Secure Application Design (SS 2024)

Content

In this lecture, we will translate the cryptographic groundwork of your Bachelor's studies into the real world. We will discuss how cryptographic keys are managed, how trust in them is established, and how protocols are built. Additionally, we will review various real-world applications, and investigate how they use cryptographic tools to address the challenges they set out to solve. The course is held on campus (HS i11); lecture recordings will be available after the fact via TUbe. At the end of the semester, a written exam will be offered on campus. After the main exam date, further exams will be oral, offered on demand. The initial KU presentations are on campus (HS i11). A recording will be available. All other KU tasks can be undertaken remotely. Discord is the primary means of communication. Private questions may be addressed via email.

Material

NOTE: The contents of this course changed significantly in SS2023 (last year). Any previous recordings you may find will likely not reflect the current state of the curriculum.

Date	Who	Lecture 14:00–16:00 (HS i11)	Recording
01.03.2024	JH	Intro & Recap: Cryptography	TUbe
08.03.2024	JH	Common Attacks & Vulnerabilities	TUbe
15.03.2024	JH	Trust & Privacy	TUbe
22.03.2024	TZ	Identity	TUbe
12.04.2024	JH	Authentication	TUbe
19.04.2024	LH	Key Management	TUbe
26.04.2024	LH	TLS Handshake Protocol	TUbe
03.05.2024	JH	OpenID Connect	TUbe
17.05.2024	TZ	ID Austria & eIDAS	TUbe (2023; part 1, part 2)
24.05.2024	PT	Green Pass, AWP & Digital Wallet	TUbe (2023)
07.06.2024	A-SIT	Current Topics Spotlight	no recording
14.06.2024	LH	Messengers	TUbe
21.06.2024	You!	Seminar: Middleware Security
28.06.2024		VO Exam

Practicals

Date	What?
01.03.2024	Introduction to the Practicals (HS i11, from 15:15) (slides)
01.03.2024	Assignment Sheet
01.03.2024	Intro Challenges Available
≤ 14.03.2024	Solve Intro Challenges
15.03.2024	Introduction to Challenge Creation (HS i11, from 15:30) (slides)
≤ 22.03.2024	Group Formation
23.03.2024	Plan & Implement Your Challenge (start of P2)
≤ 12.04.2024	Submit Design Concept
≤ 26.04.2024	Implement Your Challenges
03.05.2024	Challenges Available (start of P3)
≤ 21.06.2024	Solve Others' Challenges & Submit Write-Up

Administrative Information

Getting a Grade (VO)

There are two ways to obtain a grade for the VO. You can either take an exam or give a seminar talk. The standard way to get a grade is to take a written 60-minute exam at the end of the semester. There will be one scheduled exam date. After this date, exams will default to being oral unless there is significant coordinated student demand. To arrange an oral exam date, email us at least two weeks in advance and offer at least three potential timeslots. Both written and oral exams are partial open-book. You may bring one two-sided, hand-written, A4 sheet containing whatever information you think you will need during the exam. Only hand-written sheets are permitted. Print-outs, photocopies, etc. are not permitted. You can find & register for upcoming written exam dates in TUGRAZonline. For very motivated students, it is also possible to give a seminar talk. To do this, choose a subject related to real-world use of cryptography that you are passionate about, or find particularly interesting. Submit a brief outline of your proposal via email by March 17th. We will communicate with you to agree on a topic. You will then submit a ≥7 page report by May 19th, and give a seminar talk in the lecture on June 21st. If these tasks are completed satisfactorily, you will receive a passing VO grade without the need for an exam. The range of acceptable topics is very broad, from case studies of particularly clever cryptographic protocols to usability analyses or ethical discussions. If you are unsure about a potential topic, do not hesitate to get in touch.

Practicals (KU)

The practicals are divided into three phases. In phase 1, you will solve pre-made Capture-the-Flag (CTF) challenges from last year's course, to familiarize yourself with the concept. This is done by yourself. In phase 2, you will design and implement your own challenge. This is done in groups. In phase 3, you will solve challenges posed by the other teams. This is done by yourself. Phase 1 awards 10 points. Phase 2 awards 30 points. Phase 3 awards 60 points. You need at least 50% of points in each phase to pass the course. If you pass all phases, your grade will be determined as follows:

• ≥ 87½ points: Sehr Gut (1)
• ≥ 75 points: Gut (2)
• ≥ 62½ points: Befriedigend (3)
• ≥ 50 points: Genügend (4)

For the full details, please see the KU assignment sheet.

Contact and Communication

For questions regarding the courses we have the following communication channels:

• Discord: IAIK server, channels #sead-*-announcements for any necessary announcements and reminders.
• Discord: IAIK server, channel #sead for all questions regarding lectures and exercises.
• Discord: IAIK server, channel #sead-looking-for-team to find team members for the exercises.
• [email protected] for administrative questions specific to your situation. Please use Discord for questions that might be of interest for other students.

Lecturers