<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Developer Support | UCS</title><link>/tag/developer-support/</link><atom:link href="/tag/developer-support/index.xml" rel="self" type="application/rss+xml"/><description>Developer Support</description><generator>Hugo Blox Builder (https://hugoblox.com)</generator><language>en-us</language><lastBuildDate>Sun, 01 Jan 2023 00:00:00 +0000</lastBuildDate><image><url>/media/logo_hu12465375348167678909.png</url><title>Developer Support</title><link>/tag/developer-support/</link></image><item><title>LEAK</title><link>/project/leak/</link><pubDate>Sun, 01 Jan 2023 00:00:00 +0000</pubDate><guid>/project/leak/</guid><description>&lt;p>The ATHENE Leak project addresses side-channel analysis attacks (SCA) by developing a so-called natural leakage model that is closer to the hardware than standard leakage models and thereby more precise and effective.&lt;/p>
&lt;p>As full electrical simulations of complex hardware are usually too resource-intensive, common leakage models
abstract the hardware on the register-transfer-level (RTL) and are thereby much more resource-friendly during simulations.&lt;/p>
&lt;p>A natural leakage model combines the resource-friendliness with measured behavior of the hardware. Based on this model, the project aims to further adapt and develop performance-optimized countermeasures against SCA on PQC-Algorithms implemented on the RISC-V platform.&lt;/p>
&lt;p>The intended project results (a natural leakage model and optimizations) can be used to support hardware engineers during the development, hardening and testing of hardware-based security solutions. Thereby the number of prototypes before final rollout of new hardware will be reduced, speeding up the development process and saving costs in the development and hardening process.&lt;/p>
&lt;h4 id="contact">Contact&lt;/h4>
&lt;p>&lt;a href="/author/nicolai-schmitt">Nicolai Schmitt&lt;/a>&lt;/p></description></item><item><title>Privatsphären-/ und Benutzbarkeits-fördernde Softwareentwicklungsprozesse für kleine und mittelständische Unternehmen</title><link>/theses/2022-konczewski/</link><pubDate>Wed, 25 May 2022 09:29:56 +0000</pubDate><guid>/theses/2022-konczewski/</guid><description>&lt;h2 id="abstract">Abstract&lt;/h2>
&lt;p>Small and medium-sized enterprises (SMEs) are dependent on the investigation of methods and development processes for software development in order to develop satisfactory applications for their end users. For this, methods to integrate security, privacy, and usability are a central component. As the work of &lt;a href="https://dl.acm.org/doi/10.1145/3465481.3470022" target="_blank" rel="noopener">Bender et al.&lt;/a>, through a survey of publications, shows, there are currently no software development processes that are both suitable for SMEs and integrate the three criteria - security, privacy, and usability. This master thesis aims at counteracting this by proposing a privacy- and usability-enhancing software development process for SMEs.&lt;/p>
&lt;p>For this purpose, starting from the work of &lt;a href="https://dl.acm.org/doi/10.1145/3465481.3470022" target="_blank" rel="noopener">Bender et al.&lt;/a>, the approaches from the literature are considered in order to identify suitable processes and methods for the integration of the three criteria in the software development process.&lt;/p>
&lt;p>To determine the methods and processes actually in use, as well as possible requirements for a software development process from the point of view of SMEs, software developers from these SMEs are surveyed in the form of interviews. The findings from the literature research as well as the interviews with the developers of the SMEs are then compiled.&lt;/p>
&lt;p>The interviews show that SMEs have special requirements for a software development process only in exceptional cases, but they do have a large diversity of projects. This diversity does not permit the meaningful formulation of a generally applicable software development process with concrete methods and techniques, since the choice of suitable methods depends on the projects and their concrete context.&lt;/p>
&lt;p>So that the SMEs are able to integrate suitable methods in their software development process, 14 principles are formulated as the result of this master thesis. These principles can be used by the companies as a guideline for the integration of security, privacy and usability. In doing so, the principles are drawn from the methods and recommendations in the literature and the methods used by SMEs. The principles are placed in the combined process model, which results from the description of the software development processes by the interviewed participants.&lt;/p></description></item><item><title>David Konczewski successfully defends his master's thesis (DE)</title><link>/post/thesis-konczewski-2022/</link><pubDate>Wed, 25 May 2022 03:49:13 +0000</pubDate><guid>/post/thesis-konczewski-2022/</guid><description>&lt;p>At the final colloquium, Mr. David Konczewski successfully presented and defended the results of his master&amp;rsquo;s thesis, entitled
&lt;em>&amp;ldquo;Privatsphären-/ und Benutzbarkeits-fördernde Softwareentwicklungsprozesse für kleine und mittelständische Unternehmen&amp;rdquo;&lt;/em>. Congratulations.&lt;/p>
&lt;h2 id="zusammenfassung--abstract">Summary / Abstract&lt;/h2>
&lt;p>Small and medium-sized enterprises (SMEs) depend on research into methods and development processes for software development in order to develop, with the resources available to them, applications that satisfy their end users. Methods for integrating security, privacy and usability are a central component of this. As the work of &lt;a href="https://dl.acm.org/doi/10.1145/3465481.3470022" target="_blank" rel="noopener">Bender et al.&lt;/a> shows through a survey of publications, there are currently no software development processes that are both suitable for SMEs and promote the integration of the three criteria - security, privacy and usability. This master thesis aims to counteract this by proposing a privacy- and usability-enhancing software development process for SMEs.&lt;/p>
&lt;p>For this purpose, starting from the work of &lt;a href="https://dl.acm.org/doi/10.1145/3465481.3470022" target="_blank" rel="noopener">Bender et al.&lt;/a>, the approaches from the literature are examined in order to identify suitable processes and methods for integrating the three criteria into a software development process. To determine the methods and processes actually in use, as well as possible requirements for a software development process from the point of view of SMEs, software developers from these SMEs are surveyed in interviews. The findings from the literature research and from the interviews with the SME developers are then brought together.&lt;/p>
&lt;p>The interviews show that SMEs place special requirements on a software development process only in exceptional cases, but that they encounter a great diversity of projects. This diversity does not permit the meaningful formulation of a generally applicable software development process with concrete methods and techniques, since the choice of suitable methods depends strongly on the projects and their concrete context.&lt;/p>
&lt;p>So that SMEs are able to integrate suitable methods into their software development process, 14 principles are formulated as the result of this master thesis. These principles can be used by the companies as a guideline for integrating security, privacy and usability. The principles are extrapolated from the methods and recommendations in the literature and from the methods used by the SMEs. The principles are placed in the combined process model that results from the description of the software development processes by the interview participants.&lt;/p></description></item><item><title>Paper accepted at EICC 2022</title><link>/post/paper-eicc-2022/</link><pubDate>Thu, 05 May 2022 00:00:00 +0000</pubDate><guid>/post/paper-eicc-2022/</guid><description>&lt;p>Our paper &amp;ldquo;cryptolib: comparing and selecting cryptography libraries&amp;rdquo; by Jan Wohlwender, Rolf Huesmann, Andreas Heinemann and Alexander Wiesmaier will be presented at the &lt;a href="https://www.fvv.um.si/eicc2022/" target="_blank" rel="noopener">European Interdisciplinary Cybersecurity Conference 2022&lt;/a> (EICC 2022) on June 15/16.&lt;/p>
&lt;p>This work is based on the results of Jan Wohlwender&amp;rsquo;s Master&amp;rsquo;s thesis. Jan completed his Master&amp;rsquo;s programme at the Department of Computer Science with a focus on IT security.&lt;/p></description></item><item><title>Bewertung der Relevanz von Krypto-APIs auf Basis eines Scoring-Ansatzes</title><link>/theses/2021-wohlwender/</link><pubDate>Mon, 22 Feb 2021 00:00:00 +0000</pubDate><guid>/theses/2021-wohlwender/</guid><description>&lt;p>The main results of the work will be presented at the European Interdisciplinary Cybersecurity Conference - EICC 2022.&lt;/p>
&lt;p>For details see our upcoming paper: &lt;a href="/publication/2022-eicc-wohlwender-cryptolib/">cryptolib: comparing and selecting cryptography libraries&lt;/a>&lt;/p>
&lt;h2 id="abstract">Abstract&lt;/h2>
&lt;p>Technological advancement and ongoing digitalization are creating more and more security-critical requirements for software developers. At the same time there is a big and ever-growing amount of cryptographic APIs. Identifying why certain APIs are used more frequently than others is not an easy task.
Furthermore, it is difficult to recognize the reasons behind the utilization of a certain API in software development.
Which APIs are relevant and important for developers? Which attributes are involved?
At the time of writing, there are a couple of scientific contributions that analyze APIs or introduce attributes under different points of view. The new attributes introduced within this thesis follow the known literature.
This thesis evaluates related work for useful attributes and conducts interviews to generate new attributes for the creation of a new Scoring. The Scoring is based on 15 new attributes condensed from 78 attributes from related work and 50 attributes from interviews. The new Scoring is set up with related descriptions and information for valuating APIs. The chosen attributes have been evaluated, with regard to their suitability, by conducting a survey. Additionally, the scoring was used on two APIs as an example to show the rating in action.
This thesis established suitable attributes for the rating of cryptographic APIs that have been analyzed and tested. From those, a scoring was developed that can be used as a decision support for developers. By using the scoring, existing APIs may be indexed and added to a ranking. Thus, from now on, relevant APIs may be identified and compared.&lt;/p></description></item><item><title>PQC Integration</title><link>/project/pqc/</link><pubDate>Wed, 01 Jan 2020 00:00:00 +0000</pubDate><guid>/project/pqc/</guid><description>&lt;p>Asymmetric cryptography, which is widely used every day for authentication and key exchange in communication protocols, is threatened by the ongoing development of quantum computers. Quantum computers have the potential to defeat the security of classical algorithms like RSA or ECDH and break the underlying mathematical problems within the next few years. To further ensure security, the National Institute of Standards and Technology (NIST) started a process in 2016 to find novel, quantum-resistant algorithms (PQC) for execution on classical computers, equivalent to the classical ones. These novel algorithms have to be accessible to software developers as well as being tested and integrated into existing software.&lt;/p>
&lt;p>The PQC-Integration-Project develops concepts for easy and safe integration of quantum-safe cryptography with a focus on crypto-agility. Further research aspects are performance in real-world applications, usability &amp;ndash; including safe and easy-to-use APIs, as well as concepts to migrate large infrastructures.&lt;/p></description></item></channel></rss>