Entwicklungen in den Informations- und Kommunikationstechnologien

Transkript

1 Entwicklungen in den Informations- und Kommunikationstechnologien Herausgeber: Friedrich-L. Holl Band 3 Study Criteria for success of identification, authentication and signing methods based on asymmetric cryptographic algorithms (EKIAS) On behalf of Federal Ministry of Education and Research Commissary: Fachhochschule Brandenburg Brandenburg University of Applied Sciences TeleTrusT e.v. Authors: Anja Beyer Sophie Hellmann Malte Hesse Friedrich-L. Holl Peter Morcinek Sachar Paulus Helmut Reimer Contributors: Markus Dahms Karsten Kausmann Simone Friedrich-Meier Jens Ziegler

2 Entwicklungen in den Informations- und Kommunikationstechnologien Herausgeber: Friedrich-L. Holl Band 3 Study Criteria for success of identification, authentication and signing methods based on asymmetric cryptographic algorithms (EKIAS) On behalf of Federal Ministry of Education and Research Commissary: Fachhochschule Brandenburg Brandenburg University of Applied Sciences TeleTrusT e.v. Authors: Anja Beyer Sophie Hellmann Malte Hesse Friedrich-L. Holl Peter Morcinek Sachar Paulus Helmut Reimer Contributors: Markus Dahms Karsten Kausmann Simone Friedrich-Meier Jens Ziegler

3 Editor: Prof. Dr. Friedrich-L. Holl, Fachhochschule Brandenburg Brandenburg University of Applied Sciences 2007 Self-published, Berlin Design: Martin Schüngel Translation: Stefanie Otersen and Peter Morcinek Print: digital business and printing GmbH, D Berlin ISSN All rights reserved. No part of this publication may be used or reproduced by any means including public reading, public broadcasting, television, translation into foreign languages, electronic, mechanical or computational processing, apart from the exceptions mentioned in 53, 54 URHG.

4 Table of Contents Introduction 9 Executive Summary Technical Outlook Methodology Cryptography Man between the conflicting priorities of technology and economics Tokens & Trusted Computing PKI applications Authentication, identification and signatures PKI standards and protocols Protocols Formatting standards Did asymmetric cryptography dash the vision of simple PKI solutions? Alternative concepts Symmetric encryption and key management methods Hybrid Methods Biometry Biometric authentication Biometric identification 33 Table of Contents 5

5 Rating of biometric methods Outlook Evaluation Summary Economic Insights Methodology Usage Scenarios Objective Classification approaches Classification according to involved players Classification according to security objectives Classification according to stakeholders Conclusions Successful business processes applications Economic considerations Measurement IT investments Frequently used key figure methods Return on Investment Return on Security Investment Net Present Value Balanced Scorecards Total Cost of Ownership Exemplary cost-benefit analysis ROSI calculation for a security process Balanced Scorecard-based examination Summary Operating Conditions Methodology Products Project procedure Operation Liability Synopsis Workshop Findings Methodology and course of the workshop Comments about results achieved so far Comments on Technical Outlook Comments on Economic Insights Comments on Operating Conditions 88 6 Table of Contents

6 4.3 Results of the Break-out Sessions Green Group Red Group Blue Group Conclusion Results of the Workshop Technology Economic Aspects Socio-scientific Aspects The Government s Role Recommendations Technology Economics Operating conditions Further Research Bibliography 107 Anhang 117 A. Fragebogen Technische Perspektiven 118 B. Interviewpartner zu Technischen Perspektiven 121 C. PKI 123 D. Return on Security Investment (ROSI) 139 E. Fragebogen zur Erfassung von Kriterien für die Nutzung von PKI 156 F. Details zum Workshop 167 Table of Contents 7

7 Introduction By establishing the Signature Law, the Federal Republic of German has achieved an early orientation towards using asymmetric encryption methods when ensuring electronically aided methods. From today s point of view, using PKI infrastructures which are implemented accordingly and serve as a basis for authenticating, identifying and singing, cross-company business processes can be secured. Using asymmetric cryptographic technologies together with smart card (or similar tokens) as security means, however, is still of no relevance. Rather, application access is still realised using the hardly reliable combination of user ID and password. One time passwords or other, secure methods are rarely used. New developments also rarely account other (stronger) identification and authentication methods and when they do were talking about designated security applications in most cases. Based on this problem the questions to be answered within the course of the project arose. In particular, we wanted find out why asymmetric methods are only used in a limited way and why companies still rely on payment systems which are not secure, despite the fact that the risk are substantial and commonly known. In the chapter on Operating Conditions (cf. chapter 3) this questions are discussed in detail. There we outline the criteria which usually determine the success of an implementation - and above all its use. Our approach for identifying these criteria consisted of developing them using appropriate literature like field reports. Since there are nearly no suitable publications on this field (publicly) available, we anonymously interviewed expert having a lot of experience with planning, implementation and operation of Introduction 9

8 public key infrastructure. By promising anonymity, we could obtain results we consider to be genuine and uncensored. In conjunction with the conducted interviews, we also determined aspects that militate for or against PKI, as well as consequences for the user, and questions of liability. Regarding implementation, we surveyed the solutions or, rather, products, as well as reasons for the use of this specific product, and the time needed for deployment. The part asking questions on operating PKI regarded advises and challenges of PKI use, as well as needed and actually used documentation. When addressing the issues of cross-company communication, technical realisations and the corresponding experiences where regarded amongst other things. All in all, we tried to identify possible obstacles of using PKI applications and concepts and have them rated. In the following, we examined the existing of new technical developments in connection to development of public key infrastructures, as well as possible mediumterm and long-term trends in this field. The information gained (as described in chapter 1 Technical Outlook ) was determined using two distinct approaches: We conducted an international literature study which regarded the topics of cryptography, tokens, PKI, alternative concepts without PKI, biometry, and security evaluations as well as security certifications. Additionally, we interviewed 13 experts coming from the fields of research, PKI industry, and commerce on the topics mentioned above. All in all, this chapter regards means which companies could use when increasingly handling B2C transactions as well as B2B transactions online. Laws like the Sarbanes-Oxley Act or Basel II require companies to follow a structured, efficient, and proactive approach of IT security. Thereby, significance of IT security technologies gains importance. We demonstrate that approaches for lasting solutions can be found in the domain of PKI technologies. On major goal of the chapter Economic Insights was to point out cost-benefit rate arising for the implementation of PKI systems. For that purpose we examined possible concepts and applications which clearly can be identified as scenarios for PKI use. Using literature surveys and practical experiences, we could identify according criteria and develop a classification. Subsequently, we investigated to which extent PKI use could be viewed from business process level, and to which extent PKI can be awarded an enabling function. For this to achieve, we conducted interviews with those responsible for such processes, in order to identify criteria for success as well as the economic background. All in all, we observed that orientation on business processes is currently not relevant for practical use, because of PKI use still being considered as an infrastructure investment. Based on this, we determined which key figure systems might have an effect on decisions of PKI investment and to what extent. Doing so, we analysed quanti- 10 Introduction

9 tative as well as qualitative methods. Using real, anonymised business data, we did a cost-benefit analyses which was based on our findings. The analysis demonstrated that regarding PKI investment decisions a complete picture can only be provided by a combination of different key figure methods. This picture is needed for making a detailed and realistic decision on PKI implementation. Based on the results of the preceding chapters we hosted a workshop which is described in chapter 4 Workshop Findings. The goal of this workshop was to identify criteria of success and point out prospects. Workshop structure and group line-up aimed for these objectives. Different groups of competence were represented: Vendors and service providers from the PKI market, chief information security officers, which already implemented successful multinational PKI projects, researchers, consultants with security and anti-fraud expertise, and IT managers. Long-time experience was emphasised in particular. In order to prepare the participants for the work groups planned, they were filled in on the present results of the project team s work. Based on this information as well as their practical experiences they were to identify problems and come up with matching ideal conditions, as well as solutions/fields of action. Due to the broadly differentiated competence of the workshop participants, resulting in contributions originating from different points of interest, and the detailed consideration of these topics within work groups, focus on the main topic was achieved. Especially, mixing technicians and non-technicians, IT managers and security managers, vendors and many others proved to be a major success factor for achieving differentiated and controversial aspects which were still aimed at the success of public key infrastructures as well as the according applications and technologies. Additionally we gained important details and practical information as well as personal opinions we probably would never have gained otherwise. In particular, this applies to opinions and assessment conflicting with the prevalent expert opinion which maybe due to political motivation has not been publicly discussed like this before. We used these results to suggest further approaches for PKI implementations. One major goal of this project was to identify possible further developments, need for support or practical advice which helps to push PKI. Additionally we intended to identify obstacles and phrase suggestions how to eliminate them. Therefore, chapter 5 Recommendations contains a summary of the most important findings for the fields of technology, business and practical use. Based on this, we suggest possible further research projects and give concrete advice for successful PKI implementations. As an overall result this study is intended to provide indication of conditions which are needed for successful PKI implementation and use, possible actions that can be taken maybe by the Government as well and which fields should be further researched. Introduction 11

10 Executive Summary The EKIAS study addresses criteria for success of identification, authentication and signing methods based on asymmetric cryptographic algorithms and therefore primarily on criteria having a positive influence on PKI as well as those that are limiting. The most important findings are that user matters have more influence on PKI than assumed before and economic arguments are only relevant when considered within the context of one particular process. Furthermore it is important to guide users during the implementation stage in order for them to accept the PKI applications. The goal of this survey has been to identify areas of PKI technology and applications needing further research and support as well as areas still having potential for innovation. The following was found: Technical Outlook In order to be cost effective, long-time use (guaranty of durability of algorithms and key length) needs to be technical realisable since establishing a PKI requires high initial costs which are continuously incurred for a long time. Long-term use is more important with regards to governmental applications (identity docu- Executive Summary 13

11 ments, documents to be digitally preserved by law) mainly; business applications are typically more market-oriented and therefore designed to be rather shortdated. Interoperability is important for successful use of PKI technology. With multi-procedural applications (e.g. encryption) this has to be assured through standards. In order to allow for successful application integration, the key management has to provide shared keys for several applications or alternatively allow for managing shared keys. In order to reach an enhanced security level, use of tokens (e.g. smart cards, USB-tokens) as a supplement of software-based certificates is desirable. With tokens, attention must be paid to expandability (replacement of algorithms etc.) the shape of tokens will evolve and adjust to the applications used. In the future, biometric techniques will be increasingly used in addition to tokens to identify people. Economic Insights PKI technology can act as a business process enabler. Possible applications can be economically justified within the context of specific processes only though. For the use of PKI two financially motivated reasons exist: PKI as a cost saving measure (PKI allows for digitalising processes, e.g. electronic invoices) and PKI for accelerating and standardising processes, in order to electronically represent them more elegantly and with less effort (e.g. authentication using certificates with business process outsourcing). The fact that the persons in charge of processes often do not know the corresponding costs is problematic. It results from the processes being attached to infrastructure and system components which are hard to understand and evaluate. The corresponding benefits and the risks are hard to quantify as well. Therefore reductions of costs are seldom objectively accounted for. In order to be a business process enabler, PKI demands an initial investment, which is why decision makers need to be persuaded of its reasonability. Single key figures like ROI/ROSI or NVP can aid the decision process, but often provide a negative result. This methodology would often argue against investing in PKI even though the investment would actually make sense. Therefore a mix of accepted methods (e.g. ROSI including TCO supplemented by NVP and Balanced Scorecard) should be generally used for a more detailed examination of costs. Another problem lies within the fact that the bearer of PKI costs is often not able to capitalise his investment. On infrastructural level transferring costs and benefits is often not possible not until the process level is considered and even here in-house processes are required. Therefore cross-company payment and cost allocation models have not been accepted by the market. It should be noted that PKI without specific applications is just an infrastructure, offering no actual use to anyone, even from the point of view of security. However, 14 Executive Summary

12 when it is established, the obvious benefits of PKI use are soon evident through support facilities for business processes. Operating Conditions PKI technology is not really suitable for daily use yet, and interoperability of different PKI applications is not given to the extent desired by costumers. This particularly applies to key management, necessary for PKI use. PKI projects are to be categorised as sensitive, therefore success of such a project may be compromised by changing requirements and specifications within the project. Furthermore PKI centralises trust decisions and assures a designated process sequence. In practice this may result in substantial problems, since such developments (may) conflict with personal interests of the parties involved. Acceptance of PKI applications could be enhanced if those were simple and transparent, meaning easy to understand within the context and language of business processes. But, even when this had been accomplished it turned out that the efforts for supporting PKI applications are still higher than those of other applications. In this context it needs to be guaranteed that the support can rely on qualified employees, so that security specifications are not compromised by wrongly recommended actions. With cross-company processes the problem of acceptance is much higher, since the trust decisions to be made are complex. Therefore certain requirements for PKI applications must be taken into account. We differentiate between three scenarios, all of which are following their own market drive: 1. For the mass market (e.g. home banking, online shopping) simplicity, transparency and minimal costs come first, making the use of a complex technology like PKI difficult. 2. In the business environment flexibility is the most important aspect, since PKI use depends on the level of security requirements and the technologies used, for an instance. Successful isolated solutions (i.e. information silos) show that standardisations are not given the highest priority and can only be established when paying attention to market rules. 3. When used for governmental purposes (e.g. electronic identity documents) though, standardisation combined with high security and sustainability (replacement of algorithms, use of biometry, and so on) is compulsory. Simple and understandable trust decisions still remain the most important requirement. Therefore, it needs to be taken into account that security results from control and trust and that reducing control is possible only by increasing trust. Executive Summary 15

13 Recommended Actions Amongst other things, the goal of this project was to point out options for eliminating obstacles associated with PKI technology and the corresponding operating conditions. Building on that, recommendations that will promote PKI were developed. Among the technical recommendations are suggestions for research on interchangeability of cryptographic algorithms, which we consider to be necessary. This is of particular interest for long-term PKI use within a governmental environment. We identified integration of PKI in applications as another object of investigation since supporting framework development allows for standardised methods. Interoperability of applications and key management is another important aspect, especially within a governmental environment. In this vein, further form aspects beyond smart cards as well as standardised access of cryptographic key are to be examined. Last but not least further fundamental research in the field of quantum computers and their effects on the crypto-algorithms used in PKI needs to be conducted. From the economical point of view costs for the infrastructure investment PKI are to be made transparent and compared with generated benefits. As a result of the complex processes, the business models are based on, the focus should be on core processes where PKI could act as an enabler. Security has to become an implicit part of business process modelling/development thereby. On a management level understanding of the importance of security must be improved by appropriate measures. In order to accomplish a more detailed examination of a PKI project s costs we suggest applying a mix of methods from different key figure systems. When realising PKI, direct and diversified support of applications often leads to problems, which is why we are of the opinion that PKI pilot projects should be integrated into the entire environment step by step. In order to reduce possible problems and help with decision making, we additionally recommend publishing positive and negative field reports on PKI use. Furthermore, the interdependence of technology, economics and aspects of use should be examined regarding PKI so as to find options for improving trust relationships for electronic business transfer. The trust decisions necessary for PKI applications need to be simple and understandable for the user. Thereby direct user contact allows for enhanced awareness of trust building and trust decisions within (internet) applications. It should be refrained from enacting technical requirements into law; instead we suggest specifying them in directives, so that leeway can be used when establishing PKI applications. 16 Executive Summary

14 1. Technical Outlook IT security technologies are gaining more and more importance. The rise in handling B2C as well as B2B transactions online notably contributes to this development. Laws and regulations like the Sarbanes Oxley Act or Basel II demand that companies address IT security in an organized, efficient and pro-active way. (cf. [Booker 2006]). In order to guard systems, data, and communication channels, several techniques for encryption, signing, identification, and authorisation can be utilised. 1.1 Methodology Two distinct approaches were chosen to gather information for the current chapter, Technical Outlook. Y Y 13 experts from research, industry and commerce agreed to participate in a guided telephone interview that addressed questions concerning cryptography, tokens, PKI, alternative concepts sans PKI, biometry, and security evaluation as well as security certification. (The interview guide and list of interview subjects can be found in the appendix). At the same time a survey of international literature referring to the topics mentioned was conducted. This report follows the thematic structure of the questionnaire used. Chapter 1 Technical Outlook 17

15 1.2 Cryptography Based on the German signature law, the Federal Network Agency recommends cryptographic algorithms for qualified signatures, hash functions, and random number generators every year (cf. [Bundesnetzagentur Algorithmenkatalog 2006]). The suggestions for qualified signatures listed in this catalogue are intended to provide for security for at least six years after being evaluated and published [SigV 2001]. When it comes to deployment this timeframe is not reasonable, since investments and associated amortisations are aimed at a longer timeframe. The 2006 algorithm catalogue recommends SHA 1 (until the end of 2009), RIPEMD (until the end of 2010) and SHA-224, SHA-256, SHA-384, SHA 512 (until the end of 2011). Qualified for electronic signatures: 1. RSA (until the end of 2007), RSA-1976 (until the end of 2011), suggested use of RSA DSA (until the end of 2007), DSA-2048 (until the end of 2011), suggested use of DSA DSA variants based on elliptic curves (bit-length of used prime number q at least 180 (until the end of 2009) and 224 (until the end of 2011)), especially: a. EC 5 -DSA, b. EC-KDSA, c. EC-GDSA 6, d. Nyberg-Rueppel signatures (cf. [Bundesnetzagentur Algorithmenkatalog 2006]) Using a physical random number generator for key generation is strongly recommended. If no physical random number generator is available a pseudo-random number generator might be considered. The inner state is being initialised using the [ ] seed. With every step the state has to be renewed and a random number derived. The seed has to be guarded against being read out or manipulated... ([Bundesnetzagentur Algorithmenkatalog 2006]). Every pseudo-random number generator has to be a class K3 (evaluation class 3, strength high ) deterministic random number generator in terms of AIS-20 (cf. [BSI 2006a]). The seeds entropy is at least 80 bit -100 and 120 bit are recommended (until the end of 2009), 100 or 120 (starting 2010) (cf. [Bundesnetzagentur Algorithmenkatalog 2006]). An algorithm catalogue like that of the Federal Network Agency can be regarded as a basic requirement for keeping systems reliable over a longer timeframe. Addition Secure Hash Algorithm RACE Integrity Primitives Evaluation Message Digest Asymmetric cryptographic system named after Rivest, Shamir and Adleman Digital Signature Algorithm Elliptic Curves KDSA and GDSA are DSA variants based on elliptic curves 18 Chapter 1 Technical Outlook

16 ally it serves as an adequate means of establishing standardised procedures (cf. [Giessmann 2006]). There is no national specification of algorithms and parameters for securing digital signature methods. Generally the catalogue s recommendations are useful when it comes to interoperability (cf. [Preneel 2006]). On an international level, the recommendations the NSA provided in Suite B are crucial and valuable (cf. [Temple 2006], [Preneel 2006]). This catalogue suggests: Y Encryption: AES-128 or AES-256 (Advanced Encryption Standard) (cf. [NSA A 2007]) Y Digital signatures: ECDSA-256 or ECDSA-384 (Elliptic-Curve Digital Signature Algorithm) (cf. [NSA B 2007]) Y Key agreement: EC DH (Elliptic Curve Diffie-Hellman) or EC MQV (Menezes-Qu-Vanstone) with NIST P-256 respectively NIST P-384 (cf. [NSA C 2007]) Y Hash functions: SHA-256 and SHA-384 (Secure Hash Algorithm) (cf. [NSA D 2007]) Unfortunately the functions recommend by the NSA are often lacking implementation. (cf. [Temple 2006]). Security of the methods mentioned accordingly relies on: 1. the factorising problem of integers, 2. the discrete logarithm problem for the multiplicative group of a prime field Fp, 3. the discrete logarithm problem for the groups E(Fp) and E(F2m). [Bundesnetzagentur Algorithmenkatalog 2006] Additionally one needs to take into account that security of today s methods is affected by a combination of computers capability and the mathematical foundations of the cryptographic algorithms used. This will be outlined in detail below. Security also relies on nobody having found a better mathematical algorithm. When evaluating, progress in this area has to be considered carefully, even though it is hard to rate. In 1978, Rivest, Shamir, and Adleman introduced the RSA algorithm (cf. [RSA 1978]), which is still the application standard of asymmetric cryptography. It is implemented in widespread smart card families (signature cards, cards used for financial transactions SECCOS, health cards) as well. This algorithm s security relies on an effectively complicated mathematical problem: Prime factorisation, which is impossible for large numbers using today's methods (cf. [Buchmann 2006]). Given a sufficient key length, a RSA-encrypted document cannot be decrypted within a reasonable frame of time, assuming one does not possess the private key. Current developments in the area of quantum mechanics could annihilate this protection. Due to their construction, quantum computers are able to make calculations Chapter 1 Technical Outlook 19

17 much more quickly than traditional computers. But it is not only the hypothetical quantum computer that is putting algorithms security at risk. In 1996 Shor demonstrated that quantum computers will make factorising RSA moduli possible and thus break RSA (cf. [Shor 1996]), which would make currently used algorithms, similar to RSA, unsafe (cf. [Schmidt 2006], [Brassard 1996]). According to Schmidt, there are two methods to counteract this: 1. develop alternative crypto-systems, e.g. lattice-based crypto-systems 2. raise the key length of currently used algorithms To what extent the first option really does pose an alternative has yet to be determined. Every deterministically unique mathematical problem could probably be solved in polynomial time by using quantum computers. Today one cannot definitively say whether it is possible to build quantum computers in sufficient size (cf. [Buchmann 2006], [Schmidt 2006]). Schmidt acts on the assumption that quantum computer size increases rather slowly (cf. [Schmidt 2006]). As long as no large quantum computers exist the second option seems to be the better choice (cf. [Schmidt 2006]). The largest quantum computer existing today is able to factorise the number 15 (cf. [Buchmann 2006]), therefore quantum computers do not pose an immediate threat (cf. [Okamoto 2003]). Against this background one can say that the algorithms, like RSA and cryptographic algorithms based on elliptic curves, are safe for the time being (short-term, up to 10 years) at least (cf. [Buchmann 2006b], [Preneel 2006]). Some applications, e.g. code signing and SSL authentication, merely need short-term security (cf. [Buchmann 2006a]). Progression in the field of DNA computers is relevant for evaluating cryptographic algorithms security as well. Boneh et al. did demonstrate that massive parallel processing is possible using molecular computers (cf. [Boneh 1995], [Boneh 1996]). Might this lead to the breaking of encryption keys? For now hash functions seem to be much less durable than encryption algorithms. The first collisions were discovered six years after MD4 had been launched (cf. [Dobbertin 1996]). SHA-0 and SHA-1 are based on a similar algorithm, thus in theory those became vulnerable too (cf. [Buchmann 2006a]). In this respect hash functions turn out to be a complex of problems by themselves (cf. [Leitold 2006]), forcing the cryptographic community to work hard on developing better design criteria for long-term security of hash functions (cf. [Weis 2005], [Buchmann 2006a]). For applications like the electronic patient record, law demands methods that are secure for at least 30 years (the legal obligation for medical records). Today s algorithms do not meet this requirement (cf. [Buchmann 2006b]). It is not possible to say what we will do in 20 years (cf. [Buchmann 2006b]). In order to be prepared for the future and unforeseen attacks, two things are necessary: 20 Chapter 1 Technical Outlook

18 Y a stock of secure alternative cryptographic algorithms needs to be made available Y the applications, using cryptographic algorithms, need to be designed in a modular way, making it easy to replace algorithms that have become vulnerable (cf. [Buchmann 2006a]). Giessmann also deems this pragmatic approach to make sense: implementing a secure solution and substituting alternatives by degrees. For this reason, algorithm catalogues are warranted too (cf. [Giessmann 2006]). The main problem concerning interchangeability of algorithms is the implementation (cf. Preneel 2006]). Software and protocols need to be coded in a way that makes replacing algorithms simple. As of today, this is not generally the case (e.g. the Microsoft Windows operating system) (cf. Buchmann 2006b]). Buchmann suggests designing applications in such a manner that they import the cryptographic algorithms needed from a corresponding crypto-api like the Java Cryptographic Architecture (JCA) or the Microsoft Crypto API. Keys, certificates, etc. need to be interchangeable too (cf. [Buchmann 2006a]). Buchmann introduces the crypto-library FlexiProvider, having all mainstream and alternative cryptographic algorithms implemented on base of JCA. The trustcenter application Flexitrust is based on FlexiProvider and is used by the German Root Certification Authority (CA) and the German Country Signing CA. Some experimental algorithms, which are intended to provide a certain security against quantum computers, are integrated in FlexiProvider via PostQuantumProvider (cf. Buchmann 2006a]). FlexiProvider is subject to the GNU GPL (General Public License) and LGPL (Lesser General Public License). It is freely available on the internet (cf. [FlexiProvider 2006]). In an interview on the topic, Christoph Busch said that he was in favour of the Flexi-PKI concept (cf. [Busch 2006]). The IEEE (Institute of Electrical and Electronics Engineers) P1363 is a task force working on standardisation of specifications of public key cryptography. The emphasis of standardising efforts is on traditional algorithms (e.g. RSA, DSA, etc.) as well as on new ones like lattice-based public-key cryptography (e.g. NTRU), which are intended to remain secure once quantum computers arrive (cf. [Buchmann 2006a]). NTRU is a public-key crypto-system that is much quicker than conventional algorithms (like RSA). Development and distribution are done by NTRU Cryptosystems Inc. Due to this system s speed, it is geared to the embedded systems market and can be utilised for telephones and RFID chips amongst others things. The corresponding algorithms for encryption and signing are called NTRUEncrypt and NTRUSign. They are already being used. NTRU Cryptosystems Inc. distributes its security suite for wireless networks Aerolink containing the NTRU cryptosystem (cf. [NTRU 2006]). Quantum cryptographic algorithms, using the possibilities of quantum mechanics, are another option for generating long-term security. Brennet and Brassard have already prepared the ground, demonstrating experimental distribution of quantum keys (Quantum Key Distribution) in 1989 (cf. [Brassard 1996]). Most experimental quantum cryptographic algorithm prototypes existing today are based on the QKD protocol BD84 published in The question that has to be met during further Chapter 1 Technical Outlook 21

19 research is: how secure is QKD actually? (cf. [Brassard 1996]). QKD would not be a solution for internet applications or end-to-end communication for those who need a common channel (electro-magnetic wave or wired channels). Conventional quantum cryptography demands a quantum channel (cf. [Okamoto 2003]). Currently no applicable quantum cryptographic algorithm exists. More research is needed on this topic. Even though there are preliminary methods of securing bank transfers via quantum cryptography (cf. [Wissenschaft.de 2005]) none of them is functional. Despite companies already offering products covering this area, practical usability has to be considered nonexistent (cf. [ID Quantique 2007], [SmartQuantum 2007]). 1.3 Man between the conflicting priorities of technology and economics Another problem being discussed in conjunction with IT security is the threat posed by the human factor. Experts often consider the person operating a system or application the number one vulnerability (cf. [Preneel 2006], [Temple 2006]). In fact, systems are secure on a technological level but are not designed to be used by human beings since they forget or (sometimes involuntary) give away theirs passwords amongst other things. Attackers do not try to break cryptographic algorithms but rather take aim at elements promising an easier break-through: On the one hand, this is the implementation; on the other hand, it is the user (social engineering) (cf. [Hilton 2007]). Additional awareness measures (cf. [Busch 2006]) could be one option, as well as other measures like biometry (cf. [Giessmann 2006]) or Single sign-on (SSO) combined with smart cards and biometry. Those could gain more acceptance by providing better usability (cf. [Kuppinger 2006a]). Tagging the user as being weak is short-sighted though. IT users are hard to reshape, even when using awareness measures. Technology is much easier to configure. Man should not have to conform to the system: the system should conform to man. IT has to be designed in a way encouraging users to make simple decisions instead of being overwhelmed by the system s complexity (cf. [Kuppinger 2006a]). Chapter 3 Operating Conditions contains a detailed discussion on this topic. 1.4 Tokens & Trusted Computing A token is a sort of bit pattern used for authentication. The term originates from network engineering, featuring the token ring technology which has been developed for linking computer networks. The device holding the token is allowed to send data. In the field of security a token is defined similarly. A token is represented either by software (e.g. the access token used for logging into MS Windows contains access permissions too) or in combination with hardware devices (e.g. a chip on a smart 22 Chapter 1 Technical Outlook

20 card, an USB memory stick) and is also called a crypto-token. With the token, applications can be used as authorised. Hardware tokens add the aspect of physical ownership. Nobody but the person holding the token is able to authenticate him or herself to a system or an application. The systems called tokens are being used for a variety of applications (electronic health cards, ticketing, finances, etc.) (cf. [Williamson 2006]). Chip cards holding an embedded chip, hardware logic, and memory are called smart cards. Shelfer s paper provides an overview of smart card types, infrastructures and standards (cf. [Shelfer 2002]). RFID chips, which provide all functions smart cards offer, are available as well. They are based on the same concept and allow for realising contactless chip cards. This extended the scope of possible shapes. Smart card chips can be easily blended in portable (and personalised) devices (e.g. USB memory sticks, mobile phone, etc.). The lack of a viable method of identification has kept smart cards from gaining much popularity, but the situation has been improving. Currently, there are no standards defined, but this is being worked on. ISO standard sounds promising with respect to interoperability. (cf. [Williamson 2006]). In (cf. [Spitz 2006]) it is described in detail. Bakdi introduces a method for combining several smart cards in one. The approach of virtual tokens allows for the operation of several applications on one hardware token (cf. [Bakdi 2006]). RFID systems, being used en mass, will be a future hot topic in security discussions. Providing for privacy and data integrity using these systems still poses a challenge (cf. [Calmels 2006]). A trusted platform module (TPM) is a smart card derivative associated with an API and protocols for enhancing trustworthiness of computing platforms or other devices (trusted platform). The goal is to form a cryptographic hash chain, representing the current execution status, and to store this value securely in one register of the TPM. By asking the TPM to generate a signed data block having the value of the hash chain, the counterpart is able to verify whether the platform resides in a secure mode of operation (cf. [Portitz 2006]). TPMs have been developed by the Trusted Computing Group (cf. [TCG 2006]). TPMs being bound to systems and not persons is the most important difference between them and smart cards. TPMs were developed to provide a more appropriate base for high trust platforms (cf. [Sandhu 2005]) and are supposed to form a root of trust (cf. [Sadeghi 2006]). Many platforms containing a TPM have already been rolled out (cf. [Sadeghi 2006]). The architecture allows for later integration of newer methods, like lattice-based access control (cf. [Sandhu 2005]). The BSI appreciates the security initiative regarding trusted computing initiated by Microsoft. That is because of the fact that at the present time PCs are fairly vulnerable to malware, since the operating systems currently used especially the Microsoft Windows family can fend of those threats imperfectly at best. The BSI expects IT Chapter 1 Technical Outlook 23