Completed Projects at TU Darmstadt
CRISP - Center for Research in Security and Privacy
CRISP's research focus is on "Security at Large". Usually, cyber security research considered isolated characteristic and systems of manageable sizes, for instance security of individual encryption techniques, program modules, or Internet protocols. In reality, hoewever, security issues arise often in the dynamic interaction of malleable subsystems. One might think of a large IT company consisting of thousend of computers, users and applications or of Software-as-a-Service, which consist of millions lines of codes and it constantly changes. Individual subsystems can be secure, however their become unsecure and vulnerable through their composition. Hence, the main task of CRISP is the research of comprehensive security solutions of large Systems - from its individual componenents to their interactions. CRSIP is developing its research focus in both foundation and applied research. Thereby, CRSIP puts particular importance on existing, practical interdisciplinartiy of CASED and EC Spride. In CRISP it is planned to include experties from other research fields, namely mechanical engineering, law, economics, electrical engineering, philosophy, psychology and sociology, and to work with the representatives of the corresponding departments in different, interdisciplinary projects.
Within CRISP, we focus on how end users could delegate their privacy protection and the protection of their data and devices to a trusted third party (an individual or an institution) - either globally or for specific areas such as web browser settings, smartphone configuration, privacy settings in social networks. We also aim to investigate and identify, how such delegation can be made secure and verifiable.
Furthermore, we focus on how non-expert end users can communicate, in particular by using mobile devices, over the Internet in a usable, confidential fashion, while ensuring the authenticity of the communication and partners. Beside usability we also aim to explore and consider end user acceptance.
Funding body: Federal Ministry of Education and Research (BMBF)
Funding period: 01.10.2015 – 31.03.2018
Contact: Oksana Kulyk, Birgit Henhapl
Doctoral College 2050: Privacy and Trust for Mobile Users
The Doctoral College "Privacy and Trust for Mobile Users" is a highly interdisciplinary collaboration between Computer Science and the fields of Law, Economics, Sociology, and usability research. Mobile information and communication technology has become virtually ubiquitous due to the proliferation of smartphones and tablet computers; large sections of the society use it to their advantage. In reference to the relationship users-network, public debates highlight the increasing transparency of users - in the sense of a surveillance society - while the network is deemed to become increasingly nontransparent, i.e. inscrutable. As an important technological vision, the project will conduct research in to novel mobile devices that enable maximum control for the user.
Our research: AlterEgo as Assistant for Trustworthiness Assessments: The AlterEgo should decide whether to trust a service, sensor or social network or not. Therefore, it needs to know the users’ preferences. Correspondingly, during the setup phase, users configure their AlterEgo.
The first goal in this project is to identify what should be configurable – obviously not each individual possible future situation but some sort of sets of general situations. The first challenge is to identify such sets that allow users to phrase generalized preferences which at the same time are concrete enough to be applied in various actual situations. This is particularly challenging due to legal conditions, complex interrelations between different situations and related risks depending on the actual configuration, and due to the different mental models of possible users.
The second goal in this project is to handle individual situations based on individual preferences (configured during the setup). Therefore, the trustworthiness of the individual situation needs to be deduced based on multi-dimensional trust measurements. These measurements need to be adjusted to make them applicable for this project. Finally it is necessary to handle situations which users want to define as exception.
Partner: Several groups at TU Darmstadt and Kassel University
Period: 01.10.2015 - 31.09.2019
Contact: Melanie Volkamer
KMU AWARE - Awareness im Mittelstand
Small and medium sized enterprises (SME; in German: KMU) face new and emerging challenges in protecting themselves against digital attacks. This is exacerbated by the trend towards digital processing and paperless offices. Possible consequences of successful attacks are reputational damage, financial loss or reduction in customer base. The project KMU AWARE, which is supported by the Federal Ministry for Economic Affairs and Energy, aims to assist German KMUs in their ability to identify and fend off possible dangers associated with the use of the Internet.
We are working together with our project partner usd in developing an awareness and educational platform that is closely aligned with the actual needs and requirements of SME. On one hand, existing promising approaches can be adapted and incorporated into the platform. On the other hand, new and innovative concepts and measures will be developed as required, prompted by so-called Teachable Moments. The new measures will be evaluated with regard to their efficacy before being rolled out to companies countrywide.
Funding body: Federal Ministry for Economic Affairs and Energy
Partner: usd AG
Period: 1.4.2015 – 31.3.2018
Contact: Melanie Volkamer
INVOLVE - INternet Voting Usable and VErifiable
An important goal in designing secure Internet voting systems is preventing vote manipulations either by a malicious voting device or a malicious voting system component. For preventing such manipulations, the academic community introduced the concept of end-to-end verifiability. End-to-end verifiability offers mechanisms for the voter to verify whether a vote was cast-as-intended, recorded-as-cast and tallied-as-recorded. The usability of such mechanisms, however, is crucial in ensuring that the voters actually perform the verification procedures required of them correctly.
The goal of INVOLVE is to investigate and optimize the usability of verification mechanisms in Internet voting systems.
Funded by: Horst Görtz Foundation
Partner: CYSEC
Funding Period: 01.07.2017 - 30.06.2019
Contact: Karola Marky
MoPPa - Modeling the Privacy paradox from a psychological and a technical point of view
The aim of this research project is to explore the paradox and the mental models in the context of individual privacy protection in depth. It is planned to create a model by the means of computer science and psychological theories and methods. The diverse reasons for different user groups as well as systemic dependencies for use (or ignoring) of protective measures and following recommendations are to be identified and correlated. Overall one of the main goals is to evaluate how people today make decision about the usage of a service / an application / a security or privacy enhancing technology. This model covers various applications, protection measures and recommendations. We will evaluate this model in several user studies and improve the model based on the results from these user studies. If both – reasons and dependencies - are known, measures to increase the awareness for data protection in general and to increase the motivation for an individual privacy protection can be identified.
Funding body: Federal Ministry of Education and Research (BMBF)
Partners: Prof. Vogt (TU-Darmstadt)
Funding period: 01.11.2015 – 31.10.2017
Contact: Nina Gerber, Paul Gerber
IT-Seal - Scoial Engineering Analysis Labs
The project IT-Seal develops a scalable analysis that identifies and evaluates IT security problems that are caused by human behaviour. Based on this data, they provide companies with recommendations on how to decrease the threat of industrial espionage and sabotage.
IT-Seal is the first IT-Security startup of the TU Darmstadt which received the EXIST Business Start-up Grant funded with 125.000€ by the Federal Ministry of Economics and Energy (BMWi) and the European Social Fund. The initiation was a master thesis, written within the research group SECUSO in 2014.
The IT-Seal Analysis quantifies the security related behaviour of employees by simulating external attacks and analysing internal processes. In combination with employee interviews and questionnaires, IT-Seal derives an individual action plan. Thus, reasonable data can be generated and weaknesses can get identified, as a basis for investment decisions. The goal is to improve the security situation in a joint way, employees are included during the whole security process. The results are summarized and handed out in a web application and a detailed report, while the anonymity of the employees is guaranteed.
Funding body: Federal Ministry of Economics and Energy (BMWi) and cofinanced by the European Social Fund
Funding period: 01.04.2016 – 31.03.2017
Contact: Melanie Volkamer, M.Sc. M.Sc. David Kelm, M.Sc. Alex Wyllie, M.Sc. Yannic Ambach
The goal of the FlexiVote project is to conceptualise and implement a decision and configuration system, that suggests and realises appropriate internet voting systems for specified requirements on the election, which are considered from social, political, technical and economical contexts. The requirements serve as input, and the appropriate internet voting system will be configured from individual modules, implemented in the system. This system can then be used for conducting internet voting elections. Thus, it is not necessary to develop a new internet voting system each time for different set of requirements. Instead, an appropriate internet voting system can be realised in a quick, simple and cost-effective way from the implemented modules. The realisation of FlexiVote is linked to numerous research questions, that are to be addressed within the project. Such research questions are, for example, “Which cryptographic primitives and protocols exist, and which in which features they differ?”, “What are the interdependencies between modules, that influence the realisation of the requirements?”.
Funded by: LOEWE, Hessische Landes-Offensive zur Entwicklung Wissenschaftlich-ökonomischer Exzellenz, Hessen ModellProjekte
Partner: Micromata GmbH, Polyas
Funding Period: 01.10.14 - 31.12.16
Contact: Stephan Neumann,
CASED - Center for Advanced Security Research Darmstadt
An internationally important cluster for IT security research and development is established in Darmstadt. It is here where computer scientists, engineers, physicists, legal experts and experts in business administration of TU Darmstadt, Fraunhofer SIT and Hochschule Darmstadt (University of Applied Sciences) develop trend-setting IT security solutions and prepare them in order to be commercially useful. All involved partners qualify students and scientists for careers in science, business and administration.
Headquarters of that cluster is the Center for Advanced Security Research Darmstadt (CASED) which receives funds by the LOEWE program of the government of Hessen. The funds of LOEWE cover infrastructure of CASED and cooperative CASED projects of cluster partners, i.e. TU Darmstadt, Fraunhofer SIT and Hochschule Darmstadt. In these projects the cluster develops applicable basic knowledge and IT security solutions. Thanks to its broadly-based position in regards to topics and competencies, the cluster and its headquarters CASED can realize especially complex projects efficiently and sustainably.
Within CASED, we primarily focus on the intersection of usability and security in user authentication. We develop and evaluate user authentication schemes for highly critical situations such as in which a shoulder-surfer is present and only untrusted devices are available. We further investigate the usability of personal identification numbers (PIN) and develop solutions aimed at improving the practical security thereof.
Funded by: LOEWE, Hessische Landes-Offensive zur Entwicklung Wissenschaftlich-ökonomischer Exzellenz
Partner: Several groups at TU Darmstadt, Fraunhofer SIT, Hochschule Darmstadt and Kassel University
Period: 1.07.2008 - 30.06.2016
Contact: Andreas Gutmann,
ComVote - Constitutional Compliant Electronic Voting Systems
The goal of this project is to investigate and optimize electronic voting systems with regard to their constitutional compliance. The term voting system refers to voting systems in their entirety, rather than cryptographic and/or security components of these systems. To achieve this goal, several sub-goals need to be achieved throughout the research project: Given the partially contradictory nature of election principles, voting systems cannot unconditionally satisfy constitutional requirements. This fact is taken into account by opening a legal latitude for the implementation of electronic voting. Therefore, in a first step the principles of the legal latitude are studied and modeled. Due to the abstract nature of election principles, more fine-grained evaluation criteria for electronic voting systems have to be determined. To achieve its goal, in a second step, the project takes the technical requirements derived from election principles in the DFG funded ModIWa (Juristisch-informatische Modellierung von Internetwahlen) project as a basis and revises them in order to eliminate overlapping aspects of these requirements. Building upon these requirements, in a third step, well-established voting systems are studied with regard to their satisfaction of the requirements. In a forth step, identified shortcomings with regard to technical requirements are addressed and optimized (or enhanced) systems are developed.
Funded by: Horst Görtz Foundation
Partner: CASED
Funding Period: 15.10.13 - 14.10.16
Contact: Stephan Neumann
ZertApps - Certified security for mobile applications
Today's smartphones contain a host of sensitive data, ranging from contact details to email inboxes. At the same time, mobile applications allow users to extend the functionality of their smartphones. However, attacks through malicious applications showed that the current security model is insufficient and that users are prone to install suspicious applications. The project ZertApps aims to improve the assessment of mobile applications through innovative analyses and certification processes. SecUSo's part is to ensure that the results of the complex analyses can be communicated effectively to end users and to security practitioners, enabling an informed decision on whether an application is safe to install or not.
Funding body: Federal Ministry of Education and Research (BMBF)
Partners: OTARIS, datenschutz cert, SAP, Fraunhofer SIT, TZI/Universität Bremen
Funding period: 1.1.2014 – 31.12.2015
Contact: Paul Gerber
USeceMail - Usable Secure eMail Communication
The focus of this project is on improving secure email communication with respect to social and usability aspects. The project will address two different areas:
- Sending / Receiving confidential and authentic emails: This includes the following questions: How can the gap between E2E encryption and solutions like the DE-Mail concept be closed? What are users’ mental models on keys, key pairs, and PKI? What would a more usable PKI concept based on this secure email system look like, such that people are more likely to use and understand it than current solutions?
- Warnings regarding potentially dangerous attachments and phishing emails: New warnings should be developed that incorporate information about the security, the sender identity and the file type of an attachment. These warnings should support the user more precisely in making his decision about opening or ignoring an attachment.
Funded by: Horst Görtz Foundation
Partner: CASED (particularly Research Area "Secure Data" and Partner Project "Crypto and Society")
Period: 1.09.2011 - 30.08.2015
Contact: Arne Renkema-Padmos
UV-REV - Usable Verifiability in Remote Electionic Voting
Verifiable and in particular End-to-End verifiable electronic voting systems have been discussed at cryptography conferences for many years. As these processes are highly complex, they have so far been rejected as unreasonable for laymen. Instead, "black box voting systems" are used as for example in the Estonian parliamentary election. These are user-friendly but voters cannot verify the reliability and performance of the latter. In this regard, they therefore have to trust developers, operators and administrators.
Since 2009 the situation has started to change: on the one hand because of the ruling of the German Federal Constitutional Court demanding verifiability for voters and on the other hand because of the fact that with the Helios voting system, for the first time, a cryptographic voting protocol has been (prototypically) implemented. This voting system was, for example, tested at two universities and at the IACR election. However, user studies (Weber,2009) show that for an average voter the Helios system is still not usable.
Additionally, the project will be looking at whether and how already existing e-voting systems can be improved in view of verifiability. Here, the project will focus on Polyas and the Estonian Internet votingsystem.
Funded by: Micromata GmbH one of CASED - Premium Partners
Partner: CASED - Center for Advanced Security Research Darmstadt
Period: 1.01.2011 - 31.12.2013
Contact: Maina Olembo
InUse - Supporting users' decision on the trustworthiness of websites
The range of services offered on the Internet on websites is constantly increasing, as are the threats to users of online banking, online shopping or social networks. Technical security mechanisms, such as encrypted connections (HTTPS) with corresponding validation of the web server (PKI), have been proven inadequate in addressing the threats appropriately. The mechanisms require the support of the user, not only when one has to react to unusual situations ("invalid certificate"), but also because people are willing to take different levels of risk depending on the situation. At present, however, a high degree of security awareness and expertise is required for appropriate interaction with the security mechanisms, so that the mechanisms with their warnings are perceived more as disruption than as support. There is a lack of comprehensive integration of the mechanisms into the "ecosystem web", which includes users as well as service providers and technical mechanisms.
InUse meets these challenges with a multidisciplinary research approach: The expertise of the project partners in the areas of usable security (TU Darmstadt), law (University of Kassel), IT auditing (usd) and digital identity (Kobil) enables a comprehensive approach to reducing the threat: On the one hand, support for users should be more precise and communication should become more effective through greater comprehensibility. At the same time, legal and organizational aspects are considered by the security measures and mechanisms developed, such as the protection of privacy and the verification of websites for awarding them with the verification seals.
Funded by: Bundesministerium der Justiz und für Verbraucherschutz aufgrund eines Beschlusses des Deutschen Bundestages
Partner: CASED, University of Kassel, usd and Kobil
Period: 1.02.2012 - 31.01.2015
Contact: Kristoffer Braun
The interest in electronic voting constantly increases and several states started conducting legally-binding elections over the Internet. Generally, Internet voting systems rely on a solid centralized infrastructure, e.g., the setup of mix and tallying servers as well as the distribution of key material among election authorities. The deployment of such infrastructures poses a significant adminstrative effort on the election authorities. Consequently, the use of these voting systems turns out to be inadequate for a number of election scenarios, e.g., votes and elections in board rooms, where decisions often need to be taken spontaneously. Motivated by this fact, the goal of this project is the development of a secure, robust, efficient, flexible, decentralized Internet voting scheme and its prototype implementation on mobile devices. The development and implementation of such a scheme allows a group of board members to participate in an ad-hoc election over their mobile devices, while maintaining the same degree of security as centralized Internet voting systems. Ultimately, the prototype implementation will be evaluated in user studies.
Funded by: Software Campus, Bundesministerium für Bildung und Forschung
Industrial Partner: T-Systems International GmbH
Academic Partner:
Period: 1.02.2013 - 30.11.2014
Contact: Stephan Neumann
The aim of this project is to find the legal and technical measures to fulfill the requirements for the Internet-voting schemes, which were defined in the first phase of the ModIWa project. In interdisciplinary collaborations between practical/theoretical Computer Science and Researchers from the legal department, first, concrete technical solutions should be found. These would implement the design recommendations that are established for the main project using the KORA method. For this purpose, the already existing internet protocols based on the criteria derived from KORA and the design recommendations will be evaluated. Other opportunities will also be sought that fulfill the criteria and design recommendations. A particular focus of the Computer Science will consist of the evaluation of cryptographic methods, which have gained importance in secret as well as public elections. Through the continuation project, the work on reference model for the design and evaluation of Internet voting procedures will be completed and deepened. Upon completion of the project, a comprehensive and systematic concept for the legal-and technology-friendly design of Internet voting will be available.
Funded by:Deutsche Forschungsgemeinschaft (DFG)
Project manager: Prof. Dr. Johannes Buchmann, Prof. Dr. Rüdiger Grimm, Prof. Dr. Alexander Roßnagel and Prof. Dr. Melanie Volkamer
Partner: Prof. Dr. Rüdiger Grimm, University Koblenz-Landau and Prof. Dr. Alexander Roßnagel, Kassel University
Period: 15.10.2011 - 14.10.2013
Contact: Stephan Neumann
UseHelios - User-friendly Individual Verifiable Electronic Voting in the Helios Voting System
The goal of this project is to make the individual verifiability part of End-to-End verifiable voting systems usable for large scale legally binding elections. To do so, individual verifiability mechanisms will be analyzed and improved in regard to usability aspects ideally without decreasing the security. The project focuses on the open source Helios remote electronic voting system and its individual verifiability mechanisms. The general goal is to further develop the research on usable security in the context of electronic voting. Thus, the project is strongly related to the Usable Verifiability in Remote Electronic Voting project.
Funded by: Deutscher Akademischer Austausch Dienst (DAAD)
Partner: Lorrie Cranor and CUPS
Period: 1.5.2011 - 31.8.2011
Contact:
STIBET Assistenz - Usable Security
The STIBET assistantship supports Arne Renkema-Padmos in the co-supervision of students and delivery of a research methods workshop in the area of usable security. STIBET assistantships are funded by DAAD with financial support from the Foreign Office of Germany (Auswärtiges Amt). Ingenium supports international early career researchers.
Funded by: DAAD in cooperation with Ingenium
Period: 15.11.2013 - 14.04.2014
Contact: Arne Renkema-Padmos
Electronic voting machines have been in use since 1999 in Germany for parliamentary elections. This electronic election support is indispensable in relation to the very complex local election laws in many areas, as the manual counting of votes is prone to errors, time-consuming, and therefore also very expensive. On March 3rd 2009, the Federal Constitutional Court declared as unconstitutional the electronic voting machines that were previously used as well as the Federal Voting Machine Ordinance, as not all voting machine principles, which are of relevance according to constitutional law, were taken into consideration. In doing so, the Court emphasized that this statement did not apply as a matter of principal to electronic elections. The objective of this project is to ascertain how electronic elections and, in particular, verification procedures can be realized in a constitutionally compliant manner. To enable this, comprehensive legal and technical requirements were defined, formulation proposals for voting machine regulations were created, and a constitutionally compliant voting machine was developed, which, in addition to handling the submission of votes and the calculation of results, could also authenticate voters. An adequate evaluation concept was also drafted to support all of this. Such a legal and informational foundation for constitutionally compliant electronic parliamentary elections can only be provided if the planned cooperation between jurists and computer scientists is established.
Funded by: Deutsche Forschungsgemeinschaft (DFG)
Project manager: Prof. Dr. Johannes Buchmann, Prof. Dr. Alexander Roßnagel and Prof. Dr. Melanie Volkamer
Partner: Prof. Dr. Alexander Roßnagel, Kassel University
Period: 1.1.2011 - 30.09.2014
Contact: Jurlind Budurushi
VALID - VerifiAble LIquid Democracy
Liquid democracy is a form of government, whereby each voter can either cast the vote herself, or delegate it to someone else (who e.g. is more of an expert in the area of the actual poll). Each voter can also act as a delegate. This approach provides a middle ground between direct and representative democracy. The objectives of this project are: First, literature in the area of liquid democracy will be studied and categorized. Then, technical requirements for a liquid democracy system are deduced. The results will be published either at a research conference or as a technical report.
Funding body: Polyas
Partner: Polyas
Period: 1.3.2015 - 28.2.2017
Contact: , Karola Marky,