The research focus of the DCSec group is on user driven research projects. Most of our ongoing work can be found on our Projects page. The following pages contain some research prototypes, which do not directly belong to a funded project. On the Incubator page, up-and-coming and new research directions are briefly outlined.
The main aspect of our HCRYPT project for homomorphic encryption is to research practical technologies and architectures for operating on privacy related data. This means, that confidential data can remain in an encrypted state while being processed. One research branch is the development of homomorphically encrypted circuitry like memory and CPUs, where working software prototypes are currently translated into hardware designs. This helps to secure cloud services or electronic devices in industry and consumer market. In parallel we research hybrid systems in which most parts of the computation is carried out unencrypted and only privacy-related portions are actually enciphered. An interesting prototype in this field is the privacy-preserving search of encrypted sequences in a genome database with secret search terms. Visit the project website at hcrypt.com
Computer security has been intensively researched over decades. From early military applications up to state of the art technologies such as RSA tokens or even quantum cryptography, there is a theoretical solution to most computer security problems. However, an important part of many security solutions has been neglected: the user. Especially since the widespread adoption of the Internet and new communication technologies, increasingly complex applications find their way into "normal" people's homes. For these users, security is a secondary concern that is only a nuisance in satisfying their shopping or communication needs. The DCSec Group is therefore investigating usability aspects of security technologies and their application in every day life. We believe that especially in domains that are part of the daily routine, e.g. Facebook, security needs to be as unobtrusive as possible. Adopting existing and proven security mechanisms to meet this challenge is the focus of ongoing research at the DCSec group. One example of a successful adaption of message confidentiality mechanisms for Facebook can be found at cloudcrypt.me
In today's distributed computing environments, authentication and authorization decisions take place in the middleware or on the compute and storage resources themselves. Thus, in both cases the decision is felled within the local network of the hosting organization. This is due to several drawbacks in common firewalls. For one, most firewalls only utilize the 5-tupel of IP addresses, port numbers and protocol numbers to decide which connection are legitimate and which are not. This offers minimal configurability, however in complex environments like the Grid or the Cloud this information is not sufficient for optimal fine-grained decisions. Also, the inability of application level firewalls to deal with dynamically opened server ports for encrypted connections such as they are used by protocols like GridFTP require very lax firewalls rules to be set, if the Grid or Cloud is to operate unhindered. In this project a solution is presented that moves the authorization enforcement forward into the firewall. The presented system enables an authorization of each connection, based on the user's individual Grid or Cloud attributes. This offers a user and administration friendly and transparent configuration of firewalls in complex distributed HPC environments.
Grid Proxy Auditing
Grid Proxy Credentials are a major worry to secure Grid usage, since they contain a private key with which Grid resources can be consumed on behalf of a user without consent or knowledge of the user. Currently such misuse is hard to detect in a timely fashion. Our Grid Proxy Auditing work allows secure user-friendly tracking of Grid Proxy Credentials.