Personal page: Dr. Tomáš Rosa

$Description: Description: Description: Description: Description: Description: C:\Eskimo\2012\Kauzy_projekty\publikace a prednasky\www\hyperlink\files\face_country.jpg$ I was born in 1974 in Prague, Czech Republic. I received M.Sc. degree in theoretical computer science at the Faculty of Electrical Engineering (FEE) at the Czech Technical University in Prague (CTU in Prague). The theme of my doctoral dissertation thesis reads “Modern Cryptology: Standards Are Not Enough” (online version of the Ph.D. thesis). It was a joint study program also at the Faculty of Mathematics and Physics of the Charles University in Prague and it was honored by the Best Doctoral Work Award of the Rector of CTU in Prague for the year of 2004. As an external lecturer and researcher, I closely cooperate with the Department of Algebra of the Faculty of Mathematics and Physics of the Charles University in Prague and with the Faculty of Information Technology of CTU in Prague.

Here is a personal page of my colleague and friend Dr. Vlastimil Klíma who I often cooperate on research projects with. You can also find some of our joint publications there.

Membership: Cryptoworld (CZ)

Quick Links: Cryptology For Practice (CZ), PicNic – HF RFID Emulator/Spyware

Work experience:

2004 – Yet Senior Cryptologist with Raiffeisenbank (merged with eBanka in summer 2008)

Having successfully established information security department for eBanka (c.f. bellow), I enjoy working in this department as a senior cryptologist, or broadly speaking as senior information security expert. That involves solving information security problems using formal models and methods. A considerable part of my job is internal evaluation of security products. Obviously, any modern bank requires its systems to be under close and continuous security supervision during their design and maintenance. That presents me various very interesting problems from the area of modern cryptology. I do actively promote the approach based on applied cryptanalysis as a natural and important counterpart to applied cryptography. I am also focused on the security of embedded systems (including the smart phone platforms like Android, iOS, etc.), RFID, NFC, and EMV cards. Besides that I also somehow participate on design and implementation of the whole information security strategy of Raiffeisenbank. Through the Vienna headquarter, I also provide the aforementioned services for the whole group of Raiffeisen Bank International.

2003 – 2004 Information Security Director with eBanka

The objective of this job was to provide certain technology vision and leadership to start developing and implementing information security program in the bank. I was responsible for establishing a secure environment for its information assets. That included, but was not limited to: security surveys and risk analyses, development of security policies, standards, procedures and guidelines, design and analysis of security countermeasures, intrusion detection, incident handling, disaster recovery planning, etc. Besides this position I continued working on cryptology research, mainly in the area of applied cryptography and cryptanalysis. In fact, this job gave me very good inspiration for that, since I could easily recognize how modern cryptology fits into the whole puzzle of information security. Seeing the lack of essential cryptologic knowledge together with facing its practical consequences motivated our joint (with Dr. Vlastimil Klíma) effort on writing an easy to read, easy to understand, and easy to get serial on Cryptology for Practice.

2001 – 2003 Chief Cryptologist with ICZ Co.

As the chief cryptologist, I worked on projects in the area of applied cryptographic research. This mainly included joint work with the Czech National Security Authority (CNSA) on cryptographic devices designated to protect sensitive information at various security levels, including the TOP SECRET level (according to the law 148/1998 Coll., Czech Republic). In 2001 and 2003, on behalf of my results achieved, I received a special award of the board of directors and CEO of ICZ Co.

1997 – 2001 Development Specialist, Development Manager with Decros Ltd.

Here, as an information security specialist, I started working on an implementation and design of cryptographic countermeasures into various protecting devices. Since 1999, I led a small security team which was focused on the joint work with CNSA aimed on the development of special purpose cryptographic devices.

1993 – 1999 Independent Security Consultant & Publicist

Besides various consultations, studies and expert’s findings, I worked on a security devices evaluation in testing laboratories of the computer magazine CHIP (in Czech Republic).

Research area:

Cryptology, Side Channel Cryptanalysis, Cryptographic Algorithms and Protocols, Quantum Cryptography, Quantum Cryptanalysis, Risk Analysis, Mathematical Foundations of Information Security, Security Management, and Information Management

Lecture notes and publications (selected):

Cryptology for Practice. A serial aimed to serve as a basic handbook of modern applied cryptology. It should mainly be useful for security architects and cryptology students (undergraduate level). Also, several notes on RFID security are presented there. (CZ)
Security (In)Dependence of Mobile and Internet Banking. ICT in Financial Institutions, Prague, February 27^th, 2013. First part of the presentation is devoted to emerging cross-platform attacks. Especially, various techniques of cross-platform infection are discussed. This is then used to show that those popular mobile Transaction Authentication Number (mTAN) techniques are rather on their way down. We show that having a mobile banking application is not just a luxury, as it can also be viewed as kind of countermeasure. Of course, this countermeasure is by no means definitive, as it is shown in mobile threats elaboration in second part. It may, however, give us some time to think about either external “smart” tokens or to finally bring TrustZone into its real life. Either way, we shall recognize there is rather strong dependence in between mobile and internet banking. We shall care about mobile devices security even (!) if our objective is just the internet banking only.
Discovering PIN Prints In Mobile Applications. Lecture at Security 2013, Prague (February 20^th). Despite it being feasible to achieve reliable resistance against the After-Theft Attack, we can still spot a terribly flawed design patterns that instead of defeating them rather do actively promote such attacks. In this presentation, we detail cryptographic issues connected with so-called PIN prints in applications aiming at two-factor authentication. We show various examples of such PIN prints that were already met in practice together with a (very slight) “computation-oriented” information theoretic analysis of how much information can be conveyed by such a PIN print, while transferring this to show how long PIN can be reliably brute-forced basing on that particular PIN print.
NFC On Mobile - On the Real Security of Mobile Payments. Lecture at the workshop Cards 2012, Prague. It is an extended version of the overviewing presentation from Mobile Payments 2012 (cf. bellow on this page).
Mobile Devices Security - On Practical Risks of NFC Payments. Lecture at the workshop Mobile Payments 2012, Prague. It is mainly focused on smart phone operating systems integrity, since this is the part that really deserves great attention, now. We rephrase iOS Jailbreaking as a world-wide verified proof showing us clearly even the best smart phone OS can be reliably (!) hacked (this is not to say the author is strongly against this initiative – we just reflect its security implications). Furthermore, we show practical results of iPhone peripheral channels infiltration (we use a simple MobileSubstrate tweak to do that) which has direct impact on mobile payment applications relying on external NFC controllers.
The Decline and Dawn of Two-Factor Authentication on Smart Phones. Invited lecture at Information Security Summit 2012. Basic study on whether and how we can achieve adequate two-factor authentication on smart phones. We define a simple threat model and discus the risk mitigation. The notion of distributed implicit PIN verification armored with partial OTP verification is introduced as a practical way on how to cope with this environment. The emerging concept of TrustZone is also touched. The accompanying presentation serves a dual role – instead of repeating the countermeasures from the main paper, it presents several hacking techniques emphasizing insecurity of disturbing amount of contemporary mobile applications.
Note on a mobile security, or “How the Brave Permutation Rescued a Naughty Keyboard”. Joint lecture with Petr Dvořák from Inmite at Mobile DevCamp 2012. Besides recalling wanted and unwanted design patterns, this lecture is also a continuation of the study presented at Smart Cards & Devices Forum 2012 noted bellow. It shows how exactly we have implemented the idea of the encrypted keyboard in certain mobile banking project that we have participated on.
Smart Phones Security - How (Not) To Summon The Devil. Invited lecture at Smart Cards & Devices Forum 2012. Being addressed to smart phone applications developers and penetration testers, the presentation shows typical vulnerabilities the author has met in contemporary financial applications. Particular experiments were done for Android and iOS environment, since - according to author's opinion - these systems are the most interesting and important ones. The results obtained, however, are generally applicable to almost any smart phone platform.
Android Ecosystem Integrity - Possible Malware Cross-Infection Vector. Seminar note, November 2011. This really is a trivial observation that is based on a well-known approach on how to bypass the screen lock on certain Android devices. Surprisingly, I have not seen it mentioned as a possible malware cross-infection vector regarding attacks on those popular SMS-based two-factor authentication schemes. So, I wrote this simple note for my students. Superseded by Smart Phones Security - How (Not) To Summon The Devil and also exploited in The Decline and Dawn of Two-Factor Authentication on Smart Phones.
RFID Security - Selected Areas of LF and HF Applications. Invited lecture at Hacking & Security 2012 by Soom.cz. Its aim is to illustrate typical RFID vulnerabilities and their particular exploits. It begins by trivial skimming attacks in the LF band and continues to the phenomenon of RFID wormholes. Also touched is the NFC technology, mainly as a promising hacking tool. Also included is a simple transformer-based tool for easier debugging of point-to-point NFC communication with mobile devices (no more those annoying “96” positions!).
RFID Wormholes – the Case of Contactless Smart Cards. Invited lecture at SmartCard Forum 2011. The aim was to give a solid overview of wormhole (or relay) attacks by looking at this phenomenon from various viewpoints – physical principles, technical realization, cryptographic countermeasures, NFC, etc. The experimental part is based on using libNFC library.
Unleashing EMV Cards For Security Research, Santa’s Crypto Get-Together in Prague, December 2^nd – 3^rd, 2010 (slides, abstract). Invited lecture for the international cryptography workshop organized in Prague. Together with the previous presentation on approaching side channel experiments (cf. bellow) this is another part of EMV Cards Trivium puzzle aimed to encourage academic research of payment cards security.
EMV Cards Trivium – A Fast Way to Side Channel Experiments. This lecture was originally prepared for the smartcard security research group at Masaryk University Faculty of Informatics in Brno. It is, however, addressed to all those researchers who would like to experiment with side channel attacks on EMV cards but were afraid of their obscure complexity. To allow rapid card profiling, a technique based on CAP/DPA-reader interaction is developed and described here. We call it a CAP/DPA-teacher approach. June 2010.
Authentication By Payment Card – Experiences Gained By Penetration Tests (CZ). Invited lecture at SmartCard Forum 2010. The main objective here was so-called connectable CAP/DPA reader. Besides promising new user-friendly features, these devices also introduce several new risks that shall be addressed accordingly when deploying them in internet banking applications.
Certain lecture notes on RFID security: SmartCard Forum 2009 (CZ, EN), Teleinformatika 2009 (CZ).
Problems arising around non-repudiation of digital signatures as an inspiration for quantum cryptologists, University of Palacky, October 7, Olomouc, 2004. (CZ)
Security Policy – a Document of Various Looks and Purposes, lecture for security managers and directors at IT Security 2004, staged by the Institute for International Research, Wien. (CZ)
Lecture on special cryptanalysis held for colleagues at the Department of Computer Science, June 2003 (zipped ppt, syllabus). (CZ)

Research projects and publications (selected ones):

Android Binder Security. Started in November 2011, this project aims to promote recognition of importance and further research in the area of security of the Android binder framework – its core Inter Process Communication mechanism.
Hlaváč, M. and Rosa, T.: A Note on the Realay-Attacks on e-passports – The Case of Czech e-passports, IACE ePrint archive 2007/244, Jun 2007.
Hlaváč, M. and Rosa, T.: Extended Hidden Number Problem and Its Cryptanalytic Applications, in Proc. of SAC 2006, LNCS 4356, pp. 114-133, Springer-Verlag, 2007.
Rosa, T.: Cryptographic Insecurity of the Test&Repeat Paradigm, NATO Advanced Research Workshop - Security and Embedded Systems, University of Patras, Greece, 2005. (slides in ppt)
Rosa, T.: Lattice-based Fault Attacks on DSA - Another Possible Strategy, in Proc. of Security and Protection of Information 2005, pp. 91-96, Brno, 2005.
Rosa, T.: Non-repudiation of digital signatures, in Proc. of 2^nd Scientific and Pedagogical Conference at ZMVS: Juridical Regulation of Networked Society, Trebic, September 2004. Slides used for the presentation are here. The paper identifies an insufficiency of a strictly logical approach to the subject of non-repudiation. It warns about problems arising on the edge between mathematical and juridical reasoning and sketches possible solutions. (CZ)
Dissertation thesis, mainly on Side Channel Cryptanalysis.
Klíma, V., Pokorný, O., and Rosa, T.: Attacking RSA-based Sessions in SSL/TLS, in Proc. of CHES 2003, Cologne, Germany, September 2003, pp. 426-440, Springer-Verlag, 2003. For an extended version, see IACR ePrint archive 2003/052, March 2003. Slides used for the presentation are here.
Klíma, V., Rosa, T.: Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format, in Proc. of Security and Protection of Information 2002, NATO PfP/PWP - 2nd International Scientific Conference Security and Protection of Information, Brno, Czech Republic, 28^th – 30^th of April 2003.
Klíma, V. and Rosa, T.: Further Results and Considerations on Side Channel Attacks on RSA, in Proc. of CHES 2002, San Francisco Bay, USA, August 2002, pp. 245-260 , Springer-Verlag, 2002. Slides used for the presentation are here.
Klíma, V. and Rosa, T.: Strengthened Encryption in the CBC Mode, IACR ePrint archive 2002/061, May 2002.
Rosa, T.: On the Key-collisions in the Signature Schemes (CZ), in Proc. of workshop VKB 2002, pp. 14-26, 2002, Brno. These slides (EN) belong to the Czech version of the paper. The paper won the best presentation award on the workshop VKB 2002. The paper differs from the one presented at CRYPTO 2002 Rump Session in that it also discuses k-collisions in RSA schemes. On the other hand the paper listed bellow is more general and it also elaborates possible countermeasures more deeply and precisely.
Rosa, T.: Key-collisions in (EC)DSA: Attacking Non-repudiation, CRYPTO 2002 Rump Session, IACR ePrint archive 2002/129, Santa Barbara, USA, August 2002. Slides used for the Rump Session presentation are available here.
Rosa, T.: Future Cryptography: Standards are not Enough, in Proc. of Security and Protection of Information 2001, NATO PfP/PWP – 1st International Scientific Conference Security and Protection of Information, Brno, Czech Republic, 9^th – 11^th of May 2001.
Klíma, V. and Rosa, T.: Attack on Private Signature Keys of the OpenPGP format, PGP (TM) Programs and Other Applications Compatible with OpenPGP, IACR ePrint archive 2002/076, version 1, March 2001, minor update on June 2002. For somehow re-factored elaboration of this subject please see my dissertation thesis here.
Kupča, V. and Rosa, T.: Theory and Perspectives of Quantum Computers, in Proc. of Workshop 2001 - Part A, pp. 192-193, CTU Prague, 2001. This short article summarizes the results of diploma thesis presented by Vojtěch Kupča at the Department of Computer Science at FEE, CTU in Prague, and led by Tomáš Rosa.

Other Activities:

Time to time, you can see my contributions at the Czech cryptologic news server. The aim of the server is to bring reader’s attention at fresh, but also certainly matured topics related to cryptology and-or information security. (CZ)
Here you can find an interview with me done for a weekend supplement of the newspaper Hospodářské noviny in May 2003. Partly, it is based on our attack on SSL/TLS (c.f. above). (CZ)

Last update: February 28^th, 2013.

tomas_dot_rosa (at) rb_dot_cz