Wouter Joosen - Security
1. IBBT security department
security, privacy and trust of E-*
Wouter Joosen
IBBT - COSIC – DistriNet – ICRI
3/05/2011, We-BBT Brussel
2. enhance the leading position
of ICT-security research in Flanders
essential objectives:
• perform first class basic and applied research in key
areas from ICT security (core)
• transfer the acquired basic knowledge into the economy
(traditional notion of valorization)
• lower the cost of regulatory compliance of new
hardware, software and applications (specific:
valorization)
• contribute actively to training of undergraduate and PhD
students, and of industry (valorization too)
not too different from IBBT as a whole
3. ICT security research:
context, application and technology trends
1. security research – a strong tradition in Flanders.
2. security is directly related to dependability, and to
trustworthiness – trustworthiness will remain essential
3. security cannot be achieved as an afterthought;
core to software applications and the development &
deployment processes (engineering)
4. security problems arise anywhere in systems (not only
at front- and backdoors):
end-to-end quality is required.
5. trustworthiness requires full life-cycle support
(management support)
4. security, privacy and trust of E-*
• Many Future Internet Applications need the solutions:
being dependable, secure and trustworthy…
• For example: Future health – Future Media <IP TV and
video on demand> - Smart grids - Smart infrastructures
– Mobile applications – Telematics – V2V..
5. security expertise (1/2)
• secure programming languages (Clarke, Piessens, Joosen)
• security middleware and component frameworks (Piessens, Desmet, Joosen)
• secure development process (Scandariato, Joosen)
• security monitoring and management (Desmet, Huygens, Joosen)
• security for computer networks and pervasive systems
(Verbaeten, Huygens, Preneel, Verbauwhede)
• security for ad-hoc and wireless networks (Preneel, Verbauwhede)
• privacy enhancing technologies, identity management (De Decker, Preneel)
• cryptographic software and software obfuscation (Piessens, Preneel)
• cryptographic hardware and embedded systems (Verbauwhede, Preneel, Rijmen)
• document security, watermarking and perceptual hashing (Preneel)
• trusted computing (Verbauwhede, Preneel)
• legislation, compliance & policy (Dumortier)
6. security expertise (2/2)
• cryptographic algorithms and protocols, foundations of cryptography and
provable security (Rijmen, Preneel)
• risk management (Huygens, Joosen)
• authorisation technologies (Piessens, Joosen, Desmet)
• secure system software (Piessens, Joosen)
• HW implementation of DRM, watermarking and perceptual hashing
(Verbauwhede, Preneel, Rijmen)
• side-channel attacks and countermeasures (Verbauwhede, Rijmen, Preneel)
• embedded biometry (Verbauwhede, Tuyls)
• security for RFIDs, smart cards, sensor nodes (Verbauwhede, Batina, Preneel,
Huygens, Joosen)
• evaluation of system security, including requirements, security
architectures, software, hardware, cryptographic libraries and smart
cards (All)
8. track record – a sample
• about 20 FP6/FP7 projects that relate to trust and security
(a separate chapter in the Framework Programmes, “alongside” for
example infrastructures and service engineering)
• featuring some NoE’s:
• Cryptology, Bart Preneel from COSIC is currently
coordinating ECRYPT II (Network of Excellence on
Cryptology), which is a successor to ECRYPT.
• Software and Software Engineering: Wouter Joosen
(DistriNet) currently is the Research Director of NESSoS:
Engineering Secure Software and Systems for Future
Internet Services.
• in the security and data protection area, ICRI also participates in a
number of FP7 projects, such as PICOS, TURBINE, TAS3
and PrimeLife.
10. track record - valorization
home of many successful industry training courses
(e.g. secappdev.org)
home of the AES cryptography standard
home of some strong spin-off companies
• Utimaco
• Ubizen (now part of Verizon Business Solutions)
• Checkout Market Analysis for Managed Security
Solutions: 2009, 2010
11. research focus
For the business – applied to many hot application
domains:
1. Assurance, compliance of new applications, typically
Future Internet Services
a. Cloud computing (the next big one after SOA)
b. IoT and embedded software and systems
2. Very long term: Enabling Cost and Risk Assessment
For Society: focus on
1. Privacy (Social Networks) – SBO SPION
2. Long Term: Cybercrime
12. research focus - programmes
• Embedded Security
• Privacy and Identity Management
• Secure Software
• Security in the engineering process
• Legal Research
• Distributed (Internet) Software
• (middleware)
• What does it mean?
13. one example: Bravehealth (FP7-IP 2010-2013)
The BRAVEHEALTH system will enable the integration of services provided by mobile
resources, legacy applications, data and computing intensive services within a mobile
grid to offer personalized e-health services to mobile, nomadic, stationary users.
14. another example: NextGenITS (IBBT/ICON)
privacy preserving electronic toll
[diagram: GPS satellites feed the on-board unit (OBU), which performs fee calculation locally and receives updates over GPS/GSM; the OBU reports only the fee to the Service Provider, which issues the bill; location data is stored encrypted and accessible only to the driver]
• only final fee transmitted to Service Provider
• only driver has access to location data
• authenticity of reported fee and location data
• confidentiality of communications
16. security united >140 FTEs
COSIC: Prof. Bart Preneel, Prof. Vincent Rijmen, Prof. Ingrid Verbauwhede,
Prof. Claudia Diaz; 7 postdocs; 40+ junior researchers
DistriNet: Prof. Dave Clarke, Prof. Bart De Decker, Prof. Christophe Huygens,
Prof. Wouter Joosen, Prof. Frank Piessens, Prof. Yolande Berbers, Prof. Tom Holvoet,
Prof. Bart Jacobs; 15 postdocs; 50+ junior researchers
ICRI: Prof. Jos Dumortier, Prof. Peggy Valcke; 2 postdocs; 15+ junior researchers
17. collaboration between departments: obvious
overlapping expertise and interest in enabling technologies
(FIA) – enabling service platforms
- Telecom SOA (TCASE, WTE+) + (CSEMAP)
- Cloud Computing (CUSTOMSS) + (DREAMaaS, PUMA)
strategic application domains include
- Future Health (EHIP, Share4Health)
- E-Media (CUPID)
- Telematics (NextGenITS)
- Logistics (MultiTr@ns, DEUS, Admid)
- E-government (IDEM) +(CSEMAP)
- …
18. partnerships
research partners:
• European universities: Cambridge University, ENS Paris, TU Graz, TU Eindhoven, RU Bochum,
Danish Technical University, EPF Lausanne, TU Darmstadt, U Lancaster, TCD Dublin, U Twente,
Univ. Trento, Open University (UK), ESRC Centre for Analysis of Risk and Regulation (London
School of Economics), Tilburg Law and Economics Center (Tilburg University), Institute for
Information Law (IViR) (Universiteit Amsterdam), Institute for European Media Law (EMR,
Germany), Hans Bredow Institute (Germany), Wissenschaftliches Institut für Infrastruktur und
Kommunikationsdienste (WIK, Germany), Helsinki Institute for Information Technology (HIIT,
Finland).
• universities outside Europe: Brown University, Korea University, Virginia Tech, McGill University,
University of Colorado at Boulder (USA), Annenberg School of Communications at Penn State
University (USA), Center for Information Policy Research of the University of Wisconsin (USA),
the University of Technology Sydney (Australia) and Hitotsubashi University (Japan).
strategic partners:
• Flemish companies (or companies with a strong representation in Flanders): Agfa (e-health),
Alcatel-Lucent, Barco, Belgacom, Telenet, VRT
• European companies: Orange Labs (telecommunications), STMicroelectronics (microelectronics),
Gemalto, Giesecke & Devrient (smart cards), Irdeto and Nagra (content protection), Philips, SAP,
Siemens (HQ), Thales, ATOS and Docomo Labs.
• international industry research labs: Microsoft, Google and IBM; Sony and Hitachi.
19. conclusion
• nature of the department: highly interdisciplinary in itself
• critical mass beats (most – all?) of the European competition
• international recognition is a fact
• track record: long term and versatile
• stable base for sustained success
…no matter what the buzz words are or will be