P325 - Open Identity Summit 2022
Permanent URI for this collection: https://dl.gi.de/handle/20.500.12116/38695
Conference Paper: Continuous authorization over HTTP using Verifiable Credentials and OAuth 2.0
Gesellschaft für Informatik e.V., 2022
Authors: Fotiou, Nikos; Faltaka, Evgenia; Kalos, Vasilis; Kefala, Anna; Pittaras, Iakovos; Siris, Vasilios A.; Polyzos, George C.; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian
Abstract: We design, implement, and evaluate a solution for achieving continuous authorization of HTTP requests exploiting Verifiable Credentials (VCs) and OAuth 2.0. Specifically, we develop a VC issuer that acts as an OAuth 2.0 authorization server, a VC verifier that transparently protects HTTP-based resources, and a VC wallet implemented as a browser extension capable of injecting the necessary authentication data in HTTP requests without needing user intervention. Our approach is motivated by recent security paradigms, such as the Zero Trust architecture, that require authentication and authorization of every request, and it is tailored for HTTP-based services accessed using a web browser. Our solution leverages JSON Web Tokens and JSON Web Signatures for encoding VCs and protecting their integrity, thereby achieving interoperability and security. VCs in our system are bound to a user-controlled public key or a Decentralized Identifier, and mechanisms for proving possession are provided. Finally, VCs can be easily revoked.

Conference Paper: Flexible Method for Supporting OAuth 2.0 Based Security Profiles in Keycloak
Gesellschaft für Informatik e.V., 2022
Authors: Norimatsu, Takashi; Nakamura, Yuichi; Yamauchi, Toshihiro; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian
Abstract: Keycloak is open-source identity and access control software. When used for open banking, where many OAuth 2.0 clients need to be managed and a different OAuth 2.0-based security profile needs to be applied to each type of API, the Keycloak administrator faces increasing managerial costs, because Keycloak's security profile logic depends on the client settings and the logic cannot be changed for each client's request. This paper proposes a solution by separating the security profile logic from the client settings and by changing the security profile for each client's request based on the content of the request; the actual Financial-grade API (FAPI) security profiles are implemented in Keycloak. The paper calculates managerial costs for both the existing and the proposed method in scenarios managing FAPI and compares the results. The comparison shows that using the proposed method reduces costs. Our implementations are contributed to Keycloak.

Conference Paper: Towards robustness of keyboard-entered authentication factors with thermal wiping against thermographic attacks
Gesellschaft für Informatik e.V., 2022
Authors: Fritsch, Lothar; Mecaliff, Marie; Opdal, Kathinka W.; Rundgreen, Mathias; Sachse, Toril; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian
Abstract: Many authentication methods use keyboard entry for one of their authentication factors. Keyboard factors have been compromised by exploiting physical fingerprints, substances from fingers visible on keys, acoustic recordings made through mobile phones, and video reflections captured by high-resolution cameras used for video conferencing. Heat transfer from human fingers to keypads is an additional attack channel that has been demonstrated. There are few mitigation measures published against this type of attack. This article summarizes the feasibility of thermographic attacks against computer keyboards and against door PIN pads, as well as the efficiency of the scrubbing technique deployed in order to counter thermographic attacks. For this purpose, a series of experiments with small, mobile thermal cameras was carried out. We report findings such as time intervals and other constraints for successful laboratory observation of authentication factors, describe scrubbing methods and report the performance of those methods.

Conference Paper: A user-centric approach to IT-security risk analysis for an identity management solution
Gesellschaft für Informatik e.V., 2022
Authors: Fähnrich, Nicolas; Winterstetter, Matthias; Kubach, Michael; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian
Abstract: In order to build identity management (IdM) solutions that are secure in the practical application context, a holistic approach to their IT-security risk analysis is required. This complements the indispensable technical and crypto-focused analysis of risks and vulnerabilities with an approach that puts another important vector for security in the center: the users and their usage of the technology over the whole lifecycle. In our short paper we focus exclusively on the user-centric approach and present an IT-security risk analysis that is structured around the IdM lifecycle.

Conference Paper: Risk variance: Towards a definition of varying outcomes of IT security risk assessment
Gesellschaft für Informatik e.V., 2022
Authors: Kurowski, Sebastian; Schunck, Christian H.; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian
Abstract: Assessing IT-security risks in order to achieve adequate and efficient protection measures has become the core idea of various industry practices and regulatory frameworks in the last five years. Some research, however, suggests that the practice of assessing IT security risks may be subject to varying outcomes depending on personal, situational and contextual factors. In this contribution we first provide a definition of risk variance as the variation of risk assessment outcomes due to individual traits, the processual environment, the domain of the assessor, and possibly the target of the assessed risk. We then present the outcome of an interview series with 9 decision makers from different companies that aimed at discussing whether risk variance is an issue in their risk assessment procedures. Finally, we elaborate on the generalizability of the concept of risk variance, despite the low sample size, in light of the varying risk assessment procedures discussed in the interviews. We find that risk variance could be a general problem of current risk assessment procedures.

Conference Paper: Corporate Digital Responsibility and the current Corporate Social Responsibility standard: An analysis of applicability
Gesellschaft für Informatik e.V., 2022
Authors: Carl, K. Valerie; Zilcher, Timothy M. C.; Hinz, Oliver; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian
Abstract: Corporate Digital Responsibility (CDR) takes a key role in developing, deploying, and managing digital technologies, products, and services responsibly and ethically. New technologies offer new chances but also expose new threats, especially related to privacy and data security, that managers need to cope with. CDR puts privacy and data security efforts in a broader context to provide a more holistic approach to Corporate Responsibilities and to strengthen consumer trust in corporate activities. However, managers still face a lack of CDR guidelines that support the implementation of CDR activities. Existing guidelines related to Corporate Responsibilities, like the ISO standard 26000, provide guidance on Corporate Social Responsibility (CSR) addressing socially responsible and sustainable behaviour. However, current standards do not cover CDR directly. As such, the purpose of this contribution is to evaluate the applicability of the existing CSR standard to CDR to pave the way for CDR standardization in the future.

Conference Paper: Preservation of (higher) Trustworthiness in IAM for distributed workflows and systems based on eIDAS
Gesellschaft für Informatik e.V., 2022
Authors: Strack, H.; Karius, S.; Gollnick, M.; Lips, M.; Wefel, S.; Altschaffel, R.; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian
Abstract: The secure digitalisation of distributed workflows with different stakeholders (and trust relationships) using systems from different stakeholder domains is of increasing interest. Just one example is the workflow/policy area of student mobility. Others are from public administration and from economic sectors. According to the eIDAS regulation, eID and trust services (TS) are available across the EU - upcoming also EUid & wallets (eIDAS 2.0) - to improve security aspects (providing interoperability or standards). We present some security enhancements to maintain higher trustworthiness in Identity and Access Management (IAM) services for different policy areas with mandatory, owner-based and self-sovereign control aspects - based on eIDAS and different standards and the integration of views/results from deployed or ongoing projects (EMREX/ELMO, Europass/EDCI, eIDAS, EUid, Verifiable Credentials, NBP initiative, OZG implementation, Self-Sovereign Identities SSI, RBAC, ABAC, DAC/MAC, IPv6) and a trustistor.

Conference Paper: A novel approach to establish trust in verifiable credential issuers in Self-sovereign identity ecosystems using TRAIN
Gesellschaft für Informatik e.V., 2022
Authors: Johnson Jeyakumar, Isaac H.; Chadwick, David W.; Kubach, Michael; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian
Abstract: Self-sovereign identity (SSI) promises to bring decentralized, privacy-friendly identity management (IdM) ecosystems to everyone. Yet, trust management in SSI remains challenging. In particular, it lacks a holistic approach that combines trust and governance frameworks. A practical and scalable mechanism is needed for verifiers to externally verify their trust in credential issuers. This paper illustrates how TRAIN (Trust mAnagement INfrastructure), an approach based on established components like ETSI trust lists and the Domain Name System (DNS), can be used as a trust registry component to provide a holistic approach for trust management in SSI ecosystems. TRAIN facilitates individual trust decisions through the discovery of trust lists in SSI ecosystems, along with published credential schemas, so that verifiers can make informed trust decisions about issued credentials.

Conference Paper: Open Identity Summit 2022, LNI Volume P325 Complete
Gesellschaft für Informatik e.V., 2022
Authors: Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian

Conference Paper: Adversary Tactics and Techniques specific to Cryptocurrency Scams
Gesellschaft für Informatik e.V., 2022
Authors: Horch, Andrea; Schunck, Christian H.; Ruff, Christopher; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian
Abstract: At the end of the year 2020, there was a steep uptrend of the cryptocurrency market. The global market capitalization of cryptocurrencies climbed from 350 billion US$ in October 2020 to almost 2.5 trillion US$ in May 2021 and reached 3 trillion US$ in November 2021. Currently, there are more than 17,600 cryptocurrencies listed on CoinMarketCap. The ample amount of money within the market attracts investors as well as scammers and hackers. Recent incidents like the BadgerDAO hack have shown how easy it is to steal cryptocurrencies. While all the standard scamming and hacking techniques such as identity theft, social engineering and web application hacking are successfully employed by attackers, new scams very specific to cryptocurrencies have emerged, which are the focus of this paper.

Conference Paper: eIDAS 2.0: Challenges, perspectives and proposals to avoid contradictions between eIDAS 2.0 and SSI
Gesellschaft für Informatik e.V., 2022
Authors: Schwalm, Steffen; Albrecht, Daria; Alamillo, Ignacio; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian
Abstract: The proposal for review of the eIDAS Regulation from 2021 has opened strong expectations for a deep change in traditional identity models. The user-centric identity model proposed starts with the creation of European Digital Identity Wallets that will enable citizens' control over their data in identification and authentication processes without control by entities providing the identification services. Likewise, with the proposed legal rules for giving legal certainty to electronic ledgers and blockchains, [eIDAS2] opens possibilities for decentralization, especially for the provision and management of users' attributes. The implementation of qualified trust services for attestations or electronic ledgers limits decentralization by requiring a trusted 3rd party. Standardization will be key in assuring interoperability at the EU level. What are the challenges and opportunities of eIDAS 2.0? And what are the main focuses and needs of (European) standardization? These and other questions will be analysed and discussed in the paper.

Conference Paper: Combination of x509 and DID/VC for inheritance properties of trust in digital identities
Gesellschaft für Informatik e.V., 2022
Authors: Bastian, Paul; Stöcker, Carsten; Schwalm, Steffen; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian
Abstract: The proposal for review of the eIDAS Regulation from 2021 has opened strong expectations for a deep change in traditional identity models. The user-centric identity model proposed starts with the creation of European Digital Identity Wallets that will enable citizens' control over their data in identification and authentication processes without control by entities providing the identification services. Likewise, digital identities and digital signatures are in place, and interoperability between existing solutions mainly based on x509 certificates and decentralized PKI using DID/VC is foreseeable. The paper provides various options to address different aspects of combining x509 and DID/VC approaches.

Conference Paper: Online tool for matching company demands with IT-security offerings
Gesellschaft für Informatik e.V., 2022
Authors: Fähnrich, Nicolas; Roßnagel, Heiko; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian
Abstract: Small and medium-sized companies (SMEs) are often insufficiently protected against cyberattacks, although there is a wide range of cybersecurity guidelines, products and services available. In this paper, we present an online tool to support SMEs in improving their IT-security level by enabling them to identify critical business processes and to identify the most pressing protection needs by using a lightweight value chain-based approach. For using the online tool, no expert knowledge of the company's IT infrastructure or implemented IT-security measures is required, since no assessment of cybersecurity threats is carried out, only an assessment of the impact of potential damage scenarios on business processes. Based on a generated set of recommendations, companies are provided with suitable IT-security measures and corresponding offerings in a prioritized order. These offerings include services and products to implement the given recommendations.

Conference Paper: Integration of Self-Sovereign Identity into Conventional Software using Established IAM Protocols: A Survey
Gesellschaft für Informatik e.V., 2022
Authors: Kuperberg, Michael; Klemens, Robin; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian
Abstract: Self-Sovereign Identity (SSI) is an approach based on asymmetric cryptography and on decentralized, user-controlled exchange of signed assertions. Most SSI implementations are not based on hierarchic certification schemas, but rather on the peer-to-peer and distributed "web of trust" without root or intermediate CAs. As SSI is a nascent technology, the adoption of vendor-independent SSI standards into existing software landscapes is at an early stage. Conventional enterprise-grade IAM implementations and cloud-based Identity Providers rely on widely established pre-SSI standards, and neither will be replaced by SSI offerings in the next few years. The contribution of this paper is an analysis of patterns and products to bridge unmodified pre-SSI applications and conventional IAM with SSI implementations. Our analysis covers 40+ SSI implementations and major authentication protocols such as OpenID Connect and LDAP.