Termin:Chaotic-Congress-Cinema-28C3 Nr. 01

Aus Attraktor Wiki

Wechseln zu: Navigation, Suche


Chaotic Congress Cinema Nr. 1

Beginn:

The date "2012/01/11 20:00:00 PM" was not understood.The date "2012/01/11 20:00:00 PM" was not understood.

Ende:

The date "2012/01/11 22:00:00 PM" was not understood.The date "2012/01/11 22:00:00 PM" was not understood.


Needs to be there, but does not need to be seen by a visitor Yes

Wir schauen uns die Aufzeichnung von Congress-Vorträgen an. Du bist herzlich eingeladen, in den Clubräumen im Mexikoring 21 aufzutauchen und mit uns die Talks anzuschauen und zu diskutieren. Es wird Getränke und Knabberkram zu moderaten Preisen geben. Falls Du kein CCC-, CCCHH- oder Attraktor e.V.-Mitglied bist, macht das überhaupt nichts: Alle Gäste sind gern gesehen. :-)

Weitere Informationen unter Chaotic Congress Cinema.

Time is on my Side

Exploiting Timing Side Channel Vulnerabilities on the Web

Timing side channel attacks are non-intrusive attacks that are still widely ignored in day-to-day penetration testing, although they allow attackers to breach the confidentiality of sensitive information. The reason for this is, that timing attacks are still widely considered to be theoretical. In this talk, I present a toolkit for performing practical timing side channel attacks and showcase several timing attacks against real-world systems.

Timing side channels are vulnerabilities in software applications that leak sensitive information about secret values such as cryptographic keys. They differ from common intrusive vulnerabilities such as Buffer Overflows or SQL-Injection because the attacker sends normally looking requests to the server and infers secret information just from the time it took to process the request.

In academia, timing side channel attacks are well researched, especially against cryptographic hardware, but in day-to-day penetration testing, they are still widely ignored. One reason for this is that the timing differences are often small compared to the jitter introduced in networked environments. This makes practical timing side channel attacks challenging, because the actual timing differences blend with the jitter.

In this talk, I will present methods and tools to accurately measure response times despite the jitter in networked environments. I will introduce a programming library that enables penetration testers to measure accurate response times of requests send over networks.

Furthermore, I will describe algorithms and statistical filters to reduce the jitter from measurements. For this, I will introduce a reporting tool that takes a dataset with network measurements as input, automatically applies the algorithms and filters, and produces a report with the results. This report enables even novice penetration testers to analyze a response time dataset for timing side channel vulnerabilities.

In the end, I will show that timing side channels are practical by showing several attacks. First, I show how to determine if a given user name is an administrative user in a productive installation of the popular CMS Typo3. Second, I show how to determine how many pictures are hidden in a private album of an online gallery. Third, I show how to perform an adaptive chosen cipher text attack against implementations of the XML Encryption standard. This attack allows to decrypt any Web Service message whose body was encrypted using XML Encryption only by measuring the response time of the Web Service.


Quantum of Science

How quantum information differs from classical

Quantum systems can have very different properties from their classical analogues which allows them to have states that are not only correlated but entangled. This allows for quantum computers running algorithms more powerful than those on classical computers (represented by Turing machines) and for quantum cryptography whose safety is (in principle) guaranteed by the laws of nature.

I will explain key facts of quantum information theory from a physics perspective. In particular, I will focus on the fundamental difference between the quantum world and the classical world of everyday experience that in particular makes it provable impossible to simulate a quantum world by a classical world. This will then be applied to information processing tasks like quantum computing, quantum cryptography and possibly the human brain.

No background in theoretical physics is necessary but some familiarity with basic complexity theory and linear algebra (what is a vector? what is a matrix?) could be helpful.

Diese Seite wurde zuletzt am 10. Januar 2012 um 15:49 Uhr geändert. Diese Seite wurde bisher 1.262 mal abgerufen.