15 YEARS OF SECUNET 15 YEARS OF PKI EXPERIENCE
secuview, Issue 2 | 2012: The IT Security Report by secunet

15 YEARS OF SECUNET, 15 YEARS OF PKI EXPERIENCE

Security framework for new identity documents: secunet delivers eID PKI Suite to the Latvian Office of Citizenship and Migration Affairs

Secure Cloud Computing? But of Course! Article by Fred di Giuseppe Chiachiarella, German Insurance Association (GDV)

Put the Seal of Quality on Your Line Encryption: SINA L2 Box delivers line encryption with proven security

Content

15 YEARS PKI by secunet
03 15 Years of secunet, 15 Years of PKI Experience
04 What is PKI and what is it for?
05 “Darling Romeo, Meet Me on the Balcony!”
06 Security framework for new identity documents
08 “Watch Out – Ambulance on Your Right!”
10 PKI Meets Mobile Devices

National
12 Secure Cloud Computing? But of Course!
13 Dates
14 Preventive Security – A New IS Class ‘Driving Licence’
16 An Informant in the Ranks

Technologies & Solutions
17 Penetration Test for SMEs or “What’s That Windows NT 4 Box Doing There in the Corner?”
18 Put the Seal of Quality on Your Line Encryption
20 Health and Safety for Internet Users
21 News in Brief: SINA AMN Client Now in Operational Use by German Military
22 Events

Editorial

Dear Readers,

1997 was an eventful year: the comet Hale-Bopp was visible to the naked eye over a period of several months; the radio navigation system OMEGA was finally switched off; the German Digital Signature Act came into force; the German Federal President Roman Herzog made his famous speech in which he said that the country needed a ‘kick up the backside’; and secunet was founded! For the past 15 years, we have been steadily developing our expertise in the long-term protection of your data and applying the knowledge we have gained, playing an active role in drawing up guidelines and even legislation in the field of IT security.
We are thus making our very own contribution to security in a digital world so that you can enjoy all the benefits it offers with full peace of mind. Public Key Infrastructure (PKI) is an area that has preoccupied us over the years – from the creation of the trust centre for Deutsche Telekom to the development of SINA and the security platform for ElsterOnline, and on to the planning of yet more exciting projects for the future. We are pleased to give you an insight into this seemingly mundane and yet challenging topic in a special supplement to this edition of secuview. Follow the 15-year history of PKI at secunet on a timeline and read a special report on the projects we have undertaken. One current development in particular requires innovative approaches to IT security (and that also applies to PKI), namely cloud computing. On pages 12 and 13 of this magazine, Fred di Giuseppe Chiachiarella, Head of Business Administration and Information Technology at the Gesamtverband der Deutschen Versicherungswirtschaft e. V. (German Insurance Association, or GDV for short) considers the opportunities presented by the cloud and the challenges of building an environment in which the security elements comply with legal requirements. At the moment, the GDV is engaged in a joint project with the BSI to develop certification criteria for cloud computing, with new safety standards that can subsequently be used for other applications. One thing is certain: the next few years will present new and exciting challenges that we look forward to meeting head on. I hope you enjoy reading our magazine. 
Best wishes,
Dr Rainer Baumgart

15 Years of secunet, 15 Years of PKI Experience

With Public Key Infrastructure (PKI), secunet is able to meet the challenges of the digital era head on and therefore ranks as a trusted provider of IT security solutions to clients in all sectors of the economy.

By the mid-1990s, it had become clear that digitisation and interconnectivity were an irresistible force, resources that were an essential part of modern life. Consequently, there was an urgent need to confront the challenges posed by digitisation and to create innovative security solutions, rather than be overwhelmed by the sheer enormity and seeming impossibility of the task. In order to benefit from digitisation, it was necessary to implement a legally binding digital equivalent to the handwritten signature: the qualified electronic signature. The legal framework for this was established in the 1997 German Electronic Signature Act, which requires that accredited trust centres be set up with the capacity to act as trusted authorities in electronic communication processes.

Around the same time, the Essen-based Technical Inspection Association (TÜV) decided to expand its field of operations beyond those of a testing and inspection body and to join with Deutsche Telekom in using its IT security expertise to take on a consultancy role. As a result, secunet was founded as an independent subsidiary specialising in IT security services. secunet’s first project was the creation of Germany’s first ever trust centre for Deutsche Telekom.

secunet had thus entered uncharted territory, but was able to use and expand its specialist knowledge in further trust centre and PKI projects both at home and abroad. Today, secunet’s security experts are well versed in all business areas associated with public key infrastructures and trust centres, from the production of detailed security analyses and concepts to drafting procedural documentation and dealing with any and all technical, organisational, legal and administrative matters that might arise during a project.

In this special edition of secuview, we explore the exciting world of PKI that has been central to secunet’s success over the past 15 years.

1997: SECUNET IS BORN (GERMANY’S FIRST TRUST CENTRE)
With its very first projects, secunet (initially named SecuNet Security Networks GmbH) acquired a level of expertise that was unique in Germany at the time. It established the first trust centres in the country for Deutsche Telekom (1997) and the modern DPCom Signtrust (1999). A lot has happened since then. Indeed, secunet has broadened its PKI expertise through the production of detailed security analyses and concepts, the drafting of procedural documentation and the handling of all technical, organisational, legal and administrative issues for a number of further trust centre and PKI projects both at home and abroad.

1999: SINA
Between 1999 and 2002, secunet developed SINA (Secure Inter-Network Architecture) based on a broad concept outlined by the German Federal Office for Information Security (BSI). The PKI-based system was designed to securely process, store and transmit classified information and other sensitive data. When smart cards are issued, the SINA Management system generates pairs of keys and certificates which are used for the secure authentication of SINA users/gateways by means of digital signatures when connections are established. SINA comprises a growing family of modular components which are designed to be secure in a variety of application scenarios, and whose functionality is constantly being extended – there are currently over 30,000 SINA components in operation worldwide.

Special

What is PKI and what is it for?
Secure and confidential communication over the internet is not just a pipe dream

PKI enables users of essentially insecure public networks such as the internet to securely and privately exchange data through the use of a cryptographic key pair, consisting of a public and a private key. Within PKI, a so-called ‘trust centre’ assigns a unique public key to a given entity (a person or a device), which is then recorded on a digital certificate issued by the trust centre, also referred to as the ‘certificate authority’. The digital certificate is then published by online directory services and is thus made accessible to the public. Trust centres are also responsible for the blocking (‘revocation’) of certificates, and certificate revocation lists are published accordingly.

PKI is thus a system that issues, distributes, verifies and revokes digital certificates for secure electronic communications. As a central security infrastructure that is always required for cryptographic keys associated with persons or entities, PKI serves to protect electronic identities through secure authentication, data encryption and electronic signatures, thereby bringing an element of confidence into the digital world. PKI goes far beyond simple e-mail encryption.

A public key infrastructure consists of:
1. A trust centre / certificate authority (CA) which issues and verifies digital certificates. A certificate includes the public key and information about the owner of the public key.
2. A registration authority (RA) which acts as the verifier for a certificate authority before a digital certificate is issued to a requester.
3. One or more directories in which the certificates (and their public keys) are held.
4. A certificate management service with the power to suspend or revoke certificates.
5. A validation service (VA) which makes it possible to check certificates.
2002: eTRUST MAIL / SIGNTRUST MAIL AND eKURIER (ELECTRONIC MAIL GETS SECURE)
1998 marked the creation of LibSigG, a cryptographic library used to sign electronic documents in accordance with the 1997 German Electronic Signature Act. In addition to this, secunet developed the desktop software eTrust Mail (later called Signtrust Mail) and the electronic registered mail service eKurier in 2002 for Deutsche Post and PostCom respectively.

2003: ELECTRONIC WASTE MANAGEMENT SYSTEM – eANV
Since April 2010, companies in Germany have been legally obliged to create an electronic audit trail when handling hazardous waste. This move was expected to reduce bureaucracy for waste management authorities and the companies concerned, as well as to make waste disposal monitoring processes more efficient. As early as 2003, secunet was already working with the German Federal Office for the Environment (BMU) to draw up the relevant legislation. secunet also established the system’s security requirements, developed a model of implementation for the system and designed a data interface for the exchange of electronic documents between companies and waste management authorities. Finally, secunet contributed to the implementation of the concept throughout Germany and adopted an advisory role during the commissioning of the system. Today, secunet continues to support the BMU in extending the functionality of eANV to include additional processes and meet further requirements of the waste management industry.

2003: MONITORING AND ACCREDITATION SYSTEM FOR CERTIFICATION SERVICE PROVIDERS IN GREECE
Working in cooperation with a local partner, secunet developed the monitoring and accreditation system for certification service providers in Greece. Throughout the project, secunet advised the Greek regulatory authority, EETT National Telecommunications and Post Commission, on all matters concerning the voluntary accreditation and monitoring of certification service providers for electronic signatures. Additionally, secunet was responsible for analysis and training as well as for implementation of all technical, organisational, legal and administrative aspects.

2003: MULTISIGN (LEGAL CERTAINTY ONLINE)
The secunet ‘multisign’ mass signature solution was first proposed in May 2003. The product is a high-availability security solution that makes it possible to create qualified electronic signatures as a basis for legally compliant electronic business processes. In business communication, mass signatures provide legally valid proof of the ‘authenticity of origin’ and the ‘integrity of content’ of data transmissions.

“Darling Romeo, Meet Me on the Balcony!”
How PKI can protect your sweet nothings from prying eyes

Let’s bring Romeo and Juliet into the digital era. Juliet is yearning for her beloved Romeo and so writes him the following e-mail: “Meet me on the balcony.” Before she sends it to Romeo, she signs the message with her private key and then encrypts it with Romeo’s public key, so that only he can read it. Romeo then decrypts the e-mail with his private key and verifies Juliet’s signature with her public key, enabling him to read her message in plain text – and so the tragedy runs its course.

But how can Romeo be sure that the message sitting in his inbox is actually from Juliet? The digital signature is the link between the message and the owner of the key pair; together with the encryption, it provides:
- Authentication: Romeo can be sure that the owner of the private key sent the message.
- Non-repudiation: The owner of the private key cannot refute that he/she signed the message.
- Integrity: The message cannot be altered without detection.
- Confidentiality: Only the owner of the private key (the receiver) can read the message.
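The Romeo and Juliet exchange above, worked through as an added example that is not part of the original article: Juliet signs with her private key and encrypts for Romeo’s public key, Romeo decrypts with his private key and verifies with hers. It uses a toy textbook RSA written for this demo (no padding, no certificates, deliberately small keys) and a constructed payload layout, so it shows the flow and the four properties, not production cryptography; the impostor Tybalt and the bit-flipped ciphertext are constructed failure cases.

```python
"""Sign-then-encrypt demo with toy textbook RSA (no padding; illustration only)."""
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin: False means composite, True means very probably prime."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with exactly `bits` bits (top bit and low bit forced to 1)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits):
    """Return (public, private) = ((n, e), (n, d)) built from two `bits`-bit primes."""
    e = 65537
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(message, n):
    """SHA-256 of the message as an integer; it must lie below the modulus."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    if h >= n:
        raise ValueError("toy key too small for a SHA-256 digest")
    return h


def sign(message, private_key):
    """Signature = digest^d mod n; only the holder of d (Juliet) can produce it."""
    n, d = private_key
    return pow(_digest_int(message, n), d, n)


def verify(message, signature, public_key):
    """Anyone holding the signer's public key checks signature^e mod n == digest."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message, n)


def seal(message, sender_private, recipient_public):
    """Juliet's side: sign with her private key, then encrypt for Romeo's public key."""
    # Constructed payload layout: 0x01 | signature | message. The 0x01 byte keeps
    # leading zero bytes of the signature when the payload becomes an integer.
    n_s, _ = sender_private
    sig_len = (n_s.bit_length() + 7) // 8
    payload = b"\x01" + sign(message, sender_private).to_bytes(sig_len, "big") + message
    n_r, e_r = recipient_public
    m = int.from_bytes(payload, "big")
    if m >= n_r:
        raise ValueError("payload too long for the recipient's toy key")
    return pow(m, e_r, n_r)


def open_sealed(ciphertext, recipient_private, sender_public):
    """Romeo's side: decrypt with his private key, verify with Juliet's public key."""
    n_r, d_r = recipient_private
    m = pow(ciphertext, d_r, n_r)
    payload = m.to_bytes((m.bit_length() + 7) // 8, "big")
    sig_len = (sender_public[0].bit_length() + 7) // 8
    if len(payload) < 1 + sig_len or payload[0] != 0x01:
        return None, False  # malformed: not produced by seal() or damaged in transit
    signature = int.from_bytes(payload[1:1 + sig_len], "big")
    message = payload[1 + sig_len:]
    return message, verify(message, signature, sender_public)


def demo():
    """Genuine exchange plus two failure cases; returns what Romeo sees in each."""
    juliet_pub, juliet_priv = generate_keypair(160)  # n >= 2^318, above any SHA-256 value
    romeo_pub, romeo_priv = generate_keypair(320)    # n >= 2^638, room for 0x01|sig|msg
    tybalt_pub, tybalt_priv = generate_keypair(160)  # impostor with his own key pair
    note = b"Meet me on the balcony."
    genuine = open_sealed(seal(note, juliet_priv, romeo_pub), romeo_priv, juliet_pub)
    forged = open_sealed(seal(note, tybalt_priv, romeo_pub), romeo_priv, juliet_pub)
    tampered = open_sealed(seal(note, juliet_priv, romeo_pub) ^ 1, romeo_priv, juliet_pub)
    return {"genuine": genuine, "forged": forged, "tampered": tampered}


if __name__ == "__main__":
    for case, (message, authentic) in demo().items():
        print(f"{case:9s} authentic={authentic} message={message!r}")
```

The forged case decrypts cleanly but fails verification (authentication), and the tampered case yields either a malformed payload or a signature that no longer matches (integrity); in both, Romeo rejects what is in his inbox.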
Special

Security framework for new identity documents
secunet delivers eID PKI Suite to the Latvian Office of Citizenship and Migration Affairs

secunet is delivering its eID PKI Suite as a subcontractor for the Latvian IT company Lattelecom Technology. This tried-and-true security solution provides all of the functions required for the successful operation of the new Latvian PKI. Indeed, the eID PKI Suite comprises not only those PKI components that are needed for issuing ICAO-compliant passports and national identity cards, but also Extended Access Control (EAC) PKI components for the validation of passports and ID cards at border control and in Latvian embassies worldwide. The Latvian Office of Citizenship and Migration Affairs (OCMA), which is charged with the planning and implementation of this major project, has selected secunet as a partner on the basis of its expertise and proven track record in eID solutions.

For easier document handling in border and other control scenarios, secunet is also providing the Latvian government with a so-called Terminal Control Centre (TCC). This infrastructure, which has already been adopted by the German Federal Police, manages (amongst other things) the certificates and document data for all associated ID scanners, meaning that these no longer have to be managed individually.

If a job’s worth doing, it’s worth doing well; in addition to introducing new electronic identity documents, Latvia is also updating its existing Public Key Infrastructure (PKI) for the production and inspection of these documents. The PKI is thus being extended to include a central infrastructure for the validation of electronic identity documents. As a result, the enhanced system will not only be able to issue electronic documents but can also be used for checking electronic documents, which makes it possible to exchange information with other countries and thus facilitates the use of identity documents worldwide. Thanks to the flexible design of secunet’s eID PKI Suite, the specific requirements of the Latvian authorities can be met in their entirety – all without compromising absolute security and reliability.

More information: Georg Hasse, [email protected]

2004: ELSTER (NEW ONLINE TRACK FOR TAX-RELATED AREAS)
At the behest of the Bavarian Regional Tax Office, secunet implemented a new security platform for the ElsterOnline portal. The solution satisfies the very highest security requirements, supporting authentication, encryption and electronic signatures for web applications through certificate-based processes. As a result of these processes, convenient new online portals now exist for virtually all tax-related areas, including tax declarations, tax cards, income tax and tax account inquiries – today all over Germany.

2005: ePASS
Since 2003, secunet has supported the global product specifications for electronic passports. In 2005, the German National Printing Office put the first electronic passport (ePass) into circulation and the BSI approved secunet’s testing laboratory for electronic travel documents. As such, secunet’s laboratory is the first ever officially accredited testing laboratory for the security of electronic travel documents in Germany in accordance with BSI technical directive 03105 – Part 3.

2005: AUSTRIAN eCARD
Austria’s electronic social security card forms the basis of the system that administers Austrian social security affairs. The eCard replaces Austria’s paper health insurance voucher and carries an electronic signature to ensure that all applications for social security are secure. The eCard is also capable of accepting further electronic signatures.
Under this project, secunet is responsible for the implementation of all security-related components and concepts, a PKI inclusive of directory services to secure business processes and a user-friendly web portal for carrying out eCard-related tasks.

Always operating in the background: a central security infrastructure

“We are delighted to be among the first European countries to have the technological capacity to process new-generation passports. During the course of this project, secunet has proved to be a flexible, reliable and motivated partner with whom we were able to build a modern, high-security, high-availability eID infrastructure.” Inguss Treiguts, Director of the ID Department at the Office of Citizenship and Migration Affairs (OCMA), speaking about the work done with secunet.

By introducing electronic identity documents, Latvia has established a reliable system for digital identification and thus created the necessary conditions for more efficient and secure management of existing processes. This in turn requires that a complex central security infrastructure constantly operates in the background. The reason for this is that the mutual trust between public bodies and citizens is paramount when handling national identity documents. Consequently, it is vital to provide the highest possible level of identity protection by ensuring that:
– identity documents are authentic (i.e. they must have been produced and issued by an authorised agency);
– printed and electronically stored data cannot be amended in any way;
– only agents of a relevant authority are entitled to have access to this data, e.g. an immigration officer at the border or airport.

Public Key Infrastructures have proven to be the technology of choice in this regard. There are two international PKI concepts that are relevant to national ID documents. The ICAO PKI is a system used all over the world to verify the authenticity and integrity of identity documents. Meanwhile, the EAC PKI, which is predominantly used in Europe, ensures that only authorised ID scanners are able to access the data stored in the document chip. The reason that such eID infrastructures are so complex is that the required certificates need to be exchanged between both PKI systems and between all of the countries in the world. In its eID PKI Suite, secunet has developed an all-encompassing, innovative security infrastructure especially to meet these unique requirements.

2006 / 2011 / 2012: DE-MAIL
The security of De-Mail is also ensured through the use of PKI-based user authentication, as well as through qualified electronic signatures generated by De-Mail providers. From 2006 onwards, secunet has been heavily involved in the development of De-Mail’s technical directives, from which the De-Mail law and relevant technical directives were finally derived in 2011. De-Mail was first offered by providers in April 2012. secunet advises and assists De-Mail providers in the establishment of the necessary infrastructure and compliance with legal requirements, helping businesses and public authorities to establish a secure connection to De-Mail and to integrate it into their business processes. Meanwhile, secunet’s De-Mail ‘konnektor’ facilitates the PKI-based authentication of businesses and public authorities.

2007: FLASHWARE PROTECTION (INTEGRITY, AUTHENTICITY AND YOUR VEHICLE)
IT is opening the door for vehicle manufacturers to innovations that make cars safer, more economical, more comfortable and more entertaining. To guarantee the continued safety and security of both the driver and vehicle, steps must therefore be taken to prevent software imitation and manipulation. secunet has developed mechanisms for the BMW Group that safeguard the integrity and authenticity of control unit software by means of modern public key cryptography.
To this end, secunet has itemised and implemented all the necessary functions for BMW’s back-end infrastructure, workshop infrastructure and production systems.

Special

“Watch Out – Ambulance on Your Right!”
Anonymous data exchange enables safer roads and more efficient traffic flow

Drivers often engage in animated gestures and occasionally shouting matches. Unfortunately, this type of information exchange does not necessarily lead to an improvement in road safety or traffic flow. A much more reliable and effective alternative is inter-vehicle communication. In the future, cars will communicate with one another (Car-2-Car) to make drivers aware in good time of critical and dangerous situations such as accidents or black ice, or communicate with traffic infrastructure such as traffic lights or traffic signs (Car-2-Infrastructure) to optimise traffic flow. To achieve this, vehicles collect sensor data on brake function, steering, position, direction, speed etc., evaluate it and pass it on via wireless networks to other road users.

Safety and efficiency on the road can, however, only be achieved if data exchange is rapid, reliable and authentic. Experts are now focusing on extending and adapting existing technologies, using WLAN to the IEEE 802.11p standard for data transmission. Because vehicles are then open for data communication over the radio network, this immediately raises the issue of a secure communication structure. The core values of information security such as integrity, authenticity and liability are also key requirements in communication between vehicles and infrastructure.

Secure Car-2-X communication via PKI

In order to eliminate the possibility that any falsification of information might go undetected, recourse is made to signatures in asymmetric cryptography and to PKI, just as in ‘classic’ IT. Data protection laws require, however, that the transmission of information which arises from the use of signatures and certificates in Car-2-X communication and which might be used to identify the sender (a desirable feature in business applications) must be prevented. The PKI feature used here ensures that the vehicles have at their disposal a large number of pseudonym certificates, which are exchanged periodically, as well as several key pairs for signing the messages that are to be sent. For this purpose, several Root CAs (RCA), connected by means of cross-certification, need to be established, which certify the subordinated Long-Term CAs (LTCA) and Pseudonym CAs (PCA) (see illustration). The LTCA issues each vehicle with a unique certificate, which is not used for communication between vehicles or communication with traffic infrastructure, but only in requesting pseudonym certificates for the signature of data telegrams from a PCA. In this way, individual vehicles retain their anonymity.

[Illustration: Specially developed PKI concept ensures vehicle anonymity. Root CAs RCA 1 to RCA n are linked by cross-certification; each RCA issues a certificate for an LTCA and a certificate for a PCA; the LTCA issues the vehicle’s Long-Term Certificate, and the PCA issues its Pseudonym Certificates.]

As a member of the CAR 2 CAR forum, secunet is helping the automotive industry to standardise the system and to overcome practical challenges related to its introduction to the market. In this work, secunet is able to draw on its comprehensive expertise in the design and implementation of PKIs (Public Key Infrastructures) and on its own product components.

More information: Andreas Ziska, [email protected]

2007: NATIONAL ROOT CERTIFICATE AUTHORITY IN EGYPT
In 2007, secunet and Giesecke & Devrient Egypt Services Ltd won the contract for the creation of a national root certificate authority in Egypt. secunet’s contribution to the project was PKI software, network infrastructure components and relevant concepts and documentation; it also provided training for the trust centre’s employees. The Egyptian trust centre began operations in June 2008 under the aegis of the Egyptian Information Technology Industry Development Agency (ITIDA).

2008: ELECTRONIC HEALTH CARD – eGK (ALL-IN-ONE: YOUR HEALTH RECORDS ON ONE CARD)
gematik (the German Association for the Telematic Application of Health Cards) and the German Federal Ministry of Health relied on secunet’s experience and expertise during the implementation and launch of the eGK in Germany. In just a short space of time, while working in parallel on the development of the certificate authority (CA), secunet created a security concept that was tested and approved by an independent auditor. Furthermore, secunet provided assistance to a large German insurance company in the implementation of its own PKI for issuing the first ever electronic health cards in the country.

2010: NEW ID CARDS – nPA
Since November 2010, DPCom Signtrust has been an accredited certification service provider, issuing authorisation certificates for the nPA in accordance with the EAC 2.0 security protocol. The necessary authorisation certificate authority for this was delivered by secunet, which supported the project at every stage from conception and development to piloting. Through this project, foundations were laid for the first-time implementation of the nPA in the private sector. Building on the same secunet solution, the German Federal Police Force checks nPAs at Germany’s borders using a document verifying certificate authority.

2011: AUTHEGA
Using authega, a data protection-compliant authentication service developed with mgm technology partners GmbH, secunet has implemented secure access to the employee intranet service of the Bavarian State Finance Office (LfF).
In August 2011, the pilot phase commenced for the first application of the portal, via which the employees of ministries and regional authorities will gain secure access to their personal data and staff-related processes in future.

2011: eGATE AT AIRPORT PRAGUE (EASYGO AT THE AIRPORT)
Towards the end of 2011, the Czech border police put an eGate – a semi-automated border control system – into operation at Prague Ruzyně airport. secunet delivered the so-called EasyGo system to Prague as a sub-contractor of the Czech company VÍTKOVICE IT Solutions. The system works via a PKI suite through which certificates are distributed that make it possible to access the data saved electronically in electronic identity documents (eIDs).

Special

PKI Meets Mobile Devices
Integration of mobile devices into businesses

More and more companies are willing to permit the use of mobile devices and thereby fully exploit all the benefits of mobile communications. But at the same time, there are worries about security, with 76 % of businesses seeing the increasing number of mobile devices as a serious threat.* These fears are not unfounded, but the associated risks can be minimised by taking appropriate measures. To ensure that both company-issued and private (‘bring-your-own’) mobile devices can be integrated into the corporate network and that sensitive data can be safely handled by apps without compromising security, there are technical aids that can be incorporated into operating systems (e.g. Android, iOS) and that are already standard in ‘classic’ PC-based environments, including VPN connections, namely PKIs.

Alongside the IEEE 802.1x standard and Kerberos, certificate-based authentication considerably enhances the level of security in the authorisation of devices within corporate networks. Each individual device is assigned individual keys and certificates, thereby facilitating direct mapping and simplified device management. If a device goes missing, the associated certificate is centrally blocked and the lost or stolen device can no longer access the corporate network. Authentication of mobile devices in the network takes place on the basis of ‘knowledge and possession’. The required keys and/or certificates are verified via the relevant mobile device management, including PKI connection.

With the help of user certificates, the transport and storage of data plus access to applications on mobile devices can be made more secure. User-specific authentication and data encryption can already take place on the basis of certificates using standard features of the operating systems and applications; for example, Apple’s Mail.app comes with corresponding (S/MIME) functions on board. With the increasing use of mobile devices, enterprise PKI solutions as central security infrastructures are steadily gaining in importance. To allow the use of smartphones and tablets without exacerbating security concerns, some companies are already preparing to establish and/or expand their respective PKI solution with the aim of testing and integrating mobile device management solutions and mobile devices in conjunction with PKIs.

More information: Steffen Heyde, [email protected]

* Extract from research report ‘Global Study on Mobility Risks – Survey of IT & IT Security Practitioners’, © Ponemon Institute 02/2012

2012: GERMAN FEDERAL MINISTRY OF LABOUR (THE FUTURE IS NOW)
For some years now, the German Federal Ministry of Labour (BfA) has been running a trust centre that issues digital service cards with qualified electronic certificates to its employees. secunet was involved in the BfA project from the conceptual development stage right through to the delivery of specialised PKI components. At the beginning of the year, secunet was asked, as the BfA’s main contractor together with business partner vps ID Systeme GmbH, to support the existing infrastructure as well as to overhaul the BfA trust centre’s existing technologies. Alongside the safeguarding of day-to-day operations, secunet is responsible for the conception, updating and delivery of the entire PKI suite.

secunet has created – or contributed to the creation of – numerous trust centres in Germany, for example: DATEV; Deutscher Sparkassen Verlag (S-Trust); DPCom Signtrust; TC Trustcenter; D-TRUST; German Federal Ministry of Labour; Deutsche Telekom; Deutsche Rentenversicherung.

Facts and figures

ELSTER: 1) So far, around 73 million income tax declarations, 334 million VAT pre-registrations, 213 million income tax registrations and 883 million tax certificates have been electronically transmitted in Germany (as of March 2012). In 2010 alone, 8.6 million tax declarations were completed online.

nPA: 2) By the end of 2011, more than 10 million new electronic ID cards had been issued. The introduction of the new ID card counts as one of the largest-scale publicly financed IT projects ever carried out in Germany.

ePASS ELECTRONIC PASSPORT: 3) By spring 2012, around 345 million ePass electronic passports had been issued in Germany.

FLASHWARE PROTECTION: 4) In the meantime, flashware protection has been distributed to the BMW Group’s entire fleet of vehicles – a total of more than 1.6 million vehicles in 2011.
1) www.elster.de, 2) www.personalausweisportal.de, 3) www.icao.int, 4) www.wiwo.de

A GLANCE AT PKI’S FUTURE
The need for confidential electronic communication makes electronic identities an integral part of the digital world

Although the imminent demise of the PKI market has been forecast often enough in recent years, it is in fact thriving. Indeed, electronic identities are becoming increasingly important in this age of mobile digitisation and have long been an integral part of the digital world. The functions and benefits afforded by PKI meet all of society’s existing requirements concerning confidential electronic communication between trusted identities, and even after 15 years, PKI projects feature heavily in the daily work of secunet; from smart metering to credit card payment security, all IT security solutions essentially build on reliable PKI systems.

New mobile devices also often use PKI technology; the growing use of such mobile devices, which are not bound to any one location and are often used both commercially and privately, makes the challenge of securing electronic identities all the more compelling. In the future, this problem will also be overcome with PKI, enabling the use of certificates that verify the identity of devices and users and thus guaranteeing secure communication. As such, the management, handling, security and cost of electronic communication will be brought back into balance.

National

Secure Cloud Computing? But of Course!
Article by Fred di Giuseppe Chiachiarella, German Insurance Association (GDV)

A weather phenomenon – more precisely, a cloud – has enthralled IT experts and ordinary internet users alike all around the world. With new ‘cloud’ technology, communication and data transfers have suddenly become possible at any time and from virtually anywhere in the world.
Holiday and family photos, music, personal data and documents have all already been sent to the cloud – mostly without anyone ever wondering if it is truly secure. In fact, where IT security and data protection in cloud computing are concerned, there are still a number of ambiguities which the European Commission has only recently begun to address. EU officials now want to create uniform security standards for private and commercial users of cloud technology.

The insurance industry in Germany is already some way ahead of the Commission. As an industry that forges strong links with its customers and business partners, we too are interested in the potential benefits of cloud computing – for its ability to facilitate faster and more flexible communication, enhanced services and synergy effects. Insurance companies must, however, meet high customer expectations in terms of data protection and security. When using new technologies, we have to be confident that the relevant technical and legal frameworks are in place to ensure secure, reliable and confidential communication. That is why we are currently developing a legally compliant cloud environment that can meet the unique requirements of our industry.

At this point, we should perhaps take a step back in time, because networked yet secure communication is nothing new to the insurance industry. Insurers already have dealings with other organisations such as local and government authorities and service providers on behalf of their customers. As early as 1993, German insurance companies began using a secure sector-specific network for regular data transfers – e. g. applications for Riester (national pension) benefits, for vehicle licensing or for the submission of claims forms. This industry network, run by the German Insurance Association (GDV) and accredited by the German Federal Office for Information Security (BSI), guarantees the secure transfer of data between insurance companies and their external partners, with a total of over 110 million messages sent each year. Alongside the Riester allowance authorities, access to the network is also made available to the German Federal Motor Transport Authority, road traffic agencies, lawyers and vehicle repair shops.

[Photo: Fred di Giuseppe Chiachiarella, Head of Business Management/Information Strategy, German Insurance Association (GDV)]

We now want to develop this network into the 'Trusted German Insurance Cloud' (TGIC). Using cloud technology, in future communication across the GDV industry network will take place directly via the internet, whilst maintaining the system's current high standards of security.

The new infrastructure is also expected to meet the BSI's own stringent security standards. At the 2012 CeBIT trade show, the BSI and the GDV announced that they would be working together to develop certification criteria for cloud computing. Until now, there have been no such criteria in Germany. In concrete terms, this means that we are currently busy developing a concept with the BSI designated 'Security by Design', the implementation of which will take into account the BSI's requirements for the level of IT security to be certified. In doing so, it is important to us that the new infrastructure operates within both the German and EU legal frameworks. Additionally, the new security standards should also provide scope for application to other projects.

With the TGIC, we hope to develop a communication platform for the use of the insurance industry and its partners that is both modern and secure. In short, we want to show that cloud computing and security are not mutually exclusive.

The Insurance Trust Centre – ITC
A central feature of the Trusted German Insurance Cloud (TGIC) will be the so-called Insurance Trust Centre (ITC). Its job is to authenticate communicating parties and to deliver the necessary data for user authorisation certificates. At the heart of the ITC concept is the Insurance Security Token Service (ISTS), which is currently being developed on the basis of the WS-Trust standard. The ISTS is a central web service which issues (signed) security tokens by means of which the authenticity of a communicating party is assured.

Dates
September 2012 until March 2013
10 - 11 Sept 2012 » Energy seminar: IT Security for Energy Infrastructures / Berlin
11 - 13 Sept 2012 » NATO Information Assurance Symposium (NIAS) & Expo / Mons, Belgium
14 Sept 2012 » TeleTrusT Info Day: Electronic Signature / Berlin
18 - 21 Sept 2012 » ICMedia / Brasilia, Brazil
25 - 26 Sept 2012 » D-A-CH Security / Constance
16 - 18 Oct 2012 » it-sa / Nuremberg
23 - 25 Oct 2012 » AFCEA TechNet International / Rome, Italy
26 Oct 2012 » Workshop IT Security on Board / Munich
29 - 30 Oct 2012 » Telematics Update / Munich
30 - 31 Oct 2012 » Biometrics / London, UK
5 - 6 Nov 2012 » VDE Congress / Stuttgart
6 - 7 Nov 2012 » Moderner Staat / Berlin
13 Nov 2012 » National IT Summit / Essen
19 - 20 Nov 2012 » Handelsblatt Defence Conference / Berlin
17 - 21 Feb 2013 » IDEX / Abu Dhabi, UAE
25 Feb - 1 March 2013 » RSA Conference / San Francisco, USA
5 - 9 March 2013 » CeBIT / Hannover
Would you like to arrange an appointment with us? Then send an e-mail to [email protected].

National

Preventive Security – A New IS Class 'Driving Licence'
Customised, creative and sustainable security awareness solutions from secunet

As drivers, we have to be able to make decisions quickly and react instinctively to what is happening around us on the road. Experience combined with knowledge of the Highway Code and of the car's safety systems will often prove decisive as to whether a critical situation runs its course without incident or ends in an accident. Consequently, every single road user contributes to the overall safety of the traffic flow and has a responsibility to conduct him/herself in accordance with the law. It therefore matters greatly that drivers are well grounded in the rules of the road. The situation is essentially similar to the flow of data in our predominantly IT-based working lives, but with one key difference: whereas we start learning as children how to cope on the road and then consolidate this knowledge later on with driving lessons, the first that we hear about the 'Information Security Highway Code' is likely to come from our employer. Sometimes employees never learn the rules at all – or they learn the rules but do not feel that they apply to them, and so do not feel obliged to abide by them.

[Illustration caption: »Hook, line and sinker. Danger: Data theft!«]

Training in IT data flows – better late than never

A poor understanding of these rules and a lack of accountability can lead to serious problems in practice because – just as with road traffic incidents – most IT incidents occur through human error*. Even the most secure information technology is unable to offer protection if employees act carelessly, in the same way that the most advanced vehicle technology is powerless to intervene as soon as a pedestrian crosses the road on a red light. In the same way that individual responsibility increases with the number of road users, it also increases with increased data volumes, and in particular with increased data sensitivity.

A driving licence is compulsory for anyone wishing to get behind the wheel of a car. Why, then, is there not an 'IS Class' licence for IT security? IT security awareness solutions aim to fill this gap, making employees and senior management alike more aware of the importance of information security and the need to use IT responsibly. Knowledge is imparted, rules are reinforced, practical examples and typically risky situations are highlighted, good practice is taught and tips are given – just as when learning to drive.

IT security concerns everybody

Awareness-raising measures are more important today than ever before, because most employees do not realise that they have a key role to play in IT security. This is largely due to the fact that, unlike in road traffic incidents, the effects of transgression and carelessness in IT are often not immediately apparent to the user. Furthermore, most employees regard the IT department or the company's IT security officers as being exclusively responsible for IT security. Consequently, with the exception of the IT department itself, employees' understanding of IT security measures is likely to be relatively limited. The key to successfully raising awareness is in the approach taken; it must be persuasive but not overbearing, and it must gain acceptance through emphasising the rewarding aspects, so that employees become less defensive and more willing to take ownership of the issue.

The perfect recipe for increased IT security awareness

As an IT security specialist, secunet is able to implement security awareness measures on your behalf – but there is no one-size-fits-all solution. Indeed, the security awareness programme we offer will be tailored specifically to your business culture and existing IT infrastructure, ensuring that participants will be able to relate as closely as possible to its content. Every target group will have specific needs, for example at senior management level where the expectation is to lead by example. Designed according to the stated objectives of each client, the awareness solutions implemented by secunet will vary greatly in terms of duration, format and style – in the same way that a moped licence is different from an HGV licence. With the right combination of components, including live hacking presentations, comic strip handouts, brochures, competitions and in-tray documents, as well as technological measures such as specially designed login screens, secunet will raise the security awareness of your employees in a creative, interesting and sustainable way.

More than 40,000 employees from local government agencies and private companies have already been introduced to the wider implications of IT security in this exceptionally creative way; secunet's awareness experts have driven home the message that each and every one of them is an important part of their company's IT defences. As Humboldt might have said: "Ideas (or in this case, "information security rules") can only serve a purpose if they come alive in the minds of the many."

* Source: kes>/Microsoft Security study 2010

More information: Markus Linnemann, [email protected]

National

An Informant in the Ranks
How your hardware could be 'leaking' sensitive data and what you can do to stop it

Information is a highly valuable commodity for public authorities and private companies alike, so it comes as no surprise that technical data protection measures such as encryption are taken as a given today. Awareness-raising campaigns and other initiatives teach employees to take care when handling information – yet it often escapes attention that there could be an informant in the ranks, even when employees follow information security rules to the letter. Indeed, digital appliances such as monitors and keyboards can cause the unchecked broadcasting of your company secrets through the emission of electromagnetic radiation (EMR), which can lead to inadvertent information leaks. With the right professional equipment, these data leaks – also called 'compromising emanations' – can be tapped into relatively easily. Eavesdroppers do not even have to be in the same building as your computer system. Indeed, targeted attacks can be launched up to 1000 metres away.

Radiation-proof devices such as those manufactured by our Fürth-based partner Siemens for the SINA product range prevent the transmission of information via EMR and thus protect your data from unauthorised interception. In line with the zone model drawn up by the German Federal Office for Information Security (BSI), these devices fall into three protection classes:

Zone 0 (~ NATO SDIP 27 Level A) – Site of operation without special protection
Zone 1 (~ NATO SDIP 27 Level B) – Site of operation with limited protection requirements
Zone 2 (~ NATO SDIP 27 Level C) – Site of operation with high protection requirements

To achieve sufficient protection against compromising emanations, it may be necessary to redesign the layout of your business premises. Alternatively, the computer system itself can be adequately protected: the SINA Terminal H SDIP 27A, for instance, can be used at a site of operation without special requirements, but is capable of offering the same level of protection as the Zone 2 Faraday cage, which isolates compromised components and shields EMR from external reception. As a result, a garrulous informant will become a quiet and trusted friend once more.

The exceptionally well-protected appliances described in this article should not be confused with so-called 'low-emission' components, which are commercially available devices bearing the quality seals of companies, e. g. TCO Certified. This is because these quality seals only indicate the threshold for harmful levels of EMR and do not signify protection against compromising emanations.

More information: Dirk Mangelmann, [email protected]

Technologies & Solutions

Penetration Test for SMEs or "What's That Windows NT 4 Box Doing There in the Corner?"

What is the most reliable way of making life hard for hackers? The answer is obvious: identify and eliminate vulnerabilities in the company's internal network. The best strategy is to get someone on the job who really knows what they are doing – a hacker with expert technical skills and a natural understanding of the way the criminal mind works.

So-called 'penetration tests' were originally devised as a standard feature of the IT security process for major clients such as banks and insurers, but their popularity has since spread throughout the industry. Many small to medium-sized enterprises (SMEs) have started to use this type of efficient analytical procedure to quickly and comprehensively assess the current status of their own IT security.

For almost fifteen years now, a group of secunet experts has been heavily involved in such projects. Their in-depth knowledge of network and system administration coupled with a creative approach, exceptional powers of imagination and all-round experience enables them to reliably pinpoint vulnerabilities – even without being granted access rights – and to exploit these (obviously with the permission of the client) to penetrate as far as core company data.

In future editions of secuview, we will be revealing some of the classic vulnerabilities and typical hacker targets in company systems as well as recounting some amusing and even hair-raising tales as told to us by a 'white hat' (i.e. an ethical hacker).

HACKERSTORY #1
My secret is contained in my password

Many networks and workstations still rely exclusively on passwords to identify an authorised user. It is not difficult for a hacker to clear this obstacle. Amazingly, the password chosen is often the same as the user name. Weak passwords can be cracked in a matter of hours using 'brute force'. Clues can often be found in the user's social background, e. g. who is important in their love life, what football team do they support?... If the hacker has physical access to the workstation, he will frequently find the password written on a post-it note and stuck to the screen or hidden under the mouse mat.

But that is not even the most egregious scenario: in some companies, the local administrative password is identical on all computers. This means that, once the password of a local administrator has been cracked, the hacker can access other workstations on the network, including those with administrative rights. The consequences can be catastrophic…

IN THE NEXT ISSUE: Production and budget pressures as a source of risk

More information: Dirk Reimers, [email protected]

Technologies & Solutions

Put the Seal of Quality on Your Line Encryption
SINA L2 Box delivers line encryption with proven security

German research and development enjoys a worldwide reputation for strength of innovation, with the 'Made in Germany' label being seen as a reliable indicator of quality. It is not surprising, therefore, that research findings, production plans and even customer databases are the targets of industrial espionage from home and abroad.

The increasing tendency to hook up Ethernet structures over an ever wider area of activity has led to a network that extends over multiple sites operated both by government and by private enterprise. The SINA L2 Box has been designed to encrypt data links as well as satellite connections between locations and within sensitive areas; moreover, the highly efficient rate at which data is encrypted means that there is no discernible effect on transmission speed. The German Federal Office for Information Security (BSI) has confirmed and approved it for use up to and including VS-NfD and NATO RESTRICTED. A Restreint UE approval for German national use has also been granted.

Bandwidths of 100 MBit/s, 1 GBit/s or 10 GBit/s ensure high performance, and with ultra-low latency, transmissions can be encrypted even for the most urgent applications and scenarios.

In contrast to other Layer 2 encryption solutions on the market, SINA L2 technology stores all configuration data as well as encoding parameters on smartcards. In addition to the advantage that comes from having data securely stored on a smartcard, this also makes for easier operation and system recovery after servicing. Encryption is effected between the SINA L2 Boxes. These are quickly and easily integrated into the link between provider and company network as a point-to-point, point-to-multipoint or multipoint-to-multipoint connection; consequently, it is not necessary to make any alteration to the network infrastructure. The SINA L2 components can be used immediately and are completely transparent in the way they work for VLAN, MPLS and other networks, i. e. users are not required to agree on a particular protocol. SINA L2 Boxes are thus outstanding in the way they supplement and safeguard existing network infrastructures and enable compliance requirements to be fulfilled.

SINA L2 Boxes thus ensure absolute data security, also when entire data processing centres and SAN (Storage Area Network) environments are to be hooked up or synchronised. Because encryption performance is able to cope with actual transmission speeds, even voice or video applications via fixed lines or connections via satellite and radio relay system can be securely encrypted without any delay in real time or degradation of quality.

[Figure: Headquarters, SAN at location A, SINA Management, other branch offices, Branch office 1, Branch office 2]

The quality and performance of the network connections between SINA L2 Boxes can be demonstrated by various analytical and measurement procedures. With the use of modern instruments, it is possible to determine the throughput of your connection, to run error and protocol analysis, and to provide you with useful comparative data, both with and without encryption running.

More information: Volker Wünnenberg, [email protected]

Technologies & Solutions

Health and Safety for Internet Users

We have to take steps to protect ourselves from harm. Indeed, this is why we have to wear safety helmets on building sites – no helmet means No Entry! The internet can also be a dangerous place if you are not sufficiently protected, so why not wear an 'online safety helmet'?

For many people, the use of online services has become very much a part of working life. However, the internet is known to harbour many dangers. Numerous studies carried out by reputable IT security companies and research institutes confirm that the risk of becoming a victim of a cyber-attack is constantly increasing. Local (browser) applications are particularly vulnerable to attack, with vulnerabilities that can be quickly exploited. Whilst virus scanners and firewalls can increase the level of protection, they cannot control the behaviour of individual users in the hazardous environs of the World Wide Web.

A safety helmet for local networks

In 'safe surfer', secunet has developed a product that is built on the basis of the ReCoBS* architecture approved by the German Federal Office for Information Security (BSI). The underlying principle is that the internet browsers of the various users within a local network are run on so-called 'potentially compromised systems' (terminal proxy servers) outside the sensitive network itself. Any malware that might be picked up whilst browsing is kept out, and undesirable communication between workstation and the internet is prevented. 'safe surfer' from secunet thus makes it possible to work with sensitive data while surfing the internet without imposing any restrictions. At the same time, users benefit from all-round protection, both from malicious code infections and from data leakage. Despite all this, they retain the degree of flexibility in processing data to which they are accustomed.

A protective suit for extreme situations

If an internet user is working mobile and outside the local network, thus requiring the protection of several different gateways and the continuous encryption of data and communications, an online safety helmet will simply not suffice. Instead, a 'full-body protective suit' is required. The SINA Workstation also facilitates secure internet browsing but takes a different architectural approach that is designed to enable secure access to the internet via mobile workstations, e.g. via WLAN or satellite connection. Virtualisation technology compartmentalises all guest systems and encapsulates each of them completely from the SINA system platform. A guest system can also be operated in quarantine mode, so that even potentially successful infections are eradicated upon the next guest system reboot.

Work securely online in any and all situations

Whether deployed together or in isolation, the SINA Workstation and secunet 'safe surfer' will make it possible for users to work securely within their usual system environment while enjoying unrestricted access to the internet – all of this with ease of operation and transparent security features. The combined use of both security architectures provides a holistic approach to satisfying the requirements of individual organisations, of the various intended applications (desktop, mobile, terminal) and of the technological infrastructure and strategies in place.

* ReCoBS – Remote Controlled Browser System, www.bsi.bund.de

More information: Torsten Redlich, [email protected]

News in Brief

SINA AMN Client Now in Operational Use by German Military

On 12th July 2012, responsibility for operating the German side of the Afghanistan Mission Network was transferred from IT-AmtBw to the Joint Support Command of the German Armed Forces. The official handover at Rheinbach was also an opportunity for everyone involved in the project, both military and private contractors, to meet up and celebrate the occasion. Dr Michael Sobirey thanked the system integrator, Atos, and Colonel Fleischmann for the excellent spirit of cooperation that had been apparent throughout. Of the 310 SINA Virtual Workstations delivered in 2011, some in a dual-monitor configuration, the majority are now in operational use. The multisession-enabled SINA AMN client makes it possible to consolidate classified information workstations, on which up to six standard PCs and/or thin clients networked with different systems had previously been required, into a single device.

[Photo, from left to right: Oberst Haverkamp (SKUKdo FüUst/G6), Dr Sobirey (secunet), Oberst Schimmel (BtrZ IT-SysBw), Dipl. Ing. Schade (AbtLtr C IT-AmtBw), Oberst Fleischmann (BEA DEU AMN), Dipl. Ing. Möllers (Atos). Picture: Bundeswehr – IT-AmtBw]
Subscribe to secuview
Would you like to receive secuview on a regular basis, free of charge? Please choose between the print and electronic versions and subscribe at https://www.secunet.com/en/the-company/it-security-report-secuview. There you can also change your preference or unsubscribe.

Imprint
Editor: secunet Security Networks AG, Kronprinzenstraße 30, 45128 Essen, Germany, www.secunet.com
Responsible in terms of the press law: Christine Skropke, [email protected]
Chief Editor: Claudia Roers, [email protected]
Chief Conception & Design: Dominik Maoro, [email protected]
Design: www.knoerrich-marketing.de
Copyright: © secunet Security Networks AG. All rights reserved. All contents and structures are copyright protected. All and any use not expressly permitted by copyright law requires prior written permission.
Illustrations: Cover: based on a picture by Nils Berninger designed in the competition "Trust in IT" of Gelsenkirchen University of Applied Sciences; illustration p. 5: Lutz Lange; p. 8 - 9: fotolia; p. 9: shutterstock; p. 10 - 11: fotolia; illustration Stick p. 14: Jonas Kramer; p. 20: fotolia. Others: secunet.

Events

CeBIT 2012
The headline theme for this year's CeBIT was 'Managing Trust', more specifically confidentiality and security in a digital world. Visitors to the secunet stand were shown a wide range of options for effectively meeting the challenges posed by IT security.

13th Data Protection Congress
Speaking at the opening of the 13th Data Protection Congress in Berlin, Federal Interior Minister Dr Hans-Peter Friedrich called for "comprehensible and user-friendly" data protection legislation in Europe. At an exhibition held as part of the conference, secunet showcased solutions for secure and efficient data protection.

Tenth SINA Users Day
For the tenth year in succession, around 200 SINA customers from all over Germany gathered for the Users Day held in Bonn and Berlin. In addition to the usual series of presentations themed around SINA, there was a gamekeeper-turned-poacher session in which Markus Linnemann and Marian Jungbauer from the secunet Government business unit staged a fast-moving live hacking demo, targeting both computers and smartphones. The show stimulated a lively debate amongst the participants during the coffee breaks. The date for next year's SINA Users Day will be published in secuview 1/2013 and will also be appearing on our website in the near future.

Mobile Computing for Military Operations
At the 26th AFCEA conference and exhibition held in Bonn Bad Godesberg this May, the theme of the secunet contribution was 'Mobile Computing for Military Operations'. Among the numerous visitors to the secunet stand was Stéphane Beemelmans, State Secretary at the German Federal Ministry of Defence and also main patron of the event.

RSA 2012
In February, secunet was once again in attendance at the RSA Conference in San Francisco. This was the fifth year in succession that we have shared the TeleTrusT stand at the world's largest event for the security industry. Separation kernel technology was high on the agenda at the exhibition and was also the subject of a presentation given by Dr Kai Martius.

A Complete Success: infosecurity 2012
The rise in visitor numbers at Europe's leading IT security exhibition – infosecurity – held in London this April was also apparent to the SINA international sales team manning the secunet stand. Proving particularly popular was a live demonstration of the SINA Workstation, as well as the display of SINA Boxes. We will be back in 2013 for the fourth year in succession. (For your diary: next year's show at the Earls Court Convention Centre will be held on 23 - 25 April. Stand number D43.)

Workshop IT Security on Board
In April, experts at the secunet workshop 'IT Security on Board' analysed and discussed the extent to which classic IT methods can be developed to deliver secure automotive solutions. They provided insight into the suitability and potential of relevant IT security methods such as PKI and authentication.

L2 Box S
Highly secure line connection – no laughing matter for attackers.
Protect your data communication with SINA L2 technology.

The transmission of company-internal information via public network connections is one of the most popular targets for attacks by hackers and data spies. Protect your information and encrypt your connections between locations and data centres with SINA L2 Boxes, with a data throughput of up to 10 GBit/s and less than 0,004 ms latency. The functionality and performance of your network infrastructure remain unaffected thanks to the simple integration of the boxes between your company network and the provider. This way, the laughter will stick in attackers' throats.
www.sinalayer2.secunet.com/en

IT security partner of the Federal Republic of Germany
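The L2 Box article earlier in this issue and the advertisement above both describe the same property: encryption is effected between two boxes sitting on the link, and VLAN, MPLS and the other structures carried in the frames pass through untouched. The sketch below is an added illustration, not secunet's code and not the SINA L2 Box's actual wire format or key management (the article says the real boxes keep their parameters on smartcards; this sketch simply assumes a pre-shared key). It assumes a simplified format: the two MAC addresses stay in the clear so that the provider's switches can still forward the frame, a local-experimental EtherType (0x88B5) marks encrypted frames, and everything after the MAC addresses (EtherType, any 802.1Q tag, payload) is encrypted and authenticated with AES-256-GCM, with the clear header bound in as associated data and a per-direction counter used both as nonce and for replay rejection. The frames and key are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	macHdrLen  = 12     // destination + source MAC address, left in the clear
	encEthType = 0x88B5 // IEEE 802 local experimental EtherType, used here only as a marker (assumption)
	nonceLen   = 12     // 4-byte direction id + 8-byte frame counter
)

// Box is one end of a point-to-point Layer 2 link. Both ends share the key;
// the direction id keeps the two senders' nonces distinct under that key.
type Box struct {
	aead    cipher.AEAD
	dir     uint32
	sendSeq uint64 // counter for frames this box sends
	recvSeq uint64 // highest counter accepted from the peer, for replay rejection
}

// NewBox derives the AEAD from a constructed pre-shared key (real boxes would
// hold key material on a smartcard; that is outside this sketch).
func NewBox(key []byte, dir uint32) (*Box, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Box{aead: aead, dir: dir}, nil
}

// Protect turns a plain Ethernet frame into dst | src | 0x88B5 | nonce | ciphertext+tag.
// The clear MAC header is authenticated as associated data even though it is not encrypted,
// so redirecting a frame by rewriting its addresses is detected by the peer.
func (b *Box) Protect(frame []byte) ([]byte, error) {
	if len(frame) < macHdrLen+2 {
		return nil, errors.New("frame too short")
	}
	b.sendSeq++
	nonce := make([]byte, nonceLen)
	binary.BigEndian.PutUint32(nonce[:4], b.dir)
	binary.BigEndian.PutUint64(nonce[4:], b.sendSeq)

	out := make([]byte, 0, len(frame)+2+nonceLen+b.aead.Overhead())
	out = append(out, frame[:macHdrLen]...)
	out = append(out, byte(encEthType>>8), byte(encEthType&0xff))
	out = append(out, nonce...)
	return b.aead.Seal(out, nonce, frame[macHdrLen:], frame[:macHdrLen]), nil
}

// Unprotect reverses Protect; tampered, replayed or foreign frames are rejected
// and the original frame (VLAN tag included) is returned byte for byte otherwise.
func (b *Box) Unprotect(wire []byte) ([]byte, error) {
	hdrEnd := macHdrLen + 2 + nonceLen
	if len(wire) < hdrEnd+b.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	if binary.BigEndian.Uint16(wire[macHdrLen:macHdrLen+2]) != encEthType {
		return nil, errors.New("not an encrypted frame")
	}
	nonce := wire[macHdrLen+2 : hdrEnd]
	seq := binary.BigEndian.Uint64(nonce[4:])
	if seq <= b.recvSeq {
		return nil, errors.New("replayed or out-of-order frame")
	}
	plain, err := b.aead.Open(nil, nonce, wire[hdrEnd:], wire[:macHdrLen])
	if err != nil {
		return nil, err // authentication failed: header or body was modified
	}
	b.recvSeq = seq // only advance after a successful authentication
	return append(append([]byte{}, wire[:macHdrLen]...), plain...), nil
}

// BuildFrame assembles a constructed test frame; vlan == 0 means untagged.
func BuildFrame(dst, src [6]byte, vlan uint16, ethType uint16, payload []byte) []byte {
	f := append([]byte{}, dst[:]...)
	f = append(f, src[:]...)
	if vlan != 0 {
		f = append(f, 0x81, 0x00, byte(vlan>>8), byte(vlan)) // 802.1Q tag, priority 0
	}
	f = append(f, byte(ethType>>8), byte(ethType))
	return append(f, payload...)
}

// RoundTrip encrypts a frame at box a, decrypts it at box b and reports whether
// the original frame came back unchanged.
func RoundTrip(a, b *Box, frame []byte) (bool, error) {
	wire, err := a.Protect(frame)
	if err != nil {
		return false, err
	}
	got, err := b.Unprotect(wire)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, frame), nil
}

var demoKey = []byte("secuview-demo-key-32-bytes-long!") // constructed 32-byte key

func main() {
	a, _ := NewBox(demoKey, 1)
	b, _ := NewBox(demoKey, 2)
	dst := [6]byte{0x02, 0, 0, 0, 0, 0xA1}
	src := [6]byte{0x02, 0, 0, 0, 0, 0xB2}
	plain := BuildFrame(dst, src, 0, 0x0800, []byte("constructed IPv4 payload"))
	tagged := BuildFrame(dst, src, 100, 0x0800, []byte("constructed VLAN 100 payload"))
	for _, f := range [][]byte{plain, tagged} {
		ok, err := RoundTrip(a, b, f)
		fmt.Println("round trip ok:", ok, "err:", err)
	}
	wire, _ := a.Protect(plain)
	wire[len(wire)-1] ^= 0x01 // flip a bit in the authentication tag
	_, err := b.Unprotect(wire)
	fmt.Println("tampered frame rejected:", err != nil)
}
```

Because the VLAN tag and EtherType travel inside the ciphertext, the boxes need no knowledge of the protocols they carry; the only thing the provider network sees is a frame with familiar MAC addresses and an unfamiliar EtherType, which is what makes the encryption transparent to VLAN, MPLS and the rest.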