More information on the English home page.
Keywords:
Security,
Privacy
Publications
-
Büttner, Andre; Pedersen, Andreas Thue; Wiefling, Stephan; Gruschka, Nils & Lo Iacono, Luigi
(2024).
Is It Really You Who Forgot the Password? When Account Recovery Meets Risk-Based Authentication.
Ubiquitous Security.
Springer Nature.
ISBN 978-981-97-1274-8.
doi:
10.1007/978-981-97-1274-8_26.
-
Büttner, Andre & Gruschka, Nils
(2024).
Evaluating the Influence of Multi-Factor Authentication and Recovery Settings on the Security and Accessibility of User Accounts.
ICISSP.
ISSN 2184-4356.
doi:
10.5220/0012319000003648.
-
Unsel, Vincent; Wiefling, Stephan; Gruschka, Nils & Lo Iacono, Luigi
(2023).
Risk-Based Authentication for OpenStack: A Fully Functional Implementation and Guiding Example.
In Shehab, Mohamed (Ed.),
CODASPY '23: Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy.
Association for Computing Machinery (ACM).
ISBN 979-8-4007-0067-5.
pp. 237–243.
doi:
10.1145/3577923.3583634.
-
Hansen, Malte; Gruschka, Nils & Jensen, Meiko
(2023).
Introducing the Concept of Data Subject Rights as a Service Under the GDPR.
In Jensen, Meiko; Ziegler, Sébastien & Schiffner, Stefan (Eds.),
Privacy Symposium: Data Protection Law International Convergence and Compliance with Innovative Technologies.
Springer.
ISBN 978-3-031-44938-3.
pp. 17–31.
doi:
10.1007/978-3-031-44939-0_2.
-
Büttner, Andre & Gruschka, Nils
(2023).
Protecting FIDO Extensions Against Man-in-the-Middle Attacks.
Emerging Technologies for Authorization and Authentication, 5th International Workshop, ETAA 2022, Copenhagen, Denmark, September 30, 2022, Revised Selected Papers.
Springer.
ISBN 978-3-031-25467-3.
pp. 70–87.
doi:
10.1007/978-3-031-25467-3_5.
Abstract:
FIDO authentication has many advantages over password-based authentication, since it relies on proof of possession of a security key. It eliminates the need to remember long passwords and, in particular, is resistant to phishing attacks. Beyond that, the FIDO protocols consider protocol extensions for more advanced use cases such as online transactions. FIDO extensions, however, are not well protected from Man-in-the-Middle (MitM) attacks. This is because the specifications require a secure transport between client and server, but there exists no end-to-end protection between server and authenticator.
In this paper, we discuss MitM scenarios in which FIDO extensions may be intercepted. We further propose an application-layer security protocol based on the CBOR Object Signing and Encryption (COSE) standard to mitigate these threats. This protocol was verified in a formal security evaluation using ProVerif and, finally, implemented in a proof-of-concept.
-
Sæbø, Johan Ivar; Büttner, Andre; Gruschka, Nils; Jolliffe, Bob & McGee, Austin
(2022).
Where There is No CISO.
In Zheng, Y.; Abbott, P. & Robles-Flores, J. A. (Eds.),
Freedom and Social Inclusion in a Connected World: 17th IFIP WG 9.4 International Conference on Implications of Information and Digital Technologies for Development.
Springer.
ISBN 978-3-031-19429-0.
doi:
10.1007/978-3-031-19429-0_12.
-
Büttner, Andre & Gruschka, Nils
(2021).
Enhancing FIDO Transaction Confirmation with Structured Data Formats.
NIKT: Norsk IKT-konferanse for forskning og utdanning.
ISSN 1892-0713.
Abstract:
FIDO Transaction Confirmation is an extension of the FIDO authentication protocols that enables the verification and signing of digital transactions, e.g., for online banking. The standard currently only allows a free-form transaction message text to be included in the assertion signed by the user's authenticator. This is not sufficient for more complex transactions and leaves room for ambiguities that might lead to security vulnerabilities. We therefore propose adding the transaction information to the FIDO protocols in a structured data format with a strictly defined schema, so that transactions can be validated and signed more reliably and securely.
-
Bisztray, Tamas; Gruschka, Nils; Bourlai, Thirimachos & Fritsch, Lothar
(2021).
Emerging Biometric Modalities and their Use: Loopholes in the Terminology of the GDPR and Resulting Privacy Risks.
In Brömme, Arslan; Busch, Christoph; Damer, Naser; Dantcheva, Antitza; Gomez-Barrero, Marta; Raja, Kiran; Rathgeb, Christian; Sequeira, Ana F. & Uhl, Andreas (Eds.),
Proceedings of the 20th International Conference of the Biometrics Special Interest Group (BIOSIG 2021).
Gesellschaft für Informatik.
ISBN 978-1-6654-2693-0.
pp. 81–90.
Abstract:
Technological advances make biometric applications more pervasive than ever before. This paper argues that under the current EU data protection regulation, classification applications using biometric data receive less protection than biometric recognition. We analyse preconditions in the regulatory language and explore how this has the potential to be the source of unique privacy risks for processing operations that classify individuals based on soft traits such as emotions. This can have a high impact on personal freedoms and human rights and should therefore be subject to a data protection impact assessment.
-
Fritsch, Lothar & Gruschka, Nils
(2021).
Extraction and Accumulation of Identity Attributes from the Internet of Things.
In Roßnagel, Heiko; Schunk, Christian & Mödersheim, Sebastian (Eds.),
Open Identity Summit 2021 Proceedings.
Gesellschaft für Informatik.
ISBN 978-3-88579-706-7.
Full text in the institutional repository
Abstract:
Internet of Things (IoT) devices with wireless communication provide person-relatable information usable as attributes in digital identities. By scanning and profiling these signals against location and time, identity attributes can be generated and accumulated. This article introduces the concept of harvesting identifiable information from IoT. It summarizes ongoing work that aims at assessing the amount of person-relatable attributes that can be extracted from public IoT signals. We present our experimental data collection in Oslo/Norway and discuss systematic harvesting, our preliminary results, and their implications.
-
Büttner, Andre; Nguyen, Hoai Viet; Gruschka, Nils & Lo Iacono, Luigi
(2021).
Less is Often More: Header Whitelisting as Semantic Gap Mitigation in HTTP-Based Software Systems.
In Jøsang, Audun; Futcher, Lynn & Hagen, Janne Merete (Eds.),
ICT Systems Security and Privacy Protection.
Springer Nature.
ISBN 978-3-030-78120-0.
pp. 332–347.
doi:
10.1007/978-3-030-78120-0_22.
Abstract:
The web is the most widespread digital system in the world and is used for many crucial applications. This makes web application security extremely important and, although many security measures already exist, new vulnerabilities are constantly being discovered. One reason for some of the recent discoveries lies in the presence of intermediate systems, e.g. caches, message routers, and load balancers, on the way between a client and a web application server. The implementations of such intermediaries may interpret HTTP messages differently, which leads to a semantically different understanding of the same message. This so-called semantic gap can cause weaknesses in the entire HTTP message processing chain.
In this paper we introduce the header whitelisting (HWL) approach to address the semantic gap in HTTP message processing pipelines. The basic idea is to normalize and reduce an HTTP request header to the minimum required fields using a whitelist before processing it in an intermediary or on the server, and then restore the original request for the next hop. Our results show that HWL can avoid misinterpretations of HTTP messages in the different components and thus prevent many attacks rooted in a semantic gap including request smuggling, cache poisoning, and authentication bypass.
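The reduce-then-restore step described in the abstract above, as an added illustration that is not the paper's own code or implementation: an intermediary parses only a normalized, whitelisted copy of the request header, refuses requests whose framing is ambiguous, and keeps the verbatim original header block to re-emit for the next hop. The whitelist, the sample requests and the choice to reject (rather than silently repair) conflicting framing headers are assumptions made for this example.

```python
"""Header whitelisting (HWL) sketch for an HTTP intermediary (added example,
not the paper's implementation). Whitelist and sample requests are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Headers this hop (say, a cache or load balancer) actually needs. Assumption.
WHITELIST = frozenset({
    "host", "content-length", "transfer-encoding", "content-type",
    "authorization", "cookie", "accept", "user-agent",
})

# RFC 9110 "token": the only characters allowed in a field name. A name such as
# "Content-Length " (trailing space) is not a token; parsers disagree on whether
# to honour it, which is exactly the semantic gap HWL is meant to remove.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

Header = Tuple[str, str]


class HeaderError(ValueError):
    """The request is malformed or ambiguous and must be rejected (HTTP 400)."""


@dataclass
class ReducedRequest:
    request_line: str
    headers: Dict[str, str]         # normalized, whitelisted view for this hop
    body: bytes
    original_headers: List[Header]  # verbatim copy, re-emitted for the next hop


def parse_request(raw: bytes) -> Tuple[str, List[Header], bytes]:
    """Split a raw HTTP/1.1 request into request line, header pairs and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise HeaderError("missing end of header block")
    lines = head.split(b"\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise HeaderError(f"malformed header line {line!r}")
        headers.append((name.decode("latin-1"), value.decode("latin-1")))
    return lines[0].decode("latin-1"), headers, body


def normalize_headers(headers: List[Header]) -> Dict[str, str]:
    """Keep only whitelisted, well-formed headers; refuse ambiguous framing."""
    kept: Dict[str, str] = {}
    for name, value in headers:
        if not _TOKEN.match(name):
            raise HeaderError(f"invalid field name {name!r}")
        key = name.lower()
        if key not in WHITELIST:
            continue                      # not needed at this hop: drop it
        val = value.strip(" \t")
        if key in kept:
            if key in ("content-length", "transfer-encoding"):
                raise HeaderError(f"duplicate {key} header")
            val = f"{kept[key]}, {val}"   # list-valued headers may be merged
        kept[key] = val

    cl, te = kept.get("content-length"), kept.get("transfer-encoding")
    if cl is not None and te is not None:
        # CL.TE / TE.CL request smuggling relies on hops disagreeing here.
        raise HeaderError("both Content-Length and Transfer-Encoding present")
    if cl is not None and not (cl.isascii() and cl.isdigit()):
        raise HeaderError(f"non-canonical Content-Length {cl!r}")
    if te is not None and te.lower() != "chunked":
        raise HeaderError(f"unsupported Transfer-Encoding {te!r}")
    return kept


def reduce_request(raw: bytes) -> ReducedRequest:
    """The only view this intermediary is allowed to act on."""
    request_line, headers, body = parse_request(raw)
    return ReducedRequest(request_line, normalize_headers(headers), body, headers)


def restore_request(req: ReducedRequest) -> bytes:
    """Re-emit the original request bytes unchanged for the next hop."""
    lines = [req.request_line] + [f"{n}:{v}" for n, v in req.original_headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + req.body


def is_accepted(raw: bytes) -> bool:
    try:
        reduce_request(raw)
        return True
    except HeaderError:
        return False


# Constructed sample requests (not captured traffic).
CLEAN_REQUEST = (
    b"POST /transfer HTTP/1.1\r\nHost: bank.example\r\nContent-Length: 13\r\n"
    b"X-Debug: 1\r\nContent-Type: application/json\r\n\r\n" + b'{"amount":5}\n'
)
# CL.TE smuggling: a front end honouring Content-Length forwards the trailing
# GET as the start of the next request to a back end honouring chunked.
CL_TE_REQUEST = (
    b"POST / HTTP/1.1\r\nHost: bank.example\r\nContent-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n"
)
DUP_CL_REQUEST = (
    b"POST / HTTP/1.1\r\nHost: bank.example\r\nContent-Length: 4\r\n"
    b"Content-Length: 10\r\n\r\nabcd"
)
SPACED_NAME_REQUEST = (
    b"POST / HTTP/1.1\r\nHost: bank.example\r\nContent-Length : 4\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    reduced = reduce_request(CLEAN_REQUEST)
    print("this hop sees:", sorted(reduced.headers))  # x-debug is not there
    print("next hop gets original:", restore_request(reduced) == CLEAN_REQUEST)
    for label, req in [("CL.TE", CL_TE_REQUEST), ("duplicate CL", DUP_CL_REQUEST),
                       ("spaced name", SPACED_NAME_REQUEST)]:
        try:
            reduce_request(req)
        except HeaderError as exc:
            print(f"{label}: rejected ({exc})")
```

Every hop applies the same reduction to the request it receives, so the restored bytes are only a transport artifact: no intermediary makes a routing, caching or authentication decision on a header that did not survive normalization. Running the file shows the clean request passing with its X-Debug header invisible to this hop but present in the restored bytes, while the CL.TE, duplicate Content-Length and spaced-name requests are rejected with a reason suitable for an HTTP 400 response.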
-
Bisztray, Tamas; Gruschka, Nils; Mavroeidis, Vasileios & Fritsch, Lothar
(2020).
Data Protection Impact Assessment in Identity Control Management with a Focus on Biometrics.
In Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian & Hühnlein, Detlef (Eds.),
Open Identity Summit 2020.
Gesellschaft für Informatik.
ISBN 978-3-88579-699-2.
pp. 185–192.
doi:
10.18420/ois2020_17.
-
Wiefling, Stephan; Gruschka, Nils & Lo Iacono, Luigi
(2019).
Even Turing Should Sometimes Not Be Able to Tell: Mimicking Humanoid Usage Behavior for Exploratory Studies of Online Service.
In Askarov, Aslan; Hansen, René Rydhof & Rafnsson, Willard (Eds.),
Secure IT Systems - 24th Nordic Conference, NordSec 2019.
Springer Nature.
ISBN 978-3-030-35054-3.
pp. 188–203.
doi:
10.1007/978-3-030-35055-0_12.
-
Gruschka, Nils & Bisztray, Tamas
(2019).
Privacy Impact Assessment: Comparing Methodologies with a Focus on Practicality.
In Askarov, Aslan; Hansen, René Rydhof & Rafnsson, Willard (Eds.),
Secure IT Systems - 24th Nordic Conference, NordSec 2019.
Springer Nature.
ISBN 978-3-030-35054-3.
pp. 3–19.
doi:
10.1007/978-3-030-35055-0_1.
-
Gruschka, Nils; Mavroeidis, Vasileios; Vishi, Kamer & Jensen, Meiko
(2018).
Privacy Issues and Data Protection in Big Data: A Case Study Analysis under GDPR.
In Abe, Naoki; Liu, Huan; Hu, Xiaohua; Ahmed, Nesreen; Qiao, Mu; Song, Yang; Kossmann, Donald; Liu, Bing; Lee, Kisung; Tang, Jiliang; He, Jingrui & Saltz, Jeffrey (Eds.),
2018 IEEE International Conference on Big Data (Big Data), Seattle, 10-13 Dec. 2018.
IEEE (Institute of Electrical and Electronics Engineers).
ISBN 978-1-5386-5035-6.
pp. 5027–5033.
doi:
10.1109/BigData.2018.8622621.
Abstract:
Big data has become a great asset for many organizations, promising improved operations and new business opportunities. However, big data has increased access to sensitive information that, when processed, can directly jeopardize the privacy of individuals and violate data protection laws. As a consequence, data controllers and data processors may face severe penalties for non-compliance, which can even lead to bankruptcy.
In this paper, we discuss the current state of the legal regulations and analyse different data protection and privacy-preserving techniques in the context of big data analysis. In addition, we present and analyse two real-life research projects as case studies dealing with sensitive data and actions for complying with the data regulation laws. We show which types of information might become a privacy risk, the employed privacy-preserving techniques in accordance with the legal requirements, and the influence of these techniques on the data processing phase and the research results.
-
-
Gruschka, Nils; Rannenberg, Kai; Antunes, Luis & Drogkaris, Prokopios
(2021).
Privacy Technologies and Policy: 9th Annual Privacy Forum, APF 2021.
Springer Nature.
ISBN 978-3-030-76662-7.
169 pp.
-
Gruschka, Nils
(2018).
Secure IT Systems - 23rd Nordic Conference, NordSec 2018, Oslo, Norway, November 28-30, 2018, Proceedings.
Springer Nature.
ISBN 978-3-030-03637-9.
486 pp.
Published 12 Feb. 2018 18:38
- Last modified 19 Feb. 2023 18:28