Secure Application Design (SS 2023)

Course Number 705056 | Sommersemester 2023

Building Secure Applications

Content

This is the 2023 version of the course. A separate page exists for the 2024 version.

In this lecture, we will translate the cryptographic groundwork of your Bachelor's studies into the real world. We will discuss how cryptographic keys are managed, how trust in them is established, and how protocols are built. Additionally, we will review various real-world applications, and investigate how they use cryptographic tools to address the challenges they set out to solve. The course is held on campus (HS i11); lecture recordings will be available after the fact via TUbe. At the end of the semester, a written exam will be offered on campus. After the main exam date, further exams will be oral, offered on demand. The initial KU presentation is on campus (HS i11). A recording will be available. All other KU tasks can be undertaken remotely. Discord is the primary means of communication. Private questions may be addressed via email.

Material

NOTE: The contents of this course have significantly changed in SS2023. Any previous recordings you may find will likely not reflect the current state of the curriculum.
Date       | Who       | Lecture 14:00–16:00 (HS i11)                 | Recording
03.03.2023 | JH        | Intro & Recap: Cryptography                  | TUbe
10.03.2023 | JH        | Common Attacks & Vulnerabilities             | TUbe
17.03.2023 | HW        | Introduction to the Practicals               | TUbe
24.03.2023 | JH        | Trust & Privacy                              | TUbe
31.03.2023 | MT        | Identity                                     | TUbe
21.04.2023 | JH        | Authentication                               | TUbe
28.04.2023 | MT        | Key Management                               | TUbe
05.05.2023 | SRN       | TLS Handshake Protocol                       | TUbe (errata)
12.05.2023 | TZ        | eIDAS & ID Austria                           | TUbe (part 1, part 2)
26.05.2023 | JH        | Registerkassensicherheitsverordnung          | TUbe
02.06.2023 | KK & SRN  | The Signal Protocol & WhatsApp's Backups     | TUbe
16.06.2023 | PT        | Green Pass & Ausweisplattform                | TUbe
23.06.2023 | You!      | Seminar Presentation: Secure Boot            | TUbe
07.07.2023 |           | VO Exam                                      |

Practicals

Date         | What?
17.03.2023   | Introductory Lecture (recording)
17.03.2023   | Assignment Sheet
20.03.2023   | Intro Challenges Available
≤ 29.03.2023 | Solve Intro Challenges
≤ 29.03.2023 | Group Formation
≤ 21.04.2023 | Submit Design Concept
≤ 28.04.2023 | Kick-off Meeting
≤ 21.05.2023 | Implement Your Challenges
≤ 29.05.2023 | Deployment Meeting
≤ 30.06.2023 | Solve Others' Challenges & Submit Write-Up

Administrative Information

Getting a Grade (VO)

There are two ways to obtain a grade for the VO: you can either take an exam or give a seminar talk.

The standard way to get a grade is to take a written 60-minute exam at the end of the semester. There will be one scheduled exam date on the 7th of July. After this date, exams will default to being oral unless there is significant coordinated student demand. To arrange an oral exam date, email us at least two weeks in advance and offer at least three potential timeslots. Both written and oral exams are partially open-book: you may bring one two-sided, hand-written A4 sheet containing whatever information you think you will need during the exam. Only hand-written sheets are permitted; print-outs, photocopies, etc. are not. You can find and register for upcoming written exam dates in TUGRAZonline.

For very motivated students, it is also possible to give a seminar talk. To do this, choose a subject related to real-world use of cryptography that you are passionate about, or find particularly interesting. Submit a brief outline of your proposal via email by March 19th. We will communicate with you to agree on a topic. You will then submit a report of at least 7 pages by May 31st, and give a seminar talk in the lecture on June 23rd. If these tasks are completed satisfactorily, you will receive a passing VO grade without the need for an exam. The range of acceptable topics is very broad, from case studies of particularly clever cryptographic protocols to usability analyses or ethical discussions. If you are unsure about a potential topic, do not hesitate to get in touch.

Practicals (KU)

The practicals are divided into three phases. In phase 1, you will solve pre-made Capture-the-Flag (CTF) challenges from last year's course, to familiarize yourself with the concept. This is done individually. In phase 2, you will design and implement your own challenge. This is done in groups. In phase 3, you will solve the challenges posed by the other teams. This is done individually. Phase 1 awards 10 points, phase 2 awards 30 points, and phase 3 awards 60 points. You need at least 50% of the points in each phase to pass the course. If you pass all phases, your grade will be determined as follows:
  • ≥ 87½ points: Sehr Gut (1)
  • ≥ 75 points: Gut (2)
  • ≥ 62½ points: Befriedigend (3)
  • ≥ 50 points: Genügend (4)
For the full details, please see the KU assignment sheet.

Contact and Communication

For questions regarding the courses we have the following communication channels:
  • Discord: IAIK server, channels #sead-*-announcements for any necessary announcements and reminders.
  • Discord: IAIK server, channel #sead for all questions regarding lectures and exercises.
  • Discord: IAIK server, channel #sead-looking-for-team to find team members for the exercises.
  • sead@iaik.tugraz.at for administrative questions specific to your situation. Please use Discord for questions that might be of interest for other students as well.

Lecturers

Jakob Heher (PhD Student)
Sudheendra Raghav Neela