Listing by author "Kuhlisch, Raik"
1 - 10 of 15
- Conference paper: Aligning ABAC policies with information security policies using controlled vocabulary (2016). Kuhlisch, Raik; Bittins, Sören. Attribute-based Access Control (ABAC) policies are based on mutually processable policy attributes. Assigned permissions in such policies need to be reflected or combined with organisational constraints. Best practice in information security dictates having the operational need to access a particular information artifact independent from the function of the specific application systems. Consequently, any policy regulating the behaviour towards information access must adhere to a minimum degree of mutual semantic expressiveness to be combined and processed with the matching ABAC policy. We show how to detect policy attribute conflicts between ABAC policies and information access policies by means of controlled vocabulary and Semantic Web technologies.
- Conference paper: Automatic recognition, processing and attacking of single sign-on protocols with Burp Suite (Open Identity Summit 2015, 2015). Mainka, Christian; Mladenov, Vladislav; Guenther, Tim; Schwenk, Jörg. SAML, Mozilla BrowserID, OpenID, OpenID Connect, Facebook Connect, Microsoft Account, OAuth: today's web applications support a large set of Single Sign-On (SSO) solutions. Some of them have common properties and behavior, others are completely different. This paper gives an overview of modern SSO protocols. We classify them into two groups and show how to distinguish them from each other. We provide EsPReSSO, an open source Burp Suite plugin that identifies SSO protocols automatically in a browser's HTTP traffic and helps penetration testers and security auditors to manipulate SSO flows easily.
- Conference paper: Deklarative Sicherheit zur Spezifikation und Implementierung der elektronischen Fallakte (Declarative security for the specification and implementation of the electronic case record) (perspeGKtive 2010. Workshop „Innovative und sichere Informationstechnologie für das Gesundheitswesen von morgen“, 2010). Kuhlisch, Raik; Caumanns, Jörg. Applications for cross-sector communication in healthcare represent large investments with often uncertain market potential for their operators (e.g. hospitals). It is therefore essential that services, once built, can be shared and reused by a large number of applications. Using the electronic case record (elektronische Fallakte, eFA) as an example, this paper shows how concepts of declarative security help to adapt existing services flexibly to changing security requirements, or to use them in parallel in different security contexts.
- Conference paper: Economic issues of federated identity management - an estimation of the costs of identity lifecycle management in inter-organisational information exchange using transaction cost theory (Open Identity Summit 2015, 2015). Kurowski, Sebastian. Inter-organisational data exchange is common in inter-organisational value chains. Currently, information-providing organisations enrol users of suppliers in order to enable them to access their services and information. This leaves some users with the issue of handling multiple credentials, introducing risks of password reuse [Iv04] and weak passwords [Ne94]. Federated identity management eases this scenario by enabling users to authenticate against their organisation's identity provider [Hü10]. However, the costs involved in managing the underlying identity and rights lifecycle have hardly been considered. This paper addresses this gap by using principal-agent theory and transaction cost theory, structuring the identity lifecycle using [BS08] [IS05] [IS10], and estimating the management costs. We finally analyse the economic benefits of federated identity management in inter-organisational information exchange. We find that while process costs for executing the identity lifecycle are reduced for the information provider by introducing federated identity management, the control costs reduce, and in one case even diminish, this cost benefit. We briefly discuss our findings and conclude that further mechanisms and research are required to reduce the effort in auditing, in order to fully unlock the security and economic benefits of federated identity management.
- Conference paper: Evaluating complex identity management systems - the FutureID approach (Open Identity Summit 2015, 2015). Sellung, Rachelle; Roßnagel, Heiko. This in-progress paper discusses the importance of evaluation methods in complex large-scale projects, specifically those regarding identity management systems and electronic identities (eIDs). It depicts the advantages of using a Design Science methodological framework approach and shows how the EU project FutureID has utilized this methodology to bring multiple disciplines' perspectives together in a harmonized evaluation.
- Conference paper: Identity management and cloud computing in the automotive industry: first empirical results from a quantitative survey (Open Identity Summit 2015, 2015). Fähnrich, Nicolas; Kubach, Michael. The automotive industry forms a complex network of original equipment manufacturers and suppliers that requires a high level of cooperation in development projects. Therefore, an efficient identity management system is needed to control access to exchanged data and collaboratively used IT solutions supporting the development process. One of the main requirements for this system is the reliable authentication of engineers of various companies with different credentials. The SkIDentity project, which aims at building trusted identities for the cloud, addresses this scenario. In this context, we carried out a quantitative survey to investigate the diffusion and adoption of cloud computing and identity management technologies. First results are presented in this paper and show that although cloud computing is used by approximately half of the companies in the sample, trust in this technology drops significantly as the number of involved parties increases. Regarding identity management systems, we found a similar effect. Company-wide identity management systems are used by the majority of the companies, but cross-company solutions are not adopted to this extent. Further scrutiny identified a lack of motivation as one of the main reasons for the low diffusion of this technology.
- Conference paper: Innovative building blocks for versatile authentication within the SkIDentity Service (Open Identity Summit 2015, 2015). Hühnlein, Detlef; Tuengerthal, Max; Wich, Tobias; Hühnlein, Tina; Biallowons, Benedikt. Accepting arbitrary electronic identity cards (eIDs) and similar authenticators in cloud and web applications has been a challenging task. Thanks to the multiply awarded 'SkIDentity Service', this has changed recently. This versatile authentication infrastructure combines open technologies, international eID standards and the latest research results with respect to trusted cloud computing in order to offer electronic identification and strong authentication in the form of a trustworthy, simple to use and cost-efficient cloud computing service, which supports various European eIDs as well as alternative authenticators such as those proposed by the FIDO Alliance. The present contribution exposes innovative and patent-pending building blocks of the SkIDentity Service: (1) the 'Identity Broker', which eases the integration of authentication, authorization, federation and application services and in particular makes it possible to derive secure credentials from conventional eID cards, which can for example be transferred to mobile devices; (2) the 'Universal Authentication Service' (UAS), which can execute arbitrary authentication protocols specified in the recently introduced 'Authentication Protocol Specification' (APS) language; (3) the 'Cloud Connector', which eases the integration of federation protocols into web applications; and last but not least (4) the 'SkIDentity Self-Service Portal', which makes it extremely easy for Service Providers to configure the necessary parameters in order to connect with the SkIDentity Service and use strong authentication in their individual applications.
- Conference paper: An Open eCard Plug-in for accessing the German national Personal Health Record (Open Identity Summit 2013, 2013). Kuhlisch, Raik; Petrautzki, Dirk; Schmölz, Johannes; Kraufmann, Ben; Thiemer, Florian; Wich, Tobias; Hühnlein, Detlef; Wieland, Thomas. An important future application of the German electronic health card (elektronische Gesundheitskarte, eGK) is the national Personal Health Record (PHR), because it enables a citizen to store and retrieve sensitive medical data in a secure and self-determined manner. As the stored data is encrypted with an eGK-specific certificate and retrieving the encrypted data is only possible after TLS-based authentication, the citizen needs to use a so-called "PHR Citizen Client", which allows the eGK to be used for strong authentication, authorization, and decryption purposes. Instead of building such an application from scratch, this paper proposes to use the Open eCard App and its extension mechanism for the efficient creation of a PHR Citizen Client by developing an Open eCard Plug-in for accessing the German national Personal Health Record.
- Edited book: Open Identity Summit 2015 (2015).
- Conference paper: Proxied authentication in single sign-on setups with common open source systems - an empirical survey (Open Identity Summit 2015, 2015). Peinl, René; Holzschuher, Florian. The paper presents results from an empirical study about the use of a single sign-on (SSO) system in an integrated open source system landscape for supporting team collaboration. A portal solution, enterprise content management system, groupware, business process management and enterprise search engine are used. The investigation shows that although it is easy to achieve SSO with the web-based user interfaces of the information systems used, none of the systems was prepared to pass authentication tokens to the API of an integrated system, or to accept SSO tokens instead of username/password pairs for authentication against the API. Different alternatives for achieving the desired functionality are presented, and a recommendation for improving the affected information systems is derived.