Alexandra Dirksen

Alexandra Dirksen is a PhD Candidate since May 2018 and is currently working in the field of Web Security & Privacy, Web PKI and Large Scale Adversaries.
Her further interests are different topics of Applied Cryptography and Ethics in Computer Science.

She is currently part of the KIWI Project, where she works on mechanisms to detect security issues in OAuth protocol flows at runtime.

Room IZ 209A

a.dirksen[at]tu-braunschweig.de

@z4lem

+49 531/391-2270

STUDENT PROJECTS

If you're interested in one of my project calls or any of my other fields of interest, feel free to contact me.
You can find my Lego specific project calls on the LegoLab's website.

Certificate Transparency (CT) aims to remedy certificate-based threats on the web, by making the issuance and existence of SSL certificates open to scrutiny by domain owners/users and CAs.
However, even by utilizing CT the certificate issuance process still suffers from several security and privacy issues. We are working on a protocol extension for CT, to mitigate most of those issues.

The goal of this project is the development and evaluation of a new software for CT logs, according to our new protocol's flow and security goals (LogPicker).
The estimated steps in this project are:

Analysis of the CT ecosystem's state of the art log software and the new protocol's flow
Developing and extending a log software, which integrates the new flow and respects the security goals
Performing and evaluating experiments, executed on a HPC cluster

This topic is suitable as a Master's project. In addition, it requires experience with the Go programming language in order to work with present CT software.

Websites that allow user log-in or external file access integrate specially developed protocols for this purpose. Well-known examples are the OpenID Connect and oAuth 2.0 protocols.
Due to their complexity and the number of different end points, such protocols are often susceptible to security issues on different levels (code based/ protocol flow/ misconfiguration).

The aim of the project is to build up a test suite (AuthLab) which can simulate such protocol flows. (E.g. during the module Praktikum IT Security 2)
This suite can then be used in the context of research and teaching to conduct experiments with known security issues or to investigate potential new weaknesses.

This topic offers a wide range of possibilities for a final thesis that builds on this project.

PUBLICATIONS

LogPicker: Strengthening Certificate Transparency Against Covert Adversaries.
Alexandra Dirksen, David Klein, Robert Michael, Tilman Stehr, Konrad Rieck and Martin Johns.
Proceedings on Privacy Enhancing Technologies (PETS'21)

Towards Enabling Secure Web-based Cloud Services using Client-side Encryption
Martin Johns, Alexandra Dirksen
Proceedings of ACM Workshop on Cloud Computing Security (CCSW’20) [BIB]

TALKS

LogPicker: Strengthening Certificate Transparency against Covert Adversaries
- PETS'21, Gather.town (virtual)

Towards enabling Secure Web-Based Cloud Services using Client-Side Encryption
- CCSW'21, Gather.town (virtual) [Slides]

A Blockchain Picture Book [Video]
- 35C3, 29.12.2018, Leipzig, Germany
- DMZ Europe, 08.11.2018, Stuttgart, Germany

SUPERVISED THESES

Master's Thesis by Tilman Stehr

Certificate Transparency (CT) is an extension to the web’s PKI that allows insight into the issuance of
TLS certificates by introducing public append-only logs, in which all certificates must be included.
Currently, CT can be circumvented by an attacker controlling a CA and several CT logs. We present
an attacker model for this attacker and derive security goals from it. Additionally, we derive design
goals from a review of related work.
We introduce LogPicker, which improves CT’s security by involving multiple logs in the logging of a
certificate. The logs use a distributed randomness protocol to unpredictably chose the log that is to
include the certificate. They generate proof of LogPicker’s execution with an aggregate signature
scheme.
An analysis LogPicker and related protocols to determine the probability of correctness depending
on the number of logs and the trust in each log is presented. The analysis shows that LogPicker can
significantly improve trust in the web’s PKI. Tests with a prototype implementation indicate that
LogPicker has reasonable performance, scalability, and failure tolerance.
We conclude that LogPicker constitutes a useful addition to CT that can be realistically implemented.
Further research into LogPicker is recommended, we suggest formal verification of the protocol
and expansion of the prototype implementation.

Bachelor's Thesis by Minela Becirovic

In recent years, data privacy and the usage of privacy-conscious applications have gained significant importance. With the implementation of security features like end-to-end encryption, applications like "Signal" offer strong security guarantees for their end-users.
In contrast to desktop or mobile applications, web-based applications are struggling to adopt client-side encryption due to various limitations. The risk of a data breach is increased when the web application uses JavaScript. This usage enables the execution of malicious JS code on the client-side where confidential data of the user resides unencrypted. This way an active JS attacker can access the user’s data without the user’s knowledge or consent.
One approach to deal with this issue is the idea of CryptoMembranes (CM). With the concept of CM, a new type of DOM element that enables native encryption on the client-side is introduced. By maintaining an encrypted and decrypted representation of confidential data on the client-side, the concept aims to provide strong protection against active JS attacks. As a result, only the user has access to the decrypted representation of the confidential data.
In this thesis, we will implement the CM concept as an extension for the Firefox browser. This way we practically evaluate to what extent the theoretical concept of the paper meets the defined privacy & security goals if implemented as a browser extension for legacy browsers.

TEACHING ASSISTANT

Year	Semester	Name
2022	SS	Anwendungssicherheit (Seminar)
21/22	WS	Programmieren 1 (Seminar)
		Anwendungssicherheit(Seminar)
2021	SS	Anwendungssicherheit (Seminar)
20/21	WS	Anwendungssicherheit (Seminar)
		TEAM: MTG Scanner, Lego@Space²
2020	SS	Anwendungssicherheit (Seminar)
		SEP: IAS_CONTENT0
19/20	WS	Anwendungssicherheit (Seminar)
		Projektarbeit: Lego@Space
18/19	WS	Anwendungssicherheit (Seminar)

FURTHER RESPONSIBILITY

Furthermore I am also responsible for the LegoLab.

Alexandra Dirksen

STUDENT PROJECTS

PUBLICATIONS

TALKS

SUPERVISED THESES

Master's Thesis by Tilman Stehr

Bachelor's Thesis by Minela Becirovic

TEACHING ASSISTANT

FURTHER RESPONSIBILITY

Für alle

Für Studierende

Interne Tools

Kontakt