Proposed projects page (archives): Fall-2016
Fall semester
CISC Cothority Identity Skipchain SSH Interface
Identification has become a crucial part of the digital world especially in the Internet where authenticity is one of the most important safety measures. Nowadays it is hard to keep track of all different passwords and public keys that we use to authenticate ourselves to different services. In the worst case the same key is used for several services.
In order to solve this issue, keys must be regularly updated and rotated, which is cumbersome when multiple devices come into play and basically unattainable without the help of specialized software.
Web-Frontend for Cothority
Bastian Nanchen – Semester project
Abstract
The decentralized and distributed systems (DEDIS) team at EPFL is working among others on a software project called Collective Authority (Cothority). Cothority is composed of multiple conodes, which are servers running protocols and services. It implements different applications as Collective Signing (CoSi), Cisc (a distributed key/value storage handled by a blockchain with an SSH-plugin), Proof of Personhood (prove the existence of humain being), Guard (use distributed servers to hash passwords), Status (returns the status of a conode).
Enhancing Debian Update Service
Gaspard Zoss – Semester project
Abstract
Software updates are an essential element in securing any software running on devices going from small embedded devices to computer clusters. In this project, we will study how security of software update process in large projects can be improved and apply it to Debian APT.
When a new feature is added or when a bug is fixed in one of the software available through the Debian package manager, the package’s maintainer, often one of the project’s developers, generates a binary by compiling the code, hashes it and creates various scripts used to install, upgrade or remove the software. These scripts and the binary are then packed together and placed inside a repository, from which the end user may download the update. The repository itself is signed, usually using a single private cryptographic key and the binaries are verified by using checksums. Additionally, the software can be made reproducible by the developers allowing users to verify if the given binary was produced using the publicly available source code. But as of today, not all Debian packages are reproducible.