Dr. Tomáš Rosa
for risk analysis and security, earned Ph.D. in cryptology with the doctoral dissertation thesis “Modern
Cryptology: Standards Are Not Enough” (online
version of the Ph.D. thesis). Graduated in a joint study program at the Faculty of Electrical Engineering (FEE) of
the Czech Technical University in Prague (CTU
in Prague) together with Faculty of Mathematics and
Physics of the Charles
University in Prague. My doctoral thesis received the Best Doctoral Work
Award of the Rector of CTU in Prague
for the year of 2004. As an external lecturer and researcher, I closely
cooperate with the Department
of Algebra of the Faculty
of Mathematics and Physics of the Charles University in Prague and
with the Faculty of Information
Technology of CTU in Prague.
-- "There are people, fluent in math. There are others fluent in plain talk.
The ones, who are fluent in both, might be then influential."
-- "Essentially, all models are insecure, but some are safe."
Professional Membership: IACR, UCMP
Quick Links: Cryptology For Practice (CZ), PicNic
– HF RFID Emulator/Spyware
Here is a personal
page of my colleague and friend Dr.
Vlastimil Klíma who I often cooperate on research projects with. You can
also find some of our joint publications there.
2004 – Yet Principal
Cryptologist with Raiffeisenbank and Raiffeisen Bank International Competence Centre for Cryptology and Biometrics
This involves solving information security problems using
formal models and methods. A considerable part of my job is an internal evaluation
of security products as well as designing our own security mechanisms.
That presents me various very interesting problems from the area
of computer science with certain accent on applied mathematics and physics.
I do actively promote the approach based on applied
cryptanalysis as a natural and important counterpart to applied
cryptography. I am also focused on the security of embedded and radio systems
such as RFID, NFC, EMV cards, GNSS, mobile networks, and biometrics (perceived as a signal detection
and estimation problem).
2003 – 2004
Information Security Director with eBanka
The objective of this job was to provide
certain technology vision and leadership to start developing and implementing
information security program in the bank. I was responsible for establishing a
secure environment for its information assets. That included, but was not
limited to: security surveys and risk analyses, development of security
policies, standards, procedures and guidelines, design and analysis of security
countermeasures, intrusion detection, incident handling, disaster recovery
planning, etc. Besides this position I continued working on cryptology
research, mainly in the area of applied cryptography and cryptanalysis. In
fact, this job gave me very good inspiration for that, since I could easily
recognize how modern cryptology fits into the whole puzzle of information
security. Seeing the lack of essential cryptologic knowledge together with
facing its practical consequences motivated our joint (with Dr. Vlastimil Klíma) effort on
writing an easy to read, easy to understand, and easy to get serial on Cryptology for Practice.
2001 – 2003 Chief Cryptologist
with ICZ Co.
As the chief cryptologist, I worked on
projects in the area of applied cryptographic research. This mainly included
joint work with the Czech National Security Authority (CNSA) on cryptographic devices designated
to protect sensitive information at various security levels, including the TOP SECRET level (according
to the law 148/1998 Coll., Czech Republic). In 2001 and 2003, on behalf of
my results achieved, I received a special award of the board of directors and
CEO of ICZ Co.
1997 – 2001
Development Specialist, Development Manager with Decros Ltd.
Here, as an information security
specialist, I started working on an implementation and design of cryptographic
countermeasures into various protecting devices. Since 1999, I led a small
security team which was focused on the joint work with CNSA aimed on the development of
special purpose cryptographic devices.
1993 – 1999 Independent
Security Consultant & Publicist
Besides various consultations, studies and
expert’s findings, I worked on a security devices evaluation in testing
laboratories of the computer magazine CHIP
(in Czech Republic).
Cryptology, Side Channel
Cryptanalysis, Cryptographic Algorithms and Protocols, Quantum Cryptography,
Quantum Cryptanalysis, Mathematical Modelling, Risk Analysis,
Mathematics and Physics in Computer Science, Information Theory,
Signal Processing, Radio Science.
notes and publications (selected):
- Cryptology for Practice. A serial aimed to serve
as a basic handbook of modern applied cryptology. It should mainly be useful
for security architects and cryptology students (undergraduate level).
Also, several notes on RFID security are presented there. (CZ)
Electronic Attack Vectors,
Information Security Summit, Prague, May 2023
Electronic Attacks on Computer Interfaces,
Fresh IT, Prague, March 2023
Unmasking the Signal of e-Mask Applications (GAEN hacking),
Mathematical Epidemiology - Compartmental Models Essentials,
Mathematical Epidemiology - Vaccination, Limits, and Rates,
Mathematical Epidemiology - Effective Reproduction Number
of mathematical epidemiology at the Faculty of Mathematics and Physics, Charles University, Prague, Autumn 2021
GARP Chapters: Mathematical Epidemiology,
Virtual chapters meeting, September 2021
KoroNERV-20 modelling meeting notes 2021:
These notes were used for discussions at our regular workshops when epi modelling was
the topics. They go uncommented, but with a moderate background,
I do believe they are self explaining. I put them here not only for my colleagues,
but to also pursue open modelling policy that I consider
Mathematical Epidemiology for... Security Analysts Again,
This time with a certain emphasis on the risk induced by the principal
invertibility and reversibility of the ODE-based models on the background
of the epidemic code controlling governmental decisions.
Mathematical Epidemiology for... just in case,
Financial Conference, Prague, June 10th, 2021. Explains mechanistic modelling using systems
of differential equations that can bring important insights into the principal code of epidemic.
This time, mainly for financial analysts to help them exploit this sort of a hidden determinism
in their economical analyses and predictions.
Mathematical Epidemiology for the People,
Internal Raiffeisen Bank seminars for financial analysts, March-April, 2021. Also touches non-pharmaceutical interventions,
vaccination models and endemic equilibria. The accent is on qualitative modelling using systems
of differential equations that can bring important insights into the principal code of epidemic.
Mathematical Epidemiology for KoroNERV-20.
KoroNERV-20 regular meeting, 30th of March, 2021. Explains the key ideas and principles of mathematical epidemiology to financial analysts. The emphasise was on mechanistic models formulated as systems of Ordinary Differential Equations, since these models do have many important properties for this particular kind of data science. The basic, effective, and controlled reproduction numbers were explained together with the herd immunity concept, all in the frame of the classical Kermack-McKendrick theory heritage. We also touched: non-pharmaceutical interventions, vaccination, very simple hospital occupation and prevalence relaxation models, etc. All with a qualitative accent on the principal understanding.
Mathematical Epidemiology for Security Analysts.
Security Meetup, 16th of February, 2021. We exemplify the power of mathematics when
applied to the epidemiological modelling, monitoring, and moderation. We view the contemporary
pandemic as a global security threat and to this end we also formulate several security-related
questions. Could there be a backdoor in the pandemic control system? How can we disprove
this? How can we simulate and verify our control strategy? What can we learn about
"patient zero" by reversing the time flow in a mechanistic model? Is the in-vivo
mathematical virology modelling a way to the security in-depth control principle?
eRouška Security, Privacy, and Impact.
Internal seminar, Prague, 2020. Evaluation of Google-Apple Exposure Notification framework,
which in turn addresses the Czech national contact tracing application "eRouška".
To also address the question "Why?", we touched the basis of mathematical modelling
of epidemics, hoping to illustrate general principles of its moderation.
Emerging Security Revolution as a Response to the Quantum Mechanics Threats.
Prague Payments Week, Prague, 2020.
Quantum Computation Fundamentals.
Online webinar, Prague, 2020.
RBI Quantum Hackathon Workbench, Part Two.
Prague and Bratislava, 2019. This time the focus was on the Learning Parity with Noise
problem from the quantum machine learning perspective, emphasising its
problematic usage as a cryptographic primitive under superposition queries.
The Advent of Quantum Computers.
Prague, 2019. Overview of the quantum computing phenomenon, its applications in
cryptanalysis and a brief outline of its peaceful usage in computational
chemistry and financial mathematics.
RBI Quantum Hackathon Workbench.
Prague and Vienna, 2019. This is to illustrate the quantum computing research activities that
our competence centre actively participates on internally in the whole group of
Raiffeisen Bank International.
Evil Qubits - The Threat of Quantum Cryptanalysis Explained.
Prague, 2019. One of many and actually a root of several other lectures I did on the topic
of the emerging era of quantum computer science and its implications for the future
cryptanalysis and cryptography.
Cyber Breakfast - Crime in the Radio Field.
Introduction into radio hacking based on the software-defined radio phenomenon.
It touches the security of mobile networks, GNSS, NFC from the radio perspective,
and Bluetooth LE adult toys.
Mobile Networks Hacking Techniques.
A quick overview of mobile networks vulnerabilities from the radio as well as signalling
systems perspective, mainly inspired by the privacy, integrity, and confidentiality
demands of financial services. A small disclaimer: As intelligence agencies are noted
to exploit some of these vulnerabilities here, I would like to add I am in no way surprised
nor disgusted they (have to) do so. Noting them here is just for the sake of completeness.
This text is a base for several public lectures on this topic I was giving in 2017.
GNSS Hacking in the Wild and Cryptographic Protections.
At ITSF 2016,
Prague, Oct 31st - Nov 3rd, 2016.
GPS Radio Hacking – What the Hell Time Is It?
At Information Security Summit, Prague, May 25th - 26th, 2016.
GNSS/GPS Radio Hacking - From Beautiful Equations to Serious Threats.
At QuBit Conference 2016,
Prague, April 12th - 14th, 2016.
This is a rather long (126 slides in total) lecture presentation that is meant
to be a GNSS/GPS hacking and security analysis trivium. It contains basic overview
of the GNSS principle exposing the physical connection in between the position, velocity, and time
computation and the underlying signal processing. In its second part, the basic
meaconing and spoofing attacks are exemplified in such a way they can be
easily repeated, while keeping certain academic rigor, so other researchers can
continue with their own approach. To that end, mathematical and physical
principles of the digital signal processing for software-defined radios together with
noise analysis in electronic circuits as well as a short introduction into real signal
transmission setups is also provided to such an extent that it sufficiently supports
the experiments documented here. Interestingly, in the meaconing experiment,
it can be seen that the EGNOS channel PRN120 (Inmarsat 3F2 AOR-E) has also been
successfully recorded and replayed, thereby illustrating a working attack on the EGNOS
safety mechanism. Of course, any SBAS clearly cannot address the reception
of fake signals by individual receivers, so this is not to show EGNOS would be
useless. Just to point out its strength has its limits. Finally, suggested references
for further study are also included in a classified way to help to pick up the right ones.
Update (05/12/16): GLONASS L1OF replay attack illustrated.
Update (05/26/16): Incidental radiation snapshots.
Software-Defined Radios Expose NFC and GPS Vulnerabilities.
At Security 2016,
Prague, February 17th, 2016.
- Radio Attacks on NFC, GPS, and Mobiles.
Advent seminar note for students at FIT, CTU in Prague, December 21st, 2015.
In very short and gentle introduction into mathematical groundings of Software Defined
Radio (SDR), we argue SDR will probably accelerate RF hacking in general. Therefore,
we shall pay attention even to those "exotic" attack that might have seem perhaps
too "theoretical". Once somebody creates an RF application exploit (as we know them
from the classical computer security), this SDR-exploit can be spread around the world
almost instantly. So, those "theoretical" weaknesses of NFC and GPS do matter, now!
Even that IEMI injection of commands into mobile voice assistants, despite looking
more o less like a funny game now, can be a useful part of cyber warfare portfolio.
Especially, provided we recognise IEMI can target not only those voice assistants.
- X-Platform Advanced Persistant Thread.
ISACA IT Governance 2015, Pilsen, October 13th - 15th, 2015.
Cross-platform attack is any fraudulent activity that exploits vulnerabilities
across different computing platforms. In particular, we review the following examples
here: Breaking the two-factor SMS-based authentication, Bluetooth Smart potential
weaknesses, and GPS spoofing.
- Bluetooth Low Energy - Smart
Choice With Just a Few Caveats.
Gemalto SafeNet Executive Day, Prague, October 8th, 2015.
Introduction into the BLE platform together with an overview of the
possible security opportunities and issues.
- Bluetooth Low Energy Ranging Primer.
Public seminar note, Prague, October, 2015.
Fundamental aspects of the BLE ranging problem are described, starting with
the essentials of the related EM field and antenna theory, going through
Friis transmission equation in the free space,
to a random process model for RSSI indicator of the a real BLE controller.
Based on this elaboration, several particular ranging procedures
can be devised
(I do apologize, this is not a part of the public edit version, since
it may contain certain company trade secrets, thanks for understanding).
- Coping with the Stochastic Biometrics.
At SPI 2015,
Brno, May 20th-21st, 2015.
Invited lecture, where I presented my approach to the biometrics from the
- Radio Aspects of NFC Security.
At Smart Cards & Devices Forum 2015,
Prague, May 19th, 2015.
Despite certain marketing claims, we show the NFC communication has a deeper
connection with the classical radio phenomenon then it seems to. We go deeper
into the antenna theory to show rigorously what are the common principles and
to what extent do they apply. On this platform, we review the physical layer
attacks on NFC. Especially, we warn about the sniffing attack that is usually possible
at somehow surprising distances. We also introduce a simple, however yet unpublished,
new Man-In-The-Middle approach that exploits the effects of the well-known linear
superposition in the electromagnetic field to allow monitoring as well as active
packet injections into an existing NFC channel. We emphasise that, similarly
to e.g. Wi-Fi or Bluetooth, the MITM attacker does not need to be exactly
in between the two communicating parties geometrically to get into their channel
in the logical sense.
With extended comments, this lecture was also presented to payment card experts
in the spring course of private workshops for
Widescreen cinema version of this lecture presented at the
- Biometrics as Signal Detection Problem.
At Security 2015,
Prague, February 18th, 2015.
Based on the lecture at Hacking & Security Conference 2014 below, this version
also includes certain notes on handwritten signatures security as deployed
in the so-called dynamic biometric signature applications in CZ.
- Biometrics - Trust But Test.
Hacking & Security Conference 2014, SOOM.CZ,
Prague, November 7th, 2014.
First part presents the biometrics as a statistical signal detection problem. It
emphasises biometric data mining techniques are the cornerstone of reliable
applications evaluation and safe (hopefully...) operation. Also mentioned
are the most important, yet still open problems we have to solve in this area.
Biometric cryptography is touched just lightly, please see one of those
previous lectures for more on
this subject. At the end,
we again turn our attention to the signal detection viewpoint to show we shall
never ever regard biometric characteristics as secret keys directly!
Yet, reasonable systems can be built, but never this way.
This complete lecture was also a base of several others of my autumn talks, so
please refer to this file should you be searching for the slides of
Mobile Payments 2014, Cardsession - Autumn 2014, etc.
- Mobile Authentication with BIO-Cryptography Taste.
Smart Cards and Device Forum 2014, Prague, May 22nd, 2014.
Popular, somewhat lightweight version of the lecture given at the Brno University of Technology
security workshop, please see bellow.
- Modern Authentication Hypes.
European Fraud Sharing Group Meeting 2014, hotel Port, Doksy,
May 16th - 17th, 2014.
Discusses the contemporary client authentication trends showing both what is
OUT and what is IN. Includes dissection of recent SMS-interception malware and also
shows how to approach mobile security with possible help of devices like
AirBond. We also touch the increasingly popular
area of biometrics, focusing mainly on brute-force attacks and detailing this technology
too has its pro et contra. Especially, we argue to do proper penetration tests
here as well!
- Biometric Cryptography - Mobile Application Viewpoint.
security workshop, Brno University of Technology, Apr 22nd 2014.
First part presents a cryptographer's viewpoint of biometrics security.
We have paid attention to expose the biometric-style brute force attack based on using
random input samples and relying just on the False Acceptance Rate. After reviewing
the most wanted open problems (convincing algorithm vs. black-box alchemy, safe template
revocation vs. security by obscurity "no one understands this mess", and liveness detection),
we have introduced the notion of biometric cryptography. Or, how to interconnect
biometrics and cryptography with reliability and without invoking security by obscurity.
For such "biocryptography", we have employed the well-know fuzzy commitment scheme
together with discussing the generalisation towards fuzzy extractors. As a model example,
we used a hypothetical mobile banking application that would use a biometric verification as
yet-another authentication factor. To protect against mobile device theft,
we showed we had to either use server-based biometrics or employ a biocryptography
to reliably project the biometric characteristics to a key space. The possibility
of biocryptography based on increasingly popular voice biometrics was discussed, too.
We have presented an idea on using front-end joint factor analysis to produce derived
feature vectors in the speaker space that can be employed as input samples in
- Bitcoin - Cryptographic Texture.
note, Prague, Dec 20th 2013. Introductory lecture covering the
essential security mechanisms of Bitcoin together with pointing out possible
directions for further research. Especially, we have paid certain attention to
the distributed time-stamping service based on BlockChain majority voting scheme
guarded by the Proof-of-Work mechanism. We present simple model based on an
information-theoretic channel that allows us to deliver a convincing proof
of the double-spending attack probabilities that are usually either "just stated"
or derived in a considerably more complicated way.
Nevertheless, there are still open questions concerning potential existence
of more efficient attacks on BlockChain that deserve further attention. The
purpose of this lecture was, besides the others, to provoke a follow-up research.
- Mobile Security In Practice - Autumn 2013.
Payments, Prague, Oct 10th 2013. Reviews the threat of X-platform
attacks in the light of recent attacks on mobile TAN in CZ. Then it
recalls the threat of Break Your Own Device as well
as inherent vulnerabilities of external NFC controllers on e.g. iPhone
(regarding PIN capturing attacks and more). We also warn about using payment
NFC stickers on mobile devices that have their own internal NFC
controller turned on. Bluetooth Low Energy is shown as a promising
technology for building e.g. external authentication devices that could
enhance mobile security if the long-awaited TrustZone concept would
fail its job. Finally, we discuss basics of biometric identification
from the perspective of a cryptographer who believes that security
through obscurity is not the right way. We warn about the necessity to
precisely know at least those probability density functions behind FAR
(False Accept Rate) and FRR (False Reject Rate). We then contrast
different design principles in between classic, quantum, and biometric
algorithms emphasizing the resistance against “algorithm tampering”
(like differential/linear cryptanalysis, side-channel attacks, etc.) is usually
not the prime concern in biometrics. What we can find instead is a
hope that the complexity of Mother Nature will somehow automatically
guarantee the strength of those algorithms. This is, however, a clear
example of security through obscurity.
- Mobile Devices Boom - Hackers Are
Ready. What About You? IT Security Trends and DMS Safety,
Prague, Sep 17th 2013. Recalls the threat of X-platform
attacks, PIN prints in mobile applications, and finally emphasizes the
importance of SSL/TLS and underlines certain consequences of ignoring its
known cryptographic properties (or not understanding on how to critically
judge server labels obtained by audit test tool). This is just an
overviewing, easy-to-follow presentation that revamps the most actual
topics that were detailed in separate lectures bellow.
- Wi-Fi Protected Setup - Friend or Foe?
Cards & Devices Forum, May 23rd 2013. We review the
brute-force attacks on WPS together with a new original countermeasure
algorithm called Swamp, showing that WPS is actually not that bad
as it may seem. We emphasize the attacks that captured public attention in
2011-2012 were already anticipated by WPS standard authors. We also
elaborate deeper cryptographic properties of the Registration protocol,
namely the role of Bit Commitment primitives inside the mutual
authentication scheme. From here, we conclude that the split verification
of WPS PIN that has been broadly criticised actually servers a very good
purpose in the whole protocol, since it allows us to reasonably defeat
another attack - we call it dual attack here. Furthermore, we show
the idea of Bit Commitment based authentication can be also found in
Secure Simple Pairing of Bluetooth BR/EDR, as well as in Security Manager
of Bluetooth Low Energy. Interestingly, the WPS implementation of the Bit
Commitment approach turns out to be the strongest one. Furthermore, we
show the idea of the brute-force attack was already discovered far before
Y. Lindell in 2008 in his attack on SSP in Bluetooth. When studying
the common properties of the aforementioned protocols, a new attack on authentication in
Bluetooth Low Energy has been found.
- Security (In)Dependence of Mobile and
Internet Banking. ICT in Financial Institutions, Prague, February
27th, 2013. First part of the presentation is devoted to
emerging cross-platform attacks. Especially, various techniques of
cross-platform infection are discussed. This is then used to show that
those popular mobile Transaction Authentication Number (mTAN) techniques
are rather on their way down. We show that having a mobile banking
application is not just a luxury, as it can also be viewed as kind of
countermeasure. Of course, this countermeasure is by no means definitive,
as it is shown in mobile threats elaboration in second part. It may,
however, give us some time to think about either external “smart” tokens
or to finally bring TrustZone
into its real life. Either way, we shall recognize there is rather strong
dependence in between mobile and internet banking. We shall care about
mobile devices security even (!) if our objective is just the internet
- Discovering PIN Prints In Mobile
Applications. Lecture at Security
2013, Prague (February 20th). Despite it being feasible to
achieve reliable resistance against the After-Theft
Attack, we can still spot a terribly flawed design patterns that
instead of defeating them rather do actively promote such attacks. In this
presentation, we detail cryptographic issues connected with so-called PIN
prints in applications aiming at two-factor authentication. We show
various examples of such PIN prints that were already met in practice
together with a (very slight) “computation-oriented” information theoretic
analysis of how much information can be conveyed by such a PIN print,
while transferring this to show how long PIN can be reliably brute-forced
basing on that particular PIN print.
- NFC On Mobile - On the Real Security of
Mobile Payments. Lecture at the workshop Cards 2012,
Prague. It is an extended version of the overviewing presentation from
Mobile Payments 2012 (cf. bellow on this page).
- Mobile Devices Security - On Practical
Risks of NFC Payments. Lecture at the workshop Mobile
Payments 2012, Prague. It is mainly focused on smart phone operating
systems integrity, since this is the part that really deserves great
attention, now. We rephrase iOS Jailbreaking as a world-wide verified
proof showing us clearly even the best smart phone OS can be reliably (!)
hacked (this is not to say the author is strongly against this
initiative – we just reflect its security implications). Furthermore,
we show practical results of iPhone peripheral channels infiltration (we
use a simple MobileSubstrate
tweak to do that) which has direct impact on mobile payment
applications relying on external NFC controllers.
- The Decline and Dawn of Two-Factor
Authentication on Smart Phones. Invited lecture at Information Security
Summit 2012. Basic study on whether and how we can achieve adequate
two-factor authentication on smart phones. We define a simple threat model
and discus the risk mitigation. The notion of distributed implicit PIN
verification armored with partial OTP verification is
introduced as a practical way on how to cope with this environment. The
emerging concept of TrustZone
is also touched. The accompanying presentation
serves a dual role – instead of repeating the countermeasures from the
main paper, it presents several hacking techniques emphasizing
insecurity of disturbing amount of contemporary mobile applications.
- Note on a mobile security, or “How
the Brave Permutation Rescued a Naughty Keyboard”. Joint lecture
with Petr Dvořák from Inmite at Mobile DevCamp 2012. Besides recalling
wanted and unwanted design patterns, this lecture is also a continuation
of the study presented at Smart Cards & Devices Forum 2012 noted
bellow. It shows how exactly we have implemented the idea of the encrypted
keyboard in certain mobile banking project that we have participated on.
- Smart Phones Security - How (Not) To
Summon The Devil. Invited lecture at Smart Cards & Devices
Forum 2012. Being addressed to smart phone applications developers and
penetration testers, the presentation shows typical vulnerabilities the
author has met in contemporary financial applications. Particular
experiments were done for Android and iOS environment, since - according
to author's opinion - these systems are the most interesting and important
ones. The results obtained, however, are generally applicable to almost
any smart phone platform.
- Android Ecosystem Integrity -
Possible Malware Cross-Infection Vector. Seminar note,
November 2011. This really is a trivial observation that is based on a
well-known approach on how to bypass the screen lock on certain Android
devices. Surprisingly, I have not seen it mentioned as a possible malware
cross-infection vector regarding attacks on those popular SMS-based
two-factor authentication schemes. So, I wrote this simple note for my
students. Superseded by Smart
Phones Security - How (Not) To Summon The Devil and also exploited
in The Decline and Dawn of
Two-Factor Authentication on Smart Phones.
- RFID Security - Selected Areas of LF and HF
Applications. Invited lecture at Hacking & Security 2012 by
Soom.cz. Its aim is to illustrate
typical RFID vulnerabilities and their particular exploits. It begins by
trivial skimming attacks in the LF band and continues to the phenomenon of
RFID wormholes. Also touched is the NFC technology, mainly as a promising
hacking tool. Also included is a simple transformer-based tool for easier
debugging of point-to-point NFC communication with mobile devices (no
more those annoying “96” positions!).
- RFID Wormholes – the Case of
Contactless Smart Cards.
Invited lecture at SmartCard Forum 2011. The aim was to give a solid
overview of wormhole (or relay) attacks by looking at this phenomenon from
various viewpoints – physical principles, technical realization,
cryptographic countermeasures, NFC, etc. The experimental part is based on
using libNFC library.
- Unleashing EMV Cards For Security
Santa’s Crypto Get-Together in Prague, December 2nd – 3rd,
2010 (slides, abstract). Invited lecture for the international
cryptography workshop organized in Prague. Together with the previous
presentation on approaching side channel experiments (cf. bellow) this is
another part of EMV Cards Trivium puzzle aimed to encourage
academic research of payment cards security.
- EMV Cards Trivium – A Fast Way to
Side Channel Experiments. This lecture was originally prepared
for the smartcard security research group at Masaryk University Faculty of
Informatics in Brno. It is, however, addressed to all those researchers
who would like to experiment with side channel attacks on EMV cards but
were afraid of their obscure complexity. To allow rapid card profiling, a
technique based on CAP/DPA-reader interaction is developed and described here.
We call it a CAP/DPA-teacher approach. June 2010.
- Authentication By Payment Card –
Experiences Gained By Penetration Tests (CZ). Invited lecture at
SmartCard Forum 2010. The main objective here was so-called connectable
CAP/DPA reader. Besides promising new user-friendly features, these
devices also introduce several new risks that shall be addressed
accordingly when deploying them in internet banking applications.
lecture notes on RFID security: SmartCard Forum 2009 (CZ, EN), Teleinformatika 2009 (CZ).
arising around non-repudiation of digital
signatures as an inspiration for quantum cryptologists, University of
Palacky, October 7, Olomouc, 2004. (CZ)
- Security Policy – a Document of Various
Looks and Purposes, lecture for security managers and directors at
IT Security 2004, staged by the Institute for
International Research, Wien. (CZ)
- Lecture on special cryptanalysis held for colleagues at the Department of Computer Science, June
2003 (zipped ppt, syllabus). (CZ)
projects and publications (selected ones):
- Rosa, T.: Bypassing
Passkey Authentication in Bluetooth Low Energy, IACR Cryptology ePrint Archive, Report 2013/309, May 2013.
- Android Binder Security. Started in
November 2011, this project aims to promote recognition of importance and
further research in the area of security of the Android binder framework –
its core Inter Process Communication mechanism.
- Hlaváč, M. and Rosa, T.: A Note on the Realay-Attacks on
e-passports – The Case of Czech e-passports, IACR ePrint archive 2007/244, Jun 2007.
- Hlaváč, M. and Rosa, T.: Extended
Hidden Number Problem and Its Cryptanalytic Applications, in Proc.
of SAC 2006, LNCS 4356, pp. 114-133, Springer-Verlag, 2007.
- Rosa, T.: Cryptographic
Insecurity of the Test&Repeat Paradigm, NATO Advanced Research
Workshop - Security and Embedded Systems, University of Patras, Greece,
2005. (slides in ppt)
- Rosa, T.: Lattice-based
Fault Attacks on DSA - Another Possible Strategy, in Proc. of
Security and Protection of Information 2005, pp. 91-96, Brno, 2005.
- Rosa, T.: Non-repudiation of digital
signatures, in Proc. of 2nd Scientific and Pedagogical
Conference at ZMVS: Juridical
Regulation of Networked Society, Trebic, September 2004. Slides used for
the presentation are here. The
paper identifies an insufficiency of a strictly logical approach to the
subject of non-repudiation. It warns about problems arising on the edge
between mathematical and juridical reasoning and sketches possible
- Dissertation thesis, mainly on Side
- Klíma, V., Pokorný, O., and Rosa, T.: Attacking RSA-based Sessions in SSL/TLS, in Proc. of CHES 2003, Cologne, Germany,
September 2003, pp. 426-440, Springer-Verlag, 2003. For an extended
version, see IACR ePrint
archive 2003/052, March 2003. Slides used
for the presentation are here.
- Klíma, V., Rosa, T.: Side
Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format, in Proc. of
Security and Protection of Information 2002, NATO PfP/PWP
- 2nd International Scientific Conference Security and Protection of
Information, Brno, Czech Republic, 28th – 30th of
- Klíma, V. and Rosa, T.: Further Results and Considerations on
Side Channel Attacks on RSA, in Proc. of CHES 2002, San Francisco Bay, USA,
August 2002, pp. 245-260 , Springer-Verlag, 2002. Slides used
for the presentation are here.
- Klíma, V. and Rosa, T.: Strengthened Encryption in the
CBC Mode, IACR ePrint
archive 2002/061, May 2002.
- Rosa, T.: On the
Key-collisions in the Signature Schemes (CZ), in Proc. of workshop
VKB 2002, pp. 14-26, 2002, Brno. These slides (EN) belong to the Czech
version of the paper. The paper won
the best presentation award on the workshop VKB 2002. The paper differs
from the one presented at CRYPTO 2002 Rump Session in that it also
discuses k-collisions in RSA schemes. On the other hand the paper
listed bellow is more general and it also elaborates possible
countermeasures more deeply and precisely.
- Rosa, T.: Key-collisions
in (EC)DSA: Attacking Non-repudiation, CRYPTO 2002 Rump Session,
IACR ePrint archive 2002/129, Santa
Barbara, USA, August 2002. Slides used for the Rump Session presentation
are available here.
- Rosa, T.: Future Cryptography: Standards are not
Enough, in Proc. of Security and Protection of Information 2001, NATO PfP/PWP
– 1st International Scientific Conference Security and Protection of
Information, Brno, Czech Republic, 9th – 11th
of May 2001.
- Klíma, V. and
Rosa, T.: Attack on
Private Signature Keys of the OpenPGP format, PGP (TM) Programs and Other
Applications Compatible with OpenPGP, IACR ePrint archive 2002/076, version 1, March
2001, minor update on June 2002. For somehow re-factored elaboration of
this subject please see my dissertation thesis here.
- Kupča, V. and
Rosa, T.: Theory and Perspectives
of Quantum Computers, in Proc. of Workshop 2001 - Part A, pp.
192-193, CTU Prague, 2001. This short article summarizes the results of
diploma thesis presented by Vojtěch Kupča at the Department of Computer
Science at FEE, CTU in Prague, and led by Tomáš Rosa.
- Time to time,
you can see my contributions at the Czech cryptologic news
server. The aim of the server is to bring reader’s attention at fresh,
but also certainly matured topics related to cryptology and-or information
- Here you can
find an interview with me done
for a weekend supplement of the newspaper Hospodářské
noviny in May 2003. Partly, it is based on our attack on SSL/TLS (cf. above).
Last update: July 15th, 2023.
"96"(just append this number) [at] gmail_dot_com