The event has been completely unnoticed, but I think it is worth to come back on it, as it is now part of the crypto history: the European patent protecting the IDEA (International Data Encryption Algorithm) block cipher has expired a few days ago, on May 16th, 2011, and hence felt into the public domain. Note however that, according to its Wikipedia page, the cipher is still protected in the US until January 7th, 2012.

IDEA is really an amazing block cipher and definitely deserves a seat in the Crypto Hall of Fame. IDEA has been designed by James L. Massey and his PhD student Xuejia Lai at ETH Zurich on behalf of the Swiss company Ascom Tech AG. The IDEA block cipher has been implemented in a variety of applications, including PGP.

Technically, IDEA can encrypt blocks of 64 bits under a 128-bit key. Its design rely on a simple, but very clever idea (!): mix three algebraically incompatible group operations on 16-bit words:

• the addition of vectors in , which can actually be computed using a simple XOR;
• the addition of 16-bit words modulo ;
• the multiplication used in the multiplicative group of , where the word 0x0000 is identified with the integer .

One salient feature of the IDEA block cipher is that, despite its (too) simple key-schedule, it has withstood 20 years of intense cryptanalysis, and IDEA is therefore a prominent counter-example to Shamir‘s law (“A cipher is generally broken after 13 years”, or something approaching). In summary, IDEA remains a very nice piece of engineering !

The program of the third (and last) HEIG-VD IT Security Day, devoted to “Security in the Cyberspace”, happening on next Thursday, April 7th, 2011, on the HEIG-VD campus in Yverdon-les-Bains, is ready! Obviously, it is never too late to register.

• 09h00: Doors opening and registration
• 09h25: Welcome words
• 09h30: Mauro Vignati, MELANI, “Cyberwarfare, Advanced Persistent Threat and Cybercrime. Modern Criminal Networks: Infrastructure and Tasks Segmentation”: In the physical world different threats are generated by different actors using different techniques. Such a separation is not necessarily valid in cyberspace. In fact actors are exploiting the same techniques, sharing knowledge and work together. This makes the use of attacked systems interchangeable and only a matter of the attackers present and future goals. To understand this framework, we will have a look into the infrastructure and the task segmentation of modern criminal networks.
• 10h30: Morning break
• 11h00: Gérald Vernez, Swiss Confederation (talk presented by Riccardo Sibilia), “The challenge of a national strategy Cyber Defense: current status and key elements”: The federal council decided on Dec. 10, 2010 that a national strategy for Cyber Defense is necessary and tasked Maj. Gen. Kurt Nydegger, former head of the Armed Forces Command Support Organization, to develop and present such a framework by the end of 2011. The conceptual work on the strategy is quite advanced. The analysis work performed and key elements considered will be presented.
• 12h15: Lunch break in the cafeteria l’Orangeraie
• 13h45: Daniel Ventre, CNRS, “Qu’est-ce que le cyberespace, et de l’impact des représentations sur les approches théoriques de la guerre de l’information et de la cyberguerre”: Les militaires considèrent aujourd’hui le cyberespace comme la nouvelle dimension du combat. De multiples acteurs en ont également fait le vecteur, la cible, ou le terrain de leurs actions, à des fins diverses (criminelle, politique, religieuse, idéologique, culturelle, économique…) mais ayant toutes en commun leur caractère agressif (on parle de cyberattaques). Certaines de ces actions sont qualifiées de « cyberguerre », d’autres de « guerre de l’information », ou de « cyberconflit ». Définir le cyberespace paraît simple. Il est souvent synonyme d’Internet. Le cyberespace est né de la science fiction (W. Gibson). Cette origine a globalement influencé jusqu’à aujourd’hui la perception que l’on en a : décrit à l’aide d’un langage métaphorique, considéré comme espace virtuel, irréel. Le cyberespace s’inscrit également dans la filiation de la télégraphie et de la téléphonie. Ces perceptions (un objet virtuel, nouveau, à construire, ou au contraire empruntant fortement au passé) conditionnent l’approche théorique du cyberconflit : dans un cas nouvelle guerre, dans le second prolongement de formes conventionnelles du conflit, sous une forme renouvelée. Nous aborderons enfin plus particulièrement le thème de la transversalité : caractéristique essentielle du cyberespace, dans laquelle le langage métaphorique de description du cyberespace trouve ses origines, mais aussi sur laquelle peuvent s’appuyer les considérations théoriques, techniques, tactiques, stratégiques du cyberconflit.
• 14h45: Afternoon break
• 15h15: Riccardo Sibilia, Swiss Confederation, “How to counter today’s Cyber-Threat: from the lab to the (cyber-)battle-field”: We are experiencing a very fast and worrisome development of the cyber-threat and both technical and operational measures need to be taken to counter it. Some technologies will help and some other will not. The current work being done within the Swiss Armed Forces both in the labs and on the field as well as an outlook on future activities will be presented.
• 16h15: End of manifestation

It is now time to announce the program of the second event of the HEIG-VD IT Security Days, devoted to “Web Applications (In-)Security”, which will happen on next Wednesday, March 16th, 2011, on the HEIG-VD campus in Yverdon-les-Bains. Obviously, it is not too late to register !

• 08h45: Doors opening and registration
• 09h15: Welcome words
• 09h20: Sylvain Maret, Maret Consulting, principal consultant, “Strong Authentication in Web Applications: State of the Art 2011“: Sylvain’s talk will focus on risk based authentication, biometry, OTP for smartphones, PKIs, Mobile-OTP, OATH-HOTP, TOTP and the open-source approach to this subjet.

• 10h20: Morning break
• 10h50: Rolf Oppliger, eSECURITY Technologies, CEO, “SSL/TLS and Web Application (In-)Security“: The terms SSL and TLS are omnipresent in todays expert discussions about Web application security. The term SSL refers to a transport layer security protocol that was developed in the 1990s to cryptographically protect data transferred by Internet applications, whereas the term TLS refers to the successive (and meanwhile standardized) security protocol. Hence, SSL/TLS provides a cryptographic solution for many security problems. But it is not a panacea, meaning that there remain problems in the way SSL/TLS is invoked as well as problems that cannot be solved cryptographically in the first place (e.g., the malware or secure platform problem). In this talk, we give a brief introduction to SSL/TLS, put the technology into perspective, explain how it can be used to secure Web applications, discuss where it is overrated, and elaborate on some of its limitations and shortcomings. The bottom line is that Web application security remains a challenge, even if the use of SSL/TLS is widely deployed.

• 12h00: Lunch break in the cafeteria l’Orangeraie
• 13h30: Antti Tikkanen, F-Secure, Senior Manager, “Malware, the Web and You“: We will go through the basics of modern malware and how it works in general. Then we will discuss things that are specific to malware and web applications, looking at examples like banking trojans and social network malware, illustrating how they work with live malware demos.

• 14h30: Antonio Fontes, L7 Security, principal consultant, “Threat modeling your web application: mitigating risks right from the start!“: Companies increasingly spend a hard time dealing with unexpected or under-estimated security vulnerabilities being found, if not exploited, in their online web applications. This approach often leads to important costs, due to recurrent fallbacks within the software development lifecycle (design, implement, verify, deploy). During this session, I will introduce the audience to threat modeling, a threat identification process, which stakeholders, architects and developers can learn to apply early in their web application projects. By answering the question “what risks shouldwe concentrate on first?”, threat modeling helps project stakeholders prioritizing their security efforts before even a single line of source code is produced.

• 15h30: Afternoon break
• 16h00: Philippe Oechslin, Objectif Sécurité SA, CEO, “Cross Site Scripting XSS for Dummies“: We will first start with classic XSS examples and illustrate them in existing web sites. We will the see how to evade classical XSS filters, how to abuse the document object model and how take advantage of available javascript frameworks. Finally we will demonstrate that XSS are not always client-side attacks but that they can also be used to penetrate servers.

• 17h00: End of manifestation