Research profile

Cryptography is essential for the protection of digital data within IT systems. It provides confidentiality, integrity, and authenticity. Confidential data is often encrypted to only allow access by the intended recipients. Integrity ensures that any manipulation of data is detectable, and authenticity verifies that the data was created at the cited origin.

At CYSEC, researchers create cryptographic procedures that guarantee robust security – including defense against attacks from quantum computers – together with much-needed efficiency in new and diverse application fields.

Current software systems are inherently insecure, as shown by emerging vulnerabilities and resulting near-daily break-ins. These problems arise from a development process that considers security only after the fact. A holistic solution to today's security demands cannot be created at such a late stage. We develop methods, tools, and techniques, including proactive and reactive approaches to software system security. Proactive approaches, typically based on enhanced programming languages and tools, allow developers to create software with built-in security measures, by design avoiding large classes of attack vectors. Reactive approaches are more suitable for legacy applications. Such approaches typically analyze the existing system's code base or runtime traces to identify vulnerabilities and counter their detrimental effects through enforcement techniques. We also combine proactive and reactive approaches, preventing vulnerabilities from the outset for some components of a program while securely encapsulating potential vulnerabilities in other areas.

CYSEC researchers observe and optimize software development processes. We seek to answer questions such as: Why do vulnerabilities arise? How can these situations be avoided in the future? Which methods and tools are the most successful in this situation?

The Internet enables the effective operation of critical infrastructure within our economic and public life. This includes monetary circulation, the health system, food supply chains, and much more. Our electricity network is becoming a “smart grid,” and internet-based smart water supply networks are in our near future. Cybersecurity must be significantly improved: Countless cyberattacks are warded off on a daily basis, while the rest cause serious damage carried out simultaneously by millions of hijacked – computers, SmartTVs and other networked devices. Independent protective walls are needed, including by-design high-security systems, smart virus scanners and attack guards at the server entrances.

The monoculture of the Internet could lead to a “digital pandemic.” We aim to make the Internet resilient by introducing independent, diversified emergency mechanisms that operate offline and on contaminated computers.This requires a joint effort between research organizations, businesses, administrators and the general population. The gains in efficiency achieved by increasing digitalization have enabled dramatic cost savings in many areas, but assume the absence of unknown threats. Resilience against attackers will incurr expense, but the resulting protection of our most critical infrastrucutres is invaluable.

There are two distinct aspects of IT Security: safety and security. Safety deals with risks involving people, the environment, society, and political and technological systems. In this sense, safety means risk-reduction via technical solutions. Security deals with the level of trustworthiness of a technology within a certain context, for example, protection against improper or criminal use. While “safety” makes the causes of possible damage through technology manageable, “security” creates the conditions for trust in them.

In order to establish trustworthiness and security against misuse of a technology, there must be inherent values influencing its development, such as transparency or non-violence. The means to resolve technology-related conflicts must be provided. In contrast to a reduction of IT security to only safety aspects, e.g. merely defensive data protection, research on the ethics of IT security enables social values to be integrated into the research process. The concept of “Privacy by design” demonstrates the inadequacy of operationalizing only the legal requirements for data protection in order to generate trust in the overall context of use. How can collaborative interdisciplinary research contribute to realizing IT security as an interaction between safety and security in its duality of meaning?

The increasing digitalization and the ubiquitous availability and use of Internet-based services have altered the economic environment, the daily life of individuals and society as a whole. Meanwhile, vulnerability increases and many companies and users are worried about their safety and privacy. To reduce the probability of unpleasant incidents better technical solutions are constantly being developed. However, for further distribution it is crucial these solutions are designed both in a user-friendly and cost-effective manner. CYSEC addresses the issue of IT security from an economic perspective, from both the user's and provider's perspective.

The user’s perspective is summarized by the privacy paradox. This paradox states that although there is a need for privacy and security, users still behave imprudently. Mathematical modeling of IT security risks aims to quantify levels of risk and to derive recommendations for or against the use of alternative security technologies. In this context, most often a technology-driven objective is targeted, i.e. to establish the highest possible level of security. The Nobel Prize winner in Economics, Herbert Simon, commented on such efforts by stating “perfect is the enemy of perfectly good enough.”

From the provider’s perpective there is a need to determine the benefits of investments in higher IT security thus creating a competitive advantage for the supplier. We aim to develop security solutions that will be accepted by users. User goals and requirements must be the core of the design process and an interdisciplinary approach is essential

Another exciting topic CYSEC is researching is the profitability of the use of AI algorithms to combat cyberattacks.

In recent years, significant or even spectacular successes have been achieved in the areas of the Internet of Things, machine learning and artificial intelligence. Cognitive systems and machines collect digital information from sensor data and networks, deriving conclusions, decisions and taking actions. Learning algorithms work in harmony with their environment to verify and optimize automated speech, image and text recognition. These algorithms advance medical diagnostics, improve translation and text analysis, and make autonomous driving a reality.

CYSEC researches the application of IT security in many areas such as anomaly and attack detection in networks and IT systems, biometric-based authentication procedures and cryptographic issues. The use of machine learning processes and artificial intelligence can help networked IT systems adapt independently to new threats in the future. However, the use of procedures based on AI is extremely demanding. Commissioning such systems is often time consuming. To what extent should humans intervene in the recognition and defense processes?

Decentralized systems offer a promising alternative to centrally acting data monomers and platforms. Since no individual participant has full control over the entire system, data abuse and censorship become more difficult. By dispensing with “single-point-of-failures,” security against cyberattacks can be improved significantly. From an economic and social point of view, decentralized systems facilitate cooperation across organizational boundaries. This opens up new fields of application and increases the data sovereignty of citizens and companies. CYSEC’s research in the field of decentralized cybersecurity deals with the development and analysis of securely distributed software and hardware systems. New programming models and hardware platforms (e.g. in the IoT context) come into play. Another focus is the development of distributed cryptographic protocols and their use in new fields of application, such as machine learning. In addition, CYSEC researchers investigate secure blockchain technologies and smart contracts. Essential challenges such as scalability, privacy, and practical applications of the technology are under examination.

Computer-based systems are secure only when both the technical aspects (e.g. reliability) and the practical aspects (e.g. usability) of their interactions are adequately taken into account. Good usability is a central component for improving system security. CYSEC’s research on the interface between security and human-computer interaction considers both dimensions of the concept of security: Safety (protection against unintentional events, also: functional safety) and security (protection against attacks, also: information security).

Usable security grapples with the usability of security concepts and develops strategies to increase the security awareness of users. Useable safety deals with human-computer interaction in safety-critical contexts, such as in control rooms, medicine, disaster control or in automobiles, taking into account both possible threat scenarios as well as functional safety.