data security
master course // winter
The lecture deals with the topic of data security. Unlike SSL/TLS, which establishes a secure transport channel, this lecture is about protecting data directly.
As part of the lecture, various data security technologies are examined, for example:
- JSON is a universal data description language that is supported by every modern browser, among other things. JSON messages can be protected directly with the help of JSON signature and JSON encryption. But is this enough or can these security mechanisms be bypassed?
- REST is a very widespread technology that allows data to be accessed over the internet via HTTP. It is not only used by all major websites such as Facebook, Google and GitHub, but is also used in the IoT. The lecture explains in-depth details and common errors/attacks based on the latest scientific findings and industry recommendations such as the OWASP API Top 10.
- XML is one of the oldest description languages for structured data and is still used in countless systems today. “It’s just XML. What can probably go wrong?” is one of the most famous quotes from the Python XML library defusedxml. The answer to this question is examined in detail in the lecture: from denial-of-service vulnerabilities to local file inclusion and remote code execution. XML is the Swiss army knife of every penetration tester.
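The XML item above mentions denial-of-service and local-file-inclusion issues, both of which ride on DTD and entity declarations. The following is an added example, not course material and not code from defusedxml: it uses only the Python standard library (expat callbacks to detect the dangerous constructs, ElementTree to parse the rest) and applies the same refusal strategy that defusedxml implements. The sample documents are constructed for the demonstration.

```python
"""Refuse XML that carries a DTD or entity declarations before parsing it.

Added example (not course material, not defusedxml's own code). Uses only
the standard library: an expat pass detects DOCTYPE and entity declarations,
then ElementTree parses documents that passed the check.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when a document declares a DTD or an entity."""


def parse_xml_safely(data: bytes) -> ET.Element:
    """Parse `data` only if it contains no DOCTYPE and no entity declaration.

    Entity declarations are the vehicle both for expansion-based denial of
    service and for external entities that read local files, so a service
    that never needs a DTD is safest if it refuses them outright.
    """
    checker = expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} not allowed (system id: {sysid!r})")

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity {name!r} not allowed")

    checker.StartDoctypeDeclHandler = forbid_doctype
    checker.EntityDeclHandler = forbid_entity
    # Never resolve parameter entities, so nothing is fetched from outside
    # the document even before the handlers above fire.
    checker.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    checker.Parse(data, True)  # raises UnsafeXML, or ExpatError if malformed

    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Return 'ok' when the document parses, 'rejected' when it carries a DTD."""
    try:
        parse_xml_safely(data)
        return "ok"
    except UnsafeXML:
        return "rejected"


# Constructed sample documents (not taken from the course page).
BENIGN = b"<order><item sku='A-1' qty='2'/></order>"
EXTERNAL_DTD = b"<!DOCTYPE order SYSTEM 'order.dtd'><order/>"
INTERNAL_ENTITY = (
    b"<!DOCTYPE order [<!ENTITY who 'anonymous'>]>"
    b"<order><buyer>&who;</buyer></order>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN),
                       ("external dtd", EXTERNAL_DTD),
                       ("internal entity", INTERNAL_ENTITY)):
        print(f"{label}: {classify(doc)}")
```

The check costs one extra pass over the input, which is cheap compared with the cost of letting an expansion bomb reach the real parser. Services that genuinely need DTDs have to fall back to limits on expansion depth and size instead of outright refusal.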
The knowledge learnt is then transferred to various document formats. Examples of this are:
- Office documents such as OOXML (Microsoft) or ODF (LibreOffice) are essentially zipped XML documents. They also support additional features such as digital signatures or encryption. Students learn more about this core component of our digitalisation with a view to its security.
- PDF is probably the most widely used universal document exchange format. Firstly, we refute the widespread opinion that PDFs are merely boring, static documents and use various so-called “interactive features” to develop attacks. The lecture then examines the security properties of PDFs. In particular, digital signatures, which are used in contracts, for example, will be analysed. Will we be able to forge an invoice signed by Amazon in such a way that it is a refund of over 1 trillion euros and still remain validly signed?