Norbert Pohlmann

Security Analysis of OpenID, followed by a Reference Implementation of an nPA-based OpenID Provider

OpenID is an open, decentralized and URL-based standard for Single Sign-On (SSO) on the Internet. In addition, the new electronic identity card (“Neuer Personalausweis”, nPA) will be introduced in Germany in November 2010. This work shows the problems associated with OpenID and addresses possible solutions. There is also a discussion on how to improve the OpenID protocol by the combination of the nPA respectively the Restricted Identification (RI) with an OpenID identity. The concept of an OpenID provider with nPA support will be presented together with its precondition. The added value created by the combination of the two technologies nPA and OpenID in different directions is discussed.

Internet Early Warning System: The Global View

The constantly growing importance of the Internet for our knowledge and information society makes it necessary to analyze and be acquainted with its status beyond the limits of the individual network operators. Only precise knowledge of the normal status makes it possible to detect anomalies which influence the functionality of the Internet.

Objectives and Added Value of an Internet Key Figure System for Germany

This work is motivated by the fact that the Internet can be seen as a critical infrastructure, whose on-going operation is particularly worth protecting. Problematic when considering the state of the Internet are two things: On the one hand, there are many dependencies in the context of the Internet, on the other hand there are only a few key figures that allow comprehensive statements. In the course of this work, a Key Figure System will be described in which the control object is the Internet by itself. The complex structure of the Internet is to be made more transparent and the condition, changes and future potential are to be expressed. In addition to the various objectives that are to be achieved during the design and implementation of such an Internet Key Figure System, this work describes the problems that have to be solved. These are less technical, but in fact organisational and legal nature. Each Key Figure System requires a control object, that is a clearly defined scope, which the data collection, data processing and data visualisation refer to. In the following the definition of an „Internet Germany“ is given and the appropriate stakeholder and criteria are described. This work concludes with an explanation of the different added value of an Internet Key Figure System for the various addressees.

Integrity Check of Remote Computer Systems Trusted Network Connect

The economic dependence on fast and inexpensive exchange of information that has arisen as a result of globalisation is leading to ever increasing levels of networking. The internet provides a communication infrastructure that is available worldwide. However, it does not provide for trustworthy communication, as it is not possible to assess the computer systems in the network with respect to their system integrity and trustworthiness. The same also applies to intranets. Visitors and field workers who use their computer systems both inside and outside the company network represent a threat to the company through these computer systems. By using the computer systems outside the company network they are also working outside the protective measures and control area of the company’s IT. Solution approaches such as Trusted Network Connect (TNC) provide methods for determining the integrity of end points which serve as a basis for trustworthy communication. The configurations of the end points can be measured on both the software and hardware level. It is possible to realise policy-controlled access control through the reconciliation of defined safety rules.

Secure Communication and Digital Sovereignty in Europe

Recent discussions about the weakening of Europe’s digital sovereignty have highlighted the fundamental importance of integrity and trustworthiness of Internet communication and services.

Draft of a Dynamic Malware Detection System on Trustworthy Endpoints

Malware infected computer systems can be found with increasing evidence in private and commercial fields of use. Always exposed to the risk of a “Lying End-Point”, an already manipulated security application that pretends to run on a clean computer system, the demand for new security solutions continues to rise. Project iTES (“innovative Trustworthy Endpoint Security”), government-funded by the German Federal Ministry of Education and Research, introduces a new system to enhance security while preserving usability. Based on an existing virtualized system which diversifies the software to a specific form of use, the project aims to develop new sensors to monitor the system dynamically and deliver real-time responses.

Analyzing G-20's Key Autonomus Systems and their Intermeshing using As-Analyzer

Several thousands of interconnected autonomous systems form the Internet, which is regarded as the most powerful communication infrastructure today. Measuring the network and monitoring its vital parameters is crucial for securing continuous availability and steady performance of the Internet. This paper introduces AS-Analyzer, a tool for gathering and analyzing data related to autonomous systems and their interconnection. Using AS-Analyzer’s modules for collecting data from different sources, calculating key figures and creating reports, we present a vivid example by analyzing the G-20’s key autonomous systems and their intermeshing. A brief discussion of key figures related to autonomous system, IPv4 addresses, connections, categories and malware will complete the presentation.

Influence of Security Mechanisms on the Quality of Service of VoIP

While Voice over IP (VoIP) is advancing rapidly in the telecommunications market, the interest to protect the data transmitted by this new service is also rising. However, in contrast to other internet services such as email or HTTP, VoIP is real-time media, and therefore must meet a special requirement referred to as Quality-of-Service to provide a comfortable flow of speech. Speech quality is worsened when transmitted over the network due to delays in transmission or loss of packets. Often, voice quality is at a level that even prevents comprehensive dialog. Therefore, an administrator who is to setup a VoIP infrastructure might consider avoiding additional decreases in voice quality resulting from security mechanisms, and might leave internet telephony unprotected as a result. The inspiration for this paper is to illustrate that security mechanisms have negligible impact on speech quality and should in fact be encouraged.

Trusted Network Connect — Vertrauenswürdige Netzwerkverbindungen

Die durch die Globalisierung entstandene wirtschaftliche Abhangigkeit von schnellem und kostengunstigem Informationsaustausch fuhrt zu einer immer starkeren Vernetzung. Das Internet stellt eine weltweit verfugbare Kommunikations-Infrastruktur bereit. Es bietet aber keine Moglichkeiten einer vertrauenswurdigen Kommunikation, da die im Netz befindlichen Rechnersysteme nicht auf deren Systemintegritat und Vertrauenswurdigkeit gepruft werden konnen. Gleiches gilt fur Intranets. Besucher und Ausendienstmitarbeiter, die ihre Rechnersysteme, zum Beispiel Notebooks, sowohl auserhalb als auch innerhalb des Firmennetzes einsetzen, stellen mit diesen Rechnersystemen eine Bedrohung fur das Unternehmen dar. Durch die Benutzung der Rechnersysteme auserhalb des Firmennetzes arbeiten diese auch auserhalb der Schutzmasnahmen und des Kontrollbereichs der Unternehmens-IT. Losungs-Ansatze wie zum Beispiel Trusted Network Connect (TNC), stellen Methoden zur Feststellung der Integritat von Endpunkten bereit, die als Basis fur vertrauenswurdige Kommunikation dienen. Die Konflgurationen der Endpunkte lassen sich sowohl auf Software- als auch auf Hardwareebene messen. Uber den Abgleich von definierten Sicherheitsregeln kann eine Policy-gesteuerte Zugriffssteuerung realisiert werden.

Web Service Security — XKMS (TrustPoint)

Web services have grown up and developed a considerable potential: They are based on an open, dynamic exchange of data. Their openness is their greatest plus and contributed to their wide acceptance. This openness, however, and the resulting lack of security is at the same time the barrier that prevents web services from being used on a broad basis. Web services have to become safe if they are to transmit sensitive data securely.