ZISC Worksop 2015: Information Security
Date: September 18, 2015
Place: ETH Zurich, campus Zentrum, GEP pavilion (room MM C 78.1)
The annual ZISC Workshop on Information Security brings together some of the top experts in information security to present their latest views and results and discuss the emerging trends and security technologies with security researchers and practitioners in a casual atmosphere. This year’s workshop will feature talks on topics including research advances in Public Key Infrastructures and the future Internet, security of cyberphysical systems, and security in electronic voting.
08:30h Registration ETH Zentrum, Rämistrasse 101, CH-8006 Zurich, Switzerland, in the GEP pavilion
08:55h Opening note by David Basin
09:00-10:00h: Thomas Ristenpart (Cornell Tech), Honey Encryption: Beyond the Brute-force Barrier
10:30-11:30h: Matthew Smith (University of Bonn), The Need for a Usable TLS Public Key Infrastructure
11:30-12:30h: Eran Messeri (Google), Certificate Transparency: Early Deployment Experiences of a new Certificate Accountability Infrastructure
13:30-14:30h: Ben Smyth (Huawei), Hacking voting systems for cash, fun, and power
14:30-15:30h: Srdjan Capkun (ETH Zurich), Location Based Authentication
16:00-17:00h: Dieter Gollmann (Hamburg University of Technology), Security in cyber-physical systems
Title: Location Based Authentication
Bio: Srdjan Capkun (Srđan Čapkun) is a Full Professor in the Department of Computer Science, ETH Zurich and Director of the Zurich Information Security and Privacy Center (ZISC). He was born in Split, Croatia. He received his Dipl.Ing. Degree in Electrical Engineering / Computer Science from the University of Split in 1998, and his Ph.D. degree in Communication Systems from EPFL in 2004. Prior to joining ETH Zurich in 2006 he was a postdoctoral researcher in the Networked & Embedded Systems Laboratory (NESL), University of California Los Angeles and an Assistant Professor in the Informatics and Mathematical Modelling Department, Technical University of Denmark (DTU). His research interests are in system and network security. One of his main focus areas is wireless security. He is a co-founder of 3db Access, a spin-off focusing on secure proximity-based access control.
Title: Security in cyber-physical systems
Abstract: We describe an approach for analysing and attacking the physical part (a process) of a cyber-physical system. The stages of this approach are demonstrated in a case study, a simulation of a vinyl acetate monomer plant. We want to demonstrate in particular where security has to rely on expert knowledge in the domain of the physical components and processes of a system and that there are major challenges for converting cyber attacks into successful cyber-physical attacks.
Bio: Prof. Dieter Gollmann received his Dipl.-Ing. in Engineering Mathematics (1979) and Dr.tech. (1984) from the University of Linz, Austria, where he was a research assistant in the Department for System Science. He was a Lecturer in Computer Science at Royal Holloway, University of London, and later a scientific assistant at the University of Karlsruhe, Germany, where he was awarded the ‘venia legendi’ for Computer Science in 1991. He rejoined Royal Holloway in 1990, where he was the first Course Director of the MSc in Information Security. He moved to Microsoft Research in Cambridge in 1998. In 2003, he took the chair for Security in Distributed Applications at Hamburg University of Technology, Germany. Dieter Gollmann is an editor-in-chief of the International Journal of Information Security and an associate editor of the IEEE Security & Privacy Magazine. His textbook on ‘Computer Security’ has appeared in its third edition.
Title: Certificate Transparency: Early Deployment Experiences of a new Certificate Accountability Infrastructure
Abstract: What is it like to change the Public Key Infrastructure? This talk is based on our experience deploying Certificate Transparency, which Chrome now requires for Extended Validation. I’ll explore the issues encountered when implementing a theoretical security mechanism, then the challenges for providing strong security guarantees to clients participating in Certificate Transparency. We hope that the real-world constraints described in this talk would help in design or evaluation of other security protocols.
Bio: Eran is a software engineer on the security team at Google, focusing on Certificate Transparency. Before than, Eran has improved Google’s development and testing infrastructure. He has been building software in various fields, including embedded systems, networking, file-systems and device drivers for 15 years. Eran has a master’s degree in computer science from Bar Ilan University, Israel. These days, you’re likely to find at his desk a handful of electronic components connected to some sort of microcontroller.
Title: Honey Encryption: Beyond the Brute-force Barrier
Abstract: We introduce honey encryption (HE), a general approach to encrypting messages using low min-entropy keys such as passwords. HE is designed to produce a ciphertext which, when decrypted with any of a number of incorrect keys, yields plausible-looking but bogus plaintexts called honey messages. A key benefit of HE is that it provides security in cases where too little entropy is available to withstand brute-force attacks that try every key; in this sense, HE provides security beyond conventional brute-force bounds. We argue that HE can significantly improve security in a number of practical settings. We build concrete HE schemes for password-based encryption of RSA secret keys and credit card numbers. We then go on to build a full HE-powered password vault system, like those commercially offered by companies such as LastPass, that resists offline brute-force attacks. This is joint work with Joseph Bonneau, Rahul Chatterjee, and Ari Juels.
Bio: Thomas Ristenpart is an Associate Professor at Cornell Tech and a member of the Computer Science department at Cornell University. Before joining Cornell Tech in May, 2015, he spent four and a half years as an Assistant Professor at the University of Wisconsin-Madison. His research spans a wide range of computer security topics, with recent focuses on new threats to, and improved opportunities for, cloud computing security, as well as topics in applied and theoretical cryptography. His work has been featured in the New York Times, the MIT Technology Review, ABC News, U.S. News and World Report, and elsewhere. He completed his PhD at UC San Diego in 2010. He received the UC San Diego Computer Science and Engineering Department Dissertation Award, an NSF CAREER Award, Best Paper Award at USENIX Security 2014, and a Sloan Research Fellowship.
Title: The Need for a Usable TLS Public Key Infrastructure
Abstract: Many aspects of information security combine technical and human factors. If a highly secure system is unusable, users will try to circumvent the system or move entirely to less secure but more usable systems. Problems with usability are a major contributor to many high-profile security failures today. The research domain of usable security & privacy addresses these issues. However, up until now the main focus of researcher in this field has been the end-user. After giving a brief introduction into the field the presenter will argue that the current TLS Ecosystem is rife not only with security issues but many usability issues as well. The talk will present the usability problems of TLS with the current CA based public key infrastructure for all the involved actors: users, administrators and developers and discuss the need for a better underlying infrastructure.
Bio: Matthew Smith is a Professor for Usable Security and Privacy at the Rheinische Friedrich-Wilhelms-Universität Bonn, Germany. He completed his studies of Computer Science & Electrical Engineering at the University of Siegen, Germany with distinction. Subsequently he was a full time researcher at the Philipps Universität Marburg, Germany where he completed his PhD in 2008, also with distinction. In 2009 he was awarded the PhD Prize for outstanding innovation by the Gesellschaft zur Förderung des Forschungstransfers (GFFT e.V.). His research is focused on the human factors of security and privacy mechanisms with a wide range of application areas, including SSL and network security, authentication, mobile and app security and most recently usable security for developers.
Title: Hacking voting systems for cash, fun, and power
Abstract: Traditional, paper-based voting systems are reliant on extensive trust assumptions. Unfortunately, instead of being trustworthy, many systems are vulnerable to attacks that could bring elections into disrepute. The shift to electronic voting systems has largely exasperated this problem. In this talk, I will show how cryptography can be used to secure the voting systems we use in real-life, eliminating the need for blind trust. First, I will present an informal introduction to electronic voting. Secondly, I will review the Helios electronic voting system, and highlight known attacks. Finally, I will present computational definitions of ballot secrecy and verifiability, and show that Helios can be patched to satisfy these definitions. The talk is based upon papers with David Bernhard, Michael Clarkson, Véronique Cortier, and Steven Frink (see http://bensmyth.com/publications.php for details).
Bio: Ben Smyth is responsible for establishing and leading research operations for Huawei’s Shield Lab in Paris. His research enables security properties of cryptographic protocols to be studied and he broadly focuses on the following complimentary topics: specifying and analysing properties of cryptographic protocols, and developing procedures for the evaluation of security properties. In addition, he designs cryptographic protocols and proves that they are secure. Prior to joining Huawei, Smyth has worked as: a postdoctoral researcher at LORIA, Nancy, France; a Toshiba Fellow at Toshiba’s Research & Development Center, Kawasaki, Japan; and a postdoctoral researcher at INRIA, Paris, France. More information can be found on his web page: http://www.bensmyth.com/.