IBBT security department
security, privacy and trust of E-*
Wouter Joosen
IBBT - COSIC – DistriNet – ICRI
3/05/2011, We-BBT Brussel

enhance the leading position of ICT-security research in Flanders
essential objectives:
• perform first class basic and applied research in key areas from ICT security (core)
• transfer the acquired basic knowledge into the economy (traditional notion of valorization)
• lower the cost of regulatory compliance of new hardware, software and applications (specific: valorization)
• contribute actively to training of undergraduate and PhD students, and of industry (valorization too)
not too different from IBBT as a whole

ICT security research: context, application and technology trends
1. security research – a strong tradition in Flanders.
2. security is directly related to dependability, and to trustworthiness – trustworthiness will remain essential
3. security cannot be achieved as an after-thought; core to software applications and the development & deployment processes (engineering)
4. security problems arise anywhere in systems (not only at front- and backdoors): end-to-end quality is required.
5. trustworthiness requires full life-cycle support (management support)

security, privacy and trust of E-*
• Many Future Internet Applications need the solutions: being dependable, secure and trustworthy…
• For example: Future health – Future Media <IP TV and video on demand> - Smart grids - Smart infrastructures – Mobile applications – Telematics – V2V..

security expertise (1/2)
• secure programming languages (Clarke, Piessens, Joosen)
• security middleware and component frameworks (Piessens, Desmet, Joosen)
• secure development process (Scandariato, Joosen)
• security monitoring and management (Desmet, Huygens, Joosen)
• security for computer networks and pervasive systems (Verbaeten, Huygens, Preneel, Verbauwhede)
• security for ad-hoc and wireless networks (Preneel, Verbauwhede)
• privacy enhancing technologies, identity management (De Decker, Preneel)
• cryptographic software and software obfuscation (Piessens, Preneel)
• cryptographic hardware and embedded systems (Verbauwhede, Preneel, Rijmen)
• document security, watermarking and perceptual hashing (Preneel)
• trusted computing (Verbauwhede, Preneel)
• legislation, compliance & policy (Dumortier)

security expertise (2/2)
• cryptographic algorithms and protocols, foundations of cryptography and provable security (Rijmen, Preneel)
• risk management (Huygens, Joosen)
• authorisation technologies (Piessens, Joosen, Desmet)
• secure system software (Piessens, Joosen)
• HW implementation of DRM, watermarking and perceptual hashing (Verbauwhede, Preneel, Rijmen)
• side-channel attacks and countermeasures (Verbauwhede, Rijmen, Preneel)
• embedded biometry (Verbauwhede, Tuyls)
• security for RFIDs, smart-cards, sensor nodes (Verbauwhede, Batina, Preneel, Huygens, Joosen)
• evaluation of system security, including requirements, security architectures, software, hardware, cryptographic libraries and smart cards (All)

“one stop shop for ICT security research”

track record – a sample
• about 20 FP6/FP7 projects that relate to trust and security (a separate chapter in the Framework Programmes, “alongside” for example infrastructures and service engineering)
• featuring some NoEs:
  • Cryptology: Bart Preneel from COSIC is currently coordinating ECRYPT II (Network of Excellence on Cryptology), which is a successor to ECRYPT.
  • Software and Software Engineering: Wouter Joosen (DistriNet) currently is the Research Director of NESSoS: Engineering Secure Software and Systems for Future Internet Services.
• in the security and data protection area, ICRI is also involved in a number of FP7 projects, such as PICOS, TURBINE, TAS3 and Primelife.

track record: Rijndael/AES

track record - valorization
home of many successful industry training courses (e.g. secappdev.org)
home of the AES cryptography standard
home of some strong spin-off companies
• Utimaco
• Ubizen (now part of Verizon Business Solutions)
  • Check out Market Analysis for Managed Security Solutions: 2009, 2010

research focus
For the business – applied to many hot application domains:
1. Assurance, compliance of new applications, typically Future Internet Services
   a. Cloud computing (the next big one after SOA)
   b. IoT and embedded software and systems
2. Very long term: Enabling Cost and Risk Assessment
For Society: focus on
1. Privacy (Social Networks) – SBO SPION
2. Long Term: Cybercrime

research focus - programmes
• Embedded Security
• Privacy and identity Management
• Secure Software
• Security in the engineering process
• Legal Research
• Distributed (Internet) Software
  • (middleware)
• What does it mean?

one example: Bravehealth (FP7-IP 2010-2013)
The BRAVEHEALTH system will enable the integration of services provided by mobile resources, legacy applications, data and computing intensive services within a mobile grid to offer personalized e-health services to mobile, nomadic, stationary users.

another example: NextGenITS (IBBT/ICON)
privacy preserving electronic toll
[Figure: GPS Satellites, OBU, Driver and Service Provider; labels: Fee Calculation, Updates, GPS, GSM, Fee Reporting, Bill, Encrypted Location Data]
• only final fee transmitted to Service Provider
• only driver has access to location data
• authenticity of reported fee and location data
• confidentiality of communications

structure of the department

security united
>140 FTEs
COSIC
• Prof. Bart Preneel
• Prof. Vincent Rijmen
• Prof. Ingrid Verbauwhede
• Prof. Claudia Diaz
• 7 postdocs
• 40+ junior researchers
DistriNet
• Prof. Dave Clarke
• Prof. Bart De Decker
• Prof. Christophe Huygens
• Prof. Wouter Joosen
• Prof. Frank Piessens
• Prof. Yolande Berbers
• Prof. Tom Holvoet
• Prof. Bart Jacobs
• 15 postdocs
• 50+ junior researchers
ICRI
• Prof. Jos Dumortier
• Prof. Peggy Valcke
• 2 postdocs
• 15+ junior researchers

collaboration between departments: obvious
overlapping expertise and interest in enabling technologies (FIA) – enabling service platforms
- Telecom SOA (TCASE, WTE+) + (CSEMAP)
- Cloud Computing (CUSTOMSS) + (DREAMaaS, PUMA)
strategic application domains include
- Future Health (EHIP, Share4Health)
- E-Media (CUPID)
- Telematics (NextGenITS)
- Logistics (MultiTr@ns, DEUS, Admid)
- E-government (IDEM) + (CSEMAP)
- …

partnerships
research partners:
• European universities: Cambridge University, ENS Paris, T.U. Graz, T.U. Eindhoven, R.U. Bochum, Danish Technical University, EPF Lausanne, TU Darmstadt, U Lancaster, TCD Dublin, U Twente, Univ. Trento, Open University (UK), ESRC Centre for Analysis of Risk and Regulation (London School of Economics), Tilburg Law and Economics Center (Tilburg University), Institute for Information Law (IViR) (Universiteit Amsterdam), Institute for European Media Law (EMR, Germany), Hans Bredow Institute (Germany), Wissenschaftliches Institut für Infrastruktur und Kommunikationsdienste (WIK, Germany), Helsinki Institute for Information Technology (HIIT, Finland).
• universities outside Europe: Brown University, Korea University, Virginia Tech, McGill University, University of Colorado at Boulder (USA), Annenberg School of Communications at Penn State University (USA), Center for Information Policy Research of the University of Wisconsin (USA), the University of Technology Sydney (Australia) and Hitotsubashi University (Japan).
strategic partners:
• Flemish companies (or companies with a strong representation in Flanders): Agfa (e-health), Alcatel-Lucent, Barco, Belgacom, Telenet, VRT
• European companies: Orange Labs (telecommunications), STMicroelectronics (microelectronics), Gemalto, Giesecke & Devriendt (smart cards), Irdeto and Nagra (content protection), Philips, SAP, Siemens (HQ), Thales, ATOS and Docomo Labs.
• International Industry Research Labs: Microsoft, Google, and IBM; Sony and Hitachi.

conclusion
• nature of the department: highly interdisciplinary in itself
• critical mass beats (most – all?) of the European competition
• international recognition is a fact
• track record: long term and versatile
• stable base for sustained success ..no matter what the buzz words are or will be