Dennis Kügler

Security Analysis of the PACE Key-Agreement Protocol

We analyze the Password Authenticated Connection Establishment (PACE) protocol for authenticated key agreement, recently proposed by the German Federal Office for Information Security (BSI) for the deployment in machine readable travel documents. We show that the PACE protocol is secure in the real-or-random sense of Abdalla, Fouque and Pointcheval, under a number-theoretic assumption related to the Diffie-Hellman problem and assuming random oracles and ideal ciphers.

Man in the Middle Attacks on Bluetooth

Bluetooth is a short range wireless communication technology that has been designed to eliminate wires between both stationary and mobile devices. As wireless communication is much more vulnerable to attacks, Bluetooth provides authentication and encryption on the link level. However, the employed frequency hopping spread spectrum method can be exploited for sophisticated man in the middle attacks. While the built-in point-to-point encryption could have offered some protection against man in the middle attacks, a flaw in the specification nullifies this countermeasure.

An analysis of GNUnet and the implications for anonymous, censorship-resistant networks

Peer-to-peer networks are a popular platform for file sharing, but only few of them offer strong anonymity to their users. GNUnet is a new peer-to-peer network that claims to provide practical anonymous and censorship-resistant file sharing. In this paper we show that GNUnet’s performance-enhancing features can be exploited to determine the initiator of a download. We also present an efficient filter mechanism for GNUnet. Assuming that content filtering is legally enforced, GNUnet can be censored at a large scale.

Domain-Specific pseudonymous signatures for the german identity card

The restricted identification protocol for the new German identity card basically provides a method to use pseudonyms such that they can be linked by individual service providers, but not across different service providers (even not malicious ones). The protocol can be augmented to allow also for signatures under the pseudonyms. In this paper, we thus view --and define-- this idea more abstractly as a new cryptographic signature primitive with some form of anonymity, and use the term domain-specific pseudonymous signatures. We then analyze the restricted identification solutions in terms of the formal security requirements.

The PACE|AA Protocol for Machine Readable Travel Documents, and Its Security

We discuss an efficient combination of the cryptographic protocols adopted by the International Civil Aviation Organization (ICAO) for securing the communication of machine readable travel documents and readers. Roughly, in the original protocol the parties first run the Password-Authenticated Connection Establishment (PACE) protocol to establish a shared key and then the reader (optionally) invokes the Active Authentication (AA) protocol to verify the passport’s validity. Here we show that by carefully re-using some of the secret data of the PACE protocol for the AA protocol one can save one exponentiation on the passports’s side. We call this the PACE|AA protocol. We then formally prove that this more efficient combination not only preserves the desirable security properties of the two individual protocols but also increases privacy by preventing misuse of the challenge in the Active Authentication protocol. We finally discuss a solution which allows deniable authentication in the sense that the interaction cannot be used as a proof towards third parties.

Sicherheitsmechanismen für kontaktlose Chips im deutschen elektronischen Personalausweis: Ein Überblick über Sicherheitsmerkmale, Risiken und Gegenmaßnahmen

ZusammenfassungDieser Artikel gibt einen Überblick über die Ziele und die Funktion der Sicherheitsmechanismen, wie sie voraussichtlich im deutschen elektronischen Personalausweis zur Anwendung kommen.

Privacy-friendly revocation management without unique chip identifiers for the German national ID card

On 1 November 2010, Germany will start issuing new identity cards. One of the main differences compared with the previous version, besides the different physical format, is the integration of an ISO14443-compliant chip that contains a government-only application for identification purposes and two commercial applications, one of which is an optional electronic signature application.

Security concept of the EU-Passport

With the introduction of biometrics into passports, the next generation of passport books will become pervasive computing devices. In more detail passports will be equipped with contactless RF-chips not only storing digitized biometrics of the holder but also providing fundamental security mechanisms to protect the authenticity, originality, and confidentiality of the data stored on the chip.

On the anonymity of banknotes

In this paper we analyze the anonymity of banknote based payments. We show how to model intermediary-chains and present statistical methods that can be used by banks to extract information on the length of the chain from deposited banknotes. If the bank has discovered a chain of length zero, the anonymity of the payment is immediately revoked. To protect against such deanonymizations, customers have to be very careful when spending banknotes.

Das Sperrmanagement im neuen deutschen Personalausweis

ZusammenfassungDieser Artikel beschreibt im Detail die datenschutzfreundliche Ausgestaltung des Sperrmanagements, wie es im neuen deutschen Personalausweis zum Einsatz kommt.