Security and Identity Management

Security and Identity Management Group as of May 2012.
Left to right: Frank Morgner, Fabian Kaczmarczyck, Wolf Müller, Dominik Oepen.

 

Summary:

Competency Profile:

• Identity Management
• RFID/NFC
• eID, ePassport, nPA
• Cryptography
• Reputation Management

Projects

• Virtual Smartcard Architecture

  Audiovisual Introduction to the Virtual Smartcard Architecture
  Video as [640x480 wmv] [1024x768 wmv] [1024x768 ogv]

  The Virtual Smartcard Architecture provides software to emulate a smartcard. The virtual smartcard is internally accessible via PCSC and externally via USB (as CCID reader) or NFC (using an OpenPICC).

  
  The Virtual Smartcard Architecture consists of the following components:
  
  A virtual smartcard: The purpose of the virtual smartcard is to emulate a smartcard and make it accessible through PCSC. Currently the virtual smartcard supports almost all commands of ISO-7816 including secure messaging. Besides a plain ISO-7816 smartcard it is also possible to emulate a German ePass (only basic access control) and a rudimentary Cryptoflex smartcard.
  
  The virtual smartcard communicates with the virtual smartcard driver through a socket on port 35963.
  
  NFC module
  

  
  
  A USB CCID reader

  

  
  The purpose of the program ccid is to forward a PCSC smartcard reader as a standard USB CCID reader. If the host system is in USB device mode, ccid forwards the local reader via USB to an other device. If in USB host mode, ccid virtually plugs in a USB CCID reader to the host system.
  
  ccid is implemented using GadgetFS. The source code is based on the GadgetFS example at http://www.linux-usb.org/gadget/.

  The software is published on [SourceForge Project].
  
  
  

• OpenPACE 
  
  OpenPACE is an implementation of the Password-Authentication-Connection-Establishment (PACE) conforming to BSI TR-03110 version 2.02. OpenPACE enables applications to establish a strong session key using a weak password independent from the use of a smartcard. If a German "neuer Personalausweis" (nPA) is involved nevertheless, OpenPACE offers a smartcard abstraction layer to connect to the identity card.
  
  OpenPACE consists of the following components:
  
  
  A OpenSSL patch [SourceForge Project] [SVN]
  
  
  
  The patch makes the protocol steps accessible through the OpenSSL libraries.
   
  This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)
  
  
  A smartcard library
  
  The library abstracts from the APDU interface of smartcards to connect to the German "neuer Personalausweis (nPA)" using PACE.

• Enrollment to Computer Sciences studies and account administration with password recovery   
  
  
  
  The aim of the project is to replace the manual process for enrollment of students and staff at the Institute of Computer Sciences by an electronic one. Currently, in compliance with privacy rules, the following data groups are being recorded: first name, name and current address. In addition, the user identifies himself with his identity card and the user's identity is manually verified by comparing him to the photograph. The current method scales poorly and requires simultaneous presence of both users and account managers. The same procedures have to be used for resetting a user password (in case of loss).
  
  Using the electronic replacement, the enrollment procedures should be completely automated. The student registers by means of a valid registration number online (using a web form). Taking advantage of the "Chip authentication" and user authorization by entering the pin, the user's identity is verified without applying to someone in person. An account is automatically created. By means of the "restricted identification", a unique user-specific pseudonym is generated, which permits subsequent unambiguous recognition of a particular user. The use of this pseudonym ensures privacy and data economy. In addition, this pseudonym is persistent even if a student changes of the place of residence (which is particularly common). The restricted identification is the basis for all subsequent authentication procedures, in particular for the resetting the users password. The process can be conducted entirely online 24 hours a day, 7 days a week.
  
   
• OpenMoko as "Standardleser"
  
  Smart card readers can not only be used as communications medium between a smart card and a host. They can also act as a security device independent from the host, which might be contaminated with malware. They ensure a safe authentication to the smart card with secure hardware and certified firmware. As if a smart card reader with pinpad was not expensive enough, some smart cards, like the German electronic identity card (neuer Personalausweis), have unique requirements. Mobile phones could fill the gap between the need of secure authentication and the costs of a suitable reader. This diploma thesis evaluates what level of security can be reached when implementing a smart card reader on a mobile phone. In the first step, a CCID-compliant smartcard reader will be emulated by the phone and can be recognized by any modern operating system. In the second step, the functionality of the emulated reader will be extended to what TR-03119 specifies as "Standardleser". This approach combines mobility, security and modern cryptography in one single and cheap device.
   

• OpenMoko as mobile nPA-Terminal: Usability
  
  In November 2010, a new electronic identity card will be introduced in Germany. It will contain an ISO 14443 compliant chip that enables the holders of the card to authenticate themselves over the internet. The radio technology provides the possibility to use the new ID card in combination with a NFC enabled phone for mobile online authentication. Security procedures impose (by their very nature) limitations on the use of the applications they are protecting. An authentication technology might therefore affect the usability of the application. My diploma thesis will study the impact of eID-based authentication on the usability of mobile web usage and compare it with classical means of authentication. The core of the thesis will be a user study in which I will examine prototypes of eID based authentication scenarios with real users.
   
• NFC-phone as PACE-enabled electronic identity reader
  
  The project is aimed at combining a real life mobile phone with nearfield communication capability with the RFID chip of the new German electronic identity card. Operations that are specified as allowed by an unauthorized terminal like PIN management and updating the internal date timestamp through fresh certificate chains will be implemented.

TV

• Tagsesschau, ARD: Do, 14.01.10, 20:00Uhr
   
• Datenklau per Funk – Sicherheitsrisiko an deutschen Flughäfen, ARD: Do, 14.01.10, 21:45 Uhr Kontraste
  
  

Talks on 27C3

• "Die gesamte Technik ist sicher" Besitz und Wissen: Relay-Angriffe auf den neuen Personalausweis,
  Dominik Oepen und Frank Morgner [pdf] [mp4]
  
  
  
   
• Analyzing a modern cryptographic RFID system HID iClass demystified, Henryk Plötz und Milosch Meriac [pdf]

Talks on 26C3

• Legic Prime: Obscurity in Depth, Henryk Plötz, Karsten Nohl [pdf] [mp4]
   
• Technik des neuen ePA, Henryk Plötz [pdf] [mp4]

Publications

2016 Reports

• SAR-PR-2016-01
  Transparency and Security for Client-Side Encrypting Cloud Storage Applications, Erik Nellessen, 85 Seiten, Masterarbeit, 2016.
  [SAR-PR-2016-01][encrypting-cloud-storages][user-controlled-decryption-operations]

2014 Reports

• SAR-PR-2014-10
  Rücksetzen eines U2F-Accounts mit dem nPA, Samra Khan, 47 Seiten, Bachelorarbeit, 2014.
  [SAR-PR-2014-10]

• SAR-PR-2014-09
  Zeitaktualisierung des nPA mit einer Android-App, Hera Khan, 49 Seiten, Bachelorarbeit, 2014.
  [SAR-PR-2014-09]

• SAR-PR-2014-08
  Host-based Card Emulation einer PKCS15-kompatiblen Smartcard, Erik Nellessen, 67 Seiten, Bachelorarbeit, 2014.
  [SAR-PR-2014-08][Code: Version 17.10.2014 zip][aktuell git-Repository]

• SAR-PR-2014-07
  Prüfung von öffentlichen eID-Terminals mit einem Android-Smartphone, Ole Richter, 29 Seiten, Bachelorarbeit, 2014.
  [SAR-PR-2014-07]

• SAR-PR-2014-04
  Browser-History-Stealing: Ein Angriff auf die Privatsphäre, Sylvio Rüdian, 51 Seiten, Bachelorarbeit, 2014.
  [SAR-PR-2014-04]

• SAR-PR-2014-03
  ISO/IEC-14443-4 Weiterleitung über Android-Smartphones, Kai Warncke, 28 Seiten, Studienarbeit, 2014.
  [SAR-PR-2014-03]

2013 Reports

• SAR-PR-2013-05
  Praxisorientierte Sicherheitsanalyse des verteilten Dateisystems XtreemFS, Sven Schröder, 52 Seiten, Bachelorarbeit, 2013.
  [SAR-PR-2013-05]

• SAR-PR-2013-04
  Eine Machbarkeitsstudie zum Einsatz eines zentralen Authentisierungssystems in Wireless Mesh Networks, Christian Ricardo Kühne Gómez, 40 Seiten, Studienarbeit, 2013.
  [SAR-PR-2013-04]

• SAR-PR-2013-01
  Sichere Bereitstellung von Identitätstoken auf mobilen Endgeräten, Martin Schröder, 107 Seiten, Diplomarbeit, 2012.
  [SAR-PR-2013-01]

2012 Reports

• SAR-PR-2012-13
  Machbarkeitsstudie Gruppensignaturverfahren, Tobias Mühl, 39 Seiten, Studienarbeit, 2012.
  [SAR-PR-2012-13]

• SAR-PR-2012-07
  Mobile smart card reader using NFC-enabled smartphones, Frank Morgner, Dominik Oepen, Wolf Müller, and Jens-Peter Redlich, Mobisec 2012, Frankfurt, Germany (accepted), 14 pages, 2012.
  [SAR-PR-2012-07]

• SAR-PR-2012-05
  Mobiler Chipkartenleser für den neuen Personalausweis: Sicherheitsanalyse und Erweiterung des „Systems nPA“, Frank Morgner, 161 Seiten, Diplomarbeit, 2012.
  [SAR-PR-2012-05]

2011 Reports

• SAR-PR-2011-16 [Univention Absolventenpreis 2012 1. Platz]
  Software-gestütztes Reverse-Engineering von Logik-Gattern in integrierten Schaltkreisen. Martin Schobert, Diplomarbeit, 180 Seiten, 2011.
  [SAR-PR-2011-16]

• SAR-PR-2011-15
  Display-Javakarte mit dynamischer eID-PIN für den neuen Personalausweis. Paul Bastian, Bachelorarbeit, 49 Seiten, 2011.
  [SAR-PR-2011-15]

• SAR-PR-2011-09
  Benutzerkonten-Verwaltung mit dem neuen Personalausweis. Mathias Jeschke, Diplomarbeit, 99 Seiten, 2011.
  [SAR-PR-2011-09]

• SAR-PR-2011-08
  SAML Identity Federation und die eID-Funktionalität des nPA. Martin Schröder, Studienarbeit. 52 Seiten, 2011.
  [SAR-PR-2011-08]

• SAR-PR-2011-07
  Auth²(nPA): Starke Authentifizierung mit nPA für jedermann. Wolf Müller, Mathias Jeschke und Jens-Peter Redlich, Datenschutz und Datensicherheit - DuD, Vieweg Verlag, 2011, 35, 465-470, DOI:10.1007/s11623-011-0116-9.
  [SAR-PR-2011-07]

• SAR-PR-2011-04
  Mobiler Leser für den neuen Personalausweis. Frank Morgner, Dominik Oepen, Wolf Müller und Jens-Peter Redlich, in "Sicher in die digitale Welt von morgen: Tagungsband zum 12. Deutschen IT-Sicherheitskongress, ISBN: 978-3-922746-96-6, Herausgeber: SecuMedia, S. 227-240, 2011.
  [SAR-PR-2011-04]

• SAR-PR-2011-03
  Peeling Away Layers of an RFID Security System. Henryk Plötz and Karsten Nohl, 15 pages, Financial Cryptography and Data Security '11, February 28–March 4, 2011, Saint Lucia.
  [SAR-PR-2011-03]

• SAR-PR-2011-01
  Mobiles Szenario für den neuen Personalausweis. Wolf Müller, Frank Morgner und Dominik Oepen, in 21. Smartcard-Workshop, 2.-3. Februar 2011, Darmstadt, Deutschland, 10 Seiten 179-188. Herausg. Ullrich Waldmann, ISBN 978-3-8396-0215-7
  [SAR-PR-2011-01]

2010 Reports

• SAR-PR-2010-13
  "Die gesamte Technik ist sicher": Besitz und Wissen: Relay-Angriffe auf den neuen Personalausweis. Frank Morgner und Dominik Oepen, 27th Chaos Communication Congress, 27.-30. Dezember 2010, Berlin, Deutschland, 6 Seiten.
  [SAR-PR-2010-13][pdf][slides]

• SAR-PR-2010-12
  Mobile eCard-API. Kristian Beilke, 119 Seiten, Diplomarbeit, 2010.
  [SAR-PR-2010-12]

• SAR-PR-2010-11
  Authentisierung im mobilen Web: Zur Usability eID basierter Authentisierung auf einem NFC Handy. Dominik Oepen, 100 Seiten, Diplomarbeit, 2010.
  [SAR-PR-2010-11]

• SAR-PR-2010-09
  NFC-Telefon als PACE-fähiges Lesegerät für elektronische Ausweisdokumente. Ingo Kampe, 66 Seiten, Diplomarbeit, 2010.
  [SAR-PR-2010-09]

• SAR-PR-2010-08
  Documentless Proof of Identity, Wolf Müller, Chapter 4 in Book: Handbook of eID Security: Concepts, Practical Experiences, Technologies. Editors Walter Fumy, Manfred Paeschke. Publicis Publishing, ISBN-13: 978-3895783791, 2010.
  [SAR-PR-2010-08]

2009 Reports

• SAR-PR-2009-15
  Webservice Autorisierung mit Attributzertifikaten, Ingo Kampe, Studienarbeit, 33 Seiten, 2009.
  [Studienarbeit]

• SAR-PR-2009-14
  Prüfstrategie für Chipkartensoftware von Ausweisdokumenten, Christopher Rudolf, Diplomarbeit, 103 Seiten, 2009.
  [Diplomarbeit]

• SAR-PR-2009-10
  Eine virtualisierte Smartcardarchitektur für mobile Endgeräte. Frank Morgner und Dominik Oepen. Studienarbeit. 72 Seiten.
  [SAR-PR-2009-10]

• SAR-PR-2009-09
  Integration von Vertrauen in das Bewertungssystem einer Webanwendung. Oliver Friedrich. Diplomarbeit. 65 Seiten.
  [SAR-PR-2009-09.pdf]

• SAR-PR-2009-04
  Kryptographisch abgesicherter Mailsammeldienst für mobile Endgeräte. Felix Bechstein. Diplomarbeit. 67 Seiten.
  [SAR-PR-2009-04.pdf]

2008 Reports

• SAR-PR-2008-21
  Mifare Classic – Eine Analyse der Implementierung. Henryk Plötz, Diplomarbeit (überarbeitete Version). 108 Seiten.
  [SAR-PR-2008-21]

• SAR-PR-2008-18
  Sybil Proof Anonymous Reputation Management.
  Wolf Müller¹, Henryk Plötz¹, Jens-Peter Redlich¹, Takashi Shiraki² (¹Humboldt University Berlin, ²NEC Corporation), 10 pages, SecureComm 2008: 4th International Conference on Security and Privacy in Communication Networks, Istanbul, Turkey, 2008.
  [Abstract], [Conference Paper]

• SAR-PR-2008-16
  Reverse-Engineering a Cryptographic RFID Tag. Karsten Nohl, David Evans, Starbug and Henryk Plötz, USENIX Security Symposium. San Jose, CA. 31 July 2008. 9 pages. University of Virginia, Chaos Computer Club Berlin, Humboldt-Universität zu Berlin
  [SAR-PR-2008-16.pdf]  [http://www.cs.virginia.edu/evans/pubs/usenix08/usenix08.pdf]

• SAR-PR-2008-09
  Chiptease: Verschlüsselung eines führenden Bezahlkartensystems geknackt. Jan Krissler, Karsten Nohl, Henryk Plötz, ct magazin für computer technik, 8 /2008, Seiten 80-85.
  [SAR-PR-2008-09]

• SAR-PR-2008-08
  Concepts of Anonymous Reputation Management. Henryk Plötz, Studienarbeit, 21 Seiten.
  [SAR-PR-2008-08]