- Text document: Derived Partial Identities Generated from App Permissions (Open Identity Summit 2017, 2017). Fritsch, Lothar; Momen, Nurul; Fritsch, Lothar; Roßnagel, Heiko; Hühnlein, Detlef. This article presents a model of partial identities derived from app permissions that is based on Pfitzmann and Hansen’s terminology for privacy [PH10]. The article first shows how app permissions accommodate the accumulation of identity attributes for partial digital identities by building a model for identity attribute retrieval through permissions. Then, it presents an experimental survey of partial identity access for selected app groups. By applying the identity attribute retrieval model on the permission access log from the experiment, we show how apps’ permission usage is providing to identity profiling.
- Text document: A Mechanism for Discovery and Verification of Trust Scheme Memberships: The LIGHTest Reference Architecture (Open Identity Summit 2017, 2017). Roßnagel, Heiko; Fritsch, Lothar; Roßnagel, Heiko; Hühnlein, Detlef. Electronic transactions are an integral component of private and business life. For this purpose, a certification of trustworthy electronic identities supported from authorities is often required. Within the EU-funded LIGHTest project, a global trust infrastructure based on DNS is built, where arbitrary authorities can publish their trust information. A high level description of the LIGHTest reference architecture is presented. Then, the Trust Scheme Publication Authority, which enables discovery and verification of trust scheme memberships, is introduced.
- Text document: Towards secure and standard-compliant implementations of the PSD2 Directive (Open Identity Summit 2017, 2017). Wich, Tobias; Nemmert, Daniel; Hühnlein, Detlef; Fritsch, Lothar; Roßnagel, Heiko; Hühnlein, Detlef. The present article provides a compact overview of the most important requirements of the so-called “Payment Services Directive 2” (PSD2) [Di15], together with the related Regulatory Technical Standard on authentication and communication [Eu17] according to Article 98, and outlines how the pivotal “Access-to-Account-Interface” can be securely implemented based on widely acknowledged international standards.
- Text document: An explorative approach on the impact of external and organizational events on information security (Open Identity Summit 2017, 2017). Ajazaj, Ilirjana; Kurowski, Sebastian; Fritsch, Lothar; Roßnagel, Heiko; Hühnlein, Detlef. This contribution aims at the research question on which observable organizational events occur prior to an information security incident, and how these may relate to the organization. It therefore uses a dataset that was built using Google News, and the list of data breaches from [Mc17] to analyse which organizational events occur most often. It provides a categorization of these events, which were built by using a grounded theory approach. On the other hand, causal chains are constructed by using the sociologic system theory and constructivism. Both the causal chains and the organizational event categories are applied together within this contribution to discuss the likelihood of the causalities of the occurred events. However, events such as financial gains also exhibit a higher occurrence prior to an information security incident. This contribution is a speculative, yet first approach on this question. Further research will focus on refining the constructed causalities.
- Text document: Privacy dark patterns in identity management (Open Identity Summit 2017, 2017). Fritsch, Lothar; Fritsch, Lothar; Roßnagel, Heiko; Hühnlein, Detlef. This article presents three privacy dark patterns observed in identity management. Dark patterns are software design patterns that intentionally violate requirements, in the given case privacy requirements for identity management. First, the theoretical background is presented, and then next, the observed patterns are documented, described and formalized. The resulting dark patterns show how security is used as obfuscation of data collection, how the seemingly harmless collection of additional data is advertised to end users, and how the use of anonymization technology is actively discouraged by service providers.
- Text document: Password Assistance (Open Identity Summit 2017, 2017). Horsch, Moritz; Braun, Johannes; Buchmann, Johannes; Fritsch, Lothar; Roßnagel, Heiko; Hühnlein, Detlef. For decades, users are not able to realize secure passwords for their user accounts at Internet services. Users’ passwords need to fulfil general security requirements and the password requirements of services. Furthermore, users need to cope with different password implementations at services. Finally, users need to perform a multitude of tasks to properly manage their large password portfolios. This is practically impossible. In this paper, we introduce the vision of a password assistant. It supports users in all duties and tasks with regard to their passwords, from the creation of secure passwords to the recovery of them in case of loss. Moreover, it provides an extensive automatization of all password tasks that reduces the users’ efforts and activities to deal with passwords to a minimum. A password assistant enables high security for passwords as well as improves their ease of use. First, we provide a detailed description of the problem of users to realize secure passwords for their accounts in practice. Second, we outline the vision of a password assistant, describe its technical foundation, and introduce the related open-source project starting to realize the first password assistant.
- Text document: Towards Privacy-Preserving and User-Centric Identity Management as a Service (Open Identity Summit 2017, 2017). Dash, Pritam; Rabensteiner, Christof; Hörandner, Felix; Roth, Simon; Fritsch, Lothar; Roßnagel, Heiko; Hühnlein, Detlef. Identification, authentication and the exchange of users’ identity information are key factors in protecting access to online services. Especially cost-effectiveness is a considerable incentive to move identity management models into the public cloud. As cloud environments are not fully trusted, the users’ sensitive attributes must not be stored or transmitted in plain, while it still has to be possible to share them. One approach is to employ proxy re-encryption, which enables the identity provider to transform a user’s encrypted attributes into ciphertext for an authorized service provider. However, for adoption, the user’s perspective must not be neglected. In this paper, we propose a user-friendly and user-centric identity management solution that employs cryptographic mechanisms to protect the users’ privacy and keep them in control of the data sharing process. We integrate proxy re-encryption into the widely-adopted OpenID Connect protocol to achieve end-to-end confidentiality. To make this concept user-friendly, we introduce a mobile app that handles the involved cryptographic operations which rely on keys securely stored in a trusted execution environment.
- Text document: A meta-heuristic for access control test data creation in access control model testing (Open Identity Summit 2017, 2017). Winterstetter, Matthias; Kurowski, Sebastian; Fritsch, Lothar; Roßnagel, Heiko; Hühnlein, Detlef. User to Document Access data is in most cases protected and as such difficult to acquire for research purposes. This work seeks to circumvent this problem by creating research data on the basis of reference processes through the evolutionary Algorithm. Data created through this method, while not as accurate as real data, still has its foundation in reality through the reference process and can as such be used as a replacement.
- Text document: Towards a Smart Assistant for Enterprise Availability Management (Open Identity Summit 2017, 2017). Laufs, Uwe; Roßnagel, Heiko; Fritsch, Lothar; Roßnagel, Heiko; Hühnlein, Detlef. In today’s work environment, people are increasingly available because of the vast distribution of smartphones. This leads to a lack of real leisure time without being disturbed by phone calls or e-Mail concerning job issues. In the last few years, several large companies in Germany addressed this issue using more or less successful methods like switching off mail servers after working hours or deleting mails received during holidays [Fa14], [We14]. Though, these methods seem to be either too strict or do not provide an accurate solution for the different needs of the different roles in a company. In project SANDRA, we aim at the development of a smart assistant in order to provide non-disturbed leisure time for employees. The assistant will both delay the delivery of mails based on the content (e.g. natural language processing, deep learning) and on additional information such as roles, holiday, or location. In addition, phone calls can be rejected by the assistant. The project also has a focus on privacy aspects and several legal aspects such as labour management regulations and data protection laws. The development will include enterprises for gathering of requirements, continuous testing and optimisation as well as for the evaluation. For the evaluation of the system, stress levels will be measured based on the heart frequencies of the test users with and without using the system over a longer period of time.
- Text document: A Semantic Data Model for the Development of Secure and Valuable Software (Open Identity Summit 2017, 2017). Horch, Andrea; Laufs, Uwe; Sellung, Rachelle; Fritsch, Lothar; Roßnagel, Heiko; Hühnlein, Detlef. IT security is a crucial non-functional software requirement. Nevertheless, there are several other aspects that a software’s market success depends on. Therefore, it is vital that during the development process software developers consider different disciplines’ needs that essentially add value when going to market such as usability and socio-economics. The project CUES addresses these aspects by developing an interdisciplinary and integrated guidance tool, called the Wizard. The Wizard is designed to support software developers with interdisciplinary knowledge during the software development processes. The core of the Wizard builds a knowledge base, which is based on a semantic data model. While the semantic data model is finished, the Wizard is still undergoing development in the CUES project and is not yet complete. This paper presents the semantic data model as a first project result and as the core element of the Wizard. The proposed data model stores knowledge about software development processes, methods and tools in order to derive problems and corresponding solutions which may occur in real software development processes.