Listing P325 - Open Identity Summit 2022, by date of publication
1 - 10 von 14
- Conference paper: Towards robustness of keyboard-entered authentication factors with thermal wiping against thermographic attacks (Open Identity Summit 2022, 2022). Fritsch, Lothar; Mecaliff, Marie; Opdal, Kathinka W.; Rundgreen, Mathias; Sachse, Toril.
  Many authentication methods use keyboard entry for one of their authentication factors. Keyboard factors have been compromised by exploiting physical fingerprints, substances from fingers visible on keys, acoustic recordings made with mobile phones, and video reflections captured by the high-resolution cameras used for video conferencing. Heat transfer from human fingers to keypads is an additional attack channel that has been demonstrated. Few mitigation measures against this type of attack have been published. This article summarizes the feasibility of thermographic attacks against computer keyboards and against door PIN pads, as well as the efficiency of the scrubbing technique deployed to counter thermographic attacks. For this purpose, a series of experiments with small, mobile thermal cameras was carried out. We report findings such as time intervals and other constraints for successful laboratory observation of authentication factors, describe scrubbing methods, and report the performance of those methods.
- Conference paper: Risk variance: Towards a definition of varying outcomes of IT security risk assessment (Open Identity Summit 2022, 2022). Kurowski, Sebastian; Schunck, Christian H.
  Assessing IT-security risks in order to achieve adequate and efficient protection measures has become the core idea of various industry practices and regulatory frameworks in the last five years. Some research, however, suggests that the practice of assessing IT security risks may be subject to varying outcomes depending on personal, situational and contextual factors. In this contribution we first provide a definition of risk variance as the variation of risk assessment outcomes due to individual traits, the processual environment, the domain of the assessor, and possibly the target of the assessed risk. We then present the outcome of an interview series with 9 decision makers from different companies that aimed at discussing whether risk variance is an issue in their risk assessment procedures. Finally, we elaborate on the generalizability of the concept of risk variance, despite the low sample size, in light of the varying risk assessment procedures discussed in the interviews. We find that risk variance could be a general problem of current risk assessment procedures.
- Conference paper: Preservation of (higher) Trustworthiness in IAM for distributed workflows and systems based on eIDAS (Open Identity Summit 2022, 2022). Strack, H.; Karius, S.; Gollnick, M.; Lips, M.; Wefel, S.; Altschaffel, R.
  The secure digitalisation of distributed workflows with different stakeholders (and trust relationships) using systems from different stakeholder domains is of increasing interest. Just one example is the workflow/policy area of student mobility. Others are from public administration and from economic sectors. According to the eIDAS regulation, eID and trust services (TS) are available across the EU - with EUid and wallets upcoming (eIDAS 2.0) - to improve security aspects (providing interoperability or standards). We present some security enhancements to maintain higher trustworthiness in Identity and Access Management (IAM) services for different policy areas with mandatory, owner-based and self-sovereign control aspects - based on eIDAS and different standards and the integration of views/results from deployed or ongoing projects (EMREX/ELMO, Europass/EDCI, eIDAS, EUid, Verifiable Credentials, NBP initiative, OZG implementation, Self-Sovereign Identities SSI, RBAC, ABAC, DAC/MAC, IPv6) and a trustistor.
- Conference paper: Continuous authorization over HTTP using Verifiable Credentials and OAuth 2.0 (Open Identity Summit 2022, 2022). Fotiou, Nikos; Faltaka, Evgenia; Kalos, Vasilis; Kefala, Anna; Pittaras, Iakovos; Siris, Vasilios A.; Polyzos, George C.
  We design, implement, and evaluate a solution for achieving continuous authorization of HTTP requests exploiting Verifiable Credentials (VCs) and OAuth 2.0. Specifically, we develop a VC issuer that acts as an OAuth 2.0 authorization server, a VC verifier that transparently protects HTTP-based resources, and a VC wallet implemented as a browser extension capable of injecting the necessary authentication data into HTTP requests without needing user intervention. Our approach is motivated by recent security paradigms, such as the Zero Trust architecture, that require authentication and authorization of every request, and it is tailored for HTTP-based services accessed using a web browser. Our solution leverages JSON Web Tokens and JSON Web Signatures for encoding VCs and protecting their integrity, achieving interoperability and security in this way. VCs in our system are bound to a user-controlled public key or a Decentralized Identifier, and mechanisms for proving possession are provided. Finally, VCs can be easily revoked.
- Conference paper: A user-centric approach to IT-security risk analysis for an identity management solution (Open Identity Summit 2022, 2022). Fähnrich, Nicolas; Winterstetter, Matthias; Kubach, Michael.
  In order to build identity management (IdM) solutions that are secure in the practical application context, a holistic approach to their IT-security risk analysis is required. This complements the indispensable technical and crypto-focused analysis of risks and vulnerabilities with an approach that puts another important vector for security in the center: the users and their usage of the technology over the whole lifecycle. In our short paper we focus exclusively on the user-centric approach and present an IT-security risk analysis that is structured around the IdM lifecycle.
- Conference paper: Flexible Method for Supporting OAuth 2.0 Based Security Profiles in Keycloak (Open Identity Summit 2022, 2022). Norimatsu, Takashi; Nakamura, Yuichi; Yamauchi, Toshihiro.
  Keycloak is open-source identity and access control software. When it is used for open banking, where many OAuth 2.0 clients need to be managed and a different OAuth 2.0-based security profile needs to be applied to each type of API, the problem of increasing managerial costs for the Keycloak administrator occurs, because Keycloak's security profile logic depends on the client settings and the logic cannot be changed for each client's request. This paper proposes a solution by separating the security profile logic from the client settings and by changing the security profile for each client's request based on the content of the request; actual Financial-grade API (FAPI) security profiles are implemented in Keycloak. The paper calculates managerial costs for both the existing and the proposed method in scenarios managing FAPI, and compares the results. The comparison shows that using the proposed method reduces costs. Our implementations are contributed to Keycloak.
- Conference paper: A novel approach to establish trust in verifiable credential issuers in Self-sovereign identity ecosystems using TRAIN (Open Identity Summit 2022, 2022). Johnson Jeyakumar, Isaac H.; Chadwick, David W.; Kubach, Michael.
  Self-sovereign identity (SSI) promises to bring decentralized, privacy-friendly identity management (IdM) ecosystems to everyone. Yet, trust management in SSI remains challenging. In particular, it lacks a holistic approach that combines trust and governance frameworks. A practical and scalable mechanism is needed for verifiers to externally verify their trust in credential issuers. This paper illustrates how TRAIN (Trust mAnagement INfrastructure), an approach based on established components like ETSI trust lists and the Domain Name System (DNS), can be used as a trust registry component to provide a holistic approach for trust management in SSI ecosystems. TRAIN facilitates individual trust decisions through the discovery of trust lists in SSI ecosystems, along with published credential schemas, so that verifiers can make informed trust decisions about issued credentials.
- Conference paper: Combination of x509 and DID/VC for inheritance properties of trust in digital identities (Open Identity Summit 2022, 2022). Bastian, Paul; Stöcker, Carsten; Schwalm, Steffen.
  The proposal for review of the eIDAS Regulation from 2021 has opened strong expectations for a deep change in traditional identity models. The proposed user-centric identity model starts with the creation of European Digital Identity Wallets that will enable citizens' control over their data in identification and authentication processes without control by entities providing the identification services. Likewise, digital identities and digital signatures are in place, and interoperability between existing solutions, mainly based on x509 certificates, and decentralized PKI using DID/VC is foreseeable. The paper provides various options to address different aspects of combining x509 and DID/VC approaches.
- Conference paper: Corporate Digital Responsibility and the current Corporate Social Responsibility standard: An analysis of applicability (Open Identity Summit 2022, 2022). Carl, K. Valerie; Zilcher, Timothy M. C.; Hinz, Oliver.
  Corporate Digital Responsibility (CDR) takes a key role in developing, deploying, and managing digital technologies, products, and services responsibly and ethically. New technologies offer new chances but also expose new threats, especially related to privacy and data security, that managers need to cope with. CDR puts privacy and data security efforts in a broader context to provide a more holistic approach to Corporate Responsibilities and to strengthen consumer trust in corporate activities. However, managers still face a lack of CDR guidelines that support the implementation of CDR activities. Existing guidelines related to Corporate Responsibilities, like the ISO standard 26000, provide guidance on Corporate Social Responsibility (CSR) addressing socially responsible and sustainable behaviour. However, current standards do not cover CDR directly. As such, the purpose of this contribution is to evaluate the applicability of the existing CSR standard to CDR, to pave the way for CDR standardization in the future.
- Conference paper: Open Identity Summit 2022, LNI Volume P325 Complete (Open Identity Summit 2022, 2022).