Creating trustworthy IT systems using cryptography
Banking, emails, shopping: increasing volumes of data are being collected, processed and stored online. The challenge of ensuring that they are securely encrypted is similarly increasing, because in the future, quantum computers will be able to crack current encryptions. There is a need for solutions to enable trustworthy IT systems, both now and in the years to come. The Collaborative Research Center (CRC) ‘CROSSING’ (Cryptography-Based Security Solutions: Enabling Trust in New and Next Generation Computing Environments) sees researchers working to develop cryptography-based security solutions that will be able to withstand even high-performance quantum computers. This joint project is a collaboration between TU Darmstadt, Paderborn University, the University of Duisburg-Essen, the University of Regensburg, and the Fraunhofer Institute for Secure Information Technology (SIT) in Darmstadt. More than 65 researchers from the fields of quantum physics, cryptography, system security and software engineering are working together in an interdisciplinary collaboration to develop new security solutions that create trust in the current and next generation of computing environments. Last year, the CRC – which has been funded by the German Research Foundation (DFG) since 2014 – was extended for a third term until 2026 with ten million euros of funding.
Prof. Dr. Eric Bodden of the Heinz Nixdorf Institute and Department of Computer Science at Paderborn University is heading the ‘Secure Integration of Cryptographic Software’ sub-project under the CRC’s ‘Engineering’ section. With his team, he is developing methods and technologies to enable encryption technology to be securely integrated into various applications. This means that even people who are not experts in the field should be able to correctly use cryptographic processes.
Improved information security: freely available platform for developers
During the first two funding phases, the CRC researchers have already managed to develop secure encryption and signature processes to combat quantum attacks. But although cryptography offers a variety of solutions to protect sensitive data, implementing it poses some challenges. Software developers are therefore having to tackle issues relating to the choice, composition and integration of cryptographic components. Among other things, this creates a danger of insecure combinations.
To overcome this hurdle, Prof. Bodden and his team are tackling the objective of assisting developers using automation tools. The researchers have designed various software development and analysis techniques to achieve this. The tools are being made freely accessible to all via the intelligent open-source platform ‘CogniCrypt’, developed jointly by the CRC researchers. In doing so, they are seeking to help application developers choose suitable cryptographic components, as well as incorporate them securely into their software to prevent vulnerabilities and errors from the outset.
Avoid security loopholes right from the start
To raise awareness of the proper way of dealing with these security solutions, the researchers have documented some cryptography regulations. This is because if any elements within an application are not executed in a specific way, security loopholes quickly arise that can cause considerable damage.
The researchers have followed the ‘allowlisting’ approach in this: ‘“allowlisting” is a form of application control that reduces malicious security attacks by only allowing correct cryptography to be executed’, explains Michael Schlichtig, a researcher in the ‘Secure Software Engineering’ research group at the Heinz Nixdorf Institute. Researchers consider this as offering a major advantage over ‘denylisting’, which prohibits executions based on known threats: ‘If I need to list all potential threats, it is very easy to overlook something, making the solution insecure. “Allowlisting”, on the other hand, allows us to ensure that only the secure use of cryptography is permitted’, Schlichtig explains.
In this third and final phase of funding, the researchers in the various project groups are currently working to combine their research findings as optimally as possible, so that the newly developed cryptography-based security solutions are easy but also effective for IT developers, administrators and end users to employ.