Dr. Tomáš Rosa
I was born in 1974
in Prague, Czech Republic. I received an M.Sc. degree in theoretical computer
science at the Faculty of Electrical Engineering (FEE) at the
Czech Technical University in Prague (CTU
in Prague). The theme of my doctoral dissertation thesis reads “Modern
Cryptology: Standards Are Not Enough” (online
version of the Ph.D. thesis). It was a joint study program also at the Faculty of Mathematics and
Physics of the Charles
University in Prague and it was honored by the Best Doctoral Work
Award of the Rector of CTU in Prague
for the year of 2004. As an external lecturer and researcher, I closely
cooperate with the Department
of Algebra of the Faculty
of Mathematics and Physics of the Charles University in Prague and
with the Faculty of Information
Technology of CTU in Prague.
Here is a personal
page of my colleague and friend Dr.
Vlastimil Klíma who I often cooperate on research projects with. You can
also find some of our joint publications there.
Membership: Cryptoworld (CZ)
Quick Links: Cryptology For Practice (CZ), PicNic
– HF RFID Emulator/Spyware
2004 – Yet Senior
Cryptologist with Raiffeisenbank (merged
with eBanka in summer 2008)
Having successfully established the information
security department for eBanka (cf. below), I enjoy working in this
department as a senior cryptologist, or broadly speaking as senior information
security expert. That involves solving information security problems using
formal models and methods. A considerable part of my job is internal evaluation
of security products. Obviously, any modern bank requires its systems to be
under close and continuous security supervision during their design and
maintenance. That presents me with various very interesting problems from the area
of modern cryptology. I do actively promote the approach based on applied
cryptanalysis as a natural and important counterpart to applied
cryptography. I am also focused on the security of embedded systems
(including the smart phone platforms like Android, iOS, etc.), RFID, NFC, and
EMV cards. Besides that I also somehow participate in the design and implementation
of the whole information security strategy of Raiffeisenbank. Through the
Vienna headquarters, I also provide the aforementioned services for the whole
group of Raiffeisen Bank
2003 – 2004
Information Security Director with eBanka
The objective of this job was to provide
certain technology vision and leadership to start developing and implementing
information security program in the bank. I was responsible for establishing a
secure environment for its information assets. That included, but was not
limited to: security surveys and risk analyses, development of security
policies, standards, procedures and guidelines, design and analysis of security
countermeasures, intrusion detection, incident handling, disaster recovery
planning, etc. Besides this position I continued working on cryptology
research, mainly in the area of applied cryptography and cryptanalysis. In
fact, this job gave me very good inspiration for that, since I could easily
recognize how modern cryptology fits into the whole puzzle of information
security. Seeing the lack of essential cryptologic knowledge together with
facing its practical consequences motivated our joint (with Dr. Vlastimil Klíma) effort on
writing an easy to read, easy to understand, and easy to get serial on Cryptology for Practice.
2001 – 2003 Chief Cryptologist
with ICZ Co.
As the chief cryptologist, I worked on
projects in the area of applied cryptographic research. This mainly included
joint work with the Czech National Security Authority (CNSA) on cryptographic devices
designated to protect sensitive information at various security levels,
including the TOP
level (according to the law 148/1998 Coll., Czech Republic). In 2001 and
2003, on behalf of my results achieved, I received a special award of the board
of directors and CEO of ICZ Co.
1997 – 2001
Development Specialist, Development Manager with Decros Ltd.
Here, as an information security
specialist, I started working on an implementation and design of cryptographic
countermeasures into various protecting devices. Since 1999, I led a small
security team which was focused on the joint work with CNSA aimed at the development of
special purpose cryptographic devices.
1993 – 1999
Independent Security Consultant & Publicist
Besides various consultations, studies and
expert’s findings, I worked on a security devices evaluation in testing
laboratories of the computer magazine CHIP
(in Czech Republic).
Cryptology, Side Channel
Cryptanalysis, Cryptographic Algorithms and Protocols, Quantum Cryptography,
Quantum Cryptanalysis, Risk Analysis, Mathematical Foundations of Information
Security, Security Management, and Information Management
notes and publications (selected):
- Cryptology for Practice. A serial aimed to serve
as a basic handbook of modern applied cryptology. It should mainly be
useful for security architects and cryptology students (undergraduate
level). Also, several notes on RFID security are presented there. (CZ)
- Security (In)Dependence of Mobile and
Internet Banking. ICT in Financial Institutions, Prague, February
27th, 2013. First part of the presentation is devoted to
emerging cross-platform attacks. Especially, various techniques of
cross-platform infection are discussed. This is then used to show that those
popular mobile Transaction Authentication Number (mTAN) techniques are
rather on their way down. We show that having a mobile banking application
is not just a luxury, as it can also be viewed as kind of countermeasure. Of
course, this countermeasure is by no means definitive, as it is shown in
mobile threats elaboration in second part. It may, however, give us some
time to think about either external “smart” tokens or to finally bring TrustZone
into its real life. Either way, we shall recognize there is rather strong
dependence in between mobile and internet banking. We shall care about
mobile devices security even (!) if our objective is just the internet
- Discovering PIN Prints In Mobile
Applications. Lecture at Security
2013, Prague (February 20th). Despite it being feasible to
achieve reliable resistance against the After-Theft
Attack, we can still spot terribly flawed design patterns that
instead of defeating them rather do actively promote such attacks. In this
presentation, we detail cryptographic issues connected with so-called PIN prints
in applications aiming at two-factor authentication. We show various
examples of such PIN prints that were already met in practice together
with a (very slight) “computation-oriented” information theoretic analysis
of how much information can be conveyed by such a PIN print, while transferring
this to show how long a PIN can be reliably brute-forced based on that
particular PIN print.
- NFC On Mobile - On the Real Security of
Mobile Payments. Lecture at the workshop Cards 2012,
Prague. It is an extended version of the overviewing presentation from
Mobile Payments 2012 (cf. below on this page).
- Mobile Devices Security - On Practical
Risks of NFC Payments. Lecture at the workshop Mobile
Payments 2012, Prague. It is mainly focused on smart phone operating
systems integrity, since this is the part that really deserves great
attention, now. We rephrase iOS Jailbreaking as a world-wide verified
proof showing us clearly even the best smart phone OS can be reliably (!)
hacked (this is not to say the author is strongly against this
initiative – we just reflect its security implications). Furthermore,
we show practical results of iPhone peripheral channels infiltration (we
use a simple MobileSubstrate
tweak to do that) which has direct impact on mobile payment
applications relying on external NFC controllers.
- The Decline and Dawn of Two-Factor
Authentication on Smart Phones. Invited lecture at Information Security
Summit 2012. Basic study on whether and how we can achieve adequate
two-factor authentication on smart phones. We define a simple threat model
and discuss the risk mitigation. The notion of distributed implicit PIN
verification armored with partial OTP verification is
introduced as a practical way on how to cope with this environment. The
emerging concept of TrustZone
is also touched. The accompanying presentation
serves a dual role – instead of repeating the countermeasures from the
main paper, it presents several hacking techniques emphasizing
insecurity of a disturbing amount of contemporary mobile applications.
- Note on a mobile security, or “How
the Brave Permutation Rescued a Naughty Keyboard”. Joint lecture
with Petr Dvořák from Inmite at Mobile DevCamp 2012. Besides recalling
wanted and unwanted design patterns, this lecture is also a continuation
of the study presented at Smart Cards & Devices Forum 2012 noted
below. It shows how exactly we have implemented the idea of the encrypted
keyboard in a certain mobile banking project that we have participated in.
- Smart Phones Security - How (Not) To
Summon The Devil. Invited lecture at Smart Cards & Devices
Forum 2012. Being addressed to smart phone applications developers and
penetration testers, the presentation shows typical vulnerabilities the
author has met in contemporary financial applications. Particular
experiments were done for Android and iOS environment, since - according
to author's opinion - these systems are the most interesting and important
ones. The results obtained, however, are generally applicable to almost
any smart phone platform.
- Android Ecosystem Integrity -
Possible Malware Cross-Infection Vector. Seminar note,
November 2011. This really is a trivial observation that is based on a
well-known approach on how to bypass the screen lock on certain Android
devices. Surprisingly, I have not seen it mentioned as a possible malware
cross-infection vector regarding attacks on those popular SMS-based
two-factor authentication schemes. So, I wrote this simple note for my
students. Superseded by Smart
Phones Security - How (Not) To Summon The Devil and also exploited
in The Decline and Dawn of
Two-Factor Authentication on Smart Phones.
- RFID Security - Selected Areas of LF and HF
Applications. Invited lecture at Hacking & Security 2012 by
Soom.cz. Its aim is to illustrate
typical RFID vulnerabilities and their particular exploits. It begins by
trivial skimming attacks in the LF band and continues to the phenomenon of
RFID wormholes. Also touched is the NFC technology, mainly as a promising
hacking tool. Also included is a simple transformer-based tool for easier
debugging of point-to-point NFC communication with mobile devices (no
more those annoying “96” positions!).
- RFID Wormholes – the Case of
Contactless Smart Cards.
Invited lecture at SmartCard Forum 2011. The aim was to give a solid
overview of wormhole (or relay) attacks by looking at this phenomenon from
various viewpoints – physical principles, technical realization,
cryptographic countermeasures, NFC, etc. The experimental part is based on
using the libNFC library.
- Unleashing EMV Cards For Security
Santa’s Crypto Get-Together in Prague, December 2nd – 3rd,
2010 (slides, abstract). Invited lecture for the international cryptography
workshop organized in Prague. Together with the previous presentation
on approaching side channel experiments (cf. below) this is another part
of EMV Cards Trivium puzzle aimed to encourage academic research of
payment cards security.
- EMV Cards Trivium – A Fast Way to
Side Channel Experiments. This lecture was originally prepared
for the smartcard security research group at Masaryk University Faculty of
Informatics in Brno. It is, however, addressed to all those researchers
who would like to experiment with side channel attacks on EMV cards but
were afraid of their obscure complexity. To allow rapid card profiling, a
technique based on CAP/DPA-reader interaction is developed and described
here. We call it a CAP/DPA-teacher approach. June 2010.
- Authentication By Payment Card –
Experiences Gained By Penetration Tests (CZ). Invited lecture at
SmartCard Forum 2010. The main objective here was so-called connectable
CAP/DPA reader. Besides promising new user-friendly features, these
devices also introduce several new risks that shall be addressed
accordingly when deploying them in internet banking applications.
lecture notes on RFID security: SmartCard Forum 2009 (CZ, EN), Teleinformatika 2009 (CZ).
arising around non-repudiation of digital
signatures as an inspiration for quantum cryptologists, University of
Palacky, October 7, Olomouc, 2004. (CZ)
- Security Policy – a Document of Various
Looks and Purposes, lecture for security managers and directors at
IT Security 2004, staged by the Institute for
International Research, Wien. (CZ)
- Lecture on special cryptanalysis held for colleagues at the Department of Computer Science, June
2003 (zipped ppt, syllabus). (CZ)
projects and publications (selected ones):
- Android Binder Security. Started in
November 2011, this project aims to promote recognition of importance and
further research in the area of security of the Android binder framework –
its core Inter Process Communication mechanism.
- Hlaváč, M. and Rosa, T.: A Note on the Relay-Attacks on
e-passports – The Case of Czech e-passports, IACR ePrint archive 2007/244, Jun 2007.
- Hlaváč, M. and Rosa, T.: Extended
Hidden Number Problem and Its Cryptanalytic Applications, in Proc.
of SAC 2006, LNCS 4356, pp. 114-133, Springer-Verlag, 2007.
- Rosa, T.: Cryptographic
Insecurity of the Test&Repeat Paradigm, NATO Advanced Research
Workshop - Security and Embedded Systems, University of Patras, Greece,
2005. (slides in ppt)
- Rosa, T.: Lattice-based
Fault Attacks on DSA - Another Possible Strategy, in Proc. of
Security and Protection of Information 2005, pp. 91-96, Brno, 2005.
- Rosa, T.: Non-repudiation of
digital signatures, in Proc. of 2nd Scientific and
Pedagogical Conference at ZMVS:
Juridical Regulation of Networked Society, Trebic, September 2004. Slides
used for the presentation are here.
The paper identifies an insufficiency of a strictly logical approach to
the subject of non-repudiation. It warns about problems arising on the
edge between mathematical and juridical reasoning and sketches possible
- Dissertation thesis, mainly on Side
- Klíma, V., Pokorný, O., and Rosa, T.: Attacking RSA-based Sessions in SSL/TLS, in Proc. of CHES 2003, Cologne, Germany,
September 2003, pp. 426-440, Springer-Verlag, 2003. For an extended
version, see IACR ePrint
archive 2003/052, March 2003. Slides used
for the presentation are here.
- Klíma, V., Rosa, T.: Side
Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format, in Proc. of
Security and Protection of Information 2002, NATO PfP/PWP
- 2nd International Scientific Conference Security and Protection of
Information, Brno, Czech Republic, 28th – 30th of
- Klíma, V. and Rosa, T.: Further Results and Considerations on
Side Channel Attacks on RSA, in Proc. of CHES 2002, San Francisco Bay, USA,
August 2002, pp. 245-260, Springer-Verlag, 2002. Slides used
for the presentation are here.
- Klíma, V. and Rosa, T.: Strengthened Encryption in the
CBC Mode, IACR ePrint
archive 2002/061, May 2002.
- Rosa, T.: On the
Key-collisions in the Signature Schemes (CZ), in Proc. of workshop
VKB 2002, pp. 14-26, 2002, Brno. These slides (EN) belong to the Czech
version of the paper. The paper won
the best presentation award on the workshop VKB 2002. The paper differs
from the one presented at CRYPTO 2002 Rump Session in that it also
discusses k-collisions in RSA schemes. On the other hand the paper
listed below is more general and it also elaborates possible
countermeasures more deeply and precisely.
- Rosa, T.: Key-collisions
in (EC)DSA: Attacking Non-repudiation, CRYPTO 2002 Rump Session,
IACR ePrint archive 2002/129,
Santa Barbara, USA, August 2002. Slides used for the Rump Session
presentation are available here.
- Rosa, T.: Future Cryptography: Standards are not
Enough, in Proc. of Security and Protection of Information 2001, NATO PfP/PWP
– 1st International Scientific Conference Security and Protection of
Information, Brno, Czech Republic, 9th – 11th
of May 2001.
- Klíma, V. and
Rosa, T.: Attack on
Private Signature Keys of the OpenPGP format, PGP (TM) Programs and Other
Applications Compatible with OpenPGP, IACR ePrint archive 2002/076, version 1, March
2001, minor update on June 2002. For somehow re-factored elaboration of
this subject please see my dissertation thesis here.
- Kupča, V. and
Rosa, T.: Theory and Perspectives
of Quantum Computers, in Proc. of Workshop 2001 - Part A, pp.
192-193, CTU Prague, 2001. This short article summarizes the results of
diploma thesis presented by Vojtěch Kupča at the Department of Computer
Science at FEE, CTU in Prague, and led by Tomáš Rosa.
- From time to time,
you can see my contributions at the Czech cryptologic news
server. The aim of the server is to bring the reader’s attention to fresh,
but also certainly matured topics related to cryptology and/or information
- Here you can
find an interview with me done
for a weekend supplement of the newspaper Hospodářské
noviny in May 2003. Partly, it is based on our attack on SSL/TLS (cf. above).
Last update: February 28th,