Training. Systematically Exploiting Network Printers

Abstract. The idea of a paperless office has been dreamed of for more than three decades. However, nowadays printers are still one of the most essential devices for daily work and common Internet users. Instead of removing them, printers evolved from simple devices into complex network computer systems, installed directly into company networks, and carrying considerable confidential data in their print jobs. This makes them to an attractive attack target, often missed by system administrators when securing their network and even by pentesters.

During our research we conducted a large scale analysis of printer attacks and systematized our knowledge by providing a general methodology for security analyses of printers. Based on our methodology, we implemented an open-source tool called PRinter Exploitation Toolkit (PRET). We used PRET to evaluate dozens of printer models from different vendors and found all of them to be vulnerable to at least one of the tested attacks. These attacks included, for example, simple DoS attacks or skilled attacks, extracting print jobs and system files.

In this training we will give an overview of the security of the two most widely supported printer languages: PCL/PJL and PostScript. Each participant gets his/her own test printer, which can be taken home further studies, and the opportunity to carry out manually the introduced attacks in a prepared environment (shipped for free). In addition, the automated PRET tool for systematic analysis and penetration tests of network printers will be introduced. Finally, we will show techniques for system administrators to mitigate the attacks by proxying all print jobs over a hardened print server.

Course Outline

First Segment
• Basics: Printing Technologies
• Basics: PCL and PJL
• Basics: PostScript
• Attack Channels – Network/Wireless Printing, Cloud Printing, Cross-Site Printing
• Attacks: Denial of Service
• Attacks: Protection Bypass

Second Segment
• Attacks: Print Job Manipulation
• Attacks: Print Job Access
• Attacks: Information Disclosure – Memory Access, File System Access
• Attacks: Remote Code Execution
• Countermeasures: Setting up a secure print server

What to bring? Laptop, VirtualBox

Prerequisites. Basic knowledge on network security

Who Should Attend? Penetration testers, network administrators, technical people interested in network/IoT security

What to expect? A very technical, very intense, in-depth course on printer hacking. Starting with an introduction on de facto standard printer languages you will learn how to use their powerful features to systematically exploit almost any printer out there. You will perform practical attacks ranging from simple DoS, to removing the device's password protection with malicious print jobs and manipulating other users' print jobs. You will learn how to access the printer's file system and capture print jobs based on 35 years vulnerabilities present in almost every laser printer. While most of the attacks carried out in the test setup will be performed over the wire (scenario of internal network pentesting) you will learn to use alternative channels to deploy malicious commands to a printer: USB sticks, wireless printing, cloud printing or even arbitrary websites. A quick peek on a small subset of attacks you will cope with can be found in this RuhrSec 2017 presentation: YouTube. Also, you will get a free printer for takeaway and further hacking.

What not to expect? Hardware and firmware hacking, abusing specific implementation flaws like a buffer overflow in the web server of a certain printer model. This course is focused on generic attacks which can be applied to a broad range of devices.

About the trainer. Jens Müller is a PhD student at the Ruhr University Bochum. His research interests are attacks on the Internet of things and applied network security in general. He has experience as a freelancer in network penetration testing and security auditing. In his spare time he develops free open source software, at present tools related to network printer exploitation.

Training. Malware Analysis using Static and Dynamic Analysis

Abstract. Modern malware uses a large number of different techniques. Packers to avoid detection, obfuscation to deter analysis and command and control communication to obtain it's goals. Further, there can be many reasons to analyze malware. Question such as "Is this sample malicious?", "What information has been compromised?", "What counter measures can be taken?" requires different approaches from. In this training we'll focus on how the analyst can choose the right tool for the job and how to use these tools efficiently. This course is a hands-on training in how to leverage virtual machine introspection, debuggers and the IDA Pro Disassembler to get the job done. The student will learn about standard malware analysis techniques including dealing with packers, obfuscation and how malware commonly interact with the operating system. Further, we'll take a look at how to work with both file based malware and samples acquired from forensic memory analysis.

Course Outline

• Setting up a save environment
• Analyzing malware with sandbox logs
• Unpacking malware with debuggers
• Static analysis with IDA Pro
• Understanding common malware techniques
• Analyzing memory only malware

What to bring? Laptop with VirtualBox or VMWare installed. At least one VM running a modern Windows operating system. A licensed version of IDA Pro is advantageous, the freeware version will do.

Prerequisites. Basic knowledge on Malware and Windows. Ideally knowledge of x86 assembler and the programming language C.

Who Should Attend? Incident responders, Penetration testers, security engineers, computer security researchers, technical people interested in inner workings of malware.

What to expect? A very technical, very intense, hands-on course starting from the very basics of how you can safely analyze malware, You’ll learn about common malware behavior and you’ll get to reverse engineer real malware yourself using debuggers, disassemblers and Virtual machine introspection.

What not to expect? Generic reverse engineering. This course goes deep in the malware analysis topic.

About the trainers. Anton Wendel is working as a security engineer at G DATA Advanced Analytics. He received a Master degree in IT-Security from Ruhr University Bochum. Prior to joining G DATA Advanced Analytics he worked on automated malware analysis systems at G DATA.

Anders Fogh has been reverse engineering stuff ranging from USB sticks over DVD-players to nation state malware over the past two decades. His research has been presented at venues such as BlackHat and CCS, but he is particularly proud of presenting at RuhrSec last year.

Training. Penetration Testing on Android Mobile Apps

Abstract. With organisations expanding their presence onto mobile devices, enabling their employees and customers to access business information wherever they are, the threat landscape has never been wider. Mobile systems offer a whole new set of challenges for security professionals, incident responders and developers to take into account including sensitive data on lost devices, applications leaking access to user accounts, data exfiltration from corporate devices to name but a few.

This training course covers Android Marshmallow devices/ apps and newer, and is designed to provide attendees with hands-on knowledge on how attackers penetrate the security around mobile applications and security policies. To achieve this it uses custom mobile applications created by Context, crafted to emulate real-world applications and provide a realistic and up-to-date look at the attack surface and vectors available to skilled attackers.

This course will teach attendees how to use advanced attack methods against mobile applications, how to reverse engineer their code to look for vulnerabilities and use this information for complex attacks. At the end of this course attendees will be able to use advanced mobile penetration testing tools, carry out injection attacks and use reverse engineering methods to deconstruct the advanced defences of modern mobile applications.

Course Outline

• Introduction to Mobile Security
• Advanced tools
• Automating attacks
• Application Logic and bypasses
• Reverse Engineering Applications
• Decompiling Android applications
• SMALI and patching
• Hunting for weaknesses with the decompiled code
• Cryptographic Weaknesses
• Manipulating Applications with Injections
• End of Course Capture the Flag

What to bring? Laptop, VirtualBox

Prerequisites. Operating system with at least 4GB of RAM (8GB recommended) and at least 25 GB of free disk space. Virtualization software capable of running OVA.

Who Should Attend? Mobile Developers, Development Managers, Penetration Testers

What to expect? This course will teach attendees how to use advanced attack methods against mobile applications, how to reverse engineer their code to look for vulnerabilities and use this information for complex attacks. At the end of this course attendees will be able to use advanced mobile penetration testing tools, carry out injection attacks and use reverse engineering methods to deconstruct the advanced defences of modern mobile applications.

What not to expect? 0days

About the trainers. Christian Becker and Tim Guenther work as penetration testers for Context Information Security in Germany. They both have several years of experience in performing penetration tests such as in the areas of application testing, infrastructure testing, testing of mobile applications and devices as well as others.

Talk. Weird machines, exploitability and unexploitability

Abstract. In spite of being central to everything that is going on in IT security, the concept of "exploit" is surprisingly poorly formalized and understood only on an intuitive level by security practitioners. This lack of clear definition has all sorts of negative side-effects: From ineffictive teaching to muddled thinking about mitigations. In this talk, I will make an attempt to more clearly define what it is that attackers do when they write an exploit – and then talk about what this means for mitigations and secure coding.

Biography. Thomas Dullien / Halvar Flake started work in reverse engineering and digital rights management in the mid-90s, and began to apply reverse engineering to vulnerability research shortly thereafter. He pioneered early windows heap exploitaiton, patch diffing / bindiffing and various other reverse engineering techniques. In 2004, he started zynamics, a company focused on reverse engineering technologies. He continued to publish about reverse engineering, ROP gadget search, and knowledge management technologies in relation to reverse engineering. In 2011, zynamics was acquired by Google, and Halvar spent the next few years working on defensive technologies that leveraged the then hot buzzwords "big data" and "machine learning". In summer 2015, Halvar received the lifetime achievement Pwnie, and decided to take a year off to travel, read, and surf. Since November 2016, he is back at Google.

Talk. Securing the Development Lifecycle in Productions Systems Engineering

Abstract. Power plants and many other industrial plants are an integral part of a country’s critical infrastructure. As systems become more automated and networked and complicated software systems control entire systems, IT security is playing an increasingly important role. Previous attacks have mostly exploited existing vulnerabilities, future attackers will strive to intervene in the development process to build in vulnerabilities themselves.

Biography. After graduating with a Ph.D. from the TU Wien, Edgar worked in a research startup for two years. He then spent one year teaching as an Assistant Professor at Beloit College, WI. From 2002 to 2004, while with the software vendor ISIS Papyrus, he worked as a consultant in New York, NY and Albany, NY, and in Frankfurt, Germany. In 2004 he joined the TU Wien and founded the research center SBA Research together with A Min Tjoa and Markus Klemen. Edgar R. Weippl (CISSP, CISA, CISM, CRISC, CSSLP, CMC) is member of the editorial board of Computers & Security (COSE), organizes the ARES conference and is General Chair of SACMAT 2015, PC Chair of Esorics 2015, General Chair of ACM CCS 2016, and PC Chair of ACM SACMAT 2017.

Talk. The ROBOT Attack

Abstract. 20 years ago Daniel Bleichenbacher discovered an attack against RSA as it was used in SSL and the padding mode PKCS #1 v1.5. Obviously such an old attack doesn't work any more today, because everyone has fixed it. Okay... That was a joke. It still works. With some minor modifications we were able to discover the ROBOT attack (Return Of Bleichenbachers Oracle Threat). It affected nine different vendors and we were able to sign a message with the private key from facebook.com. More info at https://robotattack.org/ and in the full paper at https://eprint.iacr.org/2017/1189

Biography. Hanno Böck is a freelance journalist and regularly covers IT security topics for Golem.de and other publications. He also writes the monthly Bulletproof TLS Newsletter. In 2014 he started the Fuzzing Project, an effort to improve the security of free software applications. This work is supported by the Linux Foundation's Core Infrastructure Initiative.

Talk. Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels

Abstract. OpenPGP and S/MIME are the two prime standards for providing end-to-end security for emails. We describe novel attacks built upon a technique we call malleability gadgets to reveal the plaintext of encrypted emails. We use CBC/CFB gadgets to inject malicious plaintext snippets into encrypted emails that abuse existing and standard conforming backchannels, for example, in HTML, CSS, or x509 functionality, to exfiltrate the full plaintext after decryption. The attack works for emails even if they were collected long ago, and is triggered as soon as the recipient decrypts a single maliciously crafted email from the attacker. The attack has a large surface, since for each encrypted email sent to n recipients, there are n+1 mail clients that are susceptible to our attack.

We devise working attacks for both OpenPGP and S/MIME encryption, and show that exfiltration channels exist for 23 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients. While it is necessary to change the OpenPGP and S/MIME standards to fix these vulnerabilities, some clients had even more severe implementation flaws allowing straightforward exfiltration of the plaintext.

Biography. Christian Dresen is PhD student at the University of Applied Sciences in Muenster and Ruhr-University Bochum. His field of research is IT security and he is also an enthusiastic CTF player.

Talk. Finding security vulnerabilities with modern fuzzing techniques

Abstract. Fuzzing is a very powerful technique to detect flaws and vulnerabilities in software. The aim of this talk is to demonstrate different techniques which can be used to fuzz applications or libraries. Choosing the correct and most effective fuzzing technique will be discussed with real-world examples. Moreover, hints according common problems and pitfalls during fuzzing will be given. The first part of the talk discusses general concepts of fuzzing whereas the second part covers important areas which influent the fuzzing results. A special focus of the talk will be the difference of fuzzing applications with source code available versus fuzzing closed-source applications.

Biography. René Freingruber has been working as a professional security consultant for SEC Consult for several years. He operates research in the fields of malware analysis, reverse engineering and exploit development. He also studies modern mitigation techniques and how they can be bypassed by attackers. In the course of that research he came across Microsofts Enhanced Mitigation Experience Toolkit and gave various talks about the (in)security of it at conferences such as RuxCon, ToorCon, ZeroNights, IT-Secx, DeepSec, 31C3 and NorthSec.

Talk. How client-side compilers help attackers to gain code execution

Abstract. Compilers of interpreter languages aim at speeding up execution in the race for web browser performance. Various compilers and analysis stages are involved to turn JavaScript code into machine code of the architecture the browser runs on. In order to maximize the performance of our indispensable browsers, Just-In-Time (JIT) compilation gained widespread adoption. It achieves near-native run time for otherwise slowly interpreted JavaScript code. But it is only the beginning, and Ahead-of-Time (AOT) compilers such as ASM.js and its successor WebAssembly are emerging and won't disappear any time soon. Despite the intended performance gain, security concerns arise.

Attackers started to abuse JIT compilers by emitting desired machine code derived from controlled script constants. Armed with the ability to fill predictable address regions with hidden assembly instructions, they invented the JIT-Spray technique. Since then, many client-side JIT-Spray primitives were developed to ease the exploitation of various memory errors, which we'll revisit in the beginning of this presentation. Furthermore, we analyze flaws we found in ASM.js of Mozilla Firefox, tracked as CVE-2017-5375 and CVE-2017-5400, allowing an attacker to jump to "JIT" sprayed executable code. Moreover, we take a look at three different Firefox CVEs and demonstrate alternative exploitation with ASM.js JIT-Spray. On the road to remote code execution, we show how arbitrary ASM.js payloads are generated and transformed automatically, allowing you to run your favorite code implant on vulnerable Firefox versions.

Biography. Robert is a security researcher at the Ruhr-University Bochum. He obtained his PhD in 2016 at the Systems Security Chair where he is currently working as PostDoc. His work focuses on various aspects of fuzzing, memory corruption vulnerabilities, and static/dynamic analysis of binary programs. He is experienced in low-level security such as detecting and analyzing client-side bugs, exploit development, and bypassing exploit mitigations.

Talk. The Story of Meltdown and Spectre

Abstract. In this talk we will tell the story of Meltdown and Spectre. We will outline how research from the past two decades was the foundation of the discovery of these vulnerabilities while providing preliminary information. We will point out and illustrate how what the root causes of Meltdown and Spectre are. In the main part of the talk we will describe how Meltdown and Spectre work. We will discuss different attack scenarios and the impact of these attacks. Finally, we will outline countermeasures against the attacks.

Biography. Daniel Gruss is a PhD Student at Graz University of Technology. He has done his master's thesis on identifying and minimizing architecture dependent code in operating system kernels. Daniel's research focuses on software-based side-channel attacks that exploit timing differences in hardware and operating system. In July 2015, he and his colleagues demonstrated the first hardware fault attack performed through a remote website, known as Rowhammer.js.

Talk. The Story of Meltdown and Spectre

Abstract. In this talk we will tell the story of Meltdown and Spectre. We will outline how research from the past two decades was the foundation of the discovery of these vulnerabilities while providing preliminary information. We will point out and illustrate how what the root causes of Meltdown and Spectre are. In the main part of the talk we will describe how Meltdown and Spectre work. We will discuss different attack scenarios and the impact of these attacks. Finally, we will outline countermeasures against the attacks.

Biography. Jann Horn is a security researcher working with Google Project Zero. He focuses primarily on kernel and hypervisor security.

Talk. Vulnerability handling process at Joomla!

Abstract. In this talk, I will give you some first-hand insights into the work that the Joomla security team does. You will learn what attack vectors we are facing, how real-world exploits in popular web apps work and how we as a team try to keep up with these ongoing threats to keep millions of our users secure.

Biography. Born and living in Cologne, Germany, David got in touch with web development during school in 2002. After a few years working with plain HTML sites, he started to develop his own CMS in 2004 and switched to Mambo shortly after. He quickly became an active member of the German community and met them in person for the first time during JoomlaDay Germany 2006. After school, he started his business as a freelance webdeveloper and quickly got more involved in the community by giving support in the forums, co-organizing the German JoomlaDay and the J&Beyond conference, starting a Joomla Usergroup in his home town, developing own extensions and joining the board of the German Joomla association "J&Beyond e.V.". In 2012, he joined the Bug Squad and started contributing to the CMS code. In late 2012, he co-founded the CMS-Garden project, which is cooperation of 12 opensource CMS. In the CMS-Garden, volunteers from all participating systems combine their forces to improve their marketing and reach new potential users.

Talk. Don't trust the DOM: Breaking XSS mitigations via Script Gadgets

Abstract. Cross-Site Scripting is a constant problem of the Web platform. Over the years many techniques have been introduced to prevent or mitigate XSS. Most of these techniques, thereby, focus on script tags and event handlers. HTML sanitizers, for example, aim at removing potentially dangerous tags and attributes. Another example is the Content Security Policy, which forbids inline event handlers and aims at white listing of legitimate scripts.

In this talk, we present a novel Web hacking technique that enables an attacker to circumvent most XSS mitigations. In order to do so, the attacker abuses so-called script gadgets. A script gadget Is a legitimate piece of JavaScript in a page that reads elements from the DOM via selectors and processes them in a way that results in script execution. To abuse a script gadget, the attacker injects a benign looking element into the page that matches the gadget's selector. Subsequently, the gadget selects the benign-looking element and executes attacker-controlled scripts. As the initially injected element is benign it passes HTML sanitizers and security policies. The XSS only surfaces when the gadget mistakenly elevates the privileges of the element.

In this talk, we will demonstrate that these gadgets are present in almost all modern JavaScript libraries, APIs and applications. We will present several case studies and real-world examples that demonstrate that many mitigation techniques are not suited for modern applications. As a result, we argue that the Web should start focusing more on preventive mechanisms instead of mitigations.

Biography. Sebastian Lekies is a senior software engineer and a web security researcher at Google. He is specializing in client-side web application security and automated web application security testing. At Google, Sebastian is a Tech Lead of the web security scanning and the security inventory teams. Before joining Google, Sebastian was part of SAP’s Security Research team, where he conducted academic research in the area of client-side Web application security. He is regularly speaking at academic and non-academic security conferences such as BlackHat US/EU/Asia, OWASP AppSec EU, DeepSec, Usenix Security, CCS, and many more.

Talk. Is there any Security (and Privacy) in the Internet of Things?

Abstract. Embedded (IoT) devices have become commonplace in many areas of our daily life, ranging from smart home assistants to resource-constrained medical devices. Unfortunately, the firmware of such devices is often closed-source and thus, the vendor's security and privacy promises cannot be independently verified. In this talk, we will discuss techniques to address this issue, for example by means of firmware extraction and analysis.

In the first of two case studies, we focus on the Amazon Echo product line and cover methods to extract complete filesystem images from both newer and older devices. We then describe the (solid) security measures implemented in the Echo (e.g. for software updates), and will also outline how Amazon handles the transmission of voice data from and to the backend.

Our second example is the Dexcom G4, a wide-spread continous blood glucose meter used in the treatment of diabetes. Through black-box analysis of the RF interface, we find that the Dexcom G4 does not implement cryptographic protections, which enables a range of attacks, including malicious modification of the transmitted measurements.

The talk concludes with lessons learned from these (and other) case studies and with ideas how the security and privacy of future embedded devices can be improved.

Biography. David Oswald is a lecturer (assistant professor) in the Security and Privacy Group at the University of Birmingham, UK. His main field of research is the security of embedded systems in the real world. On the one hand, the focus is on attack methods that exploit weaknesses in the physical implementation of mathematically secure cryptographic algorithms. Those techniques include both (passive) side-channel analysis and (active) fault injection, as well as reverse engineering. On the other hand, David is working on the practical realization of security systems in embedded applications. He is co-founder of the Kasper & Oswald GmbH, offering innovative products and services for security engineering. His research on vulnerabilities of various wide-spread systems (e.g. DESFire RFID smartcards, Yubikey two-factor authentication tokens, electronic locks, and VW/Hitag2 RKE systems) has created awareness for the crucial importance of security among developers of embedded devices.

Talk. Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels

Abstract. OpenPGP and S/MIME are the two prime standards for providing end-to-end security for emails. We describe novel attacks built upon a technique we call malleability gadgets to reveal the plaintext of encrypted emails. We use CBC/CFB gadgets to inject malicious plaintext snippets into encrypted emails that abuse existing and standard conforming backchannels, for example, in HTML, CSS, or x509 functionality, to exfiltrate the full plaintext after decryption. The attack works for emails even if they were collected long ago, and is triggered as soon as the recipient decrypts a single maliciously crafted email from the attacker. The attack has a large surface, since for each encrypted email sent to n recipients, there are n+1 mail clients that are susceptible to our attack.

We devise working attacks for both OpenPGP and S/MIME encryption, and show that exfiltration channels exist for 23 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients. While it is necessary to change the OpenPGP and S/MIME standards to fix these vulnerabilities, some clients had even more severe implementation flaws allowing straightforward exfiltration of the plaintext.

Biography. Damian Poddebniak is a PhD student at the University of Applied Sciences in Münster. During his master's thesis he worked on fault attacks and applied them against deterministic signature schemes. He is interested in cryptography and privacy-related topics.

Talk. Consequences of Complexity in Group Instant Messaging using the Example of WhatsApp and Signal

Abstract. Group instant messaging is a complex primitive – due to the number of involved users and dynamic modifications to groups – that at the same time needs to provide high efficiency – for providing instant delivery of messages. As we show in our paper (Roesler, Mainka, Schwenk EuroS&P '18), most widespread messengers do not reach expected and required security guarantees for this primitive. This talk aims to provide an overview on the underlying reasons for this lack of security as well as on approaches how this issue can be solved, both on the constructive side and for the developers' view. After presenting the most severe attacks on WhatsApp and Signal, we aim to shed a light on the topic in a more general way. Thereby we want to motivate the reasons for end-to-end encryption more intuitively, provide an overview on what future secrecy means and how ratcheting can be used to reach this property. Of course the talk will include the protocol descriptions of the analyzed protocols and the respective attacks, but the focus will be more constructive. The talk will conclude with outlook questions (and answers): What are the expectable problems of intensive key protocols? How might they be solved by protocol and software developers? Is there a sensible threshold on which security guarantees should be achieved and which attacks can be disregarded when designing a protocol for instant messaging?

Biography. Paul Rösler is PhD student at the Chair for Network and Data Security, Ruhr-University Bochum. Instant messaging protocols and key exchange with special properties such as forward and future secrecy are some of his research topics. During his bachelor and master studies he worked for Qabel – a cloud software that converts established protocols via proxies into a security preserving wrapper-protocol.

Talk. From Discovering Vulnerabilities to Getting Them Fixed At Scale

Abstract. Security researchers are often faced with a dilemma once they have discovered a new type of flaw, potentially affecting many servers or Web sites in the wild. On the one hand, their discovery may allow adversaries to find such flawed systems with ease and attack them quickly (as famously shown by the Drupageddon attack). On the other hand, there are no well-established channels which can be used reliably to notify the affected administrators.

In this talk, we will first discuss how the Web’s security evolved over time, highlighting that the need for notifications at scale is bigger then ever. Afterwards, we present results from two experiments on notifications at scale, trying to help site operators to secure their sites from nefarious attackers. We also discuss numerous roadblocks, starting from a complete lack of a usable email address to issues of trust arising when a non-native speakers calls people in the US.

Biography. Ben Stock is a Tenure-Track Faculty at the newly founded CISPA Helmholtz Center i.G., which is built from the Center for IT-Security, Privacy and Accountability (CISPA) at Saarland University. In his PhD, Ben focussed on the detection and mitigation of Client-Side Cross-Site Scripting. During his PhD, he worked closely with SAP Research and interned with Microsoft Research. After his PhD, he joined CISPA as postdoc, focussing on both Web Security as well as Usable Security research. He currently heads the Security Web Applications Group at CISPA and is a regular speaker at academic and non-academic venues like CCS, USENIX Security, NDSS, Blackhat, and OWASP AppSec.

Talk. Revisiting the X.509 Certification Path Validation

Abstract. In this work we present a new testing tool for the X.509 certification path validation that was developed for the German Federal Office for Information Security (BSI). Furthermore, we report on the errors that were uncovered by applying the tool's default test suite to various test subjects such as cryptographic libraries and applications. The tool is free and open source, and allows the dynamic creation of test cases involving certificate chains and certificate revocation lists based on XML test specifications. It also facilitates the testing of TLS and IPsec applications as well as e-mail clients supporting S/MIME. The errors uncovered by the tool range from compatibility issues to actual security vulnerabilities.

Biography. After his physics diploma from TU Darmstadt in 2006, Falko Strenzke entered FlexSecure GmbH, where he worked in the areas of of trust center software, security certifications, cryptographic implementations and embedded security. He also led a number of security-oriented research projects. In 2013, he received his PhD in computer science for a work on efficient and secure cryptographic implementations, which he conducted in parallel to his job. Since 2014 Falko is the founder and managing director of cryptosource GmbH, a small start-up that focusses on software development and analysis in the areas of cryptography and security. His activities since then are various consulting and development projects in different industries and the development of a new TLS library for embedded systems.

Talk. Exploring ROCA: Fun & troubles with RSA keypairs

Abstract. The talk will cover our recent work which resulted in the discovery of an algorithmic flaw (CVE-2017-15361) in the construction of primes for RSA key generation in a widely-used library of a major manufacturer of cryptographic hardware. The primes generated by the library suffer from an entropy loss so severe, that practical factorization of commonly used key lengths up to 2048 bits is possible. Our method based on an extension of Coppersmith’s factorization attack requires no additional information except for the value of the public modulus and does not depend on a weak or a faulty random number generator. The library in question is found in NIST FIPS 140-2 and CC EAL 5+ certified devices used for a wide range of real-world applications, including citizens identity cards, Trusted Platform Modules, secure email, and tokens for authentication or software signing. The findings directly resulted in the revocation of millions of certificates in Estonia, Slovakia, Spain and other countries and major security update rolled by Microsoft, Google, HP, Lenovo, and others. The talk will discuss how the vulnerability was found, our experience from the responsible disclosure process and an options for mitigation including the systematic prevention using the secure multiparty computation efficient enough to run on cryptographic smartcards.

Biography. Petr is a security researcher at Masaryk University, Czech Republic. He engages in the area of cryptographic protocols for resource-limited devices like smartcards or wireless sensor networks including use and misuse of random number generators. He pushes for more openness and support for FOSS development on JavaCard platform and smartcards in general. He also focuses on a utilization of cryptographic smartcards in the complex scenarios and the development of secure applications on such platforms in Enigma Bridge, Cambridge, UK.