
Conference papers



Streaming-Based Verification of XML Signatures in SOAP Messages

J. Somorovsky, M. Jensen, J. Schwenk, in: 2010 6th World Congress on Services, 2010



On the effectiveness of XML Schema validation for countering XML Signature Wrapping attacks

M. Jensen, C. Meyer, J. Somorovsky, J. Schwenk, in: 2011 1st International Workshop on Securing Services on the Cloud (IWSSC), 2011



How to break XML encryption

T. Jager, J. Somorovsky, in: Proceedings of the 18th ACM conference on Computer and communications security - CCS '11, 2011



Sec2: Ein mobiles Nutzer-kontrolliertes Sicherheitskonzept für Cloud-Storage

C. Meyer, J. Somorovsky, B. Driessen, J. Schwenk, T. Tran, C. Wietfeld, 2011


All your clouds are belong to us: security analysis of cloud management interfaces

J. Somorovsky, M. Heiderich, M. Jensen, J. Schwenk, N. Gruschka, L. Lo Iacono, in: Proceedings of the 3rd ACM workshop on Cloud computing security workshop - CCSW '11, 2011



On Breaking SAML: Be Whoever You Want to Be

J. Somorovsky, A. Mayer, J. Schwenk, M. Kampmann, M. Jensen, in: Presented as part of the 21st USENIX Security Symposium (USENIX Security 12), USENIX, 2012, pp. 397-412



Sec2: Secure Mobile Solution for Distributed Public Cloud Storages

J. Somorovsky, C. Meyer, T. Tran, M. Sbeiti, J. Schwenk, C. Wietfeld, 2012


One Bad Apple: Backwards Compatibility Attacks on State-of-the-Art Cryptography

T. Jager, K.G. Paterson, J. Somorovsky, in: 20th Annual Network and Distributed System Security Symposium, NDSS 2013, San Diego, California, USA, February 24-27, 2013, 2013


A New Approach towards DoS Penetration Testing on Web Services

A. Falkenberg, C. Mainka, J. Somorovsky, J. Schwenk, in: 2013 IEEE 20th International Conference on Web Services, 2013



Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

C. Meyer, J. Somorovsky, E. Weiss, J. Schwenk, S. Schinzel, E. Tews, in: 23rd USENIX Security Symposium (USENIX Security 14), USENIX Association, 2014, pp. 733-748


On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption

T. Jager, J. Schwenk, J. Somorovsky, in: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security - CCS '15, 2015



How to Break XML Encryption -- Automatically

D. Kupser, C. Mainka, J. Schwenk, J. Somorovsky, in: 9th USENIX Workshop on Offensive Technologies (WOOT 15), USENIX Association, 2015


Not so Smart: On Smart TV Apps

M. Niemietz, J. Somorovsky, C. Mainka, J. Schwenk, in: International Workshop on Secure Internet of Things (SIoT), 2015



Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS

H. Böck, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic, in: 10th USENIX Workshop on Offensive Technologies (WOOT 16), USENIX Association, 2016


DROWN: Breaking TLS Using SSLv2

N. Aviram, S. Schinzel, J. Somorovsky, N. Heninger, M. Dankel, J. Steube, L. Valenta, D. Adrian, J.A. Halderman, V. Dukhovni, E. Käsper, S. Cohney, S. Engels, C. Paar, Y. Shavitt, in: 25th USENIX Security Symposium (USENIX Security 16), USENIX Association, 2016, pp. 689-706


Systematic Fuzzing and Testing of TLS Libraries

J. Somorovsky, in: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security - CCS'16, 2016



SoK: Exploiting Network Printers

J. Müller, V. Mladenov, J. Somorovsky, J. Schwenk, in: 2017 IEEE Symposium on Security and Privacy (SP), 2017



Breaking and Fixing Gridcoin

M. Grothe, T. Niemann, J. Somorovsky, J. Schwenk, in: 11th USENIX Workshop on Offensive Technologies (WOOT 17), USENIX Association, 2017


Attacking Deterministic Signature Schemes Using Fault Attacks

D. Poddebniak, J. Somorovsky, S. Schinzel, M. Lochter, P. Rösler, in: 2018 IEEE European Symposium on Security and Privacy (EuroS&P), 2018



Return Of Bleichenbacher's Oracle Threat (ROBOT)

H. Böck, J. Somorovsky, C. Young, in: 27th USENIX Security Symposium (USENIX Security 18), USENIX Association, 2018, pp. 817-849


On The (In-)Security Of JavaScript Object Signing And Encryption

D. Detering, J. Somorovsky, C. Mainka, V. Mladenov, J. Schwenk, in: Proceedings of the 1st Reversing and Offensive-oriented Trends Symposium on - ROOTS, 2018



Security Analysis of eIDAS -- The Cross-Country Authentication Scheme in Europe

N. Engelbertz, N. Erinola, D. Herring, J. Somorovsky, V. Mladenov, J. Schwenk, in: 12th USENIX Workshop on Offensive Technologies (WOOT 18), USENIX Association, 2018


Prime and Prejudice: Primality Testing Under Adversarial Conditions

M.R. Albrecht, J. Massimo, K.G. Paterson, J. Somorovsky, in: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018



Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels

D. Poddebniak, C. Dresen, J. Müller, F. Ising, S. Schinzel, S. Friedberger, J. Somorovsky, J. Schwenk, in: 27th USENIX Security Symposium (USENIX Security 18), USENIX Association, 2018, pp. 549-566


"Johnny, you are fired!" -- Spoofing OpenPGP and S/MIME Signatures in Emails

J. Müller, M. Brinkmann, D. Poddebniak, H. Böck, S. Schinzel, J. Somorovsky, J. Schwenk, in: 28th USENIX Security Symposium (USENIX Security 19), USENIX Association, 2019, pp. 1011-1028


Security Analysis of XAdES Validation in the CEF Digital Signature Services (DSS)

N. Engelbertz, V. Mladenov, J. Somorovsky, D. Herring, N. Erinola, J. Schwenk, in: Open Identity Summit 2019, Gesellschaft für Informatik, Bonn, 2019, pp. 95-106


Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities

R. Merget, J. Somorovsky, N. Aviram, C. Young, J. Fliegenschmidt, J. Schwenk, Y. Shavitt, in: 28th USENIX Security Symposium (USENIX Security 19), USENIX Association, 2019, pp. 1029-1046


Mitigation of Attacks on Email End-to-End Encryption

J. Schwenk, M. Brinkmann, D. Poddebniak, J. Müller, J. Somorovsky, S. Schinzel, in: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, Association for Computing Machinery, 2020, pp. 1647–1664

OpenPGP and S/MIME are two major standards for securing email communication introduced in the early 1990s. Three recent classes of attacks exploit weak cipher modes (EFAIL Malleability Gadgets, or EFAIL-MG), the flexibility of the MIME email structure (EFAIL Direct Exfiltration, or EFAIL-DE), and the Reply action of the email client (REPLY attacks). Although all three break message confidentiality by using standardized email features, only EFAIL-MG has been mitigated in IETF standards with the introduction of AEAD algorithms. So far, no uniform and reliable countermeasures have been adopted by email clients to prevent EFAIL-DE and REPLY attacks. Instead, email clients implement a variety of different ad-hoc countermeasures which are only partially effective, cause interoperability problems, and fragment the secure email ecosystem. We present the first generic countermeasure against both REPLY and EFAIL-DE attacks by checking the decryption context including SMTP headers and MIME structure during decryption. The decryption context is encoded into a string DC and used as Associated Data (AD) in the AEAD encryption. Thus the proposed solution seamlessly extends the EFAIL-MG countermeasures. The decryption context changes whenever an attacker alters the email source code in a critical way, for example, if the attacker changes the MIME structure or adds a new Reply-To header. The proposed solution does not cause any interoperability problems and legacy emails can still be decrypted. We evaluate our approach by implementing the decryption contexts in Thunderbird/Enigmail and by verifying their correct functionality after the email has been transported over all major email providers, including Gmail and iCloud Mail.


Analysis of DTLS Implementations Using Protocol State Fuzzing

P. Fiterau-Brostean, B. Jonsson, R. Merget, J. de Ruiter, K. Sagonas, J. Somorovsky, in: 29th USENIX Security Symposium (USENIX Security 20), USENIX Association, 2020, pp. 2523-2540


ALPACA: Application Layer Protocol Confusion - Analyzing and Mitigating Cracks in TLS Authentication

M. Brinkmann, C. Dresen, R. Merget, D. Poddebniak, J. Müller, J. Somorovsky, J. Schwenk, S. Schinzel, in: 30th USENIX Security Symposium (USENIX Security 21), USENIX Association, 2021, pp. 4293-4310


Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E)

R. Merget, M. Brinkmann, N. Aviram, J. Somorovsky, J. Mittmann, J. Schwenk, in: 30th USENIX Security Symposium (USENIX Security 21), USENIX Association, 2021, pp. 213-230

