Esecurity: secure internet & e-passports

This course is listed in Aachen Campus as Esecurity: secure internet & e-passports and in Bonn Basis as Esecurity: secure internet & e-passports.

Responsible

Prof. Dr. Joachim von zur Gathen

Lecture

Michael Nüsken

Time & Place

Tuesday, 13³⁰-15⁰⁰, b-it bitmax.
Wednesday, 14³⁰-16⁰⁰, b-it Marshallsaal.
Tutorial: Tuesday, 15¹⁵-16⁴⁵, b-it bitmax.

First meeting: Tuesday, 08 April 2014.

Exam

Pre-exam meeting: Monday, 18 August, 14⁰⁰, b-it 1.25

Exam: Wednesday, 20 August 2014, 14⁰⁰, b-it Marschallsaal.

Post-exam meeting: Friday, 29 August 2014, 11⁰⁰, b-it 1.25 (cosec meeting room).

Exam2 (repetitions only): Monday, 20 October 2014, 14⁰⁰, b-it 1.25.

Notes

The screen notes (PDF 40.0MB) contain all handwritten stuff (last updated 17 July 2014, 11:21).

Exercises

Exercise 1 (PDF, last updated 10 April 2014, 17:42).
Exercise 2 (PDF, last updated 16 April 2014, 17:18).
Exercise 3 (PDF, last updated 23 April 2014, 16:41).
Exercise 4 (PDF, last updated 30 April 2014, 16:34).
Exercise 5 (PDF, last updated 07 May 2014, 16:28).
Exercise 6 (PDF, last updated 14 May 2014, 16:53).
Exercise 7 (PDF, last updated 22 May 2014, 11:02).
Exercise 8 (PDF, last updated 28 May 2014, 12:57).
Exercise 9 (PDF, last updated 06 June 2014, 12:55).
Exercise 10 (PDF, last updated 18 June 2014, 22:38).
Exercise 11 (PDF, last updated 26 June 2014, 11:02).
Exercise 12 (PDF, last updated 03 July 2014, 13:53).
Exercise 13 (PDF, last updated 10 July 2014, 12:31).
Exercise 14 (PDF, last updated 17 July 2014, 10:06).

Allocation

4+2 SWS.

Master in Media Informatics: Computer and Communication Technology.
8 ECTS credits.
Optionally, 3+2 SWS, 6 ECTS credits. On request a breakpoint at about 3/4 of the teaching time will be defined, and only the course material up to that point will be relevant for their exams and grades.
Master in Computer Science at University of Bonn: MA-INF 3222.
9 CP.
Students have to register this course with POS/BASIS.
Recommendation for diploma students of University of Bonn - Computer Science: A or A1, respectively.

Prerequisites

Basic knowledge in cryptography is needed, as for example the course Cryptography held in the previous winter. Compare our programme.

This course is about various aspects of security in the internet. In the first part we deal with secure connections, whereas the second part considers electronic voting schemes involving further tasks.

Who can read my email?
How do I know that eBay is eBay, or amazon is amazon?
What is the public key of Angela Merkel? Where do I get it and how do I verify that it's really hers?
...

In the internet a large variety of protocols ("chatting programs") are in use to make this or that `secure'. VPN, IPsec, SSL, PKI, PGP are just a few tokens that need explanations. We will try to understand a little of that and how things are used and made available.

Passports shall carry more and more sensitive information in a easily accessible way in the future. This information may, apart from name, origin and the like, contain fingerprints or retina scans. And it is stored in electronic form, and it can be accessed by wireless transmissions. This raises a lot of new problems:

The passport holder cannot immediately control the contents of the stored information.
Unauthorized eavesdroppers might be able to gather or actively read information from the passport unnoticed. So one could think that identifying a certain person passing at a certain place, or tracking her path through a department store might be possible.
Personal rights of a person are touched when acquiring and storing biometric information.

The course will try to give an overview what and how things are implemented. We will discuss the concerns of and threats to holders, society and government. Biometrical information has long been used to identify persons. Already, in 1901 Scotland Yard started to use fingerprints to identify criminals. Since then various other methods have been introduced: iris scan, face recognition, retina scans, hand geometry to name just the most prominent. Since about 1965 people have tried to automate all these identification methods. This has shown many difficulties. It is still not clear which information identify a person: for example, though it is widely believed that fingerprints do, only few scientific studies are available. And it turns out to be pretty difficult to find a reliable automatic pattern matcher. Mind that it is not like searching a given fixed string in a dictionary. You have to find the template(s) that are most similar to a given one, or tell that there is none within given bounds.

Literature

Phong Nguyen (2004). Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard v1.2.3. EUROCRYPT 2004.
D. Cooper et al. (2008). Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280.
Russ Cox (2008). Lessons from the Debian/OpenSSL Fiasco.
H. D. Moore (2008). The bug.
IETF (2006). SSH.
- The Secure Shell (SSH) Transport Layer Protocol RFC4253
- The Secure Shell (SSH) Protocol Assigned Numbers RFC4250
- The Secure Shell (SSH) Protocol Architecture RFC4251
- The Secure Shell (SSH) Authentication Protocol RFC4252
- The Secure Shell (SSH) Connection Protocol RFC4254
IETF (2004-2011). TLS/SSL.
- The Transport Layer Security (TLS) Protocol Version 1.2 RFC5246
- Transport Layer Security Protocol Compression Methods RFC3749
- Transport Layer Security (TLS) Extensions: Extension Definitions RFC6066
- Using OpenPGP Keys for Transport Layer Security (TLS) Authentication RFC6091
- Pre-Shared Key Ciphersuites for Transport Layer Security (TLS) RFC4279
- Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) RFC4492
P. Rogaway & D. Wagner (2003). A Critique of CCM.

Epassport related:

ICAO (2005-2008). Doc 9303.
BSI (-2010). BSI TR-03110: Advanced Security Mechanisms for Machine Readable Travel Documents ? Extended Access Control (EAC), Password Authenticated Connection Establishment (PACE), and Restricted Identification (RI).
BSI (-2011). Elektronische Ausweise.
BSI (-2014). Der neue Personalausweis.
BSI, Begleitstudien zum neuen Personalausweis.

Fingerprint related:

Michael Harling (1996). The Fingerprint System. Webpage. A brief history.
FBI Identification Division Technical Section (1987). FBI Fingerprint Training Manual. Webpage.
Fingerprint Patterns. Webpage.
NIST (2011/2013). American National Standard for Information Systems; Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information. ANSI/NIST-ITL Standard, NIST Special Publication 500-290.
Distribution of NCIC FPC Including 17'951'192 Males , 4'313'521 Females .
This is a statistics about the distribution of fingerprints in a large criminal file maintained by the FBI according to a system based on the Henry classification.

Mailinglist

We will put each member on the mailing list . You can also subscribe yourself. The list is intented for all participants of the course as a platform for discussions around the topic. Furthermore, announcements regarding the course are made here.