Completed Theses | UCS

Cybersecurity Kids - Crossing the street online: An evaluation of learnability of age-appropriate educational content on cybersecurity & -safety

Mon, 17 Apr 2023 00:00:00 +0000

Abstract

The Internet is full of false claims about supposedly effective preventive- and countermeasures to cybersafety and cybersecurity risks, and the majority of computer users are not well-informed on this topic. The average user utilizes the Internet to educate themselves and, among other things, to answer questions that their children ask. But when it comes to cybersecurity threats, there are plenty of risk measure recommendations on the Internet, which can be confusing. Of the few sites that provide practical measures, there are only a few that comply with current German standards. So, how are German adults (parents and teachers) supposed to qualitatively educate themselves, apply this knowledge and also pass it on to their children? Additionally, how are children, who may be just learning to research, supposed to get reliable cybersafety and cybersecurity knowledge?

This work creates a unified platform in which online risks and coherent recommendations on measures are presented in an age-appropriate manner. In doing so, the abilities of the children’s respective development level must be taken into account in order to create content that can be understood by all user groups (children, guardians, and teachers).

To this end, the informational and educational content will be embedded in a developed website, where the content will be communicated audiovisually to children and to adults in textual form. Practical examples, in the form of pictures, in order to facilitate constructivist learning, are given. Finally, the extent to which the content was able to influence the knowledge of adults and children in the field of cybersecurity risks is measured, by conducting a within-groups study consisting of two online surveys.

This study expands upon the work done by Renaud and Prior and uses the results obtained on risks and their age relevancies for children. Recommendations from numerous German ministries and government agencies were consulted to verify the accuracy and relevance of the proposed measures from the researched websites.

Privatsphären-/ und Benutzbarkeits-fördernde Softwareentwicklungsprozesse für kleine und mittelständische Unternehmen

Wed, 25 May 2022 09:29:56 +0000

Abstract

Small and medium-sized enterprises (SMEs) are dependent on the investigation of methods and development processes for software development in order to develop satisfactory applications for their end users. For this methods to integrate security, privacy, and usability are a central component. As the work of Bender et al., through a survey of publications, shows, there are currently no software development processes that are both suitable for SMEs and integrate the three criteria - security, privacy, and usability. This master thesis aims at counteracting this by proposing a privacy- and usability-enhancing software development process for SMEs.

For this purpose, starting from the work of Bender et al., the approaches from the literature are considered in order to identify suitable processes and methods for the integration of the three criteria in the software development process.

For the determination of the actually used methods, processes and possible requirements for a software development process from the point of view of SMEs, software developers from these SMEs are surveyd in the form of interviews. The findings from the literature research as well as the interviews with the developers of the SMEs are then compiled.

The interviews show that SMEs have special requirements for a software development process only in exceptional cases, but they do have a large diversity of projects. These disallow the meaningful formulation of a generally applicable software development process with concrete methods and techniques, since the choice of the suitable methods is to be made in dependence on the projects and their concrete context.

So that the SMEs are able to integrate suitable methods in their software development process, 14 principles are formulated in the result of this master thesis. These principles can be used by the companies as a guideline for the integration of security, privacy and usability. In doing so, the principles are drawn from the methods and recommendations in the literature and the methods used by SMEs. The principles are placed in the combined process model, which results from the description of the software development pro- cesses by the interviewed participants.

Performanz Evaluation von PQC in TLS 1.3 unter variierenden Netzwerkcharakteristiken

Wed, 23 Feb 2022 00:00:00 +0000

Abstract

The used cryptographic primitives rely on the computational difficulty of certain mathematical problems. In the last years there has been much research on quantum computers which could be able to efficiently solve these problems in future years. Especially asymmetric primitives, used for authentication and key exchange could be broken. The affected algorithms are actually used within many internet protocols and applications and quantum-safe alternatives are urgently needed. NIST started a process to find and standardize quantum-safe digital signature schemes and key establishment schemes, but the candidates and alternatives come along with specific characteristics and differ from classical proceedings. So, besides analyzing the security of these new algorithms, it is also necessary to evaluate their performance and integrability into existing infrastructures and applications. Especially the integration into TLS protocol, used within about 90 percent of today’s internet connections, plays an important role. The current version 1.3 uses the threatened asymmetric primitives for both, digital signatures and key establishment.

In this work, NIST candidates and alternatives for quantum-safe key establishment were evaluated while using them within TLS 1.3. The focus was on analyzing the performance trend while changing certain network parameters like rate or packetloss and examining the suitability of the PQC algorithms under different network scenarios and in the entire application context. To achieve this, the framework of Paquin, Stebila, and Tamvada was extended to emulate various network conditions while frequently establishing a TLS 1.3 connection and measuring handshake duration.

Among our key results, we observe that on the one hand the evaluated candidates Kyber, Saber and NTRU as well as the alternative NTRU Prime achieve very good overall performance and partially beat the classical ECDH. Choosing a higher security level or hybrid versions does not have a significant impact to the handshake times. On the other hand the alternatives FrodoKEM, HQC, SIKE and BIKE show individual disadvantages and the performance is linked to the used security level and variant. This applies in particular to FrodoKEM. SIKE seems to be a worthwhile alternative in specific circumstances, like rates less than 2 Mbps, due to its small key and ciphertext sizes. In general, network conditions should be taken into account while choosing the algorithm and parameter set. Furthermore, it becomes clear that the handshake performance dependents on numerous factors, like TCP mechanisms and MTU, which could compensate the disadvantages of PQC or make them obsolete.

Reifegradmodell für die Krypto-Agilität

Tue, 26 Oct 2021 00:00:00 +0000

Abstract

Quantum computers threaten to fundamentally endanger the security of cryptography used today. In addition to the development of algorithms that are resistant to attacks by quantum computers, crypto-agility is an important field of research in order to be able to exchange algorithms in time and thus be safer from the impending danger. Since there is no general guideline describing how crypto-agility should be implemented for IT systems, this thesis conducts a literature study and aggregates the requirements from existing research to develop a maturity model. The resulting model fulfills the properties identified as necessary to facilitate a crypto-agile system design. The evaluation and improvement of the crypto-agile properties are successfully tested on the example of a real system. Positive feedback from potential users of the model is collected in an initial expert survey. By gaining popularity and through extensive usage, this model supports further research into crypto-agility and ensures the future security of today’s infrastructure by enabling the simple exchange of existing cryptography with PQC methods.

Bewertung der Relevanz von Krypto-APIs auf Basis eines Scoring-Ansatzes

Mon, 22 Feb 2021 00:00:00 +0000

The main results of the work will be presented at the European Interdisciplinary Cybersecurity Conference - EICC 2022.

For detais see our upcoming paper: cryptolib: comparing and selecting cryptography libraries

Abstract

Technological advancement and ongoing digitalization are creating more and more security-critical requirements for software developers. At the same time there is a big and ever-growing amount of cryptographic APIs. Identifying why certain APIs are used more frequently than others is not an easy task. Furthermore, it is difficult to recognize the reasons behind the utilization of an certain API in software development. Which APIs are relevant and important for developers? Which attributes are involved? There are a couple of scientific contributions that analyze APIs or introduce attributes under different points of view at the time of writing. The new attributes, that have been introduced within this thesis, are following the known literature. This thesis evaluates related work for useful attributes and conducts interviews to generate new attributes for the creation of a new Scoring. The Scoring is based on 15 new attributes condensed from 78 attributes from related work and 50 attributes from interviews. The new Scoring is set up with related descriptions and information for valuating APIs. The chosen at- tributes have been evaluated, with regard to their suitability, by conducting a survey. Additionally, the scoring was used on two APIs as an example to show the rating in action. This thesis established suitable attributes for the rating of cryptographic APIs, that have been analyzed and tested. From those, a scoring was developed, that can be used as a decision support for developers. By using the scoring, existing APIs may be indexed and added to a ranking. Thus, from now on, relevant APIs may be identified and compared.

Benutzbarkeit von zustandsbehafteten, Hash-basierten Signaturverfahren

Fri, 16 Nov 2018 00:00:00 +0000

Abstract

Quantum computers pose a danger to asymmetric cryptographic schemes. As development continues, schemes such as RSA will likely be broken in a few years’ time. For this reason, different algorithms that would also withstand powerful quantum computers are already being considered today. One class of such algorithms are hash-based signature schemes, some of which, including XMSS, are stateful. This leads to additional challenges for error-free use and integration in IT systems by developers. However, the security of IT systems depends on the correct use of cryptographic algorithms. This thesis therefore proposes a usable API design for stateful signature schemes using XMSS/XMSSMT as an example. This design was developed through a series of interviews with software developers, prototypically implemented and evaluated in further user studies. It was shown that the API can manage the stateful key in a way that is transparent to the user. However, this leads to many of the study’s participants not being aware of using stateful schemes. Regarding the documentation and applicability of the API, good results could be achieved.