course: Message-Level Security

teaching methods:
lecture with tutorials
Moodle, computer based presentation
responsible person:
Prof. Dr. Jörg Schwenk
Dr.-Ing. Christian Mainka (ETIT), Dr.-Ing. Vladislav Mladenov (ETIT)
offered in:
winter term

dates in winter term

  • start: Friday, 11.10.2019
  • lecture: Fridays from 09:15 to 10:45 in ID 03/411
  • tutorial: Fridays from 11:15 to 12:45 in ID 03/411


Form of exam: written
Registration for exam: FlexNow
Room: ID 04/413


The students acquire comprehensive knowledge regarding the benefits, usage and relevant problems of message-level security.


The lecture deals with the topic Message-Level Security. Unlike SSL/TLS, which establishes a secure transport channel, message-level security protects individual messages, such as HTTP requests, independently of the channel they travel over. Its security depends both on the correct use of cryptographic methods and on the secure design of the API interfaces that process the messages.

Within the framework of the lecture, various Message-Level Security techniques will be examined.

The lecture covers the following Message-Level Security methods:

  • JSON is a universal data description language that is natively supported by every modern browser. JSON Signature and JSON Encryption protect JSON messages directly. But is that enough, or can these security mechanisms be bypassed?
  • OAuth is a widespread technology for delegating permissions and is used today by all major websites such as Facebook, Google, Twitter, GitHub, and many more. The lecture explains in-depth details and common errors and attacks that can occur when using OAuth.
  • OpenID Connect is an extension for OAuth to authenticate users on websites using a third-party provider (Single Sign-On, e.g. Google Login). OpenID Connect has become the de facto standard for third-party web logins in recent years. The lecture explains in detail the differences to OAuth and which attacks on OpenID Connect are possible.
  • SAML stands for Security Assertion Markup Language and is a single sign-on standard that is widely used in business scenarios. However, there are numerous attacks ranging from identity theft to Remote Code Execution.
  • PDF is probably the most widely used universal document exchange format. In this lecture the security features of PDFs will be discussed. In particular, digital signatures, which are used, for example, in contracts, will be examined. Will we succeed in forging signed documents?

The students will gain a profound understanding of these systems. For every system investigated, attacks from both the academic world and the pentesting community are presented. The exercises offer the opportunity to try out the acquired knowledge in practice; the students receive a virtual machine for this purpose.


recommended knowledge

  • Basic knowledge of HTTP, HTML and cryptography