Home > Speakers >

Aljoscha Lautenbach

Aljoscha Lautenbach is a consultant at the Swedish engineering company Evidente which focuses on key aspects of embedded systems development. Aljoscha is Evidente's lead engineer in the area of cyber security, and he has worked on topics ranging from risk assessment to security architecture, design and implementation. He also represents Evidente in the Swedish ISO committee for the upcoming joint ISO/SAE standard 21434 on cybersecurity engineering for road vehicles and is a co-author of the HEAVENS risk assessment model mentioned in SAE's cybersecurity guidebook J3061. Aljoscha holds a BSc in Knowledge Engineering from Maastricht University, a MSc in Computer Systems and Networks from Chalmers University of Technology, and he is in the final phase of his PhD in automotive cyber security at Chalmers.

Common cryptography mistakes for software engineers

Most implementations of security mechanisms depend on cryptography, and yet, many vulnerabilities exist because cryptography is used incorrectly. This is partly due to lacking user-friendliness of cryptographic library API designs [1][2], and partly due to a lack of education in the developer community of the underlying mechanisms. As for the API design, we can only lobby for more user-focused design during library development and advocate user-friendly libraries. We can, however, try to improve the communal understanding of how to use cryptography securely. By way of examples, this talk will explore questions such as: What is an IV and why does it matter? Why does entropy matter? Which cipher mode is appropriate for my application? In essence, we highlight points to watch out for when implementing security mechanisms using cryptography.

[1] https://www.cl.cam.ac.uk/~rja14/shb17/fahl.pdf, Comparing the Usability of Cryptographic APIs, IEEE S&P 2017

[2] http://mattsmith.de/pdfs/DevelopersAreNotTheEnemy.pdf, Developers are not the enemy! The need for usable security APIs, IEEE S&P 2016

Go to Session