Doubtless Identification and Privacy Preserving of User in Cloud Systems - Prof. Dr. Norbert Pohlmann


C. Engling, E. Ernst, H. Jäger, A. González Robles, N. Pohlmann:
"Doubtless Identification and Privacy Preserving of User in Cloud Systems".
In Proceedings of the ISSE 2015 – Securing Electronic Business Processes – Highlights of the Information Security Solutions Europe 2015 Conference,
Eds.: N. Pohlmann, H. Reimer, W. Schneider;
Springer Vieweg Verlag,
Wiesbaden 2015

The present paper addresses the common challenge of compliant verification of electronic identities (eID) with legal certainty. The latter is of particular importance for banks, financial institutions, and public authorities. To ensure confidentiality, provider-proof cloud systems are a technical solution. However, they must also ensure privacy for communication from system to system. Based on this challenge, we describe our motives and set out the objective of the Verifi-eID research project and its implementation. We then address legal considerations, followed by commonly applied provider-proof cloud security and identification measures. Lastly, we present a possible solution, followed by a summary.

When information is exchanged or business is done online, being able to identify all users unequivocally and securely is imperative [Kros14]. Certified security allows bank customers, for example, to verify whether they are actually accessing the proper website when conducting financial transactions. In turn, banks verify clients' actual IDs up front via prior face-to-face identification by demanding their user IDs and passwords, followed by remote access user confirmation for the transaction. In doing so, banks inevitably recognize the mandatory user information and transaction content. Yet today's customary cloud computing authentication methods have multiple serious drawbacks: Large-scale cloud providers can all access a user's confidential data, not to mention metadata. The latter even includes file names and types. Providers are also able to distinguish who accesses which files. Normally, providers cannot rule out that internal staff, e.g. a system administrator, access data without authorization. Storing or processing confidential or personally identifiable third-party data, in particular, does not comply with strict German data privacy legislation.

Further information on the topic "Identification":


"Identity check based on social networks – the Social-Ident project"

"When the softbot confirms human identity – VideoIdent procedure: the technology"

"Doubtless Identification and Privacy Preserving of User in Cloud Systems"

"Identity provider for verifying the trustworthy digital identity"

"Secure mobile identification and authentication"

"eID Online Authentication Network Threat Model, Attacks and Implications"

"Integration of biometric applications into security infrastructures"

"Smart authentication, identification and digital signatures as the foundation of future ecosystems"

"Residual risk analysis of online authentication"

Lecture: "Identification and Authentication"

Glossary entry: "Identification"

Study for the BMI: "Residual risks when using the AusweisApp on the citizen's PC for online authentication, with penetration test"

Information about the textbook: "Cyber-Sicherheit"
