Se­cur­ing the Fin­an­cial Cloud (SFC)

Förderer Bundesministerium für Bildung und Forschung (BMBF)
Initiative Förderung von Forschungsinitiativen zum Sicheren Cloud Computing
Projektträger VDI/VDE
Förderkennzeichen 16KIS0062
Beginn 1.3.2014
Ende 27.2.2017
Partner Wincor Nixdorf
  arvato Bertelsmann
  janz IT
  Universität Paderborn

Pro­ject Goals

The SFC project aims at transferring highly sensitive financial services into the cloud, and implementing a prototype of a cloud architecture for such financial services. Achieving this goal requires an interdisciplinary approach represented by SFC's subprojects:

Cryptographic technologies

Identifying and analyzing relevant cryptographic primitives for the use in a financial cloud is a key aspect of this subproject. Based on the analysis, existing cryptographic schemes will be adapted and new schemes will be developed to match the requirements imposed by the financial cloud.

Optimized realization

This subproject aims at providing highly optimized hardware (e.g. FPGA) implementations of cryptographic schemes resultant from the previously described subproject. These implementations will be subject to extensive analyses of their resistance against side-channel attacks.

Security architecture

The financial cloud offers a highly complex infrastructure for financial services. Accordingly, special mechanisms and procedures demand high levels of security. This subproject focuses on how to specify security requirements, in particular with attribute-based cryptography in mind. Attribute-based cryptography is considered a key technology for the financial cloud. In addition to technological approaches to security, the socio-technical nature of the financial cloud requires consideration of human users, and thus, manual security processes.

Software architecture

The architecture for cloud infrastructure for financial services requires integration of the cloud solutions with standards and mechanisms, which have been established for decades in the financial sector. This integration is an important challenge that must be solved in order to achieve security and efficiency for the financial cloud.

"Codes and Cryp­to­graphy"'s con­tri­bu­tion to SFC

An important aspect of a secure cloud architecture for financial services is access control for sensitive data. In this project, attribute-based cryptography is the technology of choice to realize access control allowing for cryptographic enforcement of access structures based on attributes and policies. In contrast to classical approaches, with attribute-based encryption every user holds only one key and data needs to encrypted only once, while only users authorized to access the specific data can do so. This reduces the overhead in memory and key management and removes the need for an authority that grants access to data based on access control lists, which, in turn, simplifies processes required to achieve and maintain security.

In this project, the task of research group "Codes and Cryptography" is to develop efficient attribute-based schemes for the financial cloud and to analyze the security of such schemes. Besides efficiency and security, integration of higher level security processes is an important aspect of our work.

Cryptographic keys for the financial cloud need strong protection. For this task, special purpose hardware, like smart cards and hardware security modules (HSM), is used. Another aspect of our work is to identify bilinear pairings, as required by attribute-based schemes, to be implemented to efficiently run on such special purpose hardware.

Like other cloud systems, the financial cloud and its underlying infrastructure are subject to a potentially hostile environment. This opens up the system to side-channel attacks, i.e. leakage of information on cryptographic keys based on time or energy consumptions of concrete implementations of cryptographic schemes. Identifying side-channels is a challenging task as it requires consideration of combinations of hardware and software. We will identify side-channels of aforementioned hardware implementations of bilinear pairings. Based on our findings, software we will develop countermeasures to prevent side-channel attacks.


A Practical Second-Order Fault Attack against a Real-World Pairing Implementation

J. Blömer, R. Gomes da Silva, P. Günther, J. Krämer, J.-P. Seifert, in: Proceedings of Fault Tolerance and Diagnosis in Cryptography(FDTC), 2014, pp. 123--136.

Attributbasierte Verschlüsselung mittels Gittermethoden - Mathematische Grundlagen, Verfahren und Sicherheitsbeweise

K. Kohn, Attributbasierte Verschlüsselung mittels Gittermethoden - Mathematische Grundlagen, Verfahren und Sicherheitsbeweise, Universität Paderborn, 2013.

Attribute-Based Encryption as a Service for Access Control in Large-Scale Organizations

J. Blömer, P. Günther, V. Krummel, N. Löken, in: Foundations and Practice of Security, Springer International Publishing, Cham, 2017, pp. 3–17.

Attribute-basierte Verschlüsselung

P. Schleiter, Attribute-basierte Verschlüsselung, Universität Paderborn, 2012.

Elektromagnetische Seitenkanalangriffe auf paarungsbasierte Kryptographie

B. Gerken, Elektromagnetische Seitenkanalangriffe auf paarungsbasierte Kryptographie, Universität Paderborn, 2015.

Evaluation of Pairing Optimization for Embedded Platforms

M. Sosniak, Evaluation of Pairing Optimization for Embedded Platforms, Universität Paderborn, 2015.

Fault attacks in pairing-based cryptography

G. Liske, Fault Attacks in Pairing-Based Cryptography, Universität Paderborn, 2011.

Fujisaki-Okamoto Transformation

J. Lippert, Fujisaki-Okamoto Transformation, Universität Paderborn, 2014.

Hiding software components using functional encryption

J. Jochheim, Hiding Software Components Using Functional Encryption, Universität Paderborn, 2014.

Implementing Cryptographic Pairings on Accumulator Based Smart Card Architectures

P. Günther, V. Krummel, in: Mathematical Aspects of Computer and Information Sciences, Springer International Publishing, Cham, 2016, pp. 151–165.

Searchable Encryption with Access Control

N. Löken, in: Proceedings of the 12th International Conference on Availability, Reliability and Security  - ARES ’17, ACM Press, 2017.

Seitenkanalresistenz paarungsbasierter Kryptographie

O. Otte, Seitenkanalresistenz paarungsbasierter Kryptographie, Universität Paderborn, 2013.

Singular Curve Point Decompression Attack

J. Blömer, P. Günther, in: 2015 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), IEEE, 2016.

Tampering attacks in pairing-based cryptography

J. Blömer, P. Günther, G. Liske, in: Proceedings of Fault Tolerance and Diagnosis in Cryptography(FDTC), 2014, pp. 1--7.

Verteilte Erstellung und Aktualisierung von Schlüsselservern in identitätsbasierten Verschlüsselungssystemen

A. Tezer, Verteilte Erstellung und Aktualisierung von Schlüsselservern in identitätsbasierten Verschlüsselungssystemen, Universität Paderborn, 2013.

Show all publications