Refine
Departments, institutes and facilities
- Institut für Cyber Security & Privacy (ICSP) (305) (remove)
Document Type
- Conference Object (201)
- Article (60)
- Part of a Book (11)
- Book (monograph, edited volume) (7)
- Contribution to a Periodical (7)
- Doctoral Thesis (5)
- Conference Proceedings (4)
- Preprint (4)
- Report (3)
- Lecture (2)
Year of publication
Keywords
- Usable Security (11)
- DPA (6)
- Privacy (6)
- Robotics (6)
- HTTP (5)
- security (5)
- Cloud (4)
- Machine Learning (4)
- Power Analysis (4)
- REST (4)
XML Encryption and XML Signature are fundamental security standards forming the core for many applications which require to process XML-based data. Due to the increased usage of XML in distributed systems and platforms such as in SOA and Cloud settings, the demand for robust and effective security mechanisms increased as well. Recent research work discovered, however, substantial vulnerabilities in these standards as well as in the vast majority of the available implementations. Amongst them, the so-called XML Signature Wrapping attack belongs to the most relevant ones. With the many possible instances of this attack type, it is feasible to annul security systems relying on XML Signature and to gain access to protected resources as has been successfully demonstrated lately for various Cloud infrastructures and services. This paper contributes a comprehensive approach to robust and effective XML Signatures for SOAP-based Web Services. An architecture is proposed, which integrates the r equired enhancements to ensure a fail-safe and robust signature generation and verification. Following this architecture, a hardened XML Signature library has been implemented. The obtained evaluation results show that the developed concept and library provide the targeted robustness against all kinds of known XML Signature Wrapping attacks. Furthermore the empirical results underline, that these security merits are obtained at low efficiency and performance costs as well as remain compliant with the underlying standards.
XML Signature Wrapping (XSW) has been a relevant threat to web services for 15 years until today. Using the Personal Health Record (PHR), which is currently under development in Germany, we investigate a current SOAP-based web services system as a case study. In doing so, we highlight several deficiencies in defending against XSW. Using this real-world contemporary example as motivation, we introduce a guideline for more secure XML signature processing that provides practitioners with easier access to the effective countermeasures identified in the current state of research.
Routing Attacks are a serious threat to communication in tactical MANETs. TOGBAD is a centralised approach, using topology graphs to detect such attacks. In this paper, we present TOGBAD's newly added wormhole detection capability. It is an adaptation of a wormhole detection method developed by Hu et al. This method is based on nodes' positions. We adapted it to the specific properties of tactical environments. Furthermore, we present simulation results which show TOGBAD's performance regarding the detection of wormhole attacks.
Der Arbeitskreis Usable Security & Privacy bietet ein Forum für den Gedankenaustausch und die interdisziplinäre Zusammenarbeit rund um das Thema benutzerfreundliche Informationssicherheit und privatheitsfördernde Technologien. Sicherheit ist bei der Anschaffung von Software und Technikprodukten zwar eines der zentralen Auswahlkriterien – aufgrund mangelnder Gebrauchstauglichkeit werden die vorhandenen Sicherheitsfunktionen und -mechanismen von den Nutzern jedoch oft falsch oder überhaupt nicht bedient. Im alltäglichen Gebrauch ergeben sich hierdurch Sicherheitsgefährdungen beim Umgang mit IKT-Systemen bzw. -Produkten und den darin enthaltenen sensiblen Daten. Im Workshop werden mit den Teilnehmern Beispiele diskutiert und es wird gemeinsam ein Stimmungsbild zum Verständnis, zum Stellenwert und zum aktuellen Grad der Umsetzung von Usable Security & Privacy erhoben. Ergebnis des Workshops ist ein Positionspapier, in dem die aktuellen Problemfelder und die wichtigsten Herausforderungen aus Sicht der Usability und UX Professionals beschrieben sind.
In education, finding the appropriate learning pace that fits to the members of a large group is a challenging task. This becomes especially evident when teaching multidisciplinary subjects such as epidemiology in medicine or computer science in most study programs, since lecturers have to face a very heterogeneous state of previous knowledge. Approaching this issue requires an individual supervision of each and every student, which is obviously bounded by the available resources. Moreover, when referring back to the second example, writing computer programs requires a complex installation and configuration of development tools. Many beginning programmers already become stuck at this entry stage. This paper introduces WHELP, a Web-based Holistic E-Learning Platform, which provides an integrated environment enabling the learning and teaching of computer science topics without the need to install any software. Moreover, WHELP includes an interactive feedback system for each programming exercise, where lecturers or tutors can supply comments, improvements, code assistance or tips helping the students to accomplish their tasks. Furthermore, WHELP offers a statistical analysis module as well as a real-time classroom polling system both promoting an overview of the state of knowledge of a course. In addition to that, WHELP enables collaborative working including code-sharing and peer-to-peer learning. This feature enables students to work on exercises simultaneously at distinct places. WHELP has been successfully deployed in the winter term 2013 at the Cologne University of Applied Sciences supporting the 120 students and 3 lecturers to learn and teach basic topics of computer science in an engineering study program.
Risk-based authentication (RBA) aims to strengthen password-based authentication rather than replacing it. RBA does this by monitoring and recording additional features during the login process. If feature values at login time differ significantly from those observed before, RBA requests an additional proof of identification. Although RBA is recommended in the NIST digital identity guidelines, it has so far been used almost exclusively by major online services. This is partly due to a lack of open knowledge and implementations that would allow any service provider to roll out RBA protection to its users.
To close this gap, we provide a first in-depth analysis of RBA characteristics in a practical deployment. We observed N=780 users with 247 unique features on a real-world online service for over 1.8 years. Based on our collected data set, we provide (i) a behavior analysis of two RBA implementations that were apparently used by major online services in the wild, (ii) a benchmark of the features to extract a subset that is most suitable for RBA use, (iii) a new feature that has not been used in RBA before, and (iv) factors which have a significant effect on RBA performance. Our results show that RBA needs to be carefully tailored to each online service, as even small configuration adjustments can greatly impact RBA's security and usability properties. We provide insights on the selection of features, their weightings, and the risk classification in order to benefit from RBA after a minimum number of login attempts.
Dieses Buch führt Sie umfassend in die WebSocket-Technik und die damit einhergehenden neuen Entwicklungsmöglichkeiten ein. Unter den zahlreichen exemplarischen Anwendungen finden sich Beispiele auf Basis von Node.js, Vert.x, und JSR 356, als Programmiersprachen werden Java und JavaScript eingesetzt.
WebSocket - WS^2 2.0
(2015)
Das Websocket-Protokoll hat sich derzeit zu einer wichtigen Technologie für die Entwicklung moderner Webanwendungen durchgesetzt. Mit der Möglichkeit eine dauerhafte bidirektionale Verbindung zwischen Client und Server aufzubauen, ergeben sich neue Anwendungsszenarien, die vorher mit dem reinen HTTP nicht realisierbar waren. Die Einsatzgebiete reichen hier von einfachen Chats bis hin zu komplexen Systemen wie das kollaborative Arbeiten an Dokumenten in Echtzeit. Mittlerweile hat sogar der Instant Messaging-Dienst WhatsApp die Vorteile der WebSocket-Technologie für sich entdeckt und erlaubt Benutzern ihre Nachrichten nun auch über den Webbrowser auszutauschen.
Dieser Workshop soll den Teilnehmern zeigen wie sie die oben genannten oder andere Echzeitwebanwendungen mit der WebSocket-Technologie implementieren können. Nach einer kurzen Einführung wird gezeigt wie es in einfachen Schritten möglich ist, mehr als nur simple Chat-Anwendungen mit den WebSocket-Protokoll zu realisieren. Zudem stellt der Workshop nach Möglichkeit auch die Verwendung von Subprotokollen vor, wodurch auch RPC- sowie Publish and Subscribe-Anwendungen mit WebSockets umgesetzt werden können.
Web of Services Security
(2015)
Software development is a complex task. Merely focussing on functional requirements is not sufficient any more. Developers are responsible to take many non-functional requirements carefully into account. Security is amongst the most challenging, as getting it wrong will result in a large user-base being potentially at risk. A similar situation exists for administrators. Security defaults have been put into place here to encounter lacking security controls. As first attempts to establish security by default in software development are flourishing, the question on their usability for developers arises.
In this paper we study the effectiveness and efficiency of Content Security Policy (CSP) enforced as security default in a web framework. When deployed correctly, CSP is a valid protection mean in a defence-in-depth strategy against code injection attacks. In this paper we present a first qualitative laboratory study with 30 participants to discover how developers deal with CSP when deployed as security default. Our results emphasize that the deployment as security default has its benefits but requires careful consideration of a comprehensive information flow in order to improve and not weaken security. We provide first insights to inform research about aiding developers in the creation of secure web applications with usable security by default.
Echtzeit-orientierte Multimedia-Kommunikation im Internet eröffnet eine Vielzahl neuer Anwendungen. Diese innovative Kommunikationsplattform ist gerade für weltweit operierende Unternehmen von Interesse. So können z.B. durch die Verwendung von VoIP-Lösungen oder Groupware-Applikationen Kosten gesenkt und gleichzeitig die Zusammenarbeit der Mitarbeiter optimiert werden. Dies trifft auch für Video-Konferenzsysteme zu. Anstelle regelmäßiger Meetings, die meist mit Dienstreisen eines Großteils der Teilnehmer verbunden sind, können Konferenzen virtuell durch die Übertragung von Sprachund Videodaten über das Internet abgehalten werden. Die Akzeptanz der beschriebenen Kommunikationsanwendungen hängt stark von den Faktoren Dienstgüte und Sicherheit ab. Die Übertragung der echtzeit-orientierten Mediendaten muss möglichst kontinuierlich erfolgen, so dass sowohl eine ruckelfreie Wiedergabe der Sprache als auch der Bewegtbilder möglich ist. Da Konferenzen firmenintern und vertraulich sind, werden sie hinter verschlossener Tür abgehalten. Das Pendant in der elektronischen Welt muss eine Entsprechung anbieten. Se- curity-Mechanismen haben allerdings einen Einfluss auf Dienstgüteparameter. Dies muss bei der Entwicklung von Techniken zum Schutz multimedialer Kommunikation berücksichtigt und abgestimmt werden. Dieser Beitrag zeigt anhand des Beispiels eines Video-Konferenzsystems für das Internet, wie Sicherheitsmechanismen in echtzeit-orientierte Multimedia-Kommunikationsanwendungen unter Berücksichtigung von Quality of Service (QoS) integriert werden können.