- Conference contribution: Topology of dynamic metadata exchange via a trusted third party (Open Identity Summit 2015, 2015). Pöhn, Daniela; Hühnlein, Detlef; Roßnagel, Heiko; Kuhlisch, Raik; Ziesing, Jan.
  Federated Identity Management is an effective technology that allows multiple organizations to share resources. Deployments of the Security Assertion Markup Language (SAML) protocol practically require the pre-exchange of aggregated metadata files, which confines federations to fixed trust boundaries. Dynamic metadata exchange between identity provider and service provider via a trusted third party (TTP) overcomes these barriers. In this paper, we contrast dynamic metadata exchange with other state-of-the-art approaches and present the topology of the dynamic metadata exchange via a TTP. Furthermore, a distributed dynamic metadata exchange is proposed, in order to enhance the current protocol and provide a scalable solution for large-scale infrastructures.
- Conference contribution: Evaluating complex identity management systems - the FutureID approach (Open Identity Summit 2015, 2015). Sellung, Rachelle; Roßnagel, Heiko; Hühnlein, Detlef; Roßnagel, Heiko; Kuhlisch, Raik; Ziesing, Jan.
  This in-progress paper discusses the importance of evaluation methods in complex large-scale projects, specifically those regarding identity management systems and electronic identities (eIDs). It depicts the advantages of using a Design Science methodological framework and shows how the EU project FutureID has utilized this methodology to bring the perspectives of multiple disciplines together in a harmonized evaluation.
- Conference contribution: Automatic recognition, processing and attacking of single sign-on protocols with Burp Suite (Open Identity Summit 2015, 2015). Mainka, Christian; Mladenov, Vladislav; Guenther, Tim; Schwenk, Jörg; Hühnlein, Detlef; Roßnagel, Heiko; Kuhlisch, Raik; Ziesing, Jan.
  SAML, Mozilla BrowserID, OpenID, OpenID Connect, Facebook Connect, Microsoft Account, OAuth - today's web applications support a large set of Single Sign-On (SSO) solutions. Some of them have common properties and behavior; others are completely different. This paper gives an overview of modern SSO protocols. We classify them into two groups and show how to distinguish them from each other. We provide EsPReSSO, an open source Burp Suite plugin that identifies SSO protocols automatically in a browser's HTTP traffic and helps penetration testers and security auditors to manipulate SSO flows easily.
- Conference contribution: Quality management in open source projects - experiences from the Open eCard project (Open Identity Summit 2015, 2015). Nemmert, Daniel; Haase, Hans-Martin; Hühnlein, Detlef; Wich, Tobias; Hühnlein, Detlef; Roßnagel, Heiko; Kuhlisch, Raik; Ziesing, Jan.
  Open Source Software (OSS) has immensely increased in popularity over the years, and it is well known that software with public access to the sources is on average less error-prone than closed source software, especially if the project is supported by a large community which peer-reviews the sources [Kua02]. For new and smaller projects, however, there is no large community yet, and hence achieving and maintaining sufficient product quality is challenging. Against this background, the present paper discusses aspects of product quality management for OSS in general and shares the experiences gathered in the Open eCard project, which has developed an ISO/IEC 24727-based eID client.
- Conference contribution: Innovative building blocks for versatile authentication within the SkIDentity service (Open Identity Summit 2015, 2015). Hühnlein, Detlef; Tuengerthal, Max; Wich, Tobias; Hühnlein, Tina; Biallowons, Benedikt; Hühnlein, Detlef; Roßnagel, Heiko; Kuhlisch, Raik; Ziesing, Jan.
  Accepting arbitrary electronic identity cards (eIDs) and similar authenticators in cloud and web applications has been a challenging task. Thanks to the multiply awarded 'SkIDentity Service' this has changed recently. This versatile authentication infrastructure combines open technologies, international eID standards and the latest research results on trusted cloud computing in order to offer electronic identification and strong authentication in the form of a trustworthy, simple-to-use and cost-efficient cloud computing service, which supports various European eIDs as well as alternative authenticators such as those proposed by the FIDO Alliance. The present contribution exposes innovative and patent-pending building blocks of the SkIDentity Service:
  (1) The 'Identity Broker', which eases the integration of authentication, authorization, federation and application services and in particular allows deriving secure credentials from conventional eID cards, which can, for example, be transferred to mobile devices.
  (2) The 'Universal Authentication Service' (UAS), which allows executing arbitrary authentication protocols specified in the recently introduced 'Authentication Protocol Specification' (APS) language.
  (3) The 'Cloud Connector', which eases the integration of federation protocols into web applications.
  (4) The 'SkIDentity Self-Service Portal', which makes it extremely easy for Service Providers to configure the necessary parameters in order to connect with the SkIDentity Service and use strong authentication in their individual applications.
- Conference contribution: Towards a secure cloud usage for financial IT (Open Identity Summit 2015, 2015). Hilbrich, Marcus; Petrlic, Ronald; Becker, Steffen; Hühnlein, Detlef; Roßnagel, Heiko; Kuhlisch, Raik; Ziesing, Jan.
  Cloud Computing and Big Data are the current hot topics in research and industry. Based on the enormous amount of preliminary work, ranging from grid and distributed computing to data mining and clustering, to name only a few approaches, cloud computing has become a de facto standard for computing in general and data-intensive industry tasks in particular. Thus, a lot of questions about how to develop and implement such systems are already answered, but nonetheless there is reservation about adopting such techniques in some business areas. Most of the reservations are due to security reasons, as in certain areas, like the banking sector or the health industry, high levels of security standards have been met for decades and those standards must not be weakened. This is the reason why we investigate, closely together with partners from industry, how to overcome security concerns in the adoption of cloud computing in the financial industry. This paper gives an introduction to our strategies.
- Conference contribution: SSEDIC.2020 on mobile eID (Open Identity Summit 2015, 2015). Kubach, Michael; Leitold, Herbert; Roßnagel, Heiko; Schunck, Christian H.; Talamo, Maurizio; Hühnlein, Detlef; Roßnagel, Heiko; Kuhlisch, Raik; Ziesing, Jan.
  Mobile electronic identity (eID) management solutions are on the rise worldwide and see a rapid take-up by stakeholders. In this paper, experts from the SSEDIC.2020 network study and review the status of mobile eID deployment and use in e-government as well as industry, with a focus on Europe. The findings demonstrate that mobile eID solutions have the potential to become a major means of digital identification, but significant efforts must still be made to drive broad adoption across European member states, to guide secure integration of mobile solutions in industry and to arrive at dedicated standards.
- Conference contribution: Proxied authentication in single sign-on setups with common open source systems - an empirical survey (Open Identity Summit 2015, 2015). Peinl, René; Holzschuher, Florian; Hühnlein, Detlef; Roßnagel, Heiko; Kuhlisch, Raik; Ziesing, Jan.
  The paper presents results from an empirical study about the use of a single sign-on (SSO) system in an integrated open source system landscape for supporting team collaboration. A portal solution, an enterprise content management system, groupware, business process management and an enterprise search engine are used. The investigation shows that although it is easy to achieve SSO with the Web-based user interfaces of the information systems used, none of the systems was prepared to pass authentication tokens to the API of an integrated system, or to accept SSO tokens instead of username/password pairs for authentication against its own API. Different alternatives for achieving the desired functionality are presented, and a recommendation for improvement of the affected information systems is derived.
- Conference contribution: Identity management and cloud computing in the automotive industry: first empirical results from a quantitative survey (Open Identity Summit 2015, 2015). Fähnrich, Nicolas; Kubach, Michael; Hühnlein, Detlef; Roßnagel, Heiko; Kuhlisch, Raik; Ziesing, Jan.
  The automotive industry forms a complex network of original equipment manufacturers and suppliers that requires a high level of cooperation in development projects. Therefore, an efficient identity management system is needed to control access to exchanged data and to collaboratively used IT solutions supporting the development process. One of the main requirements for this system is the reliable authentication of engineers from various companies with different credentials. The SkIDentity project, which aims at building trusted identities for the cloud, addresses this scenario. In this context, we carried out a quantitative survey to investigate the diffusion and adoption of cloud computing and identity management technologies. First results are presented in this paper: although cloud computing is used by approximately half of the companies in the sample, trust in this technology drops significantly as the number of involved parties increases. Regarding identity management systems, we found a similar effect. Company-wide identity management systems are used by the majority of the companies, but cross-company solutions are not adopted to this extent. Further scrutiny identified a lack of motivation as one of the main reasons for the low diffusion of this technology.
- Conference contribution: Using proxy re-encryption for secure data management in an ambient assisted living application (Open Identity Summit 2015, 2015). Zach, Hannes; Peinsold, Philip; Winter, Johannes; Danner, Peter; Hatzl, Jakob; Hühnlein, Detlef; Roßnagel, Heiko; Kuhlisch, Raik; Ziesing, Jan.
  Whenever applications process sensitive user data, secure storage and distribution play a key role. This paper points out the security demands of an Ambient Assisted Living (AAL) application and demonstrates the use of proxy re-encryption in order to fulfil its security requirements for storage and distribution of sensitive data. Because AAL systems often exhibit the same security needs as the application developed in the presented project, the described implementation can serve as a point of reference for similar projects.