- Conference paper: ENX ID - an architecture for practical and secure cross-company authentication (Open Identity Summit 2014, 2014). Kubach, Michael; Roßnagel, Heiko; Oly, Lennart; Wehrenberg, Immo; Hühnlein, Detlef; Roßnagel, Heiko. This paper introduces a development approach and a novel architecture for cross-company identity management and authentication. It aims to design an architecture which is practically implementable in the highly collaborative environment that exists in the automotive industry. The paper sketches the market research conducted to obtain such a model and presents an architecture design based on a trusted intermediary.
- Conference paper: Towards a privacy-preserving inspection process for authentication solutions with conditional identification (Open Identity Summit 2014, 2014). Bieker, Felix; Hansen, Marit; Zwingelberg, Harald; Hühnlein, Detlef; Roßnagel, Heiko. Anonymous, yet accountable authentication solutions such as privacy-enhancing attribute-based credentials not only provide various privacy features, but also contain an option of conditional identification of specific attributes of the user. While the technical functionality of this so-called inspection is available, it has not yet been examined how the inspection operation can be embedded in the organizational framework of a service provider and which inspection grounds have to be considered. This text proposes a model inspection process with clearly defined roles and workflows derived from legal obligations and guidelines from European primary law and the EU data protection regime. Thereby, the implementation of privacy-preserving authentication solutions in practice is facilitated, as has been shown in a pilot of an online communication platform in a Swedish school.
- Conference paper: Making authentication stronger and more cost efficient with web of trust (Open Identity Summit 2014, 2014). Hulsebosch, Bob; Wegdam, Maarten; Oostdijk, Martijn; Dijk, Joost Van; Poortinga-Van Wijnen, Remco; Hühnlein, Detlef; Roßnagel, Heiko. Solid registration processes for identity registration, including proofing, vetting and binding, are essential for strong authentication solutions. Solid typically implies a face-to-face component in the registration process, which is expensive and not user friendly. Alternatives that rely on remote registration often result in weak binding or are overly complex. We propose a web of trust approach in which users can indicate trust in the identity of other users. It combines the best of remote and physical registration practices. There is no need for a physical registration desk, as other users in the web of trust take over the identification task. This paper describes how to achieve web of trust enhanced authentication assurance.
- Conference paper: Secure and trustworthy file sharing over cloud storage using eID tokens (Open Identity Summit 2014, 2014). Duarte, Eduardo; Pinheiro, Filipe; Zúquete, André; Gomes, Hélder; Hühnlein, Detlef; Roßnagel, Heiko. This paper presents a multi-platform, open-source application that aims to protect data stored and shared in existing cloud storage services. The access to the cryptographic material used to protect data is implemented using the identification and authentication functionalities of national electronic identity (eID) tokens. All peer-to-peer dialogs to exchange cryptographic material are implemented using the cloud storage facilities. Furthermore, we have included a set of mechanisms to prevent files from being permanently lost or damaged due to concurrent modification, deletion and malicious tampering. We have implemented a prototype in Java that is agnostic with respect to cloud storage providers; it only manages local folders, one of them being the local image of a cloud folder. We have successfully tested our prototype on Windows, Mac OS X and Linux, with Dropbox, OneDrive, Google Drive and SugarSync.
- Conference paper: Secure cloud computing with SkIDentity: A cloud-teamroom for the automotive industry (Open Identity Summit 2014, 2014). Kubach, Michael; Özmü, Eray; Flach, Guntram; Hühnlein, Detlef; Roßnagel, Heiko. A major security challenge in the automotive industry is to enable secure and flexible engineering cooperation with changing partners in complex development projects. Therefore, effective inter-organizational identity management is needed to control access to cooperative development platforms. This identity management has to be based on reliable identification of engineers of various partners with different credentials. The SkIDentity project, which aims to build trusted identities for the cloud, addresses this scenario. By integrating the existing components, services and trust infrastructures into a comprehensive, legally valid and economically viable identity infrastructure, the technology makes it possible to provide trusted identities for the cloud and to secure complete business processes and value chains. One pilot application of the project is the “Cloud-Teamroom for the Automotive Industry”. It is adjusted to the specific requirements of the value chains in the automotive industry. Thanks to the SkIDentity technology, and via the so-called eID-Broker, engineers from different partners can access the Cloud-Teamroom. For the required strong authentication they can use the credentials that are already available in their company. This paper presents the SkIDentity technology and exemplifies it by means of the pilot application.
- Conference paper: eIDAS as guideline for the development of a pan-European eID framework in FutureID (Open Identity Summit 2014, 2014). Cuijpers, Colette; Schroers, Jessica; Hühnlein, Detlef; Roßnagel, Heiko. This paper addresses the Regulation on Electronic transactions in the internal market: electronic identification and trust services (eIDAS) and analyses this regulatory framework in relation to the pan-European eID infrastructure being developed in the FutureID project. The aim of this paper is to identify whether eIDAS sets forth any legal requirements that need to be implemented in the FutureID infrastructure. Even though the focus of this paper is on the development of the FutureID infrastructure, the description of eIDAS and the analysis of its main requirements for technical developers are in general relevant to the development of online identification and authentication schemes.
- Conference paper: Towards a seamless digital Europe: the SSEDIC recommendations on digital identity management (Open Identity Summit 2014, 2014). Talamo, Maurizio; Ramachandran, Selvakumar; Barchiesi, Maria-Laura; Merella, Daniela; Schunck, Christian; Hühnlein, Detlef; Roßnagel, Heiko. The SSEDIC (“Scoping the Single European Digital Identity Community”) thematic network has concluded an intensive 3-year consultation period together with over 200 European and international digital identity management experts and many stakeholder organizations to establish recommendations that address key issues regarding the usability and interoperability of electronic identity management solutions. The resulting recommendations are presented in this paper and should support the European Commission as well as other public and private stakeholders in setting priorities for the path towards a Single European Digital Identity Community and Horizon 2020. The key areas that need to be addressed as a priority are: mobile identity, attribute usage, authentication, and liability.
- Conference paper: Strengthening Web Authentication through TLS - Beyond TLS Client Certificates (Open Identity Summit 2014, 2014). Mayer, Andreas; Mladenov, Vladislav; Schwenk, Jörg; Feldmann, Florian; Meyer, Christopher; Hühnlein, Detlef; Roßnagel, Heiko. Even though novel identification techniques like Single Sign-On (SSO) are on the rise, stealing the credentials used for authentication is still possible. This situation can only be changed if we make novel use of the single cryptographic functionality a web browser offers, namely TLS. Although the use of client certificates for initial login has a long history, only two approaches to integrate TLS in the session cookie mechanism have been proposed so far: Origin Bound Client Certificates in [DCBW12], and the Strong Locked Same Origin Policy (SLSOP) in [KSTW07]. In this paper, we propose a third method based on the TLS-unique API proposed in RFC 5929 [AWZ10]: a single TLS session is uniquely identified through each of the two Finished messages exchanged during the TLS handshake, and RFC 5929 proposes to make the first Finished message available to higher-layer protocols through a novel browser API. We show how this API can be used to strengthen all commonly used types of authentication, ranging from simple password-based authentication and SSO to session cookie binding.
- Conference paper: A DNSSEC-based trust infrastructure (Open Identity Summit 2014, 2014). Bruegger, Bud P.; Özmü, Eray; Hühnlein, Detlef; Roßnagel, Heiko. The management of trust issues is central to a wide variety of digital systems, including systems dealing with electronic signatures, authentication, or signing of applications. The common approach to trust management is the use of possibly signed trust lists and trust stores that enumerate trusted issuers. This approach fails to scale well and is thus unsuited for the implementation of larger trust infrastructures, as, for example, in support of a regional authentication infrastructure that enables a marketplace of services. This paper proposes to use the domain name system (DNS) with its security extensions (DNSSEC) as a base for the creation of a globally scalable and flexible trust infrastructure. As opposed to trust lists or stores, this also provides a vehicle for the efficient and secure dissemination of trust information among stakeholders.
- Conference paper: Using a WhatsApp vulnerability for profiling individuals (Open Identity Summit 2014, 2014). Kurowski, Sebastian; Hühnlein, Detlef; Roßnagel, Heiko. This paper aims at raising awareness of the issue of using unfixed vulnerabilities for targeted attacks in order to harvest private or even corporate information. We demonstrate an attack by using a well-known, yet not fixed, WhatsApp vulnerability, enabling us to eavesdrop on the cell-phone number of a victim. We identified the concrete states in which WhatsApp leaks the cell-phone number of a victim. By using a volunteering individual, we demonstrate the feasibility of profiling the individual and provide further steps on how to disclose private and corporate information by using the leaked cell-phone number and the profiled information to introduce the adversary into a trust relationship with the victim. Once the victim trusts the adversary, social phishing can be used to retrieve further private or even corporate information.