate with PortSwigger's HTTP Proxy, Burp Suite. Furthermore EsPReSSO integrates the WS-Attacker, to attack SAML services semi-automated or manually.

Playing with Certificates (from a Researcher's Perspective)

I often face a problem that I need to test several TLS servers. In order to make the tests consistent, I want to deploy the same keys and certificates on each server. However, this is not that easy, since there are several key formats and generation mechanisms. Deploying the same key to an OpenSSL and JSSE servers is thus a huge pain...
In the following, I will give a brief overview on basic certificate types and on few conversion possibilities.

Attacking OpenID Connect 1.0 - Malicious Endpoints Attack

In this post we show a novel attack on OpenID Connect 1.0, which compromises the security of the entire protocol - the Malicious Endpoints attack. The idea behind the attack is to influence the information flow in the Discovery and Dynamic Registration Phase in such a way that the attacker gains access to sensitive information.

Practical Invalid Curve Attacks

Next week at ESORICS, I am going to present our newest research paper on attacking elliptic curve implementations (it is a joint work with Tibor Jager and Jörg Schwenk). It might be of interest especially for people who like practical crypto attacks...or for anybody who hates Java, since the attacks were applicable to two out of eight analyzed libraries: Bouncy Castle and Java Crypto Extension (JCE). The result is quite interesting since the attacks allow an attacker to recover private EC keys from different applications, for example, TLS servers.

Not so Smart: On Smart TV Apps

One of the main characteristics of Smart TVs are apps. Apps extend the Smart TV behavior with various functionalities, ranging from usage of social networks or payed streaming services, to buying articles on Ebay. These actions demand usage of critical data like authentication tokens and passwords, and thus raise a question on new attack scenarios and general security of Smart TV apps.

These reasons make it interesting enough to do some research on smart TVs. We wrote a paper with the title "Not so Smart: On Smart TV Apps", which will be presented in a few days at the "International Workshop on Secure Internet of Things" (SIoT 2015). In this paper, we investigate attack models for Smart TVs and their apps, and systematically analyze security of Smart TV devices. We point out that some popular apps, including Facebook, Ebay or Watchever, send login data over unencrypted channels. Even worse, we show that an arbitrary app installed on devices of the market share leader Samsung can gain access to the credentials of a Samsung Single Sign-On account. Therefore, such an app can hijack a complete user account including all his devices like smartphones and tablets connected with it. Based on our findings, we provide recommendations that are of general importance and applicable to areas beyond Smart TVs.