The IT Security Report by secunet – Issue 1 | 2012

Security in the Cloud Using authega: authega provides secure access to online portals in the cloud
Beautiful Mobile World: MobiCore® protects security-sensitive mobile apps
secunet Customer Satisfaction Survey: above-average overall satisfaction
German Embassies in Digital Dialogue: video conferencing between embassies throughout the world
Dear Readers,

We all make use of the internet for its endless possibilities; we enjoy its convenience and happily use it to communicate at length – both in our private and our professional lives. The cloud promises us even more freedom: greater data volumes, and more mobility and flexibility. But we also all need to control and protect our data. How to combine these conflicting demands without compromising either on security or convenience is a constant balancing act. Here at secunet, we have taken on this challenge.

A fundamental prerequisite for secure and binding communication on the internet is the ability to authenticate the identity of the user: whether it is for securing your own home, refuelling your electric car or at passport control – the scenarios are many and varied, but none is insoluble. authega, for example, is already in use in Bavaria, providing secure and reliable access to the services offered by the service portal of the State Office for Finance through the use of cryptographic protocols. Despite the major challenges it poses for IT security, secure video conferencing between embassies throughout the world is now possible, thanks to SINA.

We take our role as an IT security service provider extremely seriously. Our desire to know that you, our customers, are satisfied of course goes hand in hand with this. On page 17 you can see the results of our 2011 customer satisfaction survey. We were very pleased to receive your feedback and we will certainly be using it in our further development. Many thanks!

We hope you will enjoy reading our magazine.

With best wishes,
Dr Rainer Baumgart

PS: This year, CeBIT is responding to the latest challenges in IT with the keynote theme ‘Managing Trust’. Visit us at booth B36 in hall 12!
Contents

National
03 What’s Next, EasyPASS?
04 Data in the Cloud – Lower Costs and Loss of Control
05 authega Secures Access to Online Services and to the Cloud
06 Ready for De-Mail?
07 Staying Ahead of the Game
07 Staff Awareness is Key When it Comes to IT Security

International
08 Foreign Office and secunet Integrate VoIP Client into SINA Virtual Workstation
09 Confidentiality in Words and Pictures
10 Checking That All Is Well at Home While You Are Out and About

Technologies & Solutions
12 SHE Needs IT … We Build IT!
13 E-Mobility 2.0
14 Beautiful Mobile World
15 Every Human Being is Unique – and their Vein Pattern Proves it
15 secunet Secures Dell as a Partner for SINA
16 Security on the Move – Optimum Protection for Data

News in Brief
17 secunet Customer Satisfaction Survey 2011
18 Events
19 Dates

National
What’s Next, EasyPASS?
eGate system at Frankfurt Airport to be opened to passengers with new German ID Card

Passengers who use the semi-automated biometrics-based EasyPASS border control system at Frankfurt Airport save a lot of time. Since October 2009 holders of electronic passports (ePassports) have been able to use this fast, biometrics-based procedure at Germany’s largest aviation hub for border crossing. EasyPASS has proved its worth with regard to security, user convenience and speed, and has become an integral part of the German Federal Police’s border control strategy.

Despite the well-known saying “Never change a running system” (especially one that is working so smoothly), the German Federal Office for Information Security (BSI) asked secunet to take EasyPASS to the next level. As a result of the upgrade, the system now accepts the new German ID Card (nPA). Although this sounds straightforward in principle, it has proved quite complex in practice. The RFID chip of the new German ID Card stores personal information including biometric data such as the digital facial image of the holder. As this kind of data requires a high level of protection, it was decided to use the proven security protocol Extended Access Control (EAC) in a new and advanced version in accordance with Technical Guideline TR-03110 v 2.05 for the very first time.

Essentially, EAC is a certificate-based authentication procedure. The relevant cryptographic procedures are carried out in a central component, the so-called Terminal Control Centre (TCC). For the use of the German ID Card all border control systems will be connected to the TCC and will thus be able to use the EAC mechanism – in other words: decentralised control applications and TCC together form an inspection system. The central storage of keys and certificates in the TCC simplifies the secure operation of inspection systems.

In summary, the extension of EasyPASS to the new German ID Card not only makes for a more user-friendly system. The complex yet modular and standard-compliant PKI infrastructure guarantees even greater security in the entire border control process.

Makes eGates at Frankfurt Airport extra secure and user-friendly: the new German ID Card
Data in the Cloud – Lower Costs and Loss of Control
The advantages of cloud services without sacrifice of security or data protection – thanks to authega

Cloud computing opens up new possibilities, also for public administration, in the operation of IT infrastructures and applications: major benefits include increased flexibility of service and improved scalability – an advantage when new online services are offered to citizens, or when usage turns out to be greater than expected. In addition, cloud computing offers great potential savings, as no complex infrastructure is required and there are lower software licence, operating and energy costs. Cloud computing also has important strategic advantages: cloud computing services include the use of an infrastructure, a platform and also software applications. Public authorities no longer have to deal with the provision, management and day-to-day operation of applications and databases. This allows the public institution to focus more clearly on its core administrative tasks.

Particular challenges faced by public authorities

Major reservations stand in the way of the cloud computing euphoria, because in the past few months various incidents have called the reliability of cloud services into question. Security and data protection are of the utmost importance, as public administration needs to protect citizens’ data privacy. It is necessary to guarantee that no unauthorised persons can have access to personal or official data that has been outsourced to cloud service providers. This requirement can only be met by a private cloud, in which data are not stored on shared servers around the world, but only in secured systems located directly in the special data processing centre of the cloud service provider, which fulfil the security requirements of private clouds. The relevant security guidelines and rules on data protection must be put in place: providing a reliable defence against malware and hacker attacks is the fundamental duty of the service provider – also for his own protection. Just as important, but less obvious, is the regulation of access control when processing personal data. For data protection reasons, not everyone is permitted access to all data.

A necessary precaution in a secure cloud scenario (as indeed in any other trustworthy online portal) is secure authentication: it is the only way in which data protection guidelines can be reliably adhered to. Anyone who wishes to access data will use such an authentication system to prove that they are indeed the individual to whom permission has been granted. The proof is provided by, for example, a fingerprint, a signature, possession of a smartcard or by keying in a password. For applications with special security demands and those that are bound to data protection regulations, a so-called two-factor authentication is recommended, where two items of proof are combined, for example something the user knows (a password) plus something the user holds (a smartcard).

Is a secure solution still a long way off?

Special requirements apply to authentication services introduced as a central component within unsecure network environments such as clouds: they need to be extremely flexible, without at the same time compromising security. In order to make it possible to access these procedures from any end device, they need to be structured as barrier-free solutions, quite independent of operating systems and browsers. An optimum authentication service also takes care of the initial registration of users in order to relieve the web applications of this task.

Is this an impossible task? – No! A proven and tested operational solution already exists that meets the above criteria for such a cloud authentication service: the authega technology. This is currently being piloted as a service for the Bavarian public sector at the state data processing centre in Nuremberg (see box). Kept simple for the user, the solution for the provider is a comprehensive and adaptable infrastructure-based service – for secure authentication in online portals. Using this kind of authentication solution, public authorities can take full advantage of the benefits of cloud computing without losing control of their data – these services can already be used today, securely and confidentially. Reliable, tried and tested, constantly updated solutions from security experts are already available for this purpose.
authega Secures Access to Online Services and to the Cloud

Since August 2011, the proven and tested authentication solution authega has been providing secure access for employees of the Free State of Bavaria to the service portal of the State Office for Finance. Within the (as yet) limited framework of the pilot operation of MMSOnline (Online Employee Message Service), users can already securely access their salary statements online. In future, they will also be able to claim travel costs and apply for contributions. In February 2012, booking and registration processes at the Bayerische Staatsbäder (state-run spas) will also be linked to authega.

The project of the same name, AUTHEGA, was initiated in summer 2010 by the Chief Information Officer (CIO) of the Free State of Bavaria. The use of authega in the service portal of the State Office for Finance shows that the ELSTER-based security mechanisms (two-factor authentication with automatic registration and certificate management at the German online tax system) are not only suitable for use in tax administration but also for any other government application.

It is proposed that further user groups and processes should be linked to authega, e.g. for granting private individuals and companies secure access to e-government portals and for generating electronic signatures or end-to-end encryption of data exchanged between users and public authorities.

More information: Thomas Mohnhaupt and www.authega.de
Ready for De-Mail?
Services for binding electronic communication will be presented at CeBIT

Just in time for CeBIT 2012: some of the future De-Mail providers have announced that they will already have been accredited by the time the annual IT trade fair in Hannover comes round, and will therefore be in a position to offer De-Mail services. These individual services will be presented in detail to the public at CeBIT. Thanks to seamless processing without any media discontinuity in the upstream and downstream processes of actual transmission and reception, De-Mail offers for the first time legally binding, authentic and confidential electronic communication. Companies and public authorities are already preparing to introduce De-Mail and are making the necessary adjustments to their application systems and IT infrastructures so that they can put this secure and streamlined communication with their customers and clients into operation, with immediate effect from March 2012.

In order to provide public administration with support in the introduction of De-Mail, the Federal Ministry of the Interior (BMI) has established a De-Mail competence centre that has advised selected public bodies in Federal, State and local government on how to connect to De-Mail. This includes the identification of potential uses, feasibility studies and profitability analyses, together with technical concepts and ideas for its implementation. secunet, in conjunction with its partners, has within the framework of the competence centre taken part in 15 projects to prepare the participating institutions for its introduction.

secunet focussed on giving advice on the technical integration of De-Mail into application systems and IT infrastructures – as it also does outside the competence centre. In practice, the individual projects covered the integration of the De-Mail gateway as a basic IT component, and also the integration of De-Mail in e-mail infrastructures and in various specialist IT applications such as, for example, transaction processing systems and systems for the management of electronic records. Special attention was paid to its secure integration and operation in the existing technical environment and its organisation. All this has enabled the simple and gradual introduction of De-Mail.

More information: Steffen Heyde
Staying Ahead of the Game
Partnership between secunet and Elektrobit makes vehicle electrical systems more secure

The new partnership between secunet and Elektrobit Automotive GmbH is beginning to bear fruit. In 2011, the two companies jointly developed a solution that protects communication between Electrical Control Units (ECUs) in on-board electrical systems. These are vulnerable in respect of the confidentiality and authenticity of the data being exchanged. In some cases, the underlying bus systems* (CAN, MOST, LIN) are technologies that the automotive industry has been using for almost the past 20 years and that have not yet been adapted in line with the security requirements of modern infotainment and driver assistance systems. Whereas protocols such as SSL and IPsec have since been developed for the wider IT and Web environment, no such advances have been made for classical vehicle buses. Consequently, if a physical attack is mounted on the electrical network, the interloper can read and tamper with the data being exchanged or even inject his own.

The solution devised by secunet and Elektrobit protects the data in the vehicle and safeguards its confidentiality. Elektrobit supplies the electrical system components which secure the sensitive data, regardless of the bus system employed, while secunet provides the necessary IT system in the shape of the secunet KeyCore, which performs the relevant key management. Both partners have thus contributed ‘best practice’ expertise to create an innovative and effective security solution for modern on-board electrical systems.

More information: Harry Knechtel

* Communication system between different components.

Staff Awareness is Key When it Comes to IT Security
Positive response to the BAköV initiative ‘Security first’

Security-conscious behaviour and responsible use of modern technology is one of the main concerns of the Federal Academy of Public Administration (BAköV). In early 2010, the academy set aside a budget of around 3 million euros for the ‘Security first: Information security in the workplace’ initiative, supported by the Federal Office for Information Security (BSI). And these funds have been in great demand: by the end of 2011, more than 100 federal authorities had requested support with the planning and realisation of appropriate training for more than 45,000 employees. IT security experts from secunet delivered awareness training in over 30 of these institutions, targeted at each group’s individual needs.

The whole awareness-raising campaign has been very well received by both the public authorities and those participating in the training. At the 6th annual conference for IT Security Officers in Federal administration, Cornelia Rogall-Grothe, State Secretary at the Federal Ministry of the Interior (BMI), CIO for the Federal Government and Chair of the Federal IT Management Group, underlined BAköV’s excellent performance: “The high level of interest shown to date is an indication that raising awareness among employees is key when it comes to information security.” It therefore comes as no surprise that BAköV will carry on this initiative in 2012 and will continue to rely on the tried and tested partners secunet and ML Consulting.

More information: Martin Woitke
International

Foreign Office and secunet Integrate VoIP Client into SINA Virtual Workstation
Successful project partnership in the context of the Economic Stimulus Package

Modern communication solutions are increasingly making it possible to work from any location and are thus opening up a whole range of opportunities. For the German Federal Foreign Office in particular, mobility in a globalised world is a key issue. Many employees are already using mobile solutions, either to access data while out of office on official trips, attending conferences or just teleworking at home. Wherever the user may be logging on from, the biggest challenge is always going to be information security.

Secure communication includes not only the written word but also the spoken. With the aim of setting up secure telephony within a tight budget, the Foreign Office has used the IT investment programme to introduce a new solution to complement existing facilities – the integration of a ‘Voice over IP’ (VoIP) client in the SINA Virtual Workstation*.

The SINA Virtual Workstation has long been used in the Foreign Office to encrypt data communications. The system is installed on laptops and allows the user to process, transmit and store data to the highest security standards at all times. With the newly integrated VoIP client, telephone calls can now also be made over a secure line with network access from anywhere in the world, including the teleworker’s home. Because the SINA Virtual Workstation already has the approval of the Federal Office for Information Security, it can even be used for telephone calls up to VS-NfD (RESTRICTED) level.

The phone itself has been designed to be user friendly: the so-called Softphone application is launched during the course of a SINA Virtual Workstation session and the call is made via a simple user interface from the local or central LDAP directory with a simple click of the mouse. All sensitive data such as VS-NfD (RESTRICTED) phone numbers, call lists etc. can be securely stored by the user in a crypto container.

Following its successful adoption by the Foreign Office, the SINA Virtual Workstation will incorporate the secure VoIP client as standard from version 2.7.0 onwards. Consequently, all users will benefit from this new solution combining voice and data communications in a single device. As a result of this Foreign Office project (part of the federal IT economic stimulus initiative), all users of the SINA Virtual Workstation – in particular those employed in public administration – will enjoy an enhanced level of information security when working out of office.

More information: Dirk Mangelmann

* Due to the change in the SINA naming concept, SINA Virtual Workstation will in future be called SINA Workstation.

VoIP features at a glance:
– Separate session type, hence less demand on resources and quicker start-up time
– Operation by GUI or keyboard
– Simultaneous sound output from host system and VoIP session; microphone only in VoIP session
– Incoming calls identified by name and number in all sessions, i.e. even when working within guest systems
– All the usual convenient features of a VoIP phone (call list, call back, call transfer etc.) are supported
– Local phone book, additional phone book available via LDAP
Confidentiality in Words and Pictures
SINA products ensure secure video conferencing

The growing use of the internet for all kinds of communication and also of mobile devices, combined with the need to protect the environment and to save on travel costs and time, makes internet-based ‘video chat’ increasingly attractive to businesses and public authorities. These communication tools are also of particular interest to foreign ministries throughout Europe, as they often have to communicate over long distances. To enable them to converse in more than just small talk during business video conferences and also to hold confidential conversations, additional security is required.

The introduction of SINA boxes to ensure the security of different video conferencing systems supplied by our customers demonstrates that this does not necessarily entail the limitations feared: the encryption process makes very little difference to the transfer speed, as this is line-dependent: speech and images are encrypted and decrypted instantaneously and the data packets to be transmitted are given the highest priority by the network. Video conversations can take place without images breaking up or any voice distortion – up to GEHEIM (SECRET) classification.

For secure video conferencing on the go, SINA Workstations offer a Video over IP function in addition to Voice over IP (VoIP). Depending on the model, a camera is built into the hardware and, using the appropriate software add-on, secure images can be transmitted alongside secure speech, classified up to VS-NfD (RESTRICTED) and soon also up to GEHEIM (SECRET).

More information: Gerd Schneider
Checking That All Is Well at Home While You Are Out and About
Security audit for Swisscom HomeMonitor

We live in an increasingly mobile world. Using our smartphones, we can keep in constant touch with our friends, check our bank balance and see what’s on at our local cinema. Wherever we may be and whatever time of day, we can find out the quickest route to our destination, rendezvous with friends or get the latest football scores. In future, we will also be able to answer nagging questions such as “Did I extinguish the candle on the table?”, “What’s the weather like at home?” or “Has the cat been ripping the sofa to shreds again?”. With HomeMonitor, we can check whether everything is OK at home while we are out and about, at any time of day or night.

HomeMonitor requires the installation of CCTV cameras which are controlled by means of an iPhone app. Live video can be viewed as a stream on the handset. The system consists of a local infrastructure at the user’s home (video cameras, wireless router, PC), the central infrastructure of Swisscom AG in Switzerland (web server, databases, log server, SMS server) and a mobile device with associated application.

There is a great deal of sensitive data handled by the HomeMonitor systems that has to be safeguarded:
– passwords for customers and access to the cameras as well as to all central systems
– keys to the Web server certificates for authentication and encryption
– customer base and transaction (i.e. image and video) data

Working on behalf of Swisscom AG, secunet experts have helped to secure the system in all component areas to a standard that not only meets the high expectations of the provider and user but also complies fully with data protection legislation. The security analyses were conducted in line with well-established procedures: identifying where protection is needed >> threat analysis >> risk assessment >> planning and implementation of security measures >> assessment of residual risks.
After performing the threat analysis and risk assessment according to the level of potential damage and likelihood of occurrence – looking in particular at processes in logging on, in end customer infrastructure and in access by the mobile terminal – secunet and the vendor have devised and implemented the ultimate security concept. This includes the introduction of a strict password policy, the optimisation of access protection for video cameras and the improvement of authentication and encryption algorithms.

So now, thanks to HomeMonitor, you can check that you really did close the patio window before leaving home, without having to worry about snoopers on the internet seeing that your home is vulnerable.

More information: Thomas Stürznickel and www.homemonitor.ch
Technologies & Solutions

SHE Needs IT … We Build IT!
Key Management for Secure Hardware Extension using secunet KeyCore

Nowadays, we have constant access to the latest information, we are permanently connected to one another through social networks and we can be reached at any time via e-mail and telephone. This ‘always on’ phenomenon is also being felt by the automotive industry, which means that there is a steady increase in the number of customers for whom access to personal services, irrespective of time and place, is of enormous importance. Against this background, it is not only the networking of vehicles with the outside world that is on the increase. Consumer electronic devices, apps, Ethernet and IP technology are finding their way into vehicles and are becoming an important part of the customer experience. What is more, they offer the customer a whole world of adventures in themselves.

The risks associated with the ‘always on’ mode are effectively countered in the PC environment today by means of procedures and products supplied by the IT security industry. For a number of years now, vehicle manufacturers have been integrating appropriate IT security mechanisms into their vehicles to ensure that the progressive convergence of the two industries – automotive and information technology – does not lead to any diminution of product quality or safety for either vehicle or driver. For example, the so-called Secure Hardware Extension (SHE) developed by the HIS AK working group (Hersteller Initiative Software = Manufacturers’ Software Initiative) is a new standard for automotive manufacture designed analogously to Trusted Platform Module technology. This coordinated concept for a module that generates, deploys and securely stores cryptographic keys in vehicles is now being incorporated into various microcontrollers from a range of semiconductor manufacturers.

Yet SHE 1.0 is only one part of a comprehensive security solution. SHE allows the use of the symmetric encryption algorithm AES (Advanced Encryption Standard) as well as the import/generation and storage of a limited number of cryptographic keys. The implementation of a comprehensive security architecture does, however, require the addition of appropriate cryptographic services (e.g. asymmetric cryptography) and the necessary processes for handling cryptographic keys for the whole of their backend lifecycle (key management).

secunet KeyCore presents itself as a supplement for extending SHE-based security solutions (e.g. secure bootstrap) with the required cryptographic services and key management features – it makes available the functions required by SHE for the management of keys, key templates and permissions and includes methods for the secure export and import of symmetric keys. KeyCore supports all major cryptographic operations such as ‘Encrypt’, ‘Decrypt’, ‘Sign’, ‘Verify’, ‘Hash’ and ‘Random’ within a service-oriented architecture.

Together, secunet KeyCore and SHE offer the automotive industry a modular, scalable and secure solution for maintaining driver and vehicle protection mechanisms in the multimedia future.

More information: Gunnar Hettstedt
E-Mobility 2.0
secunet sets the standard in e-vehicle charging with KeyCore

Communication between electric vehicles and charging infrastructure constitutes a major challenge for the industry: it has to be efficient and flexible enough to meet the demands of the smart grid, while at the same time handling the billing process conveniently, automatically and cheaply; and not least, the system must be secure. Since mid-2010, secunet has been a member of the ISO 15118 Security working group looking into the standardisation of vehicle charging communication.

There are two main issues to be resolved. Firstly, how to achieve ‘dynamic’ management of the charging process between vehicle and infrastructure that takes into account the supply of electricity in the network: if there is too little power available because the system has been overloaded, the flow will be restricted or even stopped, whereas when power is in adequate supply or even in surplus, the price per charged unit may be reduced. Secondly, the working group is looking for ways of making the billing of customers flexible and cost-efficient. The payment model whereby the motorist settles up at the time of purchase at the charging station in cash or by credit card (similar to a public phone booth) is expensive to set up and to operate. That is why the industry is keen to offer in parallel a monthly payment scheme similar to those operated by the mobile phone sector, where the whole payment process takes place completely behind the scenes.

These outcomes presuppose an absolute minimum standard of security, not only in the communication between vehicle and charging infrastructure but also in all the backend systems. The agreed charging parameters must be tamper-proof, which means that confirmation of meter readings and billing data must be based on digital signatures. All of this forms part of the specification for the communication protocol and security features of ISO 15118. A revised draft of this standard has been on the table since late 2011.

secunet has put forward a ‘proof of concept’ solution for ISO 15118 on the basis of its own key management system, KeyCore, a preliminary version of which has been in existence since early 2011. This has since been upgraded to Version 2.0 to incorporate the current specifications of ISO 15118. Besides supporting the ISO-specific certificate formats on the basis of ECC (Elliptic Curve Cryptography) asymmetric crypto-algorithms, it also has special protocols for the implementation of key provisioning in the e-mobility environment. All necessary services can be made available via the Web within a Service Oriented Architecture (SOA) framework.
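As an added example (not part of the magazine and not secunet's KeyCore code), the Go program below shows the signed meter reading the article calls for: the charging station signs its billing data with an ECC key, and any later change to the energy value, or verification under another key, makes the check fail. The record layout, the choice of ECDSA over P-256 with SHA-256 and the freshly generated key pair are assumptions made for this example; the standard's own message encoding is not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// MeterReading is a constructed stand-in for the meter and billing data a
// charging station reports for one charging session.
type MeterReading struct {
	SessionID string
	MeterID   string
	EnergyWh  uint64 // energy delivered so far
	UnixTime  int64  // time of the reading
}

// encode serialises the reading with length-prefixed strings and fixed-width
// integers so that the signature covers every field unambiguously.
func (m MeterReading) encode() []byte {
	var out []byte
	putStr := func(s string) {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(s)))
		out = append(append(out, l[:]...), s...)
	}
	putStr(m.SessionID)
	putStr(m.MeterID)
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], m.EnergyWh)
	out = append(out, n[:]...)
	binary.BigEndian.PutUint64(n[:], uint64(m.UnixTime))
	return append(out, n[:]...)
}

// SignReading signs the reading with the station's ECC key (ECDSA over P-256
// with SHA-256, an assumption for this example) and returns a DER signature.
func SignReading(priv *ecdsa.PrivateKey, m MeterReading) ([]byte, error) {
	digest := sha256.Sum256(m.encode())
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyReading recomputes the digest and checks the signature with the
// station's public key; any changed field or a foreign key makes it fail.
func VerifyReading(pub *ecdsa.PublicKey, m MeterReading, sig []byte) error {
	digest := sha256.Sum256(m.encode())
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("meter reading rejected: signature does not match data or key")
	}
	return nil
}

func main() {
	// Station key pair, generated here for the demo; in the field it would be
	// provisioned through the operator's PKI by a key management service.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	r := MeterReading{SessionID: "sess-0001", MeterID: "meter-42", EnergyWh: 12500, UnixTime: 1325376000}
	sig, _ := SignReading(priv, r)
	fmt.Println("genuine:", VerifyReading(&priv.PublicKey, r, sig))
	r.EnergyWh = 1250 // bill manipulated after signing
	fmt.Println("tampered:", VerifyReading(&priv.PublicKey, r, sig))
}
```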
The new generic and customisable user front end, which also permits manual control, operation and supervision of key management, was unveiled at IAA 2011. This version is now available for use in the field.

More information: Harry Knechtel
Beautiful Mobile World
MobiCore® protects security-sensitive mobile apps

The thought of online banking or using the company network via a smartphone or tablet computer gives security-conscious users and data protection officers real cause for concern. Most users of mobile devices download apps with blind faith in the security features they contain, which for the most part, however, are totally inadequate. Mobile applications are increasingly becoming the target of attacks and malware, as they lack any significant hardware-assisted security. A broader security solution such as MobiCore® is required. This Giesecke & Devrient product, for which secunet supplies integral components, provides a highly secure environment for mobile applications. The vast majority of mobile devices can make use of MobiCore®, as ARM-based processors occupy a dominant position in the mobile device market.

The two worlds … of a mobile device
MobiCore® separates the user environment of a mobile device into two different areas: the ‘Normal World’ (NWd) and the ‘Secure World’ (SWd). These two worlds are kept completely separate from each other at hardware level and use their own operating system (OS). In the NWd this is known as a ‘Rich OS’, such as for example Android or Windows™ Mobile. In the SWd the OS is a ‘Trusted Execution Environment’: MobiCore®.

… of an app
A secure mobile application is made up of two parts: the ‘normal’ app in the NWd and the Trustlet®, its cryptographically protected counterpart, which is executed by MobiCore® in the SWd and through which all security-related operations are processed. When a mobile app is started, a request is sent to MobiCore® to also open the secure component – the Trustlet® – and this establishes a secure channel between the Trustlet® and the server: as a result the whole communication process is encrypted and its integrity protected.

An example: secure mobile banking
In order to access their own bank account in a banking application, users have to verify their identity by entering their PIN. Without MobiCore®, the PIN is sent via the common app and can easily be intercepted by a Trojan on the mobile device (phishing). On a device which uses MobiCore®, the PIN entry is relocated to the Trustlet®. The connection between the touch screen or pad and the NWd is temporarily suspended and redirected instead to the SWd. This means that none of the NWd components (malware included) are in a position to intercept the PIN. The Trustlet® then encrypts the entered PIN. Only the bank server can decrypt and validate it.

The world of the user
In order to be able to run up to sixteen concurrent Trustlets® on a mobile device, the provider of a secure mobile app has to purchase a special MobiCore® container, a small data package, which is stored in the mobile device. This can be bought from Giesecke & Devrient or one of its partner companies. For the end user, everything stays the same: apps are simply downloaded from an app store as usual. These are then automatically covered by the extended security of MobiCore®. Safe and secure.

More information:
Ingo Kubbilun
14 » 1 | 2012
Technologies & Solutions
secunet Secures Dell as a Partner for SINA

Dell, one of the largest IT solution providers in the world, is secunet's new partner for the SINA product range. “In Dell, we have gained a highly skilled and well-established solution provider who offers hardware alternatives that perfectly complement our SINA Workstation,” said secunet Chairman of the Management Board, Dr Rainer Baumgart, of the new partnership. In the medium term, the collaboration is to be extended to further components.

In addition to its high-quality IT platforms, secunet particularly values the excellent logistic collaboration with Dell. Using the company’s efficient sales and service set-up in Germany, orders can be processed simply and promptly. It is therefore not only secunet and the High Security business unit that benefit from this partnership, but above all SINA Workstation customers.
Every Human Being is Unique – and their Vein Pattern Proves it
secunet experts test vein pattern recognition for personal authentication

In an adult human some 7,000 litres of blood are carried to the heart by the veins every day. Apart from this they hold the proof of our identity, because the pattern of veins in a finger or hand, for example, is unique. Vein pattern recognition (VPR) offers two clear advantages over fingerprint recognition: first, it is virtually impossible to capture the vein pattern of an individual unnoticed with the aim of bypassing technical security hurdles through the use of spoofs. Secondly, vein recognition works largely without contact, a property which is very attractive to the many users who are sensitive about hygiene. Japan, Brazil and Turkey already use this method: VPR is used for verification at more than 50,000 automatic teller machines, for an estimated seven million debit card holders.

As this technology is now also being used in Germany – VPR will be used in future for access control at the new Berlin-Brandenburg airport – secunet carried out one of the first independent studies in order to evaluate the reliability and usability of the systems currently on the market. Both established and new products were tested. The systems generally performed well and mainly showed good recognition results, albeit in some cases their ease of use was not ideal. secunet’s biometrics experts will continue to monitor VPR technology as they expect it to complement traditional fingerprint recognition in various areas such as access control. Moreover, the combination of fingerprint and vein recognition already available in multi-biometric sensors promises a considerable improvement in recognition performance along with higher spoof resistance – thus providing greater security.
Imprint
Copyright: © secunet Security Networks AG. All rights reserved. All contents and structures are copyright protected. All and any use not expressly permitted by copyright law requires prior written permission.
Editor: secunet Security Networks AG, Kronprinzenstraße 30, 45128 Essen, Germany, www.secunet.com
Responsible in terms of the press law: Christine Skropke, [email protected]
Chief Editor: Claudia Roers, [email protected]
Conception & Design: Dominik Maoro, [email protected]
Design: www.knoerrich-marketing.de
Illustrations: Cover, p 4/5, 6, 9, 12 and 14: www.shutterstock.com; p 10: fotolia.de; p 13: Illustration Lutz Lange; p 16: www.iStockphoto.com. Others: secunet.
Subscribe to secuview: Would you like to receive secuview on a regular basis free of charge? Choose between the print and the e-mail version. Register on www.secunet.com/en/the-company/it-security-report-secuview/secuview-e-mail-eng.
Security on the Move – Optimum Protection for Data
A comprehensive security solution for mobile workstations
The SINA BusinessBook keeps your sensitive data secure even when you are on the move

Rapid response, excellent accessibility for customers and employees, great mobility and always up to date – this is all part of good corporate governance and top management. And for this a mobile workstation is indispensable. But with a large number of essential, often time-critical tasks and changing locations, it is almost impossible to give constant attention to data security and data protection. The Control and Transparency in Business Act (KonTraG), which makes the management of a company personally liable for data loss, further increases the pressure. The SINA BusinessBook provides a security solution for mobile working. This is a notebook system based on tried and tested SINA technology*.

Virtualisation technology makes it possible to run a number of completely separate environments on a single device, for example to separate professional from private use or to be able to undertake roles within a company or with customers that need to be kept strictly separate. The security philosophy incorporated into the SINA BusinessBook is based on the complete encapsulation of all components that come into contact with sensitive data. All data available on the notebook can only be accessed with a smartcard and PIN, and this applies to all the virtual environments that have been installed. The SINA BusinessBook makes mobile working secure.

More information:
Thomas Stürznickel

* Various certificates of approval from the BSI confirm the proven quality of our solutions – Made in Germany.
News in Brief
secunet Customer Satisfaction Survey 2011
Thank you for your confidence in us!
22% of customers rated their overall satisfaction as ‘very good’, and 49% rated it ‘good’.

What are we doing well? How can we do better? How are our products perceived, and how do we compare with the competition? This is what secunet hoped to learn from its customers through the customer satisfaction survey it conducted in autumn 2011. Our goal was to obtain very open and honest feedback which addressed all levels of the consulting and support cycle – from initial contact and the ordering process through to project completion and ongoing support. In order to ensure the necessary anonymity, the survey was carried out by the Cologne market research institute SKOPOS. Almost 10% of the customers approached completed the online questionnaire. The results confirmed an above average level of satisfaction overall: 22% of respondents rated us as ‘very good’ and 49% rated us as ‘good’. secunet customers were particularly impressed with the technical expertise, professionalism, reliability and friendliness they encountered day by day. Particularly singled out for praise once again were the customer-specific, practice-oriented solutions provided by the secunet experts.

The survey revealed that we did not succeed fully in meeting customer expectations when it came to in-depth documentation of processes and outcomes. Delivery times of product solutions also came in for some criticism. We have taken this criticism on board and are working hard to bring about improvements here.

The response to the quality of our hardware and software solutions was extremely positive – 17% rated this as ‘very good’ with 60% rating it as ‘good’. Only 9% gave us a ‘satisfactory’ and no customers rated us as ‘unsatisfactory’. This feedback underscores the fact that our intensive work on the innovative development of our products, particularly those in the SINA portfolio, is not only recognised by the market, but is also appreciated by our customers. In comparison with overall industry standards our support was rated as above average.

We shall not however be resting on our laurels! We have already acted on some of the suggestions from the questionnaire so that in the future we will continue to be able to offer the best possible service to our customers. A survey of secunet employees confirmed that the high expectations we have of ourselves, our products and our services are also reflected in the fact that in our self-assessment we were more critical of ourselves than our customers are of us.

We would like to take this opportunity to thank all our customers for supporting us through their feedback and contributions in the questionnaire. We will continue to do everything we can in the future to be a good consultant and partner in the field of IT security.

More information:
Christine Skropke
Events

Distinguished Visitors
Federal Interior Minister Dr Hans-Peter Friedrich was briefed about SINA and authega by secunet staff.

Concentrated Defence, Controlled Attack
Is attack the best defence in the online world? – This was just one of the questions discussed by experts at the Handelsblatt Conference “Cybersecurity 2011” held in Berlin in September. secunet had a booth at the accompanying exhibition.
Spokesman for Chaos Computer Club Frank Rieger, Brigadier General (Rtd) Friedrich Wilhelm Kriesel, secunet Chairman of the Management Board Dr Rainer Baumgart, Facilitator Dr Rüdiger Scheidges, Dr Michael Meier from FKIE, Dr Sandro Gaycken from the FU Berlin (l to r)

SINA Ventures into the Big Wide World
Products from the SINA portfolio have long been in use in Germany. Now, more and more clients from abroad are coming to recognise their qualities. In September 2011, our international SINA resellers met in Amsterdam to attend presentations, to network, and to exchange information and experiences.

Parliamentary Secretary to the Federal Minister of Economics and Technology Hans-Joachim Otto (left) in conversation with SecuMedia CEO Peter Hohl (centre left) and secunet Chairman of the Management Board Dr Rainer Baumgart (right).
Riyadh Cyber Security Conference 2011
Under the auspices of the Saudi Arabian Ministry of Communications and Information Technology, secunet organised the Riyadh Cyber Security Conference 2011. 50 members of the Saudi Arabian security services and armed forces attended the conference and were treated to fascinating presentations on biometrics, cryptography and network analysis. Among the speakers were representatives from the German Embassy in Riyadh, BSI, ipoque and secunet.

Secure On-board Network Communication at the IAA
At the secunet stand at the Frankfurt Motor Show in September 2011, secunet and Elektrobit used a demonstrator to show the possible consequences of having unencrypted communication between control units rather than encrypted communication. (For more about the partnership between Elektrobit and secunet see article p 7.)
Dates
February to June 2012
Would you like to arrange an appointment with us? Then send an e-mail to [email protected].

» RSA Conference, San Francisco, USA – 27 February to 2 March 2012
» CeBIT, booth B36 in hall 12, Hannover – 6 - 10 March 2012
» Infosecurity Europe, London – 24 - 26 April 2012
» Workshop ‘IT Security on Board’, Munich – 27 April 2012
» 13th Datenschutzkongress 2012, Berlin – 8 - 9 May 2012
» AFCEA exhibition, Bonn - Bad Godesberg – 9 - 10 May 2012
» SINA User Day, Berlin – 15 May 2012
» BITS, Porto Alegre, Brazil – 15 - 17 May 2012
» Security Document World, London – 21 - 23 May 2012
» SINA User Day, Bonn – 22 and 23 May 2012
» General Annual Meeting secunet, Essen, Castle of Borbeck – 13 June 2012
» Bayerisches Anwenderforum eGovernment, Munich – 27 - 28 June 2012
IT security partner of the Federal Republic of Germany – www.secunet.com
Caution! Insecure Structure! Customized IT security provides a solid foundation for your success.
Protect your most important assets. IT security is essential for a stable IT infrastructure and for all processes. secunet is your trump card: our vision and expertise will help you achieve even the most demanding IT security solutions.
We look forward to seeing you at CeBIT 2012. Visit us at booth B36 in hall 12.