Ongoing projects and activities
CANVAS – Constructing an Alliance for Value-driven Cybersecurity – H2020 CSA (2016–2019)
The consortium will take three domains of application with unique value-profiles and complementing cybersecurity exigencies – the health system, finance, and police / national security – as starting point for outlining problems related to value-driven cybersecurity. Using a three-step process, CANVAS will (1) structure existing knowledge, (2) design a network for exchanging knowledge and generating insights across domains, and (3) disseminate the insights gained through three means: A reference curriculum for value-driven cybersecurity with a focus on industry-training, briefing packages for policy stakeholders, and a MOOC (massive open online course) on value-driven cybersecurity. More details can be found on the CANVAS Website.
AN.ON-Next – Anonymity Online Next Generation – BMBF (2016–2019)
This project has the long-term vision to integrate privacy enhancing technologies into the infrastructure of the Internet to make them available and usable for everyone. To this end, the project will look into lightweight techniques that provide a basic level of protection as well as fundamental approaches that allow to provide strong protection without sacrificing bandwidth and latency. The concepts will be implemented and pilots will be evaluated with business partners. More details can be found on the AN.ON-Next Website.
AppPETs – Privacy Enhancing Technologies for Mobile Apps – BMBF (2016–2019)
This project aims to make it easier for developers to integrate privacy enhancing technologies into their smartphone apps. The project will set up a privacy infrastructure, which enables users to verify the protection of their personal data. Moreover, the project will study fair business models that are accepted by both vendors and users. More details can be found on the AppPETs Website.
DREI – Datenschutzrespektierende Erkennung von Insidern – BMBF (2016–2018)
We will design a distributed solution for security control centers that allows to detect insider attacks via anomaly detection. The project strives for high acceptance by implementing legal requirements regarding the privacy rights of employees. More details can be found on the DREI Website.
EnEff:Wärme – Sichere IKT-Infrastruktur für Energie-Effizienz-Verbünde – BMWi (2016–2019)
The core goal of this project is to investigate on the security of information and communication technology (ICT) infrastructure, which is used for the intelligent control of decentralized energy systems in energy efficiency networks in Germany and to develop appropriate security measures. The results from the previous project "EnEff: Wärme – SmartPower Hamburg" will be applied and utilized in this follow-up project. The security of ICT infrastructure is a critical requirement for the implementation and setup of intelligent control and optimization. The project results will – considering the cost-effectiveness – enable regions, cities and districts to benefit from secure and intelligent control solutions of decentralized energy systems. At the same time, they are enabled to identify and minimize threats to the greater energy system (critical infrastructure) through missing or incorrect security mechanisms for the ICT infrastructure. Thus, the economic risk for market participants can be estimated and minimized. Furthermore and if necessary, new perspectives (advisory services to other participants, marketing own sample solutions, further research projects) can be deduced.
Selected finished pojects and activities
Economic Principle Oriented Security Management
Modern security management should be based upon economic principles. For this purpose organisations need data, tools and techniques for the cost-benefit-analysis of security investments as well as methods to integrate the results of that kind of analysis into their overall information security management systems. Our research in this area has three main goals:
- Identifying methods for providing organisations with accurate data for evaluating security investments and building a system for the sharing of information security relevant data among organisations.
- Evaluation and development of metrics, tools and techniques for an economically oriented security management.
- Integrating economic principles into information security management and building a new process model for information security management.
Website Fingerprinting and User Linkability
It is rather easy to protect the confidentiality of the contents of messages using encryption techniques. It is fundamentally more difficult to hide the relationship between sender and receiver of messages, though, because addresses may be required for message routing and thus cannot be encrypted. Protecting communication relationships is especially important on the Internet and similar networks as destination addresses often reveal a lot about the actual contents of the messages.
Our goal is to protect users against traffic analysis attacks infringing users' privacy. Those attacks may allow a passive observer on a network to induce communication relationships and contents of messages via pattern matching and classification techniques from the data mining field. Such attacks may constitute a serious risk for users' privacy as they are difficult to detect and counter. We analyse the extent and risks of two particular attacks, namely website fingerprinting attacks, which allow the identification of websites retrieved over an encrypted line, and user linkability attacks, which enable an attacker to track individual users over multiple sessions solely based on the users' characteristic surfing behaviour. Early results indicate that both attacks can be perpetrated under certain circumstances successfully. We measure the effectiveness of the two attacks for various systems and circumstances using real-life datasets.
Designing and deploying countermeasures that protect users from such attacks is challenging: effective protection usually involves additional traffic or considerably delays, which is inacceptable in many cases. Wide-spread adoption of privacy-enhancing techniques depends on good usability and high efficiency, though. We approach this challenge from two sides: on the one hand we analyse the integration of protective measures like padding and dummy traffic into protocols and systems that already exist today; on the other hand we propose next generation systems that are incompatible with legacy technologies, but may offer superior privacy properties to their users.
gMix: A generic Open Source Framework for Mixes
Mixes are a technique to realize anonymous and unobservable communication. Numerous mixing strategies have been proposed since David Chaum suggested the basic mix concept in 1981. While some practical systems are available, the majority of the proposed mix techniques has never been deployed publically. Our goals are to
- provide a comprehensive code repository of compatible and easily extensible mix implementations,
- simplify the process of building new practical mix systems,
- evaluate existing and new mixing strategies under the same conditions,
- provide easily accessible solutions for educational purposes.
The implementations are organized in a framework. All source code is released under the GPLv3 on the project website [URL
Security in Vehicular Ad Hoc Networks
Vehicular ad hoc networks (VANETs) have the potential to increase road safety and comfort. Especially because of the road safety functions, there is a strong demand for security in VANETs. Simply using digital signatures and a public key infrastructure (PKI) to protect message integrity is insufficient taking into account multilateral security. Our main goal is to develop a security architecture for VANETs that balances security requirements of all participants. We also try to identify and - if necessary - develop feasible mechanisms that fit in this architecture. Finally, we evaluate the architecture and mechanisms in simulations.
Conference: Privacy Enhancing Technologies Symposium 2010
We organised the annual conference of the Privacy Enhancing Technologies community in Berlin.
AN.ON: Anonymity.Online (Starke Unbeobachtbarkeit und Anonymität im Internet) sponsored by BMWI
The realization of anonymous and unobservable communication in the Internet is a difficult problem. Most existing systems reduce the security to achieve higher performance. To evaluate the feasibility and costs of anonymity in the Internet and to explore several deployment opportunities we are developing an anonymity system that withstands traffic analysis. Our goal is to develop, implement, evaluate and provide a secure and scaleable technical infrastructure for anonymous communication. [URL]
Visual cryptography was introduced by Moni Naor und Adi Shamir in 1994. In 2005 we dedicated theoretical and practical student projects to this fascinating topic. The projects analysed the underlying mechanisms as well as potential applications for visual cryptography. In addition to that an easy to use GUI-based java program has been developed that can be used to demonstrate the mechanisms behind visual cryptography. The program encrypts and decrypts user-defined images and supports various encryption modes (including threshold schemes as well as encryption of colour and greyscale images) which makes it an ideal choice for teaching and experimenting.
Conference: Sicherheit 2005 sponsored by Gesellschaft für Informatik e.V.(GI) (2005)
We organised the annual meeting and conference of the Gesellschaft für Informatik e.V.(GI) in Regensburg. It included workshops, tutorials, talks and discussions from, with and for IT professionals and was held in the University and in the University Hospital of Regensburg.
There have been many years of intensive research on biometric methods that can be used for the purpose of feature-based authentication. A typical application scenario is an access control system that grants access to authorized persons by recognition of their biometric characteristics. This project examined the requirements for biometric authentication, depending on their intended use. Specifically, it was analyzed whether the established methods of face-recognition meet the developed requirements and where the weaknesses of these methods are. For demonstration purposes, a prototype of a face recognition system was developed and tested. In addition, fingerprint systems in the consumer segment were tested regarding their reliability.
Anti Phishing Project
In 2004, a sharp increase in phishing attempts was observed. Therefore this project was initiated to categorize, analyze and evaluate the existing ways to protect against phishing. Based on that a proposal for a new protection mechanism was developed.