





Welcome to KASTEL

The Competence Center for Applied Security Technology (KASTEL) is one of three competence centers for cyber security in Germany, which were initiated by the Federal Ministry of Education and Research (BMBF) in March 2011.

Following the motto “Comprehensible security in the networked world”, KASTEL is meeting the challenges posed by the increasing interconnection of previously isolated systems.

Of particular importance are the consequences of digitalization in the area of critical infrastructures, for example in the energy economy, in industrial production or networked mobility, but also in "intelligent" environments.

KASTEL bundles the competencies in the field of IT security at the research location Karlsruhe. The goal is to develop a holistic approach instead of isolated partial solutions. The focus will be on comprehensive security in specific application areas, such as power grids or intelligent factories.

To ensure this security, new threats need to be modeled, security objectives need to be described and new methods have to be developed.

This can only be achieved through the cooperation of cryptographers, IT security specialists, software engineers, network experts, jurists, economists and social scientists, as is the case here at KASTEL.


KASTEL started in 2011 with a provisional term of four years. The goal was to conduct interdisciplinary research and answer questions about IT security that were to be put to practical use on the basis of prototypes and scenarios. This section, known as Phase 1, was completed in autumn of 2015. After a successful evaluation, the BMBF extended the duration of the competence centers and KASTEL started the second phase with newly defined research fields and projects.


Privacy friendly mask recognition

Masks are an important means of containing the novel coronavirus and of preventing an infected person from spreading it via the respiratory tract. Many states rely on legally mandated mask requirements. However, such a legal obligation is also accompanied by checks to keep people without masks out of crowds.

Thanks to advances in both theoretical AI research and practical, technical implementation, such checks can be carried out very cost-effectively by machine. However, there is a danger of mass surveillance without cause if too much data is collected.

In order to strike a compromise between technical convenience and the protection of basic rights, Niklas Kühl, Dominik Martin, Clemens Wolff and Melanie Volkamer are investigating how mask recognition can be implemented in a way that protects privacy. This project has now resulted in a publication that can be viewed in the KIT library.

Webinar "Corona, Tracing & Privacy"

Many proposals have been put forward in recent months to curb the spread of the coronavirus. Different countries have now developed a wide variety of approaches with which volunteers can help to keep infection rates low, for example by using contact tracing apps on smartphones. These approaches differ in their impact on privacy, among other things.

In a webinar on "Corona, Tracing & Privacy", KASTEL-PI Prof. Indra Spiecker gen. Döhmann and Prof. Michael Birnhack from the University of Tel Aviv talk about exactly these topics. They will also discuss their experiences with the restrictions and the hurdles for contact tracing apps.

The full webinar can be viewed here.

BMBF Research Project INSPECTION

The term "phishing" refers to an attack in which the attacker pretends to be a trustworthy and already known website in order to sell his own products or distribute viruses. In order to make users more careless, attackers sometimes go so far as to exploit security holes to take over trustworthy websites, in order to advertise products and services in their name and, in the worst case, to steal private information.

This can even happen without website operators noticing. In order to help small and medium-sized enterprises (SMEs) in particular, the Federal Ministry of Education and Research started the research project INSPECTION on June 1st as part of the initiative "KMU-innovativ". The aim of the project is to automatically detect whether a page has been hacked in order to inform the operators.

In addition to industrial members such as mindup GmbH and BDO Cybersecurity, the SECUSO research group of KASTEL-PI Prof. Melanie Volkamer is part of the project consortium.

Interdisciplinary Publication at the Workshop "Law and Technology"

To enable companies to react centrally to data protection violations and IT security incidents, the reporting obligation stipulates that violations by employees must be reported. However, this can have consequences under labour law.

In order to investigate this in more detail, the SECUSO chair of KASTEL-PI Prof. Melanie Volkamer and the Chair of Public Law, Environmental Law, Administrative Science of the Goethe University Frankfurt am Main of KASTEL-PI Prof. Indra Spiecker gen. Döhmann have worked together. This cooperation resulted in a paper on the "Obligation to report IT security and data protection incidents by employees - consideration of possible consequences under labour law", which was written by Prof. Volkamer and Dirk Müllmann, a doctoral student of Prof. Spiecker. This publication was accepted at the "Law and Technology" workshop of Informatik 2020.

Segmentation of smart home components

Smart home networks enable easy operation of domestic components via technical devices such as mobile phones, tablets or computers. The corresponding smart devices are often connected to the same network as the control devices. However, this can quickly lead to problems: for cost reasons, security is often neglected. An attacker can thus gain control over the entire network via a single compromised device.

In a cooperation between KASTEL-PI Prof. Thorsten Strufe, Amr Osman and Stefan Köpsell from the Technical University of Dresden, and Armin Wasicek from the Czech security software manufacturer Avast, a method based on network segmentation was introduced to protect such networks; it has already been implemented in practice. A central Software-Defined Networking controller first quarantines each newly connected device, where it is tested for functionality and known attack strategies. Based on its functionality, the device is then connected only to a separate subnetwork, which it shares with components fulfilling the same basic functionality. This type of sandboxing prevents free propagation in the network, since compromised devices can only move within their segment.
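The admission flow described above can be modelled in a few lines. This is an added example, not the authors' implementation; the device classes, the boolean test outcome and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

QUARANTINE = "quarantine"

@dataclass
class Device:
    mac: str
    function: str        # constructed functionality class, e.g. "lighting"
    passed_checks: bool  # assumed outcome of the quarantine tests

@dataclass
class Controller:
    """Toy stand-in for the central SDN controller (hypothetical API)."""
    segment_of: dict = field(default_factory=dict)

    def connect(self, dev: Device) -> None:
        # Every newly connected device starts in quarantine.
        self.segment_of[dev.mac] = QUARANTINE

    def admit(self, dev: Device) -> str:
        # Only a quarantined device that passed testing leaves quarantine,
        # and only into the segment for its own functionality.
        if self.segment_of.get(dev.mac) != QUARANTINE:
            raise ValueError("device must be connected and quarantined first")
        if dev.passed_checks:
            self.segment_of[dev.mac] = f"seg-{dev.function}"
        return self.segment_of[dev.mac]

    def flow_allowed(self, src: str, dst: str) -> bool:
        # Default deny: unknown or quarantined devices reach nobody,
        # admitted devices reach only peers in the same segment.
        a, b = self.segment_of.get(src), self.segment_of.get(dst)
        return a is not None and a == b and a != QUARANTINE

    def reachable_from(self, mac: str) -> set:
        # Containment check: what a compromised device could still reach.
        return {m for m in self.segment_of
                if m != mac and self.flow_allowed(mac, m)}

def demo() -> Controller:
    ctl = Controller()
    for dev in [Device("aa:01", "lighting", True),   # constructed sample devices
                Device("aa:02", "lighting", True),
                Device("aa:03", "camera", True),
                Device("aa:04", "plug", False)]:      # fails testing, stays quarantined
        ctl.connect(dev)
        ctl.admit(dev)
    return ctl

if __name__ == "__main__":
    print(demo().reachable_from("aa:01"))
```
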

The results will be presented at this year's USENIX HotEdge '20, where the authors also analyze how well this approach prevents attack scenarios while only slightly restricting the functionality of the smart home.

Interview with Prof. Strufe about the Corona App

With the Corona-Warn-App of the Federal Government, users can voluntarily use their smartphone so that, in case of a positive test for the coronavirus, all people who have stayed near the infected person for a longer period of time are informed quickly. The use of this app is voluntary; the government is counting on as many people as possible to install the app on their smartphone.

Privacy concerns are probably among the most relevant issues influencing many people's decision for or against using the app. For safe operation, it is necessary to store who was in contact with whom and for how long. From plain text data, social graphs could be derived here, which would have a high potential for abuse. In order to prevent such misuse, the app relies on pseudonymization: data can be assigned to one another, but it is not possible to assign them efficiently to a mobile phone or a person, or at least that is what is hoped.

In an interview with the BNN, KASTEL-PI Prof. Thorsten Strufe explains security and privacy concerns. In particular, he explains how common techniques work that allow warnings of positive tests of people a user has been in contact with to be clearly assigned to a point in time. According to Strufe, this would help to narrow down the circle of potentially infected people. Nevertheless, he welcomes the Corona warning app, but suggests that updates to protect against stigmatisation of infected people are extremely important and pleads for a more transparent information policy regarding known weaknesses.