- Conference paper: Approaches and challenges for a single sign-on enabled extranet using Jasig CAS. (Open Identity Summit 2013, 2013). Authors: Holzschuher, Florian; Peinl, René. Editors: Hühnlein, Detlef; Roßnagel, Heiko. Abstract: In this paper we describe our experiences with setting up a single sign-on enabled intranet with open source software and then making it accessible over the internet using a reverse proxy. During this process, we encounter several issues. We describe those, discuss possible solutions and present our final setup.
- Conference paper: An Open eCard Plug-in for accessing the German national Personal Health Record (Open Identity Summit 2013, 2013). Authors: Kuhlisch, Raik; Petrautzki, Dirk; Schmölz, Johannes; Kraufmann, Ben; Thiemer, Florian; Wich, Tobias; Hühnlein, Detlef; Wieland, Thomas. Editors: Hühnlein, Detlef; Roßnagel, Heiko. Abstract: An important future application of the German electronic health card (elektronische Gesundheitskarte, eGK) is the national Personal Health Record (PHR), because it enables a citizen to store and retrieve sensitive medical data in a secure and self-determined manner. As the stored data is encrypted with an eGK-specific certificate and retrieving the encrypted data is only possible after TLS-based authentication, the citizen needs to use a so-called “PHR Citizen Client”, which allows the eGK to be used for strong authentication, authorization, and decryption purposes. Instead of building such an application from scratch, this paper proposes to use the Open eCard App and its extension mechanism for the efficient creation of a PHR Citizen Client by developing an Open eCard Plug-in for accessing the German national Personal Health Record.
- Conference paper: An extensible client platform for eID, signatures and more (Open Identity Summit 2013, 2013). Authors: Wich, Tobias; Horsch, Moritz; Petrautzki, Dirk; Schmölz, Johannes; Hühnlein, Detlef; Wieland, Thomas; Potzernheim, Simon. Editors: Hühnlein, Detlef; Roßnagel, Heiko. Abstract: The present paper introduces an extensible client platform, which can be used for eID, electronic signatures and many more smart card enabled applications.
- Conference paper: Selective LDAP Multi-Master Replication (Open Identity Summit 2013, 2013). Authors: Bauereiss, Thomas; Gohmann, Stefan; Hutter, Dieter; Kläser, Alexander. Editors: Hühnlein, Detlef; Roßnagel, Heiko. Abstract: LDAP directory services are widely used to store and manage information about the assets of organisations and to ease the administration of IT infrastructure. With the popularity of cloud computing many companies start to distribute their computational needs in mixed-cloud infrastructures. However, distributing an LDAP directory including sensitive information to partially trusted cloud servers would constitute a major security risk. In this paper, we describe an LDAP replication mechanism that allows for a fine-grained selection of parts of an LDAP directory tree that are replicated to another server using content-based filters, while maintaining the availability and performance advantages of a full multi-master replication. We discuss sufficient conditions on replication topology and admissible operations such that the replication mechanism provides eventual consistency of selectively replicated data.
- Conference paper: Service providers' requirements for eID solutions: Empirical evidence from the leisure sector (Open Identity Summit 2013, 2013). Authors: Kubach, Michael; Roßnagel, Heiko; Sellung, Rachelle. Editors: Hühnlein, Detlef; Roßnagel, Heiko. Abstract: Although eID technology has undergone several development cycles and eIDs have been issued to citizens of various European countries, it is still not as broadly used as originally expected. One reason is the absence of compelling use cases besides eGovernment. Current research focuses mainly on the needs of the user and technical aspects. The economic perspective is often disregarded. This is especially the case for the service providers that play a fundamental role in the adoption of the technology. The requirements of these stakeholders certainly have to be considered in the development of viable business models. So far, however, little empirical evidence on these requirements exists. We therefore performed a survey-based empirical analysis in two industries from the leisure sector to gain first insights into this topic. Results show that the service providers in our sample don't see a pressing need to change their currently used authentication method. However, they think that certain eID features could be valuable for their services. Our analysis of the hurdles showed that there is no ultimate reason that keeps service providers from implementing the eID technology.
- Edited book: Open Identity Summit 2013 (2013). Editors: Hühnlein, Detlef; Roßnagel, Heiko.
- Conference paper: Unlinkability Support in a Decentralised, Multiple-identity Social Network (Open Identity Summit 2013, 2013). Authors: Thiel, Simon; Hermann, Fabian; Heupel, Marcel; Bourimi, Mohamed. Editors: Hühnlein, Detlef; Roßnagel, Heiko. Abstract: Providing support for unlinkability in a decentralized, multiple-identity social network is a complex task, which requires concepts and solutions on the technical as well as on the user-interface level. Reflecting these diverse levels of an application, this paper presents three scenarios to impede the linkability of multiple identities in decentralized social networking. Solutions cover a communication infrastructure which allows referencing multiple identities; analysis of user content and sharing history to present linkability warnings; and user interface means that allow for a privacy-ensuring management of partial identities. The di.me userware research prototype of the EU FP7-funded digital.me (di.me) project is introduced to show the integration of the solutions accordingly.
- Conference paper: A Novel Set of Measures against Insider Attacks – Sealed Cloud (Open Identity Summit 2013, 2013). Authors: Jäger, Hubert; Monitzer, Arnold; Rieken, Ralf; Ernst, Edmund. Editors: Hühnlein, Detlef; Roßnagel, Heiko. Abstract: Security and privacy have turned out to be major challenges of the further Internet evolution in general and of cloud computing in particular. This paper proposes a novel approach to safeguard against previously unimpeded insider attacks, referred to as Sealed Cloud. A canonical set of technical measures is described, which, in conjunction, sufficiently complicate and thus economically prevent insider access to unencrypted data. This paper shows the advantages versus end-to-end encryption relative to communication services. Another application of the Sealed Cloud, referred to as Sealed Freeze, provides a seminal solution to privacy issues pertaining to data retention.
- Conference paper: Secure Hardware-Based Public Cloud Storage (Open Identity Summit 2013, 2013). Authors: Zwattendorfer, Bernd; Suzic, Bojan; Teufl, Peter; Derler, Andreas. Editors: Hühnlein, Detlef; Roßnagel, Heiko. Abstract: The storage of data on remote systems such as the public cloud opens new challenges in the field of data protection and security of the stored files. One possible solution for meeting these challenges is the encryption of the data at the local device, e.g. desktop, tablet, or smartphone, prior to the data transfer to the remote cloud-based storage. However, this approach bears additional challenges itself, such as secure encryption key management or secure and effective sharing of data in user groups. Including an additional encryption layer and security checks may additionally affect the system's usability, as higher security requirements and a group sharing workflow increase general overhead through the complete organization of processes. To overcome such issues, we propose a solution which is based on highly secure and attack-resistant hardware-based encryption applied through the use of the Austrian citizen card public key infrastructure. As the citizen card infrastructure is already deployed and available to a wide population, the service overhead and additional requirements of our proposed solution are lower in comparison to other approaches, while at the same time synergistic and networking effects of the deployed infrastructure facilitate its usage and further potentials.
- Conference paper: Upcoming specifications from the OpenID Foundation (Open Identity Summit 2013, 2013). Authors: Biering, Henrik; Nennker, Axel. Editors: Hühnlein, Detlef; Roßnagel, Heiko. Abstract: The OpenID Foundation (OIDF) is an international non-profit organization of individuals and companies committed to enabling, promoting and protecting OpenID technologies. Currently OIDF is finalizing the third generation of OpenID Single Sign-On protocols under the brand name “OpenID Connect”. In parallel with this effort OIDF has also launched Working Groups for solving other problems that arise when users interact with an ecosystem of interoperable service providers rather than a single service provider. The presentation will cover the status, features, and benefits of OpenID Connect, Account Chooser, and the Backplane Protocol supplemented by feedback collected from various stakeholder groups.