E-book, English, 416 pages, eBook
Pohlmann / Reimer / Schneider ISSE 2010 Securing Electronic Business Processes
2011
ISBN: 978-3-8348-9788-6
Publisher: Vieweg & Teubner
Format: PDF
Copy protection: 1 - PDF Watermark
Highlights of the Information Security Solutions Europe 2010 Conference
This book presents the most interesting talks given at ISSE 2010 - the forum for the inter-disciplinary discussion of how to adequately secure electronic business processes.
The topics include:
- Identity and Security Management
- Technical and Economical Aspects of Cloud Security
- Security Services and Large Scale Public Applications
- Smart Grid Security and Emerging Security Solutions
- Privacy and Data Protection
Adequate information security is one of the basic requirements of all electronic business processes. It is crucial for effective solutions that the possibilities offered by security technology can be integrated with the commercial requirements of the applications. The reader may expect state-of-the-art: best papers of the Conference ISSE 2010.
Norbert Pohlmann: Professor for System and Information Security at the University of Applied Sciences in Gelsenkirchen
Helmut Reimer: Senior Consultant, TeleTrusT
Wolfgang Schneider: Deputy Institute Director, Fraunhofer Institute SIT
Target audience
Research
Authors/Editors
Further information & material
1;Contents;5
2;About this Book;9
3;Welcome;12
4;Germany on the Road to Electronic Proof of Identity;13
4.1;High security in miniature format;13
4.2;Security in many layers;14
4.3;Trust based on reciprocity;14
4.4;Give and take - the principle of networked system chains;15
4.5;Full control over data for citizens;15
4.6;Other components for using the German eID card;16
4.7;That's what authorisation certificates warrant;17
4.8;Tasks of AusweisApp;17
4.9;eID service as a trust authority;18
4.10;Who will benefit from the new eID architecture?;19
4.11;Security for the digital handshake;20
4.12;Citizens are the ones who will determine the success of the new concept;20
4.13;Outlook;21
4.14;Conclusion;21
5;Identity and Security Management;22
5.1;Security Analysis of OpenID, followed by a Reference Implementation of an nPA-based OpenID Provider;23
5.1.1;1 OpenID as a standard for SSO on the Internet;23
5.1.1.1;1.1 Problem;23
5.1.1.2;1.2 Overview of OpenID;24
5.1.1.3;1.3 Course of the protocol;24
5.1.1.4;1.4 Possible fields of application;26
5.1.2;2 Security evaluation of using OpenID;26
5.1.2.1;2.1 The main threats: Phishing and profiling;26
5.1.2.2;2.2 Additional risks and concerns;27
5.1.3;3 The new identity card (nPA) in Germany;29
5.1.3.1;3.1 Overview of the nPA;29
5.1.3.2;3.2 Course of an online authentication;30
5.1.3.3;3.3 Recognition via Restricted Identification;31
5.1.4;4 An nPA-based OpenID provider (OP);31
5.1.4.1;4.1 Fundamental Concept;31
5.1.4.2;4.2 OP's communication sequence;32
5.1.4.3;4.3 Precondition for user and services;33
5.1.4.4;4.4 Added value in different directions;33
5.1.5;5 Outlook;34
5.1.6;6 Summary;34
5.1.7;References;35
5.2;New Authentication Concepts for Electronic Identity Tokens;36
5.2.1;1 Introduction;36
5.2.2;2 Background and motivation;37
5.2.2.1;2.1 Standardized interfaces in the context of electronic Identity Cards;37
5.2.2.2;2.2 Java Card 3.0 connected;38
5.2.2.3;2.3 Existing and emerging SAML-related profiles;38
5.2.3;3 The Service Access Layer as interoperable smart card Interface;39
5.2.4;4 New Authentication Concepts;40
5.2.4.1;4.1 EAC Web Service Binding;40
5.2.4.2;4.2 Path Protection based on XML and WS Secure Conversation;43
5.2.4.3;4.3 Path protection based on an EAC-TLS cipher suite;43
5.2.4.4;4.4 Integrating eID and SAML;43
5.2.4.4.1;4.4.1 Naïve integration using Web Browser SSO Profile;43
5.2.4.4.2;4.4.2 An ECP-based SAML-profile for eID integration;43
5.2.4.4.3;4.4.3 Identity Provider inside the eID-Token;46
5.2.5;5 Conclusion;47
5.2.6;References;47
5.3;A Simplified Approach for Classifying Applications;49
5.3.1;1 Introduction;49
5.3.2;2 Background;50
5.3.3;3 Classification scheme;50
5.3.3.1;3.1 Confidentiality;50
5.3.3.2;3.2 Availability;52
5.3.3.3;3.3 Integrity;53
5.3.4;4 How to Classify Information;54
5.3.4.1;4.1 Process-oriented Approach;55
5.3.4.2;4.2 Application-oriented Approach;56
5.3.5;5 Experiences;57
5.3.5.1;5.1 Application Classification;57
5.3.5.2;5.2 Fast Lane Information Classification;58
5.3.5.3;5.3 The FLICTool;58
5.3.6;6 Conclusion;59
6;Technical and Economical Aspects of Cloud Security;60
6.1;Single Sign-on (SSO) to Cloud based Services and Legacy Applications "Hitting the IAM wall";61
6.1.1;1 Examining the role of IAM as SSO enabler;61
6.1.2;2 No SSO without solid Identity Management!;62
6.1.3;3 What makes Access Control 'in the Cloud' special?;63
6.1.3.1;3.1 Conventional SSO Solutions;63
6.1.3.2;3.2 Access to non web based legacy applications;64
6.1.3.3;3.3 Legacy Applications need user provisioning;64
6.1.4;4 SSO to Web applications 'in the cloud' using federation;65
6.1.5;5 SSO to Web applications 'in the cloud' using a User Centric Identity Management Framework (UCIF);66
6.1.6;6 Conclusion;68
6.2;Cloud & SOA Application Security as a Service;69
6.2.1;1 Cloud Computing;69
6.2.2;2 Cloud Security & Compliance;70
6.2.3;3 Cloud Application Security & Compliance;70
6.2.3.1;3.1 Authorization Management;71
6.2.3.2;3.2 Model Driven Security Policy Automation & Reporting;72
6.2.4;4 OpenPMF SCaaS: Security & Compliance as a Service;74
6.2.4.1;4.1 Policy Configuration in the Cloud (Policy as a Service);75
6.2.4.2;4.2 Automatic Technical Policy Generation in the Cloud;76
6.2.4.3;4.3 Automatic Security Policy Enforcement in the Cloud;76
6.2.4.4;4.4 Automatic Policy Monitoring into the Cloud;77
6.2.5;5 Related Work;77
6.2.6;6 Conclusion;77
6.2.7;Acknowledgements;78
6.2.8;References;78
6.3;Authentication and Trust: Turning the Cloud inside out;80
6.3.1;1 Introduction: Shaking things up;80
6.3.2;2 What do we mean by Security in the Cloud?;81
6.3.2.1;2.1 The Cloud;81
6.3.2.2;2.2 Security;82
6.3.3;3 Why start with security?;82
6.3.4;4 Breaking things down further;83
6.3.5;5 The technical opportunity;84
6.3.6;6 The cultural barriers;84
6.3.7;7 Case Study: TriCipher security for Google Apps;85
6.3.8;8 Conclusion;86
6.3.9;References;87
6.4;User Risk Management Strategies and Models - Adaption for Cloud Computing;88
6.4.1;1 Introduction;88
6.4.2;2 The Cloud Dilemma, Facts and Benefits;89
6.4.3;3 Classification of Service Models and Origin of Risks;90
6.4.4;4 Demand for an Adapted Approach;91
6.4.4.1;4.1 Perceived Security and Business Risk;91
6.4.4.2;4.2 Standard Risk Management versus Ultimate Purchase;92
6.4.5;5 Risk Management for Third Party ICT Services;93
6.4.5.1;5.1 General Model of Adaption;93
6.4.5.2;5.2 Managing Vendor Risks;94
6.4.5.3;5.3 Choosing the Service Model;95
6.4.5.4;5.4 Managing Specific Issues;96
6.4.6;6 Outlook;97
6.4.7;7 Conclusion;97
6.4.8;References;98
6.5;Security and Compliance in Clouds;99
6.5.1;1 Introduction;99
6.5.2;2 Security Issues in Cloud Computing;100
6.5.3;3 Privacy regulations on a global scale;101
6.5.4;4 Compliance in clouds;102
6.5.5;5 Applying the APEX approach to Cloud Computing Systems;104
6.5.6;6 Conclusion;107
6.5.7;References;107
6.6;Applying BMIS to Cloud Security;109
6.6.1;1 Changes in the Security Universe;109
6.6.2;2 Reviewing Contractual Instruments;110
6.6.3;3 Systemic Risks and Crises;112
6.6.4;4 Applying the BMIS;113
6.6.4.1;4.1 Taking Stock - What is There in Terms of Security;114
6.6.4.2;4.2 Cloud Requirements and Internalising Them to the BMIS;115
6.6.4.3;4.3 Introducing and Measuring Systemic Improvements;118
6.6.5;5 Conclusion;119
6.6.6;References;119
7;Security Services and Large Scale Public Applications;121
7.1;Critical Infrastructure in Finance PARSIFAL Recommendations;122
7.1.1;1 PARSIFAL - An Overview;122
7.1.2;2 PARSIFAL Methodology;123
7.1.3;3 Mapping CFI Challenges to Scenarios;123
7.1.4;4 PARSIFAL Recommendations and Research Directions;124
7.1.5;5 Dependencies between the Recommendations;125
7.1.6;6 Stakeholders' Voting on the Recommendations;126
7.1.7;7 PARSIFAL Documentation;127
7.1.8;8 Conclusion;127
7.1.9;References;127
7.2;The SPOCS Interoperability Framework: Interoperability of eDocuments and eDelivery Systems taken as Example;129
7.2.1;1 Introduction;129
7.2.2;2 The given situation;130
7.2.3;3 The Vision of SPOCS;131
7.2.4;4 Example: eDocuments;132
7.2.4.1;4.1 Layers of an OCD;132
7.2.4.2;4.2 Use of OCD in the SPOCS context;134
7.2.5;5 Example: eDelivery;135
7.2.5.1;5.1 Cross-Border eDelivery Framework;136
7.2.5.2;5.2 Usage of Cross-Border eDelivery in SPOCS;137
7.2.6;6 Conclusions;137
7.2.7;References;137
7.3;STORK: Architecture, Implementation and Pilots;138
7.3.1;1 Introduction;138
7.3.2;2 Goals of STORK;140
7.3.3;3 Legal and operational aspects;141
7.3.4;4 Interoperability Framework;142
7.3.4.1;4.1 Conceptual Models;142
7.3.4.1.1;4.1.1 PEPS Model;142
7.3.4.1.2;4.1.2 MW model;143
7.3.4.2;4.2 Interoperability Scenarios;144
7.3.4.3;4.2.1 PEPS – PEPS Scenario;144
7.3.4.4;4.2.2 PEPS – MW Scenario;145
7.3.4.5;4.2.3 MW – MW Scenario;145
7.3.5;5 Implementation Architecture;145
7.3.5.1;5.1 PEPS Architecture;145
7.3.5.1.1;5.1.1 Authentication PEPS;146
7.3.5.1.2;5.1.2 Validation PEPS;146
7.3.5.2;5.2 MW Architecture;147
7.3.6;6 Conclusion;148
7.3.7;References;149
7.4;Secure Networking is the Key to German Public e-Health Solution: Migration Towards an Integrated e-Health Infrastructure;150
7.4.1;1 Introduction;150
7.4.2;2 The current state of German e-health infrastructure systems;151
7.4.3;3 Parallel vs. integrated e-health infrastructures;153
7.4.4;4 Comparison to international e-Health infrastructure projects;155
7.4.4.1;4.1 Austria;155
7.4.4.2;4.2 Taiwan;155
7.4.5;5 Migration towards an integrated public e-health infrastructure;156
7.4.6;6 Conclusion;157
7.4.7;References;157
7.5;Advanced Security Service cERTificate for SOA: Certified Services go Digital!;158
7.5.1;1 Concept and Objectives;159
7.5.2;2 Certification Drawbacks;161
7.5.3;3 Market Trends and Potential Impact;162
7.5.3.1;3.1 SaaS Technology;162
7.5.3.2;3.2 Limitation of Security Certification;163
7.5.4;4 Bringing Certification-based Assurance to Service-based Systems;164
7.5.5;5 Conclusion;166
7.5.6;References;167
8;Privacy and Data Protection;168
8.1;Data Protection and Data Security Issues Related to Cloud Computing in the EU;169
8.1.1;1 Introduction;169
8.1.2;2 Main Legal Issues Related to Cloud Computing;170
8.1.3;3 Focus on Data Protection and Data Security Issues;172
8.1.3.1;3.1 When Does the Directive 95/46/EC Apply?;172
8.1.3.2;3.2 Data Controller or Data Processor?;173
8.1.3.3;3.3 Data Security Measures;175
8.1.3.4;3.4 Data Transfer to Countries Outside the EEA;176
8.1.3.5;3.5 Data Subject Rights;177
8.1.4;4 Conclusions;177
8.1.5;References;178
8.2;The Mask of the Honorable Citizen;179
8.2.1;1 Anonymity under Suspicion;179
8.2.1.1;1.1 Real World Anonymity;179
8.2.1.2;1.2 Internet Anonymity;180
8.2.2;2 Anonymity in Ancient Venice;180
8.2.2.1;2.1 The Invention of the Bauta Device;181
8.2.2.2;2.2 Hedonistic and Unethical?;182
8.2.3;3 Social Disadvantages and Advantages of Anonymity;183
8.2.4;4 Venetian Practice - Staying Honest while Wearing a Mask;184
8.2.4.1;4.1 The Ethical and Political Framework;184
8.2.4.2;4.2 The Role of Playing a Predefined Role;185
8.2.4.3;4.3 Living twice without deindividuation;185
8.2.5;5 The Impact of Psychological Contracts;185
8.2.6;6 Acceptance as the Key Factor;186
8.2.7;References;187
8.3;Towards Future-Proof Privacy-Respecting Identity Management Systems;188
8.3.1;1 Introduction;188
8.3.2;2 Challenges for designing long-term privacy-respecting identity management systems;189
8.3.2.1;2.1 Keeping pace with progressing technologies;189
8.3.2.2;2.2 Preventing erosion of the IT security level;189
8.3.2.3;2.3 Coping with various areas of life;189
8.3.2.4;2.4 Avoiding future risks for the individuals' privacy;190
8.3.2.5;2.5 Handling different stages of life;190
8.3.3;3 How to future-proof privacy-respecting identity management systems?;191
8.3.3.1;3.1 Keeping pace with progressing technologies;191
8.3.3.2;3.2 Preventing erosion of the IT security level;192
8.3.3.3;3.3 Coping with various areas of life;192
8.3.3.4;3.4 Avoiding future risks for the individuals' privacy;193
8.3.3.5;3.5 Handling different stages of life;194
8.3.4;4 Conclusion and outlook;195
8.3.5;Acknowledgement;195
8.3.6;References;196
8.4;Privacy Compliant Internal Fraud Screening;197
8.4.1;1 Introduction;197
8.4.2;2 Example Scenario;197
8.4.2.1;2.1 Example Purchasing Process;198
8.4.2.2;2.2 Example Fraud Scenarios;199
8.4.3;3 Fraud Detection in ERP Systems;199
8.4.3.1;3.1 Example Audit Data;200
8.4.4;4 Legal Assessment;200
8.4.5;5 Organizational Reconciliation of Conflicting Interests;201
8.4.6;6 Towards Automated Fraud Screening;201
8.4.6.1;6.1 Requirements for Audit Data Pseudonymization for Fraud Screening;202
8.4.6.2;6.2 Example Approach;203
8.4.6.2.1;6.2.1 Confidentiality and Linkability;203
8.4.6.2.2;6.2.2 Technical Purpose Binding;203
8.4.6.2.3;6.2.3 Organizational Purpose Binding;204
8.4.6.2.4;6.2.4 Confidentiality of Pseudonym Mapping;204
8.4.6.3;6.3 Revisited Assessment with Pseudonymization;204
8.4.7;7 Conclusion;204
8.4.8;References;205
9;Threats and Countermeasures;206
9.1;Malware Detection and Prevention Platform: Telecom Italia Case Study;207
9.1.1;1 Introduction;207
9.1.2;2 Overview of the Botnet detection solutions;209
9.1.3;3 Telecom Italia strategy;210
9.1.3.1;3.1 Malware Domain Monitoring;211
9.1.3.2;3.2 Malware Prevention;213
9.1.3.3;3.3 Bot IP Monitoring;213
9.1.3.4;3.4 Security Portal;214
9.1.3.5;3.5 Passive DNS Monitoring;215
9.1.3.6;3.6 Malware Analysis and Remediation;216
9.1.4;4 Conclusion;216
9.1.5;References;217
9.2;Defining Threat Agents: Towards a More Complete Threat Analysis;218
9.2.1;1 Introduction;218
9.2.1.1;1.1 Game Change in Cybersecurity and Threat Modeling;219
9.2.1.2;1.2 Economic Aspects of Threat Analysis;220
9.2.2;2 Approaches to Threat Agents;221
9.2.2.1;2.1 Approach in Intel TAL;223
9.2.3;3 Uses of TAL;224
9.2.3.1;3.1 Components of threat assessments;225
9.2.3.2;3.2 Using TAL to analyze known threats: insights that we can gain;225
9.2.3.2.1;3.2.1 Device Remarking;225
9.2.3.2.2;3.2.2 Cognitive Hacking: Another Example;226
9.2.4;4 Conclusions and Future Work;227
9.2.5;References;227
9.3;A Mechanism for e-Banking Frauds Prevention and User Privacy Protection;230
9.3.1;1 Introduction;230
9.3.2;2 Proposed Solution;233
9.3.2.1;2.1 Protocol Details;235
9.3.2.1.1;2.1.1 Bootstrap Phase;235
9.3.2.1.2;2.1.2 Transaction Phase;237
9.3.3;3 A Brief Solution Analysis;237
9.3.4;4 Conclusion;238
9.3.5;References;239
9.4;Countering Phishing with TPM-bound Credentials;240
9.4.1;1 Introduction;240
9.4.2;2 Related Work;241
9.4.3;3 Online Banking in a Nutshell;242
9.4.3.1;3.1 SSL/TLS Usage;243
9.4.3.2;3.2 Threats;244
9.4.3.2.1;3.2.1 (T1): Misuse of Authentication Data;244
9.4.3.2.2;3.2.2 (T2): Misuse of Authentication and Authorization Data;244
9.4.3.2.3;3.2.3 (T3): Unauthorized manipulation of online banking sessions;244
9.4.4;4 Binding banking accounts to specific platforms;245
9.4.4.1;4.1 Deployment Phase;245
9.4.4.1.1;4.1.1 Key creation Problems;246
9.4.4.2;4.2 Authentication Phase;246
9.4.4.3;4.3 Security Consideration;247
9.4.4.3.1;4.3.1 (T1) Misuse of Authentication Data and (T2) Misuse of Authentication and Authorization Data;247
9.4.4.3.2;4.3.2 (T3.1): Unauthorized manipulation of online banking sessions by performing man in the middle attacks (remote);248
9.4.4.3.3;4.3.3 (T3.2): Unauthorized manipulation of online banking sessions by performing malware attacks (local);248
9.4.4.4;4.4 Practicability Consideration;248
9.4.4.4.1;4.4.1 (1) Practicability to users;248
9.4.4.4.2;4.4.2 (2) Practicability to banks;249
9.4.5;5 Conclusion and Future Work;249
9.4.6;References;250
10;Smart Grid Security and Future Aspects;251
10.1;Security Challenges of a Changing Energy Landscape;252
10.1.1;1 Motivation;252
10.1.2;2 The Energy Landscape under Change;253
10.1.2.1;2.1 Yesterday: Few Players, Strong Ties;254
10.1.2.2;2.2 Today: Totally Liberalized ...;254
10.1.2.3;2.3 Tomorrow: Smart Grid Utopia;255
10.1.3;3 Emerging Technological Changes;256
10.1.3.1;3.1 More Communication Relationships with Heterogeneous Partners;256
10.1.3.2;3.2 Interfaces where No Interfaces Existed Before;256
10.1.3.3;3.3 New Communication Paradigms;257
10.1.3.4;3.4 High Amounts of Privacy Related Data;257
10.1.3.5;3.5 Overarching Architecture;257
10.1.4;4 Security Challenges;257
10.1.4.1;4.1 More Communication Relationships with Heterogeneous Partners;258
10.1.4.2;4.2 Interfaces where No Interfaces Existed Before;258
10.1.4.3;4.3 New Communication Paradigms;258
10.1.4.4;4.4 High Amounts of Privacy Related Data;259
10.1.4.5;4.5 Overarching Architecture;259
10.1.5;5 Related Work;260
10.1.6;6 Conclusion;260
10.1.7;7 Acknowledgment;261
10.1.8;References;261
10.2;Privacy by Design: Best Practices for Privacy and the Smart Grid;263
10.2.1;1 Introduction;263
10.2.2;2 The Smart Grid;264
10.2.3;3 Personally Identifiable Information and Privacy on the Smart Grid;265
10.2.4;4 Privacy by Design and the Smart Grid;267
10.2.5;5 Best Practices for Privacy and the Smart Grid;267
10.2.6;6 Conclusion;270
10.2.7;7 Appendix;270
10.2.7.1;7.1 The Smart Grid in Ontario;270
10.2.8;References;272
10.3;A Policy-based Authorization Scheme for Resource Sharing in Pervasive Environments;274
10.3.1;1 Introduction;274
10.3.2;2 Use Case Scenario;275
10.3.3;3 Security Challenges;276
10.3.4;4 CARM's Security Architecture;277
10.3.4.1;4.1 Security Module;277
10.3.4.2;4.2 Communication Protocol;278
10.3.4.3;4.3 Message Transmission;279
10.3.4.4;4.4 Testbed and Implementation;279
10.3.5;5 Related Work;280
10.3.6;6 Conclusions;281
10.3.7;Acknowledgement;281
10.3.8;References;281
10.4;Visual Representation of Advanced Electronic Signatures;283
10.4.1;1 Introduction: From Paper to Electronic;283
10.4.2;2 Visual Aspects of Electronic Signatures;285
10.4.2.1;2.1 Visual Appearance vs Verification;285
10.4.2.2;2.2 Visual Appearance;286
10.4.2.3;2.3 Signature Verification;287
10.4.3;3 Principles;288
10.4.3.1;3.1 The Signature Appearance is Only a Claim;289
10.4.3.2;3.2 The Signature Appearance should be visually verified against the Digital Signature;289
10.4.3.3;3.3 Human Understanding of Advanced E-Signature Verification;289
10.4.3.4;3.4 Consistency of Visual Representation of Electronic Signatures and Familiarity;290
10.4.3.5;3.5 Layered Approach to Advanced E-Signature Verification;290
10.4.3.6;3.6 Verification Clearly separate from Document Visible Content;291
10.4.3.7;3.7 See what was signed;291
10.4.4;4 Further Aspects of Electronic Signature Representation;292
10.4.5;5 Conclusions;292
10.4.6;6 References:;293
10.4.7;7 Acknowledgements;293
10.5;DSKPP and PSKC, IETF Standard Protocol and Payload for Symmetric Key Provisioning;294
10.5.1;1 Introduction;294
10.5.1.1;1.1 History of the 'keyprov' working group;296
10.5.2;2 The Dynamic Symmetric Key Provisioning Protocol (DSKPP);296
10.5.2.1;2.1 DSKPP Protocol variants;296
10.5.2.2;2.2 Cryptographic properties;297
10.5.2.3;2.3 DSKPP bindings;298
10.5.3;3 Portable Symmetric Key Container (PSKC);298
10.5.3.1;3.1 PSKC Data Model;299
10.5.3.2;3.2 PSKC Example;300
10.5.3.3;3.3 PSKC Key protection methods;300
10.5.3.4;3.4 PSKC additional features;300
10.5.4;4 Conclusion;301
10.5.5;References;302
10.6;Silicon PUFs in Practice;303
10.6.1;1 Introduction;303
10.6.1.1;1.1 Background;304
10.6.1.2;1.2 The Focus of This Paper;305
10.6.2;2 PUF Properties;306
10.6.2.1;2.1 Noise;306
10.6.2.2;2.2 Challenge-Response Space;307
10.6.2.3;2.3 Unpredictability;307
10.6.2.4;2.4 Physical Unclonability;308
10.6.2.5;2.5 Tamper Evidence;308
10.6.2.6;2.6 Area Efficiency;309
10.6.3;3 PUF Applications;310
10.6.3.1;3.1 Large Challenge-Response Space PUFs;310
10.6.3.1.1;3.1.1 Lightweight PUF Authentication;310
10.6.3.1.2;3.1.2 Controlled PUFs;311
10.6.3.2;3.2 Single CRP PUFs;311
10.6.3.2.1;3.2.1 PUF Based Secure Key Storage;312
10.6.4;4 Conclusions;312
10.6.5;References;313
11;Biometrics and Technical Solutions;315
11.1;Visa Applications in TG Biometrics for Public Sector Applications;316
11.1.1;1 Introduction;316
11.1.2;2 Objectives;317
11.1.3;3 Overview of the TG Biometrics;317
11.1.4;4 Software Architecture;319
11.1.5;5 Introducing Visa applications in the TR Biometrics;320
11.1.6;6 Conclusion;323
11.1.7;References;323
11.2;Taking Signatures Seriously - Combining Biometric and Digital Signatures;324
11.2.1;1 Introduction;324
11.2.2;2 The Digitalised Signature Project;325
11.2.2.1;2.1 Original Objectives;325
11.2.2.2;2.2 Paradigm Shift: Embedding handwritten signatures in digital processes instead of replacing them;326
11.2.2.3;2.3 The Challenge: Documents requiring a Signature;326
11.2.2.4;2.4 Inspiration from German Experience;326
11.2.2.5;2.5 Award-Winning Solution receiving worldwide attention;327
11.2.2.6;2.6 The Track Record so far;328
11.2.2.6.1;2.6.1 Project Phases:;328
11.2.2.6.2;2.6.2 Project Management:;329
11.2.2.6.3;2.6.3 Significant Cost Reductions;329
11.2.2.7;2.7 The Components of the Solution;330
11.2.2.7.1;2.7.1 Client component;330
11.2.2.7.2;2.7.2 Server component;331
11.2.2.7.3;2.7.3 Administration & Signature Analyzer;331
11.2.2.8;2.8 Creating an optimized Workflow Through Process Transformation;332
11.2.2.8.1;2.8.1 Making the Auditing Department happy;332
11.2.3;3 Creating a "Green Workflow";332
11.2.4;4 The Future Directions;333
11.2.4.1;4.1 Impacts beyond banking;333
11.2.5;5 Conclusion;334
11.2.6;References;334
11.3;Automatic Configuration of Complex IPsec-VPNs and Implications to Higher Layer Network Management;335
11.3.1;1 Introduction;335
11.3.2;2 Objectives;337
11.3.3;3 Related Work;337
11.3.4;4 Secure OverLay for IPsec Discovery (SOLID);338
11.3.5;5 Network Services;339
11.3.5.1;5.1 Time Synchronization;340
11.3.5.2;5.2 DNS Name Resolution;341
11.3.5.3;5.3 VPN Monitoring;341
11.3.5.4;5.4 Other Services;342
11.3.6;6 Conclusion;342
11.3.7;References;342
11.4;SCADA and Control System Security: New Standards Protecting Old Technology;344
11.4.1;1 Cyber Security in Industrial Control Systems;344
11.4.1.1;1.1 ICS Security Incidents On the Rise;345
11.4.1.2;1.2 New Technologies Expose Old Vulnerabilities;346
11.4.1.3;1.3 What's Happening Out There?;346
11.4.1.4;1.4 Why are ICS Networks So Vulnerable?;347
11.4.1.5;1.4.1 Security Assumptions are Built-in to Tools and Procedures;347
11.4.1.6;1.4.2 ICS Components are Extremely Vulnerable;348
11.4.2;2 Divide and Conquer: Defense in Depth;349
11.4.2.1;2.1 ANSI/ISA-99 and IEC62443;349
11.4.2.2;2.2 The Tofino Security Appliance;350
11.4.3;3 Trusted Network Connect: the Next Generation;351
11.4.3.1;3.1 TNC on the Plant Floor;352
11.4.4;4 Conclusion;354
11.4.5;References;354
11.5;A Small Leak will Sink a Great Ship: An Empirical Study of DLP Solutions;355
11.5.1;1 Introduction;355
11.5.2;2 Background: DLP Solutions;356
11.5.2.1;2.1 Practical Examples of Data Leakage;356
11.5.2.2;2.2 Data Leakage Prevention Techniques;357
11.5.3;3 Evaluation Methodology;358
11.5.3.1;3.1 Evaluation and Results;359
11.5.3.2;3.2 Test Cases for DLP Endpoint Agents;359
11.5.3.3;3.3 Basic Setup and Reporting;359
11.5.3.4;3.4 McAfee Host Data Loss Prevention;360
11.5.3.4.1;3.4.1 Identify;360
11.5.3.4.2;3.4.2 Monitor;360
11.5.3.4.3;3.4.3 React;361
11.5.3.5;3.5 Websense Data Security Suite;361
11.5.3.5.1;3.5.1 Identify;362
11.5.3.5.2;3.5.2 Monitor;362
11.5.3.5.3;3.5.3 React;362
11.5.3.5.4;3.5.4 System Security;363
11.5.3.6;3.6 Evaluation Summary;363
11.5.4;4 Conclusion;364
11.5.5;References;365
12;eID and the new German Identity Card;366
12.1;The New German ID Card;367
12.1.1;1 Introduction;367
12.1.2;2 Commercial applications;368
12.1.2.1;2.1 Electronic authentication;369
12.1.2.2;2.2 Qualified Digital Signature;370
12.1.3;3 Realization of the electronic authentication;370
12.1.4;3.1 Enter the PIN (Password Authentication Communication Protocol (PACE));370
12.1.5;3.2 Mutual Authentication (Extended Access Control (EAC));371
12.1.5.1;3.2.1 Public Key Infrastructure;371
12.1.5.2;3.2.2 Authentication of the Service Provider (Terminal Authentication);371
12.1.5.3;3.2.3 Authentication of the Document (Chip Authentication);372
12.1.5.4;3.2.4 Authentication of the Cardholder;372
12.1.6;3.3 Revocation Management;372
12.1.6.1;3.3.1 Revocation of Documents;372
12.1.6.2;3.3.2 Revocation of Service Providers;373
12.1.7;References;373
12.2;AusweisApp and the eID Service/Server - Online Identification Finally more Secure;374
12.2.1;1 The new ID card;375
12.2.1.1;1.1 Certificated identity makes online services more secure;375
12.2.2;2 AusweisApp and the eID service - Online identification;376
12.2.2.1;2.1 AusweisApp;376
12.2.2.2;2.2 The eID service;377
12.2.2.3;2.3 Interaction between AusweisApp and the eID service;377
12.2.3;3 eID and QES;379
12.2.3.1;3.1 The qualified electronic signature (QES);379
12.2.3.2;3.2 Differences between the identification and signature function;379
12.2.4;4 Application scenarios and testing;380
12.2.4.1;4.1 Public authorities;381
12.2.4.2;4.2 Enterprises;382
12.2.5;5 Important issues for service providers;383
12.3;Postident Online with the new Personal Identity Card;385
12.3.1;1 Deutsche Post as an identification service provider;385
12.3.1.1;1.1 The situation in today's identification market;385
12.3.1.2;1.2 Future challenges;386
12.3.2;2 The product development of Postident Online;387
12.3.2.1;2.1 The online strategy of Postident;387
12.3.2.2;2.2 Postident Online in detail;387
12.3.2.3;2.3 Benefits of Postident Online for companies;390
12.3.2.4;2.4 Benefits of Postident Online for end users;390
12.3.3;3 Summary and outlook;391
12.4;The eID Function of the nPA within the European STORK Infrastructure;392
12.4.1;1 Introduction;392
12.4.1.1;1.1 The way from paper-based to electronic ID;392
12.4.1.2;1.2 German field trial;393
12.4.1.3;1.3 The STORK project;393
12.4.2;2 The architecture and technical infrastructure;394
12.4.3;3 Conclusion;397
12.4.4;References;398
12.5;Polish Concepts for Securing E-Government Document Flow;399
12.5.1;1 Digital Signatures in Public Administration;399
12.5.1.1;1.1 Specific Conditions;400
12.5.1.1.1;1.1.1 Hierarchical Structure;400
12.5.1.1.2;1.1.2 Multiple Trust Points;400
12.5.1.1.3;1.1.3 Role of Time;401
12.5.1.1.4;1.1.4 Economic Issues;401
12.5.1.2;1.2 Implementation Requirements;401
12.5.2;2 Mediated Signatures and RSA;402
12.5.3;3 Mediated Merkle Signatures;403
12.5.3.1;3.1 Merkle Signatures;404
12.5.3.1.1;3.1.1 Construction Idea;404
12.5.3.1.2;3.1.2 Implementation Issues;405
12.5.3.2;3.2 Mediated Merkle Signatures;406
12.5.4;4 Conclusion;406
12.5.5;5 Acknowledgment;406
12.5.6;References;406
13;Index;408