Publications
“Johnny, you are fired!” – Spoofing OpenPGP and S/MIME Signatures in Emails
2019 - Jens Müller, Marcus Brinkmann, Damian Poddebniak, Hanno Böck, Sebastian Schinzel, Juraj Somorovsky, Jörg Schwenk
28th USENIX Security Symposium (USENIX Security '19) [PrePub] [Artifacts]1 Trillion Dollar Refund – How To Spoof PDF Signatures
2019 - Vladislav Mladenov, Christian Mainka, Karsten Meyer zu Selhausen, Martin Grothe, Jörg Schwenk
26th ACM Conference on Computer and Communications Security [html] [pdf]Re: What's up Johnny? – Covert Content Attacks on Email End-to-End Encryption
2019 - Jens Müller, Marcus Brinkmann, Damian Poddebniak, Sebastian Schinzel, Jörg Schwenk
17th International Conference on Applied Cryptography and Network Security (ACNS 2019) [draft version]Efail: Angriffe auf S/MIME und OpenPGP
2019 - Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk
16. Deutscher IT-Sicherheitskongress [pdf]Sicherheitsanalyse von eID/eIDAS-Diensten
2019 - Nils Engelbertz, Nurullah Erinola, David Herring, Juraj Somorovsky, Vladislav Mladenov, Jörg Schwenk
16. Deutscher IT-SicherheitskongressSecurity Analysis of XAdES Validation in the CEF Digital Signature Services (DSS)
2019 - Nils Engelbertz, Vladislav Mladenov, Juraj Somorovsky, Nurullah Erinnola, David Herring, Jörg Schwenk
[pdf]Extended Affine and CCZ Equivalence up to Dimension 4
2019 - Marcus Brinkmann
A complete classification of all vectorial boolean functions in up to dimension 4, up to extended affine and CCZ equivalence. Work done as part of my diploma thesis in 2008, and since then cited as personal communication. [ePrint] [pdf]Vulnerability Report: Attacks bypassing the signature validation in PDF
2019 - Vladislav Mladenov, Christian Mainka, Karsten Meyer zu Selhausen, Martin Grothe, Jörg Schwenk
[pdf]Prime and Prejudice: Primality Testing Under Adversarial Conditions
2018 - Martin R. Albrecht, Jake Massimo, Kenneth G. Paterson, Juraj Somorovsky
ACM CCS 2018 [eprint]In Search of CurveSwap: Measuring Elliptic Curve Implementations in the Wild
2018 - Luke Valenta, Nick Sullivan, Antonio Sanso
In IEEE European Symposium on Security and Privacy (EuroS&P), 2018 [IEEE Website]Towards Bidirectional Ratcheted Key Exchange
2018 - Bertram Poettering, Paul Rösler
In Advances in Cryptology, IACR CRYPTO 2018 [extended version]Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels
2018 - Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk
27th USENIX Security Symposium (USENIX Security 18) [full version]The Dangers of Key Reuse: Practical Attacks on IPsec IKE
2018 - Dennis Felsch, Martin Grothe, Jörg Schwenk, Adam Czubak, Marcin Szymanek
27th USENIX Security Symposium, August 15–17, 2018, Baltimore, MD, USA [Original Publication] [Video of the Talk] [Paper] [Slides]Return Of Bleichenbacher’s Oracle Threat (ROBOT)
2018 - Hanno Böck, Juraj Somorovsky, Craig Young
27th USENIX Security Symposium (USENIX Security 18) [Attack website]PostScript Undead: Pwning the Web with a 35 Years Old Language
2018 - Jens Müller, Vladislav Mladenov, Dennis Felsch, Jörg Schwenk
Proc. of 21st Symposium on Research in Attacks, Intrusions, and Defenses (RAID), to appear September 2018.Security Analysis of eIDAS – The Cross-Country Authentication Scheme in Europe
2018 - Nils Engelbertz, Nurullah Erinola, David Herring, Vladislav Mladenov, Juraj Somorovsky, Jörg Schwenk
12th USENIX Workshop on Offensive Technologies (WOOT '18) [pdf]Evaluation of eID and Trust Services
2018 - Nils Engelbertz, Nurullah Erinola, David Herring, Juraj Somorovsky, Vladislav Mladenov
[pdf]Attacking Deterministic Signature Schemes using Fault Attacks
2018 - Damian Poddebniak, Juraj Somorovsky, Sebastian Schinzel, Manfred Lochter, Paul Rösler
IEEE European Symposium on Security and Privacy, EuroS&P 2018 [full version]Is MathML Dangerous?
2018 - Christopher Späth
In: Langweg, H., Meier, M., Witt, B. C. & Reinhardt, D. (Hrsg.), SICHERHEIT 2018. Bonn: Gesellschaft für Informatik e.V.. [Link] [PDF]More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema
2018 - Paul Rösler, Christian Mainka, Jörg Schwenk
IEEE European Symposium on Security and Privacy, EuroS&P 2018 [paper] [slides (RWC 2018)] [video (RWC 2018)]On Several Verifiable Random Functions and the q-decisional Bilinear Diffie-Hellman Inversion Assumption
2018 - Sebastian Lauer
The 5th ACM ASIA Public-Key Cryptography Workshop (APKC 2018)Mehr Sicherheit und Benutzerfreundlichkeit für Fernsignaturen
2018 - Tobias Wich, Sebastian Schuberth, René Lottes, Tina Hühnlein, Detlef Hühnlein
DACH Security, 2018Out of the Dark: UI Redressing and Trustworthy Events
2017 - Marcus Niemietz, Jörg Schwenk
16th International Conference on Cryptology And Network Security (CANS 2017) [Conference] [PDF]On The (In-)Security Of JavaScript Object Signing And Encryption
2017 - Dennis Detering, Juraj Somorovsky, Christian Mainka, Vladislav Mladenov, Jörg Schwenk
ROOTS, November 16–17, 2017, Vienna, Austria [PDF]Same-Origin Policy: Evaluation in Modern Browsers
2017 - Jörg Schwenk, Marcus Niemietz, Christian Mainka
26th USENIX Security Symposium (USENIX Security 17) [PDF]Breaking and Fixing Gridcoin
2017 - Martin Grothe, Tobias Niemann, Juraj Somorovsky, Jörg Schwenk
11th USENIX Workshop on Offensive Technologies (WOOT '17) [Link] [pdf]DOMPurify: Client-Side Protection Against XSS and Markup Injection
2017 - Mario Heiderich, Christopher Späth, Jörg Schwenk
(2017, September). DOMPurify: Client-Side Protection Against XSS and Markup Injection. In European Symposium on Research in Computer Security (ESORICS), Springer, Cham.Simple Security Definitions for and Constructions of 0-RTT Key Exchange
2017 - Britta Hale, Tibor Jager, Sebastian Lauer, Jörg Schwenk
15th International Conference on Applied Cryptography and Network Security - ACNS 2017 [ePrint]Measuring small subgroup attacks against Diffie-Hellman
2017 - Luke Valenta, David Adrian, Antonio Sanso, Shaanan Cohney, Joshua Fried, Marcella Hastings, J. Alex Halderman, Nadia Heninger
In NDSS Symposium 2017 [NDSS Website] [Paper] [Slides] [Youtube Video]SECRET: On the Feasibility of a Secure, Efficient, and Collaborative Real-Time Web Editor
2017 - Dennis Felsch, Christian Mainka, Vladislav Mladenov, Jörg Schwenk
ACM Asia Conference on Computer and Communications Security (ASIACCS) 2017 [GitHub-Project] [Paper] [Slides]SoK: Exploiting Network Printers
2017 - Jens Müller, Vladislav Mladenov, Juraj Somorovsky, Jörg Schwenk
38th IEEE Symposium on Security and Privacy (S&P 2017) [html] [html] [pdf]SoK: Single Sign-On Security – An Evaluation of OpenID Connect
2017 - Christian Mainka, Vladislav Mladenov, Tobias Wich, Jörg Schwenk
IEEE European Symposium on Security and Privacy (EuroS&P 2017) [pdf]0-RTT Key Exchange with Full Forward Secrecy
2017 - Felix Günther, Britta Hale, Tibor Jager, Sebastian Lauer
36th International Conference on the Theory and Applications of Cryptographic Techniques (Eurocrypt 2017)Towards secure and standard-compliant implementations of the PSD2 Directive
2017 - Detlef Hühnlein, Tobias Wich, Daniel Nemmert
Open Identity Summit, 2017 [PDF]Breaking PPTP VPNs via RADIUS Encryption
2016 - Matthias Horst, Martin Grothe, Tibor Jager, Jörg Schwenk
15th International Conference on Cryptology and Network Security (CANS) [http] [pdf]Evaluating Two Methods for WS-(Security) Policy Negotiation and Decision Making
2016 - Abeer Elsafie, Jörg Schwenk
Cloud and Trusted Computing (C&TC 2016), part of: The 15th OnTheMove to Meaningful Internet Systems: (OTM 2016) Conferences, 24-28 Oct 2016, Rhodes, Greece. [Paper]DROWN: Breaking TLS using SSLv2
2016 - Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar, Yuval Shavitt
USENIX Security 2016 [Website and paper] [Pwnie Awards] [Facebook Prize]Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS
2016 - Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic
WOOT 2016 [Blackhat stuff] [paper]Systematic Fuzzing and Testing of TLS Libraries
2016 - Juraj Somorovsky
ACM CCS 2016 [TLS-Attacker] [paper]SoK: XML Parser Vulnerabilities
2016 - Christopher Späth, Christian Mainka, Vladislav Mladenov, Jörg Schwenk
10th USENIX Workshop on Offensive Technologies (WOOT '16) [Paper PDF]How to Break Microsoft Rights Management Services
2016 - Martin Grothe, Christian Mainka, Paul Rösler, Jörg Schwenk
10th USENIX Workshop on Offensive Technologies (WOOT '16) [Paper PDF]Your Cloud in my Company: Modern Rights Management Services Revisited
2016 - Martin Grothe, Paul Rösler, Johanna Jupke, Jan Kaiser, Christian Mainka, Jörg Schwenk
11th International Conference on Availability, Reliability and Security (ARES 2016) [pdf]Do not trust me: Using malicious IdPs for analyzing and attacking Single Sign-On
2016 - Christian Mainka, Vladislav Mladenov, Jörg Schwenk
IEEE European Symposium on Security and Privacy (EuroS&P 2016) [Paper PDF]How Secure is TextSecure?
2016 - Tilman Frosch, Christian Mainka, Christoph Bader, Florian Bergsma, Jörg Schwenk, Thorsten Holz
IEEE European Symposium on Security and Privacy (EuroS&P 2016) [PDF]Architecture for Controlled Credential issuance Enhanced with Single Sign-On (ACCESSO)
2016 - Daniel Nemmert, Detlef Hühnlein, Tina Hühnlein, Tobias Wich
Open Identity Summit, 2016 [PDF]Automatic Recognition, Processing and Attacking of Single Sign-On Protocols with Burp Suite
2015 - Christian Mainka, Vladislav Mladenov, Tim Guenther, Jörg Schwenk
Open Identity Summit 2015 [Paper PDF]How Private is Your Private Cloud?: Security Analysis of Cloud Control Interfaces
2015 - Dennis Felsch, Mario Heiderich, Frederic Schulz, Jörg Schwenk
ACM CCSW 2015 in conjunction with the ACM Conference on Computer and Communications Security (CCS) October 16, 2015, The Denver Marriot City Center, Denver, Colorado, USA. [paper]On Locational Privacy in the Absence of Anonymous Payments
2015 - Tilman Frosch, Sven Schäge, Martin Goll, Thorsten Holz
Gutwirth, S., Leenes R., P. De Hert and Y. Poullet, Data protection on the Move. Current Developments in ICT and Privacy/Data Protection. Springer (forthcoming, 2015), Dordrecht. [pdf]Sicherheitsanalyse der Private Cloud Interfaces von openQRM
2015 - Frederic Schulz, Dennis Felsch, Jörg Schwenk
In Proceedings of the DACH Security 2015, Bonn, Germany [Paper]