#WeKnowCybersecurity

Cybersecurity Blog of Fraunhofer AISEC

Cybersecurity
Alexander Küchler

Codyze: Automated Analysis of Cybersecurity Requirements in Software

Manually verifying compliance with requirements such as the Cyber Resilience Act is not scalable. Our code analysis tool, Codyze, translates product-centric regulatory requirements into verifiable rules and automatically assesses whether the product’s source code fulfills them – across languages and microservices. Codyze makes all analysis results transparent to developers, security teams, and auditors.

Read Article »
Cybersecurity
Nisha Jacob Kabakci

Laboratory Security Evaluation of the OpenTitan Silicon Root of Trust

This post summarizes a joint hardware security evaluation of OpenTitan® engineering and production silicon by Fraunhofer AISEC in cooperation with design teams from Google, lowRISC® and Nuvoton.
The goal was to validate OpenTitan’s security under strong attack models before deployment in servers and Chromebooks. The evaluation analysed OpenTitan’s core security properties and led to several hardening measures and tooling improvements that benefit future tape-outs and deployments.

Read Article »
Quantum Computing
Daniel Loebenberger

From Early Warning Signs to the Workbench: the PQC Update 2026 Shows that the Post-Quantum Era Has Begun

As we kicked off the PQC Update 2026, one question hung in the air: Is post-quantum cryptography still a distant dream – or has it long since become part of everyday life for government agencies, industry, and standards bodies? The answers from our speakers were surprisingly concrete: Dutch guidelines, German ID cards with PQC, new security chips, updated internet standards, roadmaps for critical infrastructure, and tools that can already reveal your legacy cryptographic vulnerabilities today. If you just want to know whether you need to take action now: Yes. If you want to know how, read on.

Read Article »
Cybersecurity
Matthias Hiller

Hardware Security in a Networked World | Threat Scenarios, Protection Against Manipulation and the Role of Trust Anchors

How can we trust the hardware that forms the backbone of our connected world? In this interview, Dr. Matthias Hiller, head of the Hardware Security department at Fraunhofer AISEC, explains how trust anchors, secure chiplets, and advanced protection mechanisms help safeguard IT systems against tampering, and why hardware security is becoming a strategic factor for Europe in the age of quantum-based threats.

Read Article »
Cybersecurity
Michael Weiß

Secure System-On-Chip: Protecting Operating Systems and Hardware

How can we trust chips and operating systems that power IoT, industry and the cloud? In this interview, Fraunhofer AISEC cybersecurity researcher Dr. Michael Weiß explains how GyroidOS, secure system-on-chip and open standards like RISC-V create verifiable, tamper-resistant platforms for tomorrow’s critical infrastructure.

Read Article »
‚Industrial Security‘
Patrick Wagner

Mastering Cross-Divisional Cybersecurity Risk Management in the Automotive Industry

Modern cars are interconnected systems of software, sensors, and cloud services. As automotive companies divide their work across engineering, production, and backend divisions, cybersecurity risks often fall through the cracks. While standards such as ISO/SAE 21434, the ISO/IEC 27000 family, and the IEC 62443 series provide important building blocks, none fully explain how to align cybersecurity across divisions. Our research at Fraunhofer AISEC reveals the consequences: hard-to-compare risk assessments, unclear communication, and fragmented security strategies. The solution lies in a cross-divisional approach that connects processes, tools, and terminology. Based on a structured analysis of key cybersecurity standards and interviews with experts from six automotive manufacturers, this article contrasts what the standards expect with how organizations work today – and outlines concrete steps to close the gaps.

Read Article »
Cybersecurity
Christian Banse

Automated cloud certification with EMERALD: Architecture, evidence, and trustworthy security

In the face of growing complexity and regulatory requirements, the security of cloud services is becoming increasingly challenging. However, conventional certification procedures require considerable financial and time investment to meet these requirements. That is why the EU research project EMERALD is pursuing a new approach: It is developing a framework for continuous, automated security certification based on semantically structured evidence. This article will discuss the concepts, methods, and validation approaches of the EMERALD platform.

Read Article »
Quantum Computing
Sebastian Issel

Towards Classical Software Verification using Quantum Computers

In this post, we explore the possibility of accelerating the formal verification of classical programs using quantum computers. Common programming errors, such as null-pointer dereference and out-of-bound access, are prevalent sources of security flaws. Our approach involves generating a Satisfiability (SAT) instance from code snippets, which is satisfiable if the undesired behavior exists. This instance is then converted into an optimization problem, solved using quantum algorithms, thus potentially achieving asymptotically polynomial speedup.

Read Article »
‚Industrial Security‘
Sebastian N. Peters

Gateway to the Danger Zone: Secure and Authentic Remote Reset in Machine Safety 

Modern manufacturing is rapidly digitizing, unlocking new business models and unprecedented efficiency. While remote operation has become commonplace, machine safety has still required hands-on, local intervention — until now. Our latest work at Fraunhofer AISEC bridges this gap with a secure, authentic remote reset system for safety events, blending future-proof cryptography and robust safety design. Here’s how we’re redefining the boundaries of safe, remote manufacturing.

Read Article »
Trusted Artificial Intelligence
Dariush Wahdany

Using Prototypes for Private Machine Learning 

How can machine learning respect privacy without sacrificing fairness? Discover DPPL, a prototype-based method that provides strong privacy guarantees while boosting accuracy for underrepresented groups. By addressing bias in differentially private models, this approach ensures ethical and inclusive AI development without compromising performance.

Read Article »
Cryptography
Thomas Bellebaum

Multi-Party Computation in the Head – an Introduction

In 2016, the National Institute of Standards and Technology (NIST) announced a standardization process for quantum-secure cryptographic primitives. The goal was to find secure key encapsulation mechanisms (KEM) and signature schemes. One unique approach was the PICNIC signature scheme, a scheme utilizing the MPC-in-the-Head (MPCitH) paradigm. This made PICNIC an interesting approach, since its security relies on well researched block ciphers and hash functions. PICNIC was announced as an alternative candidate by NIST. A lot of follow-up schemes based on PICNIC, like BBQ, Banquet, and FEAST, were proposed using different block ciphers and variations on the original construction paradigm. In 2022, NIST announced a second call specifically for signature schemes. MPC-in-the-Head-based signature schemes became their own category, with multiple submissions in this call. This articel explains the core idea and functionality of early MPCitH based signature schemes and how we at Fraunhofer AISEC make use of the concepts.

Read Article »
Trusted Artificial Intelligence
Nicolas Müller

How to build suitable datasets for successful detection of audio deepfakes

Deepfakes are a significant threat to democracy as well as private individuals and companies. They make it possible to spread disinformation, to steal intellectual property and to commit fraud, to name but a few. While robust AI detection systems offer a possible solution, their effectiveness depends largely on the quality of the underlying data, simply put: »Garbage in, garbage out.« But how do you create a dataset that is well suited to identifying the ever-evolving deepfakes and enables robust detection? And what constitutes high-quality training data?

Read Article »
Cybersecurity
Stefan Tatschner

Parsing X.509 Certificates: How Secure Are TLS Libraries?

Digital certificates like X.509 are essential for secure internet communication by enabling authentication and data integrity. However, differences in how they are parsed by various TLS libraries can introduce security risks. A recent study by Fraunhofer AISEC analyzed six widely used X.509 parsers with real-world certificates. The findings reveal inconsistencies that could impact security-critical applications. In this article, we summarize the key results and explain why companies need to scrutinize their cryptographic libraries.

Read Article »
Cryptography
Ivan Gavrilan

Fortifying Cryptography with Impeccable Circuits: Impeccable Keccak Explained

Cybersecurity threats are evolving, and cryptographic implementations face growing risks from fault injection attacks. Fraunhofer AISEC’s research introduces Impeccable Keccak, a new approach to secure SPHINCS+, a post-quantum cryptography digital signature scheme that has been standardized by NIST in 2024. By leveraging impeccable circuits and ensuring active security, this represents a new approach to fault-resilient cryptography.

Read Article »
Quantum Computing
Maximilian Wendlinger

Quantum and Classical AI Security: How to Build Robust Models Against Adversarial Attacks

The rise of quantum machine learning (QML) brings exciting advancements such as higher levels of efficiency or the potential to solve problems intractable for classical computers. Yet how secure are quantum-based AI systems against adversarial attacks compared to classical AI? A study conducted by Fraunhofer AISEC explores this question by analyzing and comparing the robustness of quantum and classical machine learning models under attack. Our findings about adversarial vulnerabilities and robustness in machine learning models form the basis for practical methods to defend against these attacks, which are introduced in this article.

Read Article »
IoT Security
Felix Oberhansl

Fraunhofer AISEC commissioned by the German Federal Office for Information Security (BSI): New study on the synthesis of cryptographic hardware implementations

The study by Fraunhofer AISEC on the security of cryptographic hardware implementations focuses on physical attacks on hardware, such as side-channel attacks and fault attacks, as well as measures to defend against them. These protective mechanisms can potentially be compromised by optimizations in the chip design process. The study shows that protective measures should be integrated into complex design processes and taken into account in hardware design synthesis in order to be resilient to hardware attacks. The findings will help hardware designers to develop robust and secure chips.

Read Article »
Cybersecurity
Christian Banse

Faster detection and rectification of security vulnerabilities in software with CSAF

The Common Security Advisory Framework (CSAF) is a machine-readable format for security notices and plays a crucial role in implementing the security requirements of the Cyber Resilience Act (CRA): Security vulnerabilities can be detected and rectified faster by automatically creating and sharing security information. Fraunhofer AISEC has now published the software library »kotlin-csaf«, which implements the CSAF standard in the Kotlin programming language.

Read Article »
Cybersecurity
Immanuel Kunz

Privacy By Design: Integrating Privacy into the Software Development Life Cycle

As data breaches and privacy violations continue to make headlines, it is evident that mere reactive measures are not enough to protect personal data. Therefore, behind every privacy-aware organization lies an established software engineering process that systematically includes privacy engineering activities. Such activities include the selection of privacy-enhancing technologies, the analysis of potential privacy threats, as well as the continuous re-evaluation of privacy risks at runtime.
In this blog post, we give an overview of some of these activities which help your organization to build and operate privacy-friendly software by design. In doing so, we focus on risk-based privacy engineering as the driver for »Privacy by Design«.

Read Article »
Headerbild zum Blogartikel "Neue Studie zu Laser-basiertem Fehlerangriff auf XMSS" im Cybersecurityblog des Fraunhofer AISEC
Cryptography
Silvan Streit

Fraunhofer AISEC commissioned by the German Federal Office for Information Security (BSI): new study of laser-based fault attacks on XMSS

To ensure the security of embedded systems, the integrity and authenticity of the software must be verified, for example through signatures. However, targeted hardware attacks enable malware to be used to take over the system. What risks are modern cryptographic implementations exposed to? What countermeasures need to be taken? To answer these questions, Fraunhofer AISEC was commissioned by the German Federal Office for Information Security (BSI) to carry out a study of laser-based fault attacks on XMSS. The focus is on a hash-based, quantum-secure scheme for creating and verifying signatures based on the Winternitz One-Time-Signature (WOTS) scheme.

Read Article »

Most Popular

Never want to miss a post?

Please submit your e-mail address to be notified about new blog posts.
 
Bitte füllen Sie das Pflichtfeld aus.
Bitte füllen Sie das Pflichtfeld aus.
Bitte füllen Sie das Pflichtfeld aus.

* Mandatory

* Mandatory

By filling out the form you accept our privacy policy.
WordPress Cookie Plugin by Real Cookie Banner