
AG Codes and Kryptographie

Securing the Financial Cloud (SFC)

Funding agency: Bundesministerium für Bildung und Forschung (BMBF)
Initiative: Funding of research initiatives on secure cloud computing (Förderung von Forschungsinitiativen zum Sicheren Cloud Computing), www.bmbf.de/foerderungen/18899.php
Project management agency: VDI/VDE
Grant number: 16KIS0062
Start: 1.3.2014
End: 27.2.2017
Partners:
  Wincor Nixdorf
  acheleos
  arvato Bertelsmann
  utimaco
  escrypt
  janz IT
  Universität Paderborn

Project Goals

The SFC project aims at transferring highly sensitive financial services into the cloud, and implementing a prototype of a cloud architecture for such financial services. Achieving this goal requires an interdisciplinary approach represented by SFC's subprojects:

Cryptographic technologies

Identifying and analyzing relevant cryptographic primitives for use in a financial cloud is a key aspect of this subproject. Based on the analysis, existing cryptographic schemes will be adapted and new schemes will be developed to match the requirements imposed by the financial cloud.

Optimized realization

This subproject aims at providing highly optimized hardware (e.g. FPGA) implementations of the cryptographic schemes resulting from the previously described subproject. These implementations will be subject to extensive analyses of their resistance against side-channel attacks.

Security architecture

The financial cloud offers a highly complex infrastructure for financial services. Accordingly, special mechanisms and procedures demand high levels of security. This subproject focuses on how to specify security requirements, in particular with attribute-based cryptography in mind. Attribute-based cryptography is considered a key technology for the financial cloud. In addition to technological approaches to security, the socio-technical nature of the financial cloud requires consideration of human users, and thus, manual security processes.

Software architecture

The architecture for cloud infrastructure for financial services requires integration of the cloud solutions with standards and mechanisms, which have been established for decades in the financial sector. This integration is an important challenge that must be solved in order to achieve security and efficiency for the financial cloud.

"Codes and Cryptography"'s contribution to SFC

An important aspect of a secure cloud architecture for financial services is access control for sensitive data. In this project, attribute-based cryptography is the technology of choice to realize access control, allowing for cryptographic enforcement of access structures based on attributes and policies. In contrast to classical approaches, with attribute-based encryption every user holds only one key and data needs to be encrypted only once, while only users authorized to access the specific data can do so. This reduces the overhead in memory and key management and removes the need for an authority that grants access to data based on access control lists, which, in turn, simplifies the processes required to achieve and maintain security.

In this project, the task of research group "Codes and Cryptography" is to develop efficient attribute-based schemes for the financial cloud and to analyze the security of such schemes. Besides efficiency and security, integration of higher level security processes is an important aspect of our work.

Cryptographic keys for the financial cloud need strong protection. For this task, special purpose hardware, like smart cards and hardware security modules (HSM), is used. Another aspect of our work is to identify bilinear pairings, as required by attribute-based schemes, to be implemented to efficiently run on such special purpose hardware.

Like other cloud systems, the financial cloud and its underlying infrastructure are subject to a potentially hostile environment. This opens up the system to side-channel attacks, i.e. leakage of information on cryptographic keys based on the time or energy consumption of concrete implementations of cryptographic schemes. Identifying side-channels is a challenging task, as it requires consideration of combinations of hardware and software. We will identify side-channels of the aforementioned hardware implementations of bilinear pairings. Based on our findings, we will develop software countermeasures to prevent side-channel attacks.

Publications

  • Nils Löken
    Searchable Encryption with Access Control
    In: International Conference on Availability, Reliability and Security (ARES'17), ACM ICPS, Article 24, [DOI], [Full Version]
  • Johannes Blömer, Peter Günther, Volker Krummel, Nils Löken
    Attribute-Based Encryption as a Service for Access Control in Large-Scale Organizations
    To appear in: 10th International Symposium on Foundations & Practice of Security. Lecture Notes in Computer Science, vol 10723, Springer, Cham
  • Johannes Blömer, Peter Günther
    Effizienz und Sicherheit paarungsbasierter Kryptographie
    In: Tagungsband des 26. Fraunhofer SIT Smartcard-Workshops, 2016
  • Britta Gerken
    Elektromagnetische Seitenkanalangriffe auf paarungsbasierte Kryptographie
    Master's Thesis, Paderborn University, 2015, [Download]
  • Peter Günther, Johannes Blömer
    Singular Curve Point Decompression Attack
    In: Proceedings of Fault Tolerance and Diagnosis in Cryptography (FDTC), 2015, [DOI]
  • Volker Krummel, Peter Günther
    Implementing Cryptographic Pairings on Accumulator based Smart Card Architectures
    In: Proceedings of the Sixth International Conference on Mathematical Aspects of Computer and Information Sciences (MACIS), 2015
  • Martin Sosniak
    Evaluation of Pairing Optimization for Embedded Platforms
    Master's Thesis, Paderborn University, 2015, [Download]
  • Johannes Blömer, Peter Günther, Gennadij Liske
    Tampering Attacks in Pairing-Based Cryptography
    In: Proceedings of Fault Tolerance and Diagnosis in Cryptography (FDTC '14), 2014, [DOI]
  • Johannes Blömer, Gennadij Liske
    Constructing CCA-secure predicate encapsulation schemes from CPA-secure schemes and universal one-way hash functions
    In: Cryptology ePrint Archive, 2014, [Download]
  • Johannes Blömer, Ricardo Gomes da Silva, Peter Günther, Juliane Krämer, Jean-Pierre Seifert
    A Practical Second-Order Fault Attack against a Real-World Pairing Implementation
    In: Proceedings of Fault Tolerance and Diagnosis in Cryptography (FDTC '14), 2014, [DOI], [Download]
  • Janek Jochheim
    Hiding software components using functional encryption
    Master's Thesis, Paderborn University, 2014, [Download]
  • Jan Lippert
    Fujisaki-Okamoto Transformation
    Bachelor's Thesis, Paderborn University, 2014, [Download]
  • Johannes Blömer, Gennadij Liske
    Direct Chosen-Ciphertext Secure Attribute-Based Key Encapsulations without Random Oracles
    In: Cryptology ePrint Archive, 2013, [Download]
  • Kathlén Kohn
    Attributbasierte Verschlüsselung mittels Gittermethoden - Mathematische Grundlagen, Verfahren und Sicherheitsbeweise
    Bachelor's Thesis, Paderborn University, 2013, [Download]
  • Oliver Otte
    Seitenkanalresistenz paarungsbasierter Kryptographie
    Bachelor's Thesis, Paderborn University, 2013, [Download]
  • Alina Tezer
    Verteilte Erstellung und Aktualisierung von Schlüsselservern in identitätsbasierten Verschlüsselungssystemen
    Bachelor's Thesis, Paderborn University, 2013
  • Patrick Schleiter
    Attribute-basierte Verschlüsselung
    Bachelor's Thesis, Paderborn University, 2012, [Download]
  • Gennadij Liske
    Fault attacks in pairing-based cryptography
    Master's Thesis, Paderborn University, 2011, [Download]
  • Tim Postler
    Smart Card basierte Berechnung einer Gruppensignatur als Teil einer biometrischen Authentisierung
    Diploma Thesis, Paderborn University, 2010, [Download]
