The document describes the Mobile-ID identification protocol. It contains the following key points:
1. The protocol involves a user (U), client (C), server (S), device (D), operator (O), and provider (P). It uses the user's SIM card containing two private keys for identification and signing.
2. During activation, the provider issues certificates binding the user's public keys to their name and stating the keys' intended uses.
3. For identification, the server sends a random value to the user's device, which displays a control code for the user to approve signing with their identification private key. If approved, the signed response is sent back to the server for verification.
The document discusses linear feedback shift registers and their use in generating pseudorandom numbers for use as cryptographic keys. It describes how linear feedback shift registers can be cracked using known plaintext attacks if the plaintext and ciphertext are known. It then discusses ways to strengthen cryptography systems, including through the use of confusion and diffusion techniques. Finally, it provides an overview of the DES cryptosystem, including its history, design, and some criticisms of its security.
This document provides an overview of cryptography concepts including:
- Cryptography involves encrypting plaintext into ciphertext and decrypting ciphertext back to plaintext using cryptographic algorithms and keys.
- Symmetric key cryptography uses the same key for encryption and decryption while public key cryptography uses separate public and private keys.
- Stream ciphers generate a random keystream to encrypt plaintext bit-by-bit while block ciphers encrypt plaintext blocks using a codebook determined by the cipher key.
- The document describes the A5/1 stream cipher which uses 3 shift registers to generate a keystream and encrypt plaintext bit-by-bit.
The RSA cryptosystem is the most widely used public key cryptosystem. It uses a "trapdoor" one-way function to encrypt and decrypt messages. While textbook RSA is insecure, common implementations prepend random padding like OAEP to the message before encryption, which provides chosen ciphertext security. Despite its widespread use, RSA remains computationally intensive due to the need for large key sizes for security equivalents to modern block ciphers. Timing and fault attacks remain a concern if proper countermeasures are not implemented.
Operation-based formal verification (OFV) uses operation properties to formally verify VHDL designs at the register-transfer level. It constructs an abstract VHDL model from the code by identifying the start and end states of operations and the properties connecting them. Property checking and completeness tests are used to prove the equivalence between the VHDL code and abstract model, finding any errors. OFV supports the full verification process from pre-proof to proof to theory formation. It has been applied successfully to verify an industrial processor with over 100,000 lines of code. However, its adoption is limited by design practices focusing on integration rather than module construction, and verification methods relying more on simulation than formal analysis.
This document discusses mobile ID and different levels of assurance (LOA) for authentication using mobile devices. It presents LOA1-4 with increasing levels of required authentication factors and confidence. Mobile ID uses public/private keys to provide digital signatures for authentication and transactions on banking, e-government, healthcare and other services. Examples from Norway are given where mobile Bank ID is used for banking login, online shopping payments, and accessing government services. Open questions remain around implementing international data security standards, developing a mobile ID legal roadmap, and introducing an e-ID card in Ukraine.
The document discusses adding authentication and authorization to an externally facing service mesh application. It introduces authentication using the OAuth 2.0 framework with an API gateway and authentication service. Authorization is implemented using Open Policy Agent to define policies separately from services. The resulting architecture separates authentication, authorization, and application services for improved scalability and team autonomy.
This document provides information about Marten Meikop, including his hobbies, professional career, and role at Pipedrive. It then summarizes key details about Pipedrive's engineering including the number of employees, customers, offices, and requests processed per week. It outlines the evolution of Pipedrive's architecture from a PHP monolith to a microservices architecture running across multiple data centers.
This document discusses how microservices at Twilio have evolved into "micromonoliths" as the services grow more complex and interconnected over time. It recommends establishing dependencies between services based on functional areas rather than technical boundaries to better reflect product and organizational structure. Using generated clients from API specifications and prioritizing splitting services can help reduce complexity as the system evolves. The document advocates reducing barriers to introducing new services so that the architecture remains flexible and adaptable.
The document discusses linear feedback shift registers and their use in generating pseudorandom numbers for use as cryptographic keys. It describes how linear feedback shift registers can be cracked using known plaintext attacks if the plaintext and ciphertext are known. It then discusses ways to strengthen cryptography systems, including through the use of confusion and diffusion techniques. Finally, it provides an overview of the DES cryptosystem, including its history, design, and some criticisms of its security.
This document provides an overview of cryptography concepts including:
- Cryptography involves encrypting plaintext into ciphertext and decrypting ciphertext back to plaintext using cryptographic algorithms and keys.
- Symmetric key cryptography uses the same key for encryption and decryption while public key cryptography uses separate public and private keys.
- Stream ciphers generate a random keystream to encrypt plaintext bit-by-bit while block ciphers encrypt plaintext blocks using a codebook determined by the cipher key.
- The document describes the A5/1 stream cipher which uses 3 shift registers to generate a keystream and encrypt plaintext bit-by-bit.
The RSA cryptosystem is the most widely used public key cryptosystem. It uses a "trapdoor" one-way function to encrypt and decrypt messages. While textbook RSA is insecure, common implementations prepend random padding like OAEP to the message before encryption, which provides chosen ciphertext security. Despite its widespread use, RSA remains computationally intensive due to the need for large key sizes for security equivalents to modern block ciphers. Timing and fault attacks remain a concern if proper countermeasures are not implemented.
Operation-based formal verification (OFV) uses operation properties to formally verify VHDL designs at the register-transfer level. It constructs an abstract VHDL model from the code by identifying the start and end states of operations and the properties connecting them. Property checking and completeness tests are used to prove the equivalence between the VHDL code and abstract model, finding any errors. OFV supports the full verification process from pre-proof to proof to theory formation. It has been applied successfully to verify an industrial processor with over 100,000 lines of code. However, its adoption is limited by design practices focusing on integration rather than module construction, and verification methods relying more on simulation than formal analysis.
This document discusses mobile ID and different levels of assurance (LOA) for authentication using mobile devices. It presents LOA1-4 with increasing levels of required authentication factors and confidence. Mobile ID uses public/private keys to provide digital signatures for authentication and transactions on banking, e-government, healthcare and other services. Examples from Norway are given where mobile Bank ID is used for banking login, online shopping payments, and accessing government services. Open questions remain around implementing international data security standards, developing a mobile ID legal roadmap, and introducing an e-ID card in Ukraine.
The document discusses adding authentication and authorization to an externally facing service mesh application. It introduces authentication using the OAuth 2.0 framework with an API gateway and authentication service. Authorization is implemented using Open Policy Agent to define policies separately from services. The resulting architecture separates authentication, authorization, and application services for improved scalability and team autonomy.
This document provides information about Marten Meikop, including his hobbies, professional career, and role at Pipedrive. It then summarizes key details about Pipedrive's engineering including the number of employees, customers, offices, and requests processed per week. It outlines the evolution of Pipedrive's architecture from a PHP monolith to a microservices architecture running across multiple data centers.
This document discusses how microservices at Twilio have evolved into "micromonoliths" as the services grow more complex and interconnected over time. It recommends establishing dependencies between services based on functional areas rather than technical boundaries to better reflect product and organizational structure. Using generated clients from API specifications and prioritizing splitting services can help reduce complexity as the system evolves. The document advocates reducing barriers to introducing new services so that the architecture remains flexible and adaptable.
The document discusses migrating a monolith application to microservices. It outlines some common problems with monoliths like being hard to maintain and understand. The action plan is to gradually extract new or critical parts of the monolith into separate microservices over time, starting services for new features or critical parts of the existing application. It also recommends improving areas like monitoring, testing, and knowledge sharing as the migration occurs to more smoothly transition to a microservices architecture.
After an acquisition, Fleet Complete plans to merge the backend systems of the acquired companies by breaking up monolithic architectures into separate microservices based on feature domains. This will allow teams to independently choose technologies and processes while still coordinating product management. Proper documentation and modular code will facilitate data migration and collaboration between geographically dispersed teams using different technologies. The goal is to build flexibility for future acquisitions and place business needs over technical preferences.
Scientists meet Entrepreneurs - AI & Machine Learning, Kristjan Korjus, StarshipMobileMonday Estonia
The document discusses machine learning in industry. It describes a machine learning continuum with 5 steps from ad-hoc algorithms to deep neural networks. It discusses using data as a specification to iteratively make robots safer by increasing safety 2x, 10 times. It also mentions upcoming publication of a "Data as a specification" manifesto and conducting peer-reviewed analysis. The document is a presentation about machine learning approaches at a company that delivers packages via autonomous robots.
Scientists meet Entrepreneurs - AI & Machine Learning, Peeter Piksarv, Moonca...MobileMonday Estonia
Peeter Piksarv has a PhD in Physics from 2013 and worked as a postdoc from 2014 to 2016 before becoming a data scientist. He discusses how academics skills like taking lots of lectures to build knowledge, mastering the scientific method, conducting research, problem solving, and writing and presenting are useful for becoming a scientist. Piksarv's own work has involved bots, text classification, and a variety of projects that require an aptitude for learning, confidence facing unknown problems, and making evidence-based decisions.
Scientists meet Entrepreneurs - AI & Machine Learning, Tambet Matiisen, Unive...MobileMonday Estonia
AI is advancing rapidly and will have wide-ranging impacts. It is learning to perform tasks beyond perception like complex algorithms, databases, and user interfaces. For algorithms, neural networks can now replicate existing algorithms like Photoshop filters with constant time and memory usage, and their performance can be adjusted based on accuracy or speed needs. For databases, learned indexes can provide faster lookups and use less storage than traditional indexes. For user interfaces, AI is starting to automatically generate UI elements. To stay relevant, people should learn AI through available online courses.
Scientists meet Entrepreneurs - AI & Machine Learning, Dima Fishman, Universi...MobileMonday Estonia
The document discusses how deep learning is being applied in medicine and biology. It provides examples of deep learning being used to detect diabetic retinopathy and skin cancer at performance levels comparable to experts. While deep learning has achieved human-level performance in some medical image analysis tasks, it notes that applying deep learning to medicine faces challenges due to the complexity of medical data and difficulties obtaining large datasets due to privacy and cost issues.
The document discusses the benefits of exercise for both physical and mental health. Regular exercise can improve cardiovascular health, reduce symptoms of depression and anxiety, enhance mood, and reduce stress levels. Staying physically active for at least 30 minutes each day is recommended for significant health benefits.
This document discusses the challenges of developing space hardware and fitting into the global market. It identifies three main challenges for space hardware providers as finding customers, accessing finance, and availability of skilled staff. Additional challenges for developing space hardware in Estonia include long and expensive supply lines, restricted access to infrastructure and potential clients, and a shortage of senior space industry professionals. The document provides recommendations for addressing these challenges such as pursuing international education programs in space technology, participating in competitions, and choosing a start-up location strategically.
This document discusses Kappazeta's use of deep learning and satellite imagery to detect grassland mowing for agricultural subsidy verification. Some key points:
1) Kappazeta has developed an automated country-wide grassland mowing detection system using Sentinel-1/-2 satellite imagery time-series to help the Estonian Paying Agency verify subsidy claims as required by the EU Common Agricultural Policy.
2) The system provides 90% detection accuracy, 95% coverage of Estonia, and status updates within 24 hours using over 7TB of satellite images from 2017.
3) While the technology shows promise, the work involves many challenges including inconsistent data, limited training data, and complex software development
Copernicus is the European Union's Earth observation program that provides free and open access to data and processing tools. It includes a series of Sentinel satellites that monitor the Earth's land, atmosphere, oceans and climate. The document discusses accessing Copernicus data through tools like SNAP, QGIS and Pytroll. It also describes the six Copernicus services that provide thematic data products on topics like marine monitoring, land cover mapping, and emergency response.
Kair Käsper has worked as director of product marketing and previously ran digital projects at an advertising agency. He created and sold a digital agency, and now co-founded a SaaS company focusing on free trials. As director of product marketing, his responsibilities include customer and market research, competitor tracking, developing value propositions and messaging, pricing and packaging, and enabling sales and partnerships.
Machine learning can be used in marketing in supervised and unsupervised ways to better target customers. Supervised learning uses labeled training data to classify customers, while unsupervised learning finds hidden patterns in unlabeled data. These techniques can help analyze existing customers, detect the most valuable ones, prevent customer churn, recommend the right products to buyers, and power personalized email campaigns and creative marketing strategies.
The document discusses how marketing should focus on ideas and insights rather than directly marketing a company's product, which can be invisible to customers. It recommends that marketing generate answers to customer questions, share internal data insights, and ideas that can be packaged and marketed through blogs, syndication, social media, email marketing and retargeting to generate inbound leads for sales. An effective marketing stack is also needed that utilizes various tools to implement idea marketing and feedback loop between customers, sales, and marketing.
What Does it take to Develop Kickass Products?, Laura NoodaperaMobileMonday Estonia
This document summarizes the key findings from interviews conducted as part of a Jobs to be Done analysis of Teamweek, a project management tool. The interviews identified common habits, anxieties, and jobs among managers using paying workspaces. Key findings include that previous systems were often non-existent, creating a feeling of lost information and lack of control. Teamweek helps by providing an easy to use visual overview and collaboration features. Based on these findings, the company has rewritten its strategy and mission, is experimenting with new messaging, and has plans to create product stories and marketing opportunities.
What Does it take to Develop Kickass Products?, Britt MaasaluMobileMonday Estonia
This document discusses how to effectively work with external teams to create successful products. It identifies that external teams can include different offices within a company, freelancers, or external companies. Key obstacles include distance, cultural differences, and personal attributes. To overcome these challenges, the document recommends having team effort, self-discipline, leadership as a role model, team support, agreed upon processes, organized work, communication, and face-to-face meetings to build respect and trust. Potential downfalls include incompatibility, differing work methods, location/time zone issues, and lack of communication or motivation. With the right approach, the document concludes that external teams can be highly effective.
Triinu Sirge is an ergonomist who founded Ergoway OÜ to provide ergonomic and occupational health and safety services. She discusses how ergonomics can be used to improve work environments and reduce musculoskeletal disorders. Applying ergonomic principles such as adjustable equipment, standing desks, and taking breaks can help reduce issues like neck, back, and eye strain while increasing productivity and well-being.
The document outlines the challenges of starting a new business and surviving the "valley of death" period where many startups fail. It references several of the author's past startup attempts from 2012-2018 that ultimately failed ("R.I.P."). It quotes Jack Ma saying that while tomorrow may be bad and the next day worse, the day after tomorrow will be beautiful. The document emphasizes the need for resilience among entrepreneurs facing difficulties getting their businesses off the ground.
The document outlines the career journey of a female entrepreneur from her early career working for corporations in 2002 to founding multiple companies between 2004-2018. It shows her progression from founding her first company in 2004 to building it up and starting new ventures, including dealing with the challenges of execution, priorities, customers, and scaling businesses. The document also discusses traits common to successful female entrepreneurs like determination, building a strong team, and having a support system to fall back on during difficult periods.
This document discusses three life lessons. The first is that success comes from being prepared to seize opportunities. The second is that failure and getting hurt are normal parts of life. The third encourages the reader to be curious, pay attention, have fun, and their life will turn out well.
The document discusses migrating a monolith application to microservices. It outlines some common problems with monoliths like being hard to maintain and understand. The action plan is to gradually extract new or critical parts of the monolith into separate microservices over time, starting services for new features or critical parts of the existing application. It also recommends improving areas like monitoring, testing, and knowledge sharing as the migration occurs to more smoothly transition to a microservices architecture.
After an acquisition, Fleet Complete plans to merge the backend systems of the acquired companies by breaking up monolithic architectures into separate microservices based on feature domains. This will allow teams to independently choose technologies and processes while still coordinating product management. Proper documentation and modular code will facilitate data migration and collaboration between geographically dispersed teams using different technologies. The goal is to build flexibility for future acquisitions and place business needs over technical preferences.
Scientists meet Entrepreneurs - AI & Machine Learning, Kristjan Korjus, StarshipMobileMonday Estonia
The document discusses machine learning in industry. It describes a machine learning continuum with 5 steps from ad-hoc algorithms to deep neural networks. It discusses using data as a specification to iteratively make robots safer by increasing safety 2x, 10 times. It also mentions upcoming publication of a "Data as a specification" manifesto and conducting peer-reviewed analysis. The document is a presentation about machine learning approaches at a company that delivers packages via autonomous robots.
Scientists meet Entrepreneurs - AI & Machine Learning, Peeter Piksarv, Moonca...MobileMonday Estonia
Peeter Piksarv has a PhD in Physics from 2013 and worked as a postdoc from 2014 to 2016 before becoming a data scientist. He discusses how academics skills like taking lots of lectures to build knowledge, mastering the scientific method, conducting research, problem solving, and writing and presenting are useful for becoming a scientist. Piksarv's own work has involved bots, text classification, and a variety of projects that require an aptitude for learning, confidence facing unknown problems, and making evidence-based decisions.
Scientists meet Entrepreneurs - AI & Machine Learning, Tambet Matiisen, Unive...MobileMonday Estonia
AI is advancing rapidly and will have wide-ranging impacts. It is learning to perform tasks beyond perception like complex algorithms, databases, and user interfaces. For algorithms, neural networks can now replicate existing algorithms like Photoshop filters with constant time and memory usage, and their performance can be adjusted based on accuracy or speed needs. For databases, learned indexes can provide faster lookups and use less storage than traditional indexes. For user interfaces, AI is starting to automatically generate UI elements. To stay relevant, people should learn AI through available online courses.
Scientists meet Entrepreneurs - AI & Machine Learning, Dima Fishman, Universi...MobileMonday Estonia
The document discusses how deep learning is being applied in medicine and biology. It provides examples of deep learning being used to detect diabetic retinopathy and skin cancer at performance levels comparable to experts. While deep learning has achieved human-level performance in some medical image analysis tasks, it notes that applying deep learning to medicine faces challenges due to the complexity of medical data and difficulties obtaining large datasets due to privacy and cost issues.
The document discusses the benefits of exercise for both physical and mental health. Regular exercise can improve cardiovascular health, reduce symptoms of depression and anxiety, enhance mood, and reduce stress levels. Staying physically active for at least 30 minutes each day is recommended for significant health benefits.
This document discusses the challenges of developing space hardware and fitting into the global market. It identifies three main challenges for space hardware providers as finding customers, accessing finance, and availability of skilled staff. Additional challenges for developing space hardware in Estonia include long and expensive supply lines, restricted access to infrastructure and potential clients, and a shortage of senior space industry professionals. The document provides recommendations for addressing these challenges such as pursuing international education programs in space technology, participating in competitions, and choosing a start-up location strategically.
This document discusses Kappazeta's use of deep learning and satellite imagery to detect grassland mowing for agricultural subsidy verification. Some key points:
1) Kappazeta has developed an automated country-wide grassland mowing detection system using Sentinel-1/-2 satellite imagery time-series to help the Estonian Paying Agency verify subsidy claims as required by the EU Common Agricultural Policy.
2) The system provides 90% detection accuracy, 95% coverage of Estonia, and status updates within 24 hours using over 7TB of satellite images from 2017.
3) While the technology shows promise, the work involves many challenges including inconsistent data, limited training data, and complex software development
Copernicus is the European Union's Earth observation program that provides free and open access to data and processing tools. It includes a series of Sentinel satellites that monitor the Earth's land, atmosphere, oceans and climate. The document discusses accessing Copernicus data through tools like SNAP, QGIS and Pytroll. It also describes the six Copernicus services that provide thematic data products on topics like marine monitoring, land cover mapping, and emergency response.
Kair Käsper has worked as director of product marketing and previously ran digital projects at an advertising agency. He created and sold a digital agency, and now co-founded a SaaS company focusing on free trials. As director of product marketing, his responsibilities include customer and market research, competitor tracking, developing value propositions and messaging, pricing and packaging, and enabling sales and partnerships.
Machine learning can be used in marketing in supervised and unsupervised ways to better target customers. Supervised learning uses labeled training data to classify customers, while unsupervised learning finds hidden patterns in unlabeled data. These techniques can help analyze existing customers, detect the most valuable ones, prevent customer churn, recommend the right products to buyers, and power personalized email campaigns and creative marketing strategies.
The document discusses how marketing should focus on ideas and insights rather than directly marketing a company's product, which can be invisible to customers. It recommends that marketing generate answers to customer questions, share internal data insights, and ideas that can be packaged and marketed through blogs, syndication, social media, email marketing and retargeting to generate inbound leads for sales. An effective marketing stack is also needed that utilizes various tools to implement idea marketing and feedback loop between customers, sales, and marketing.
What Does it take to Develop Kickass Products?, Laura NoodaperaMobileMonday Estonia
This document summarizes the key findings from interviews conducted as part of a Jobs to be Done analysis of Teamweek, a project management tool. The interviews identified common habits, anxieties, and jobs among managers using paying workspaces. Key findings include that previous systems were often non-existent, creating a feeling of lost information and lack of control. Teamweek helps by providing an easy to use visual overview and collaboration features. Based on these findings, the company has rewritten its strategy and mission, is experimenting with new messaging, and has plans to create product stories and marketing opportunities.
What Does it take to Develop Kickass Products?, Britt MaasaluMobileMonday Estonia
This document discusses how to effectively work with external teams to create successful products. It identifies that external teams can include different offices within a company, freelancers, or external companies. Key obstacles include distance, cultural differences, and personal attributes. To overcome these challenges, the document recommends having team effort, self-discipline, leadership as a role model, team support, agreed upon processes, organized work, communication, and face-to-face meetings to build respect and trust. Potential downfalls include incompatibility, differing work methods, location/time zone issues, and lack of communication or motivation. With the right approach, the document concludes that external teams can be highly effective.
Triinu Sirge is an ergonomist who founded Ergoway OÜ to provide ergonomic and occupational health and safety services. She discusses how ergonomics can be used to improve work environments and reduce musculoskeletal disorders. Applying ergonomic principles such as adjustable equipment, standing desks, and taking breaks can help reduce issues like neck, back, and eye strain while increasing productivity and well-being.
The document outlines the challenges of starting a new business and surviving the "valley of death" period where many startups fail. It references several of the author's past startup attempts from 2012-2018 that ultimately failed ("R.I.P."). It quotes Jack Ma saying that while tomorrow may be bad and the next day worse, the day after tomorrow will be beautiful. The document emphasizes the need for resilience among entrepreneurs facing difficulties getting their businesses off the ground.
The document outlines the career journey of a female entrepreneur from her early career working for corporations in 2002 to founding multiple companies between 2004-2018. It shows her progression from founding her first company in 2004 to building it up and starting new ventures, including dealing with the challenges of execution, priorities, customers, and scaling businesses. The document also discusses traits common to successful female entrepreneurs like determination, building a strong team, and having a support system to fall back on during difficult periods.
This document discusses three life lessons. The first is that success comes from being prepared to seize opportunities. The second is that failure and getting hurt are normal parts of life. The third encourages the reader to be curious, pay attention, have fun, and their life will turn out well.
Essentials of Automations: Exploring Attributes & Automation ParametersSafe Software
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...Jason Yip
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
"NATO Hackathon Winner: AI-Powered Drug Search", Taras KlobaFwdays
This is a session that details how PostgreSQL's features and Azure AI Services can be effectively used to significantly enhance the search functionality in any application.
In this session, we'll share insights on how we used PostgreSQL to facilitate precise searches across multiple fields in our mobile application. The techniques include using LIKE and ILIKE operators and integrating a trigram-based search to handle potential misspellings, thereby increasing the search accuracy.
We'll also discuss how the azure_ai extension on PostgreSQL databases in Azure and Azure AI Services were utilized to create vectors from user input, a feature beneficial when users wish to find specific items based on text prompts. While our application's case study involves a drug search, the techniques and principles shared in this session can be adapted to improve search functionality in a wide range of applications. Join us to learn how PostgreSQL and Azure AI can be harnessed to enhance your application's search capability.
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
High performance Serverless Java on AWS- GoTo Amsterdam 2024Vadym Kazulkin
Java is for many years one of the most popular programming languages, but it used to have hard times in the Serverless community. Java is known for its high cold start times and high memory footprint, comparing to other programming languages like Node.js and Python. In this talk I'll look at the general best practices and techniques we can use to decrease memory consumption, cold start times for Java Serverless development on AWS including GraalVM (Native Image) and AWS own offering SnapStart based on Firecracker microVM snapshot and restore and CRaC (Coordinated Restore at Checkpoint) runtime hooks. I'll also provide a lot of benchmarking on Lambda functions trying out various deployment package sizes, Lambda memory settings, Java compilation options and HTTP (a)synchronous clients and measure their impact on cold and warm start times.
Discover top-tier mobile app development services, offering innovative solutions for iOS and Android. Enhance your business with custom, user-friendly mobile applications.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
Must Know Postgres Extension for DBA and Developer during MigrationMydbops
Mydbops Opensource Database Meetup 16
Topic: Must-Know PostgreSQL Extensions for Developers and DBAs During Migration
Speaker: Deepak Mahto, Founder of DataCloudGaze Consulting
Date & Time: 8th June | 10 AM - 1 PM IST
Venue: Bangalore International Centre, Bangalore
Abstract: Discover how PostgreSQL extensions can be your secret weapon! This talk explores how key extensions enhance database capabilities and streamline the migration process for users moving from other relational databases like Oracle.
Key Takeaways:
* Learn about crucial extensions like oracle_fdw, pgtt, and pg_audit that ease migration complexities.
* Gain valuable strategies for implementing these extensions in PostgreSQL to achieve license freedom.
* Discover how these key extensions can empower both developers and DBAs during the migration process.
* Don't miss this chance to gain practical knowledge from an industry expert and stay updated on the latest open-source database trends.
Mydbops Managed Services specializes in taking the pain out of database management while optimizing performance. Since 2015, we have been providing top-notch support and assistance for the top three open-source databases: MySQL, MongoDB, and PostgreSQL.
Our team offers a wide range of services, including assistance, support, consulting, 24/7 operations, and expertise in all relevant technologies. We help organizations improve their database's performance, scalability, efficiency, and availability.
Contact us: info@mydbops.com
Visit: https://www.mydbops.com/
Follow us on LinkedIn: https://in.linkedin.com/company/mydbops
For more details and updates, please follow up the below links.
Meetup Page : https://www.meetup.com/mydbops-databa...
Twitter: https://twitter.com/mydbopsofficial
Blogs: https://www.mydbops.com/blog/
Facebook(Meta): https://www.facebook.com/mydbops/
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillLizaNolte
HERE IS YOUR WEBINAR CONTENT! 'Mastering Customer Journey Management with Dr. Graham Hill'. We hope you find the webinar recording both insightful and enjoyable.
In this webinar, we explored essential aspects of Customer Journey Management and personalization. Here’s a summary of the key insights and topics discussed:
Key Takeaways:
Understanding the Customer Journey: Dr. Hill emphasized the importance of mapping and understanding the complete customer journey to identify touchpoints and opportunities for improvement.
Personalization Strategies: We discussed how to leverage data and insights to create personalized experiences that resonate with customers.
Technology Integration: Insights were shared on how inQuba’s advanced technology can streamline customer interactions and drive operational efficiency.
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...Fwdays
Direct losses from downtime in 1 minute = $5-$10 thousand dollars. Reputation is priceless.
As part of the talk, we will consider the architectural strategies necessary for the development of highly loaded fintech solutions. We will focus on using queues and streaming to efficiently work and manage large amounts of data in real-time and to minimize latency.
We will focus special attention on the architectural patterns used in the design of the fintech system, microservices and event-driven architecture, which ensure scalability, fault tolerance, and consistency of the entire system.
The Microsoft 365 Migration Tutorial For Beginner.pptxoperationspcvita
This presentation will help you understand the power of Microsoft 365. However, we have mentioned every productivity app included in Office 365. Additionally, we have suggested the migration situation related to Office 365 and how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/
Chris Jones, Director of Product Management at BrainChip , presents the “Temporal Event Neural Networks: A More Efficient Alternative to the Transformer” tutorial at the May 2024 Embedded Vision Summit.
The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers.
Integration with BrainChip’s Akida neuromorphic hardware IP further enhances TENNs’ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyScyllaDB
Freshworks creates AI-boosted business software that helps employees work more efficiently and effectively. Managing data across multiple RDBMS and NoSQL databases was already a challenge at their current scale. To prepare for 10X growth, they knew it was time to rethink their database strategy. Learn how they architected a solution that would simplify scaling while keeping costs under control.
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving
Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!
Northern Engraving | Nameplate Manufacturing Process - 2024
Peeter Laud: "Formal Analysis of the Mobile-ID protocol"
1. Analysis of the network
security of the Mobile-ID
identification protocol
Peeter Laud
Cybernetica AS & Tartu University
2. The object
s A SIM-card that
x contains two private keys;
x is capable of signing with those keys;
x works like an ”‘ordinary”’ SIM-card otherwise.
s During its activation SK AS issues certificates that
x bind the corresponding public keys to your name;
x state that the use of the first key is in identification
x . . . and the use of the second key is in signing documents.
MoMo, 07.09.2009 – 2 / 14
3. The signing procedure
s The card receives (x, M ) from the mobile operator.
x x — the (short) message to sign;
s a couple of dozen bytes.
s might be the hash of the “real” message.
x M an explanatory text.
x the channel from operator to SIM-card is secure.
s The card computes the control code cc(x) of x.
x cc(x) ∈ {0000, 0001, 0002, . . . , 9999}
s The card shows cc(x) and M to the user (through the phone).
s If cc(x) and M OK, the user gives his/her PIN to the card.
x Different PIN-s for different keys.
s The card verifies PIN, sends sigsk (x) to the operator.
MoMo, 07.09.2009 – 3 / 14
4. The identification protocol
U C S D O P U
S skS skD skU
Server’s
protected
using KP
get certS VPN
˜
TLS HS
secret
Server know certD
key
U, P
TLS HS
˜
S, U, P, r1
User
get certU get certU
˜
S, P, r1 r2 ˜
S, r1 r2
CC1 := cc(r1 r2 )
CC2 := cc(r1 r2 )
CC1 CC1 ˜
CC1 S, CC2
˜
Compare CC1 and CC2 . Check S.
sigskU (r1 r2 ) PIN
sigskU (r1 r2 )
OK
MoMo, 07.09.2009 – 4 / 14
5. The identification protocol
U C S D O P U
S skS skD skU
Phone VPN
protected
using KP
get certS
˜
TLS HS and
U, P know certSIM
D
user’s
TLS HS
secret
˜
S, U, P, r1 key
get certU get certU
˜
S, P, r1 r2 ˜
S, r1 r2
CC1 := cc(r1 r2 )
CC2 := cc(r1 r2 )
CC1 CC1 ˜
CC1 S, CC2
˜
Compare CC1 and CC2 . Check S.
sigskU (r1 r2 ) PIN
sigskU (r1 r2 )
OK
MoMo, 07.09.2009 – 4 / 14
6. The identification protocol
U C S D O P U
S skS skD skU
protected
using KP
get certS VPN
˜
TLS HS
Client know certD
U, P
application
TLS HS
˜
S, U, P, r1
get certU get certU
˜
S, P, r1 r2 ˜
S, r1 r2
CC1 := cc(r1 r2 )
CC2 := cc(r1 r2 )
CC1 CC1 ˜
CC1 S, CC2
˜
Compare CC1 and CC2 . Check S.
sigskU (r1 r2 ) PIN
sigskU (r1 r2 )
OK
MoMo, 07.09.2009 – 4 / 14
7. The identification protocol
U C S D O P U
S skS skD skU
protected
using KP
get certS VPN
˜
TLS HS
U, P know certD
TLS HS
˜
S, U, P, r1
get certU get certU
˜
S, P, r1 r2 ˜
S, r1 r2
CC1 := cc(r1 r2 )
CC2 := cc(r1 r2 )
CC1 CC1 ˜
CC1 S, CC2
˜
Compare CC1 and CC2 . Check S.
sigskU (r1 r2 ) PIN
sigskU (r1 r2 )
OK
MoMo, 07.09.2009 – 4 / 14
8. The identification protocol
U C S D O P U
S skS skD skU
protected
using KP
get certS VPN
˜
TLS HS
U, P know certD
TLS HS
˜
S, U, P, r1
get certU get certU
˜
S, P, r1 r2 ˜
S, r1 r2
CC1 := cc(r1 r2 )
CC2 := cc(r1 r2 )
CC1 CC1 ˜
CC1 S, CC2
˜
Compare CC1 and CC2 . Check S.
sigskU (r1 r2 ) PIN
sigskU (r1 r2 )
OK
MoMo, 07.09.2009 – 4 / 14
9. The identification protocol
U C S D O P U
S skS skD skU
protected
using KP
get certS VPN
˜
TLS HS
U, P know certD
TLS HS DigiDocService
˜
S, U, P, r1
get certU get certU
˜
S, P, r1 r2 ˜
S, r1 r2
CC1 := cc(r1 r2 )
CC2 := cc(r1 r2 )
CC1 CC1 ˜
CC1 S, CC2
˜
Compare CC1 and CC2 . Check S.
sigskU (r1 r2 ) PIN
sigskU (r1 r2 )
OK
MoMo, 07.09.2009 – 4 / 14
10. The identification protocol
U C S D O P U
S skS skD skU
protected
using KP
get certS VPN
˜
TLS HS
U, P know certD
TLS HS
˜
S = (S, m)
˜
S, U, P, r1 m — a message to be shown
get certU get certU
on user’s phone screen
˜
S, P, r1 r2 ˜
S, r1 r2
CC1 := 1 —1 a 2 )
r cc(r r random number (10 bytes)
CC2 := cc(r1 r2 )
CC1 CC1 ˜
CC1 S, CC2
˜
Compare CC1 and CC2 . Check S.
sigskU (r1 r2 ) PIN
sigskU (r1 r2 )
OK
MoMo, 07.09.2009 – 4 / 14
11. The identification protocol
U C S D O P U
S skS skD skU
protected
using KP
get certS VPN
˜
TLS HS
U, P know certD
TLS HS
mobile operator
˜
S, U, P, r1
get certU get certU
˜
S, P, r1 r2 ˜
S, r1 r2
CC1 := cc(r1 r2 )
CC2 := cc(r1 r2 )
CC1 CC1 ˜
CC1 S, CC2
r2 —Compare CC and CC . Check S.
a short random number ˜
1 2
sigskU (r1 r2 ) PIN
sigskU (r1 r2 )
OK
MoMo, 07.09.2009 – 4 / 14
12. The identification protocol
U C S D O P U
S skS skD skU
protected
using KP
get certS VPN
˜
TLS HS
U, P know certD
TLS HS
˜
S, U, P, r1
get certU get certU
˜
S, P, r1 r2 ˜
S, r1 r2
CC1 := cc(r1 r2 )
CC2 := cc(r1 r2 )
CC1 CC1 ˜
CC1 S, CC2
˜
Compare CC1 and CC2 . Check S.
sigskU (r1 r2 ) PIN
sigskU (r1 r2 )
OK
MoMo, 07.09.2009 – 4 / 14
13. The identification protocol
U C S D O P U
S skS skD skU
protected
using KP
get certS VPN
˜
TLS HS
U, P know certD
TLS HS
˜
S, U, P, r1
get certU get certU
˜
S, P, r1 r2 ˜
S, r1 r2
CC1 := cc(r1 r2 )
CC2 := cc(r1 r2 )
CC1 CC1 ˜
CC1 S, CC2
˜
Compare CC1 and CC2 . Check S.
SIM-card computes
sigskU (r1 r2 ) PIN
sigskU (r1 r2 )
OK
MoMo, 07.09.2009 – 4 / 14
14. The identification protocol
U C S D O P U
S skS skD skU
protected
using KP
get certS VPN
˜
TLS HS
U, P know certD
TLS HS
˜
S, U, P, r1
get certU get certU
˜
S, P, r1 r2 ˜
S, r1 r2
CC1 := cc(r1 r2 )
CC2 := cc(r1 r2 )
CC1 CC1 ˜
CC1 S, CC2
˜
Compare CC1 and CC2 . Check S.
DigiDocService computes
sig (r r ) PIN
skU 1 2
sigskU (r1 r2 )
OK
MoMo, 07.09.2009 – 4 / 14
15. The identification protocol
U C S D O P U
S skS skD skU
protected
using KP
get certS VPN
˜
TLS HS
U, P know certD
TLS HS
˜
S, U, P, r1
get certU get certU
˜
S, P, r1 r2 ˜
S, r1 r2
CC1 := cc(r1 r2 )
CC2 := cc(r1 r2 )
CC1 CC1 ˜
CC1 S, CC2
˜
Compare CC1 and CC2 . Check S.
sigskU (r1 r2 ) PIN
sigskU (r1 r2 )
OK
MoMo, 07.09.2009 – 4 / 14
16. The identification protocol
U C S D O P U
S skS skD skU
protected
using KP
get certS VPN
˜
TLS HS
U, P know certD
TLS HS
˜
S, U, P, r1
get certU get certU
˜
S, P, r1 r2 ˜
S, r1 r2
CC1 := cc(r1 r2 )
CC2 := cc(r1 r2 )
CC1 CC1 ˜
CC1 S, CC2
˜
Compare CC1 and CC2 . Check S.
sigskU (r1 r2 ) PIN
sigskU (r1 r2 )
OK
MoMo, 07.09.2009 – 4 / 14
17. The identification protocol
U C S D O P U
S skS skD skU
protected
using KP
get certS VPN
˜
TLS HS
U, P know certD
TLS HS
˜
S, U, P, r1
get certU get certU
˜
S, P, r1 r2 ˜
S, r1 r2
CC1 := cc(r1 r2 )
CC2 := cc(r1 r2 )
CC1 CC1 ˜
CC1 S, CC2
˜
Compare CC1 and CC2 . Check S.
sigskU (r1 r2 ) PIN
sigskU (r1 r2 )
OK
MoMo, 07.09.2009 – 4 / 14
18. The identification protocol
U C S D O P U
S skS skD skU
protected
using KP
get certS VPN
˜
TLS HS
U, P know certD
TLS HS
˜
S, U, P, r1
get certU get certU
˜
S, P, r1 r2 ˜
S, r1 r2
CC1 := cc(r1 r2 )
CC2 := cc(r1 r2 )
CC1 CC1 ˜
CC1 S, CC2
˜
Compare CC1 and CC2 . Check S.
sigskU (r1 r2 ) PIN
sigskU (r1 r2 )
OK
MoMo, 07.09.2009 – 4 / 14
19. The identification protocol
U C S D O P U
S skS skD skU
protected
using KP
get certS VPN
˜
TLS HS
U, P know certD
TLS HS
˜
S, U, P, r1
get certU get certU
˜
S, P, r1 r2 ˜
S, r1 r2
CC1 := cc(r1 r2 )
CC2 := cc(r1 r2 )
CC1 CC1 ˜
CC1 S, CC2
˜
Compare CC1 and CC2 . Check S.
sigskU (r1 r2 ) PIN
sigskU (r1 r2 )
OK
MoMo, 07.09.2009 – 4 / 14
20. “Base” security model
s There are several users and servers, some under adversarial control.
s DigiDocService and mobile operator are honest.
x No confusion between different mobile operators.
s Client apps. and phones have no malware.
x The channels between the user and client app. / phone are
secure.
s The adversary controls the insecure channels. It can read and write
them.
s The adversary can take messages apart and construct new messages.
It can generate new keys, random numbers, etc.
s The adversary can start new sessions.
s The adversary schedules all parties.
MoMo, 07.09.2009 – 5 / 14
21. Perfect cryptography assumption
s Messages have structure
x It is their syntax tree.
s A message can be analysed only according to its structure:
x From (m1 , m2 ) find m1 and m2 .
x From enck (m) and k find m.
x etc.
s To construct a message, we need all of its parts:
x Need sk and m to construct sigsk (m).
x etc.
s Different structure ⇒ different message.
x does not apply to control codes.
s This is a constraint on the adversary!
MoMo, 07.09.2009 – 6 / 14
22. Security properties we care about
s If U and S are honest then the TLS key they agreed on will not
become known to the adversary.
s If S thinks it talks to U using key K and U is honest then U thinks
it talks to S using key K.
We are protecting an honest server
s Integrity for U follows from the properties of TLS handshake.
MoMo, 07.09.2009 – 7 / 14
23. Analysing the protocol
s We use the perfect cryptography assumption.
s The question “does protocol P” satisfy the security property S?” is
undecidable in general.
s Still, there are tools that take the description of a protocol and
output whether it is secure.
x Handle restricted classes of protocols.
x Sometimes give wrong answer.
s Only err at the side of caution.
s We have used ProVerif, http://www.proverif.ens.fr
s In the base security model the Mobile-ID identification protocol is
secure against network attacks.
MoMo, 07.09.2009 – 8 / 14
24. Relaxing the security model
s DigiDocService and Mobile Operator are just mediating parties.
s The security of the protocol should not depend on their honesty.
MoMo, 07.09.2009 – 9 / 14
27. A possible scenario
U
U
S′
S
U, S ′ , m′ , r1
′
DDS
MoMo, 07.09.2009 – 10 / 14
28. A possible scenario
U
U
S′
S
U, S ′ , m′ , r1
′
U
DDS
MoMo, 07.09.2009 – 10 / 14
29. A possible scenario
U
U
S′
S
U, S ′ , m′ , r1
′
U
U, S,
m, r1
DDS
MoMo, 07.09.2009 – 10 / 14
30. A possible scenario
U
U
Generate r2 , r2 , such that
′
S′
S
cc(r1 r2 ) = c = cc(r1 r2 )
′ ′
U, S ′ , m′ , r1
′
U
U, S,
m, r1
DDS
MoMo, 07.09.2009 – 10 / 14
31. A possible scenario
U
U
S ′ , m ′ , r1 r 2
S′
S
U, S ′ , m′ , r1
′
U
U, S,
m, r1
DDS MO
′ ′
cc(r1 r2 ) = c = cc(r1 r2 )
MoMo, 07.09.2009 – 10 / 14
32. A possible scenario
U
U
S ′ , m ′ , r1 r 2
S′
S
c
U, S ′ , m′ , r1
′
U
c
U, S,
m, r1
DDS MO
′ ′
cc(r1 r2 ) = c = cc(r1 r2 )
MoMo, 07.09.2009 – 10 / 14
33. A possible scenario
U
c
U
S ′ , m ′ , r1 r 2
S′
S
c
U, S ′ , m′ , r1
′
U
c
U, S,
m, r1
DDS MO
′ ′
cc(r1 r2 ) = c = cc(r1 r2 )
MoMo, 07.09.2009 – 10 / 14
34. A possible scenario
U
c
U
S ′ , m ′ , r1 r 2
S′
S
c
U, S ′ , m′ , r1
′
U
c
U, S,
m, r1
sigskU (r1 r2 )
DDS MO
′ ′
cc(r1 r2 ) = c = cc(r1 r2 )
MoMo, 07.09.2009 – 10 / 14
35. A possible scenario
U
c
U
S ′ , m ′ , r1 r 2
S′
S
c
sigskU (r1 r2 ) U, S ′ , m′ , r1
′
U
c
U, S,
m, r1
sigskU (r1 r2 )
DDS MO
′ ′
cc(r1 r2 ) = c = cc(r1 r2 )
MoMo, 07.09.2009 – 10 / 14
36. A possible scenario
Attack works even if the U
server computes the c
control code c U
S ′ , m ′ , r1 r 2
S′
S
c
sigskU (r1 r2 ) U, S ′ , m′ , r1
′
U
c
U, S,
m, r1
sigskU (r1 r2 )
DDS MO
′ ′
cc(r1 r2 ) = c = cc(r1 r2 )
MoMo, 07.09.2009 – 10 / 14
37. Malware in user’s computer
s Full control over the client app. means knowing the TLS keys.
s Even a keylogger can cause a lot of harm if using the ID-card.
s A similar level of control for the mobile-ID protocol might be the
control over which control code is shown to the user.
s If the display manipulator also has network access then the protocol
can be broken.
MoMo, 07.09.2009 – 11 / 14
43. A possible scenario
U
U
S
U, S, m, r1
′ U
U, S, m, r1
DDS
MoMo, 07.09.2009 – 12 / 14
44. A possible scenario
U
U
S
U, S, m, r1
c c′
′ U
U, S, m, r1
DDS
′
r 2 , r2
MoMo, 07.09.2009 – 12 / 14
45. A possible scenario
U
′ ′
S, m, r1 r2
S, m, r1 r2 U
S
MO
U, S, m, r1
c c′
′ U
U, S, m, r1
DDS
′
r 2 , r2
MoMo, 07.09.2009 – 12 / 14
46. A possible scenario
U
′ ′
S, m, r1 r2
c
S, m, r1 r2 U
S
MO
U, S, m, r1
c′
c c′
′ U
U, S, m, r1
DDS
′
r 2 , r2
MoMo, 07.09.2009 – 12 / 14
47. A possible scenario
c′
U
′ ′
S, m, r1 r2
c
S, m, r1 r2 U
S
MO
U, S, m, r1
c′
c c′
′ U
U, S, m, r1
DDS
′
r 2 , r2
MoMo, 07.09.2009 – 12 / 14
48. A possible scenario
c′
U
′ ′
sigskU (r1 r2 ) ′ ′
S, m, r1 r2
c
S, m, r1 r2 U
S
MO
U, S, m, r1
c′
c c′
′ U
U, S, m, r1
DDS ′ ′
sigskU (r1 r2 )
′
r 2 , r2
MoMo, 07.09.2009 – 12 / 14
49. Other issues
s If the user is duped to connect to a rogue site, then a
man-in-the-middle attack is possible.
x The attack gives the adversary access to the real site in the
name of the user.
x This attack is also present when authenticating with passwords
(code cards, code calculators, one-time passwords, etc.)
x This attack is not present when using the ID-card.
s The SIM-card software shows embedded newlines in m as line breaks.
x The server can construct a message m that obscures the actual
control code.
x Not exploitable if the DigiDocService is honest; but must be
considered otherwise.
MoMo, 07.09.2009 – 13 / 14
50. Suggested changes
s Instead of signing the challenge r, sign (r, S).
s Whole challenge r should be chosen and the control code CC1
computed by S.
x S must avoid control code collsions in parallel sessions with the
same U .
s Change the way m and CC2 are shown on the phone screen and/or
educate users such that CC2 will not be obscured.
Still no protection against trojans in phone or computer.
MoMo, 07.09.2009 – 14 / 14