Welcome to the Cryptography and Security Group of the Institute of Information Security and Dependability

On June 30, the federal state of Baden-Württemberg invited the laureates together with researchers to the traditional boat trip on Lake Constance at the end of the 72nd Nobel Laureate Meeting in Lindau. The final plenary session took place on the island of Mainau. The conference aims to promote the interdisciplinary dialogue between researchers. Jörn Müller-Quade and Jeremias Mechler from the KASTEL Security Research Labs at the Karlsruhe Institute of Technology presented a cryptograhic method that enables privacy-preserving computations on private data. A new feature of the method is the hardware, without having to fully trust the hardware itself. The new protocol has applications in medicine and represents a first cooperation with the recently founded KIT center HealthTech. According to Jörn Müller-Quade and Jeremias Mechler there was a very lively exchange with the participants on the boat trip. The newly developed software aroused particular interest among Science Minister Petra Olschowski.

Experts from a wide range of disciplines are dealing with the effects of the coronavirus worldwide. In addition to the activities of virologists and physicians in clinical and application-oriented studies aimed at finding an antidote and increasing understanding of the virus, the pandemic also raises questions for experts in other fields, which means that sociologists, psychologists, lawyers, economists and IT security experts are also in demand.

In order to coordinate research in Germany in this area and to strengthen basic research specifically on topics that are important in pandemics, an interdisciplinary commission was established by DFG President Prof. Dr. Katja Becker. Among the 18 members of the commission, who come from a wide variety of disciplines such as medicine, geography, virology, sociology, economics and law, the head of the Institute, Prof. Jörn Müller-Quade, will represent the side of IT security for the next two years. One of his tasks within the commission is to provide an overview of the basic research in the field and to derive the necessary research questions that should be (interdisciplinarily) researched with regard to pandemics.

Electronic tolling systems are now used all over the world. They are used not only to finance transport infrastructure, but also for more complex objectives such as congestion management and reduction of air pollution. This is achieved through an adaptive pricing scheme, which should motivate the user to prefer less congested routes.

Conventional electronic tolling systems identify the user at each payment transaction and can thus track the movements of each driver - which of course violates the user's privacy.

In a paper recently presented at the "Privacy Enhancing Technologies Symposium (PETS)", Valerie Fetzer, Matthias Nagel, and Rebecca Schwerdt (all KIT) together with Andy Rupp (Universite de Luxembourg) and Max Hoffmann (Ruhr University Bochum) describe how this can also work without invading the privacy. The article "P4TC - Provably-Secure yet Practical Privacy-Preserving Toll Collection" describes a new type of electronic toll system that respects the privacy of the user and is efficient and provably secure.

It is common practice on the Internet that websites try to identify returning users as such in order to provide them with advertising tailored to their interests. As a remedy, modern web browsers like Firefox and Chrome offer the so-called "private mode" (or "incognito mode"). This is intended to make it more difficult to track individual users over several sessions by dispensing with cookies, browser history and other identifying features.

While in incognito mode, Chrome does not store cookies, web page data, and browser history on the user's side to make tracking of web pages visited difficult, the browser still delivers much data to Google, the browser's manufacturer, and the web pages visited. The question of whether this is legal or whether it is being treated as deliberate deception and fraud is currently being investigated in the USA in court.

This is exactly the topic of an article by the Süddeutsche. In it, the head of the institute, Prof. Jörn Müller-Quade, and Prof. Thorsten Strufe from the Practical IT Security working group were interviewed. In the article, they both argue for more transparency in data collection and explore the possibility that this is a general misunderstanding: while Google argues that the private mode mode merely involves a waiver of storing data on the user's device, many users see the mode as a free ticket to anonymous surfing.

For technical reasons, however, even in incognito mode, data such as IP address and browser-specific settings are required to display the website correctly, so Prof. Strufe recommends that users who really want to surf anonymously use the Tor Browser .

In the current SARS-CoV-2 pandemic, smartphone apps for so-called "contact tracing" could give people more freedom by automatically warning people who have been in closer contact with a person infected with corona instead of the previous laborious tracing of infection chains.

The apps use Bluetooth or GPS modules via the smartphone to measure whether two people have come too close to each other. There are various proposals that claim to be privacy friendly, but there is no precise definition of this yet. Prof. Thorsten Strufe and his group have now for the first time formally defined what privacy means in the context of contact tracing apps and compared different proposed approaches in this respect.

At present, a rough distinction is made between two approaches: a centralized approach, in which all information is stored pseudonymized in a central data store, and a decentralized approach, which protects privacy more strongly from the central authorities.A central data store holds a great potential for abuse, because despite the pseudonymization, social graphs can be derived or conclusions can be drawn about the daily routine of private individuals. This is hardly compatible with the informational self-determination of the users and even the danger of abuse could greatly reduce the social acceptance - and thus the use - of such an app.

These problems were summarized in an open letter, which was also signed by the head of the institute, Prof. Jörn Müller-Quade, and Prof. Thorsten Strufe, head of the Practical IT Security (PS) working group, and was published on April 20 and signed by a total of 300 renowned scientists working in the fields of security, privacy and cryptography.

The new part-time M.Sc. program "Information Systems Engineering and Management (ISEM)" has successfully started at the HECTOR School of Engineering and Management. The program focuses on the digital transformation of products, services and organizations. Accordingly there is a new compulsory module on Security and Privacy Engineering with lectures on Information Security (Prof. Melanie Volkamer), Applied Cryptography (Prof. Jörn Müller-Quade), Network Security (Prof. Thorsten Strufe), Data Protection Regulations (Prof. Franziska Böhm) and Emerging Technologies and Critical Information Infrastructures (Prof. Ali Sunyeav).

The Master's program is characterized by a combination of management and technology topics as well as the possibility to specialize in "Digital Services" or "Autonomous Robotics". As in all HECTOR School master programs, participants in "Information Systems Engineering and Management" benefit from an interdisciplinary and international group - diversity is therefore not only a special experience, but also part of the learning experience and strengthens essential life and soft skills.

Further information about the study programme and application can be found on the HECTOR School website.

On the 12th July 2019 the second issue of acatech HORIZONTE was published with the topic "Cyber Security". The head of the institute and acatech member Prof. Jörn Müller-Quade was also represented in this issue. The issue aims in particular to inform society and politics about areas of risk on the Internet and to draw attention to the fact that the topic of cyber security affects everyone, because in the digitally networked world the number and quality of cyber attacks is increasing worldwide. This issue of the publication series is therefore dedicated to providing information about areas of risk and ways of protecting against cyber attacks.