Posts by Tags

CTF

ECSC Prague 2021

less than 1 minute read

Published:

The European Cyber Security Challenge 2021 in Prague is over! This is a yearly reoccuring event with around 20 (mostly) European countries. Every year, a different state hosts the onsite CTF competition. This year, we had two competition days with over 50 challenges in the categories crypto, reversing, web, forensics, misc, and hardware. Furthermore, there was an escape room and international team challenges.

ECSC

ECSC Prague 2021

less than 1 minute read

Published:

The European Cyber Security Challenge 2021 in Prague is over! This is a yearly reoccuring event with around 20 (mostly) European countries. Every year, a different state hosts the onsite CTF competition. This year, we had two competition days with over 50 challenges in the categories crypto, reversing, web, forensics, misc, and hardware. Furthermore, there was an escape room and international team challenges.

FHE

HOTP bias

MFKDF: Multiple Factors Knocked Down Flat

1 minute read

Published:

We present multiple attacks against Multi-Factor Key Derivation Function, a novel cryptographic primitive presented at USENIX’23.

Hacking

ECSC Prague 2021

less than 1 minute read

Published:

The European Cyber Security Challenge 2021 in Prague is over! This is a yearly reoccuring event with around 20 (mostly) European countries. Every year, a different state hosts the onsite CTF competition. This year, we had two competition days with over 50 challenges in the categories crypto, reversing, web, forensics, misc, and hardware. Furthermore, there was an escape room and international team challenges.

MD5

RADIUS/UDP considered harmful

1 minute read

Published:

Blast-RADIUS is a vulnerability that affects the RADIUS protocol. RADIUS is a very common protocol used for authentication, authorization, and accounting (AAA) for networked devices on enterprise and telecommunication networks.

RADIUS

RADIUS/UDP considered harmful

1 minute read

Published:

Blast-RADIUS is a vulnerability that affects the RADIUS protocol. RADIUS is a very common protocol used for authentication, authorization, and accounting (AAA) for networked devices on enterprise and telecommunication networks.

SGX enclaves

SHC

ECSC Prague 2021

less than 1 minute read

Published:

The European Cyber Security Challenge 2021 in Prague is over! This is a yearly reoccuring event with around 20 (mostly) European countries. Every year, a different state hosts the onsite CTF competition. This year, we had two competition days with over 50 challenges in the categories crypto, reversing, web, forensics, misc, and hardware. Furthermore, there was an escape room and international team challenges.

aes

Revisiting Microarchitectural Side-Channels

2 minute read

Published:

This project revisits cache side-channels on contemporary hardware and contributes CacheSC, a tool for L1 and L2 Prime+Probe attacks. Furthermore, we apply it to AES lookup tables, AES key scheduling, and acquire first insights on Argon2.

argon2

Revisiting Microarchitectural Side-Channels

2 minute read

Published:

This project revisits cache side-channels on contemporary hardware and contributes CacheSC, a tool for L1 and L2 Prime+Probe attacks. Furthermore, we apply it to AES lookup tables, AES key scheduling, and acquire first insights on Argon2.

attacks

MFKDF: Multiple Factors Knocked Down Flat

1 minute read

Published:

We present multiple attacks against Multi-Factor Key Derivation Function, a novel cryptographic primitive presented at USENIX’23.

RADIUS/UDP considered harmful

1 minute read

Published:

Blast-RADIUS is a vulnerability that affects the RADIUS protocol. RADIUS is a very common protocol used for authentication, authorization, and accounting (AAA) for networked devices on enterprise and telecommunication networks.

automation

Applied Security Lab

1 minute read

Published:

In this course, our task was to implement a typical IT system based on a set of functional and security requirements in a team of four people. For this purpose, we needed to design a certificate authority for a fictional company while analyzing the security and take appropriate measures. Furthermore, we needed to introduce two backdoors in the system. In the middle of the semester, we switched to analyze another team’s system and assess their security. This, of course, included finding their backdoors as well as any other vulnerabilities.

caches

Revisiting Microarchitectural Side-Channels

2 minute read

Published:

This project revisits cache side-channels on contemporary hardware and contributes CacheSC, a tool for L1 and L2 Prime+Probe attacks. Furthermore, we apply it to AES lookup tables, AES key scheduling, and acquire first insights on Argon2.

certificates

Applied Security Lab

1 minute read

Published:

In this course, our task was to implement a typical IT system based on a set of functional and security requirements in a team of four people. For this purpose, we needed to design a certificate authority for a fictional company while analyzing the security and take appropriate measures. Furthermore, we needed to introduce two backdoors in the system. In the middle of the semester, we switched to analyze another team’s system and assess their security. This, of course, included finding their backdoors as well as any other vulnerabilities.

cloud storage

End-to-End Encrypted Cloud Storage

less than 1 minute read

Published:

Copyright notice. This article is accepted to IEEE Security and Privacy. DOI: 10.1109/MSEC.2024.3352788. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

Cloud Storage Systems: From Bad Practice to Practical Attacks

4 minute read

Published:

We show that the cryptographic design of the cloud storage system MEGA does not protect its users against a malicious server and present five distinct attacks, which together allow for a full compromise of the confidentiality of user files.

compiler

cryptanalysis

Cloud Storage Systems: From Bad Practice to Practical Attacks

4 minute read

Published:

We show that the cryptographic design of the cloud storage system MEGA does not protect its users against a malicious server and present five distinct attacks, which together allow for a full compromise of the confidentiality of user files.

game-based proofs

key-overwriting attack

MFKDF: Multiple Factors Knocked Down Flat

1 minute read

Published:

We present multiple attacks against Multi-Factor Key Derivation Function, a novel cryptographic primitive presented at USENIX’23.

law

measurement

openssl

Revisiting Microarchitectural Side-Channels

2 minute read

Published:

This project revisits cache side-channels on contemporary hardware and contributes CacheSC, a tool for L1 and L2 Prime+Probe attacks. Furthermore, we apply it to AES lookup tables, AES key scheduling, and acquire first insights on Argon2.

pentesting

Applied Security Lab

1 minute read

Published:

In this course, our task was to implement a typical IT system based on a set of functional and security requirements in a team of four people. For this purpose, we needed to design a certificate authority for a fictional company while analyzing the security and take appropriate measures. Furthermore, we needed to introduce two backdoors in the system. In the middle of the semester, we switched to analyze another team’s system and assess their security. This, of course, included finding their backdoors as well as any other vulnerabilities.

risk analysis

Applied Security Lab

1 minute read

Published:

In this course, our task was to implement a typical IT system based on a set of functional and security requirements in a team of four people. For this purpose, we needed to design a certificate authority for a fictional company while analyzing the security and take appropriate measures. Furthermore, we needed to introduce two backdoors in the system. In the middle of the semester, we switched to analyze another team’s system and assess their security. This, of course, included finding their backdoors as well as any other vulnerabilities.

security

MFKDF: Multiple Factors Knocked Down Flat

1 minute read

Published:

We present multiple attacks against Multi-Factor Key Derivation Function, a novel cryptographic primitive presented at USENIX’23.

RADIUS/UDP considered harmful

1 minute read

Published:

Blast-RADIUS is a vulnerability that affects the RADIUS protocol. RADIUS is a very common protocol used for authentication, authorization, and accounting (AAA) for networked devices on enterprise and telecommunication networks.

End-to-End Encrypted Cloud Storage

less than 1 minute read

Published:

Copyright notice. This article is accepted to IEEE Security and Privacy. DOI: 10.1109/MSEC.2024.3352788. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

side-channel

Revisiting Microarchitectural Side-Channels

2 minute read

Published:

This project revisits cache side-channels on contemporary hardware and contributes CacheSC, a tool for L1 and L2 Prime+Probe attacks. Furthermore, we apply it to AES lookup tables, AES key scheduling, and acquire first insights on Argon2.

thesis

Cloud Storage Systems: From Bad Practice to Practical Attacks

4 minute read

Published:

We show that the cryptographic design of the cloud storage system MEGA does not protect its users against a malicious server and present five distinct attacks, which together allow for a full compromise of the confidentiality of user files.

Revisiting Microarchitectural Side-Channels

2 minute read

Published:

This project revisits cache side-channels on contemporary hardware and contributes CacheSC, a tool for L1 and L2 Prime+Probe attacks. Furthermore, we apply it to AES lookup tables, AES key scheduling, and acquire first insights on Argon2.

timing

Revisiting Microarchitectural Side-Channels

2 minute read

Published:

This project revisits cache side-channels on contemporary hardware and contributes CacheSC, a tool for L1 and L2 Prime+Probe attacks. Furthermore, we apply it to AES lookup tables, AES key scheduling, and acquire first insights on Argon2.