Event details

Trusted identities for the cloud using open source technologies - where Open eCard App meets SkIDentity

by Tobias Wich (ecsec GmbH), Detlef Hühnlein (ecsec GmbH), Johannes Schmölz (ecsec GmbH)

Wednesday, 23.05.2012, Berlin II, 16:00-16:45

While more and more sensitive business processes are shifted to the cloud, recent research results [1] demonstrate that popular cloud platforms are vulnerable to identity theft, and hence there is an urgent need for strong authentication and trustworthy identities in the cloud. Because many electronic identity (eID) cards, electronic health cards, banking and signature cards have already been rolled out, it is a natural approach to use these hardware tokens for strong authentication in web and cloud based applications. It is the subject of the SkIDentity project [2], which has been awarded in the "Trusted Cloud" program of the German Federal Ministry of Economics and Technology [3], to provide a comprehensive and trustworthy infrastructure for the secure, economically viable and legally valid usage of electronic identity tokens in the cloud. While there are first government provided [4] and commercial [5] eID client components which support the German eID card ("neuer Personalausweis"), these components are only shipped as executable code, so a queasy feeling remains when these eID clients are used in security and privacy sensitive applications. Furthermore, these components currently support only the German eID card on selected PC-based platforms, and it is not possible for the public to add support for additional authentication tokens or protocols, or to port them to mobile platforms such as Android.

Against this background there has been an initiative to design and develop the Open eCard App [6], which will provide the necessary functionality to use different smart cards for strong authentication and signature purposes on various platforms and will be provided under an Apache-style open source license.

The main goals of the Open eCard App are to provide usability, security, multi-platform support, portability and extensibility. The first supported platforms will be desktop PCs via a Java Applet and Android devices. Further iterations will yield a standalone desktop application. The key aspect in achieving this goal is modularity. Clean interfaces exist for all platform dependent parts, such as the user interface and the smart card backend, as well as for card specific protocols. If the required protocols are already available, supporting a new smart card is a matter of adding an abstract card description (to be precise, a fragment of a CardInfo file according to [7]) to the card recognition engine.
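The following is an added illustration of the data-driven card recognition described above; it is not Open eCard code. It assumes a simplified stand-in for a CardInfo card description (a name plus an ATR value and mask), and the ATRs it uses are constructed for the example, not those of any real card.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CardDescription:
    """Simplified stand-in for a CardInfo CardIdentification entry:
    card name plus an ATR value and an ATR mask of equal length."""
    name: str
    atr_value: bytes
    atr_mask: bytes

    def matches(self, atr: bytes) -> bool:
        # Compare only the bits selected by the mask; masked-out bytes
        # (e.g. variable historical bytes) do not influence recognition.
        if len(atr) != len(self.atr_value):
            return False
        return all((a & m) == (v & m)
                   for a, v, m in zip(atr, self.atr_value, self.atr_mask))


class CardRecognitionEngine:
    """Data-driven recognition: a new card is added as a description, not as code."""

    def __init__(self) -> None:
        self._descriptions: List[CardDescription] = []

    def register(self, desc: CardDescription) -> None:
        if len(desc.atr_value) != len(desc.atr_mask):
            raise ValueError(f"{desc.name}: ATR value and mask differ in length")
        self._descriptions.append(desc)

    def recognize(self, atr: bytes) -> Optional[str]:
        matches = [d.name for d in self._descriptions if d.matches(atr)]
        if len(matches) > 1:
            # Overlapping descriptions make the card type ambiguous; refuse
            # rather than silently picking the first one registered.
            raise LookupError(f"ambiguous card descriptions: {matches}")
        return matches[0] if matches else None


def build_engine() -> CardRecognitionEngine:
    """Engine loaded with two constructed (not real) card descriptions."""
    engine = CardRecognitionEngine()
    engine.register(CardDescription(          # only the first 4 bytes are significant
        "demo-card-A",
        bytes.fromhex("3b88800101020304" + "00000000"),
        bytes.fromhex("ffffffff00000000" + "00000000")))
    engine.register(CardDescription(          # only the first 7 bytes are significant
        "demo-card-B",
        bytes.fromhex("3b9f958131fe9f" + "0000000000"),
        bytes.fromhex("ffffffffffffff" + "0000000000")))
    return engine
```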

Although it can be used as a local application to access smart cards, the primary purpose of an eID client is to perform authentication in distributed scenarios. For a service provider, setting up an eID infrastructure is usually associated with very high integration and operation costs. In order to use the German eID card, costly certificates and eID-Services have to be leased. Another problematic point with the currently available eID-Services is that practically every service uses a different interface, and thus each application needs a different connector library to use a particular eID-Service. The SkIDentity project tries to solve these deficiencies by adding an intermediate service, the eID-Broker. By communicating with the eID-Broker instead of the eID-Service directly, the differences between these services are abstracted away, and it becomes possible to switch the eID-Service easily without changing the application that uses it at all.

The present contribution provides a rough overview of the SkIDentity system architecture and shows how the different components, services and trust infrastructures are integrated to form a coherent security solution, which provides trustworthy identities for the cloud. Special attention is given to the Open eCard App, which provides a trustworthy client component for a wide range of systems.

[1] J. Somorovsky, M. Heiderich, M. Jensen, J. Schwenk, N. Gruschka, L. Lo Iacono: All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces. In Proceedings of the ACM Cloud Computing Security Workshop (CCSW), 2011, http://www.nds.rub.de/media/nds/veroeffentlichungen/2011/10/22/AmazonSignatureWrapping.pdf

[2] http://www.skidentity.de

[3] http://www.trusted-cloud.de

[4] https://www.ausweisapp.bund.de

[5] http://www.ageto.de/egovernment/ageto-ausweis-app

[6] D. Hühnlein, M. Horsch, J. Schmölz, T. Wich et al.: On the design and implementation of the Open eCard App. In Proceedings of Sicherheit 2012, Darmstadt, GI LNI, 2012

[7] CEN/TS 15480-3: Identification card systems — European Citizen Card — Part 3: European Citizen Card Interoperability using an application interface, Technical Specification, 2010

About the author Tobias Wich:

Tobias Wich is a software developer at ecsec GmbH. He is mainly responsible for eID based services and applications, but also takes care of the company's Debian servers. The Open eCard App is his first open source project. He graduated with a Master's degree from the University of Applied Sciences Coburg. Recently he gave a talk at the CAST SmartCards Workshop in 2011. In his free time he enjoys squash or preaches Clojure and the functional programming way of life.

About the author Detlef Hühnlein:

Dr. Detlef Hühnlein is CEO of ecsec GmbH (www.ecsec.de) and has more than fifteen years of professional experience in the area of IT security. He received a doctoral degree in cryptography from TU Darmstadt, gives lectures about electronic signatures, internet security and identity management at different universities, has (co-)authored more than 50 papers for refereed journals and conferences, and frequently gives talks at national and international IT security events. He has been actively involved in various public initiatives in the area of electronic signatures and identity management and serves as an expert in different standardization initiatives at DIN, CEN, ISO and OASIS.

About the author Johannes Schmölz:

Johannes Schmölz was born in 1984. He studied computer science at the University of Applied Sciences Coburg and graduated with a Master's degree. Currently he is working as a software developer at ecsec GmbH. His area of work covers web technologies, smart cards, and federated identity. The Open eCard App is his first open source project.