course: Message-Level Security

number:
141252
teaching methods:
lecture with tutorials
media:
Moodle, computer based presentation
responsible person:
Prof. Dr. Jörg Schwenk
Lecturers:
Dr.-Ing. Christian Mainka (ETIT), Dr.-Ing. Vladislav Mladenov (ETIT)
language:
German
HWS:
4
CP:
5
offered in:
winter term

dates in winter term

  • start: Friday the 11.10.2019
  • lecture Fridays: from 09:15 to 10:45 in ID 04/413
  • tutorial Fridays: from 11:15 to 12:45 in ID 04/413

Exam

All statements pertaining to examination modalities (for the summer/winter term of 2020) are given with reservations. Changes due to new requirements from the university will be announced as soon as possible.

Date according to prior agreement with lecturer.

Form of exam: oral
Registration for exam: FlexNow
Duration: 30 min

goals

After successfully completing the lecture, students will have a comprehensive understanding of the security of the following technologies: web data formats, authentication and authorization protocols, and document formats. Through the hands-on work in the exercises, students expand their research skills and continue to learn how to use various penetration-testing tools securely. At the end of the lecture, the students are able to systematically perform comprehensive security analyses and practical attacks on the covered technologies independently. Furthermore, the students are able to transfer the acquired knowledge to other technologies and to find and exploit more complex attack possibilities through creative thinking.

content

The lecture deals with the topic of Message-Level Security. Unlike SSL/TLS, which establishes a secure transport channel, message-level security is about protecting messages, such as HTTP requests, at the message level. This depends on the correct use of cryptographic methods as well as on the secure provision of API interfaces.

Within the framework of the lecture, the following Message-Level Security techniques will be examined:

  • JSON is a universal data description language which is supported by every modern browser. JSON Signature and JSON Encryption directly protect JSON messages. But is that enough or can these security mechanisms be bypassed?
  • OAuth is a widespread technology for delegating permissions and it is used today by all major websites such as Facebook, Google, Twitter, GitHub, and many more. The lecture explains in-depth details and common errors/attacks that can occur when using OAuth.
  • OpenID Connect is an extension of OAuth to authenticate users on websites using a third-party provider (Single Sign-On, e.g. Google Login). OpenID Connect has become the de facto standard for third-party web logins in recent years. The lecture explains in detail the differences from OAuth and which attacks on OpenID Connect are possible.
  • SAML stands for Security Assertion Markup Language and is a single sign-on standard that is widely used in business scenarios. However, there are numerous attacks ranging from identity theft to Remote Code Execution.
  • PDF is probably the most widely used universal document exchange format. In this lecture the security features of PDFs will be discussed. In particular, digital signatures, which are used, for example, in contracts, will be examined. Will we succeed in forging signed documents?

The students will gain a profound understanding of the systems. Attacks from the academic world as well as from the pentesting community are presented for all investigated systems. The exercises offer the opportunity to try out the acquired knowledge in practice. The students receive a virtual machine for this purpose.

recommended knowledge

  • Basic knowledge of HTTP, HTML and cryptography
  • Basic knowledge of English, as this is the language of the slides, exercises and virtual machine