SecAppDev 2019 has ended


Cryptography
Tuesday, February 19
 

16:00

Cryptographic algorithms
Cryptographic algorithms include stream/block ciphers, hash functions, MAC algorithms, authenticated/public key encryption schemes, and digital signatures. This session focuses on their properties, and on what they can and cannot do for you.


Abstract
The cryptographic algorithm zoo includes stream ciphers, block ciphers, hash functions, MAC algorithms, authenticated encryption schemes, public key encryption, and digital signature schemes. These cryptographic building blocks can be used to offer strong security properties. However, each of these algorithms has different security properties and serves a specific purpose. To avoid creating vulnerabilities, a good understanding of these algorithms is essential.

In this session, we zoom in on each of these algorithm types. We will investigate their properties, what they can and cannot do for you, and how to use them correctly. In the end, you will be able to select the right algorithm for the challenges you're trying to solve. In essence, you will be able to find your way in the algorithm zoo.


This session is intended for anyone building, designing or securing applications.

Speakers

Bart Preneel

Full professor, KU Leuven


Tuesday February 19, 2019 16:00 - 17:30
Main building (room Lemaire)
 
Wednesday, February 20
 

09:00

Entity authentication
Entity authentication goes further than verifying passwords. This session focuses on the properties of various authentication factors and protocols, including securely establishing cryptographic keys.


Abstract
Entity authentication is about providing proof related to an identity. The most straightforward example of entity authentication is a password. Passwords are a vulnerable but cheap and convenient way of authenticating an entity. However, in today's reality, passwords on their own are not enough.

That's where authentication protocols and key establishment protocols come into the picture.
In this session, we dive deep into entity authentication. We discuss common authentication factors, such as smart cards, tokens or biometrics. These authentication factors play an important role in deploying multifactor authentication schemes. We investigate the use of authentication servers and authentication protocols. Finally, we analyze the challenges faced by key establishment protocols.


This session is intended for anyone building, designing or securing applications.

Speakers

Roel Peeters

CTO, NextAuth


Wednesday February 20, 2019 09:00 - 10:30
West wing (room Lemaître)

14:00

Public Key Infrastructure (PKI) fundamentals
PKIs ensure the secure delivery and management of public keys. One example is the ecosystem supporting HTTPS, but PKIs are also used in payment systems (EMV) or intranets. This session covers how to manage keys, certificates, and revocation.


Abstract
The function of a Public Key Infrastructure (PKI) is to ensure secure delivery and management of public keys. The most widely used PKI is the ecosystem supporting HTTPS. This ecosystem heavily depends on certificate authorities to ensure the validity of a certificate, but alternative trust models exist as well. In fact, different trust models lead to different key architectures.

In this session, you will discover what is needed to build and deploy a PKI. At its core, a PKI is about publishing public keys using digitally signed certificates. However, when a private key may be compromised, you also need to be able to revoke a certificate. As history has shown us, revocation is harder than you may imagine. We explore a couple of alternatives, including Certificate Revocation Lists (CRL), and the Online Certificate Status Protocol (OCSP). In the end, you will understand how public PKIs work. You will also have a list of requirements and best practices for setting up a private PKI system.


This session is intended for anyone building, designing or securing applications.

Speakers

Bart Preneel

Full professor, KU Leuven


Wednesday February 20, 2019 14:00 - 15:30
Main building (room Lemaire)

16:00

Behind the scenes of blockchain, cryptocurrencies, and smart contracts
Today, blockchain applications dominate the tech news. But what are the underlying security properties of these mechanisms? In this lecture, we look at the technology, its strengths, and its weaknesses.


Abstract
The Bitcoin ecosystem had a bumpy start, but today, it dominates the news cycles. Next to financial applications, we also see the adoption of smart contract platforms, such as Ethereum. Overall, these technologies have inspired novel solutions to distributed trust based on blockchains (or distributed ledgers). But how do these technologies work in practice? Is every product based on the blockchain today useful?

In this lecture, we take a look at the core principles behind cryptocurrencies and smart contracts. We also look at real-world use cases for these technologies, as well as at a more controlled form of blockchain, known as a permissioned ledger. Rest assured, we will see past the hype and highlight the strengths and weaknesses of these approaches.


This session is intended for anyone building, designing or securing applications.

Speakers

Bart Preneel

Full professor, KU Leuven


Wednesday February 20, 2019 16:00 - 17:30
Main building (room Lemaire)
 
Thursday, February 21
 

14:00

Cryptography best practices
Cryptography is often used in an incorrect or insecure fashion. This session outlines the current best practices, including an extensive list of recommended protocols and algorithms.


Abstract
All too often, cryptography is misunderstood and misused. As a result, systems often suffer from complex and hard-to-find vulnerabilities. However, even when used correctly, selecting the right algorithm from a list of similar options is a hard task. To use cryptography well, application architects and developers need to make informed choices.

This session provides the proper information to make well-informed choices. Throughout this session, we will compile a set of best practices for using and deploying cryptographic algorithms. We cover topics such as cipher strength, key management, cryptographic libraries, and different PKI architectures. However, we also look at innovative ways of using cryptography, such as obfuscation and watermarking. In the end, you will walk away with a set of best practices for using modern cryptographic algorithms.


This session is intended for anyone building, designing or securing applications.

Speakers

Bart Preneel

Full professor, KU Leuven


Thursday February 21, 2019 14:00 - 15:30
Main building (room Lemaire)
 
Friday, February 22
 

09:00

Modern HTTPS deployments
HTTPS and SSL/TLS have been under fire for years. In this session, we explore the impact of several attacks. We also discuss several new browser defenses to mitigate these attacks.


Abstract
HTTPS and SSL/TLS have been under fire for years. FREAK, POODLE, BEAST, and CRIME represent practical cryptographic attacks. Add to that an inherently weak CA system, and you end up with a large number of insecure HTTPS deployments.

However, recent browser-based defenses significantly improve the security properties of HTTPS. This session dives deep into the security properties of the HTTPS protocol. We explore problems with legacy features and their impact. And most important, we will talk about new defenses to improve your HTTPS deployment. You will walk away with a set of best practices to offer your users the most secure HTTPS experience possible.


This session is intended for anyone working on network-based applications.

Speakers

Jim Manico

CEO, Manicode Security


Friday February 22, 2019 09:00 - 10:30
Main building (room Lemaire)

14:00

Security features of TLS 1.3
TLS is one of the most widespread secure communication protocols on the Internet. We present the formal guarantees that its latest iteration provides for its users.


Abstract
The history of SSL/TLS goes all the way back to SSL 2.0. Since the original protocol, the standard for secure communication on the internet has seen many iterations. Currently, many systems run on TLS 1.2. Unfortunately, this evolution has been principally driven by a break-and-fix cycle. Often, the users of these protocols suffer the damaging consequences. In August 2018, the latest iteration, TLS 1.3, was released. This was the result of a long process that combined the expertise of both engineers and security researchers.

In this session, we will look at the different formal guarantees that this new iteration provides. Concretely, we look at mutual authentication, forward secrecy, and secure channels. We will make use of the building blocks of cryptography (public-key encryption, DH key exchange, AEAD, etc.) to explain which elements of the protocol help in providing the different guarantees. We show how TLS 1.3 brings significant improvements over older versions. In the end, you will be able to select the most appropriate security guarantees for your applications.


This session is intended for anyone wishing to approach TLS for research or deployment.

Speakers

Cyprien Delpech de Saint Guilhem

Research associate, KU Leuven


Friday February 22, 2019 14:00 - 15:30
Main building (room Lemaire)