Security – the key to smart grids and planets

08.12.2011 by Martin Kuppinger

This week was the 6th National IT Summit in Germany. Like always, that’s where big speeches are made and little happens. The German BITKOM (Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e.V.), the IT and communications industry lobbyist association put the topic of smart networks (or grids) on the table. They requested initiatives (and money) to build such networks. That comes as no surprise, given that the smart world will require massive investments. So driving this forward makes sense.

However, the big problem to solve for this smart world – whatever it will look like – is security. I’d blogged about this quite a while ago, titled “Is an insecure smart planet really smart?” This question is not even still valid, it has become increasingly important. In Germany, there has been a large exercise – sort of a field exercise – just recently called LÜKEX. Many governmental organizations, police, and others are involved, this time upwards to 3,000 persons. In former years it has been about terrorist attacks with bombs and the like. This year it has been about CyberSecurity.

Networking the world requires a very well thought out approach on security. And it requires the willingess not to connect everything. The problem is that many of the initiatives around smart “whatevers” ignore this. There is a BITKOM presentation of mid 2011 which does not even mention security. Fortunately, BITKOM at least mentioned the need for security at the National IT Summit. Nevertheless it looks like the need is neither fully understood nor adequately prioritized. My perspective is that it has to be the priority number one for everything which is done around the smart world. Without security, nothing will be smart.

And even with well-thought security we have to be always aware that everything we network, especially including all the SCADA devices, will massively increase our security risks. So being not too smart might be smarter sometimes.


German state fails in hacking

09.10.2011 by Martin Kuppinger

This weekend, the German CCC (Chaos Computer Club), an institution which probably is best described as the “white hat” association in Germany and being prominent for a long time for identifying security issues, informed the public about severe issues with the so called “Bundestrojaner”, a trojan used by the German BKA (sort of the counterpart to the FBI) in some cases to hack computers of suspects and to collect internet telephony data.

There are two severe issues identified. The first one is that the trojan is able to do a lot of things which are just illegal. The German Federal Constitutional Court has ruled the German state regarding what is allowed and what not. In fact, only tapping of voice communication is allowed, and even that only within tightly defined boundaries. However, the trojan can for capture keyboard data, take over control of the webcam, and some other things. Interestingly, these things have been explicitly forbidden by the Court.

The other issue is simply that the Bundestrojaner is inherently insecure. It doesn’t authenticate communication and thus can be easily hijacked. So, a suspect could hijack the Bundestrojaner which has been placed at his system, for example. Regarding to current news, some communication of the Bundestrojaner even uses servers based in the US.

I won’t judge about the necessity of things like a Bundestrojaner, but I think the direction given by the German Federal Constitutional Court is reasonable. However, if Germany introduces such tools, they at least should do it right – with respect to the limits defined by the court and with respect to security.

By the way: This evening, the ministry of the interior (“Innenministerium”) denied the use of the trojan that had been analyzed and criticized by the CCC. Notably, they denied the use (not the existence). Let’s see what happens next. Overall, the concern I had from the very beginning regarding the “Bundestrojaner” has been fortified.


Posted in eGovernment, Security | Comments Off

eMail that noone really needs

11.11.2010 by Martin Kuppinger

These days, the Deutsche Post started its eBrief service. And the so called De-Mail is as well on its way. The common idea: Trustworthy, legally signed eMail. So far, so good. But we all know that its not the first approach for secure eMail. Some people are even using it actively, and some even beyond the reach of their corporate eMail systems. But when I look at my inbox, well below 1% of the incoming mails are signed and exactly 0% are encrypted.

Why should that change with new services which are expensive (to send the eBrief costs money like a real letter), have a complex registration procedure (you have to show up in person and with your ID card or – lucky one – your eID), and are difficult to use. The biggest problem: Yet another mailbox. I don’t want to have another mailbox. I don’t want to use websites to authenticate before I can access like I have experienced with other approaches. I just want to be able to use secure eMail (if I need it) with my existing mail accounts, my existing Microsoft Outlook (and NO new mail account I have to add to my outlook). Seamless. Without having to think much about. Without registration. And in a way that every recipient understands. The best way still is S/MIME, even while only few people really understand what happens there, at least besides the IT security people. But an eBrief? De-Mail? Why should I? Add another level of complexity to my communication? No way.

Besides this: De-Mail would also enable the state to communicate with me. They have a way to reliably send mail to me – do I really want them to have this option? Hey, I couldn’t ignore that any more. That’s far easier with the classical letters sent by snail mail.

Honestly, my reception of these initiatives is that someone tries to reinvent the wheel – one with five edges, not a round one.

I personally will further use my fax when it’s about really reliable communication.


Posted in eGovernment, eID cards/ePassports | Comments Off

Strong authentication as business development

31.03.2010 by Martin Kuppinger

In my recent post on versatile authentication I touched the topic of national eID cards. Some two weeks ago, I did a presentation on eID interoperability from a private perspective. I started with the question about why strong authentication technologies are still not widely used. The vendors might claim that they are, but in fact we still mainly rely on weak approaches like username/password, PINs, PIN/TAN, and so on.

One reason for that is that approaches which are reusable need a sponsor. Many companies in eBanking, eCommerce, and other areas understand the need for strong authentication. But they don’t want to rely on proprietary mechanisms. They don’t want to deploy and provide the logistics for advanced mechanisms due to the costs associated with. And they don’t want to invest in a technology for their customers which then might be used by their competitors as well. One example for the latter situation are readers for cash cards, amongst others.

For sure you could argue that the example of the UPU (Universal Postal Union) has demonstrated some 145 years ago, that this isn’t a valid argument. Before UPU, there had been a complex system of billing between postal agencies in different countries. They counted the letters and the fees and billed each other. The basic idea behind UPU was, that there is usually one letter back per letter sent, thus the fees which have to be payed are more or less equal. Thus it is much cheaper to just not do that billing anymore and to have the senders pay only a fee in the originating country of the letter. This system works for a pretty long time right now. And I don’t have that many doubts that a standardized system which requires some hardware to be deployed would work as well when everyone supports his customers – the ones with fewer customers will pay less on average because they have to deploy less, the ones with more customers will pay more.

Unfortunately I neither see a standard solution which is accepted by everyone nor the willigness to do that. Thus we need alternatives. And that is where eID cards come into play. There is a potential for mass adoption at least in countries where it is mandatory to have such a card. However, that requires that these cards can really be used for strong authentication in eCommerce and other areas. And that, again, requires the deployment of readers for these cards.

Thus, we need someone to sponsor at least the initial deployment to build the critical mass. The only ones to do that are the governments, like in Germany, where 1.3 million readers will be sponsored. That in fact is business development, because it enables the use of Internet-based services with strong authentication. It enables new business models, efficiency in organizations, it will reduce fraud and the associated costs. However, the eID projects usually aren’t seen from that perspective of business development – private use cases are more sort of an add-on. Decisions like in the Netherlands to shift such projects to a later point of time show a lack of understanding of the potential economic impact.

We need mass adoption of reusable strong authentication for the “Internet business”. The only way to achieve this is by sponsors who invest in the mass adoption of technologies. And the most likely sponsors are governments, as part of what they do for their economies and their competitive advantage. Once we have a mass adoption of strong authentication, we might see additional technologies being used for graded and step-up authentication. Vendors of versatile authentication and context-based authentication/authorization will benefit from this as well because eID cards will always be only one of many accepted means of authentication. But the ones who benefit most are the businesses themselves which can reduce fraud and implement new business models.

Visit EIC 2010, Cloud 2010, MIS 2010.


German politicians argue against the German eID

31.01.2010 by Martin Kuppinger

Today, some influential German politicians started argueing against the upcoming German eID card in a sunday newspaper. The eID card is planned to be available by November, 1st. The main argument is that the costs of the project are increasing – there is the request for some additional 7 million Euro for advertising. The politicans claim as well that experts doubt about the need for the eID card. They propose to shift the introduction to 2020.

There are for sure some points with the German eID card which you can discuss. However, the arguments of these politicians just show that they don’t understand anything of what they are talking about. No big surprise, you might claim – they are politicians. To provide my view on this:

  1. Yes, the eID card costs a lot of money. However, new things typically aren’t for free. And given that the eID card is a government project, there is a lot of politics and lobbying in, which never ever saves money. Anyhow, it doesn’t appear to be excessively costly.
  2. The concept of the German eID card might not be perfect, but it goes beyond most other approaches when looking at principles like “minimal disclosure of information” and the supported use cases as well for public as for private use.
  3. Security is well solved. There are some people claiming that fingerprints aren’t secure. Yes – there might be some fraud. But the eID card is way beyond the alternatives we have today and which could be used in a mass market. I personally think that it is much better to do some (significant) step forward in security instead of staying still and looking for the Nirvana.
  4. The concepts have to be explained to the public. That is an educational effort which will take time and which will cost money. However, we should look not only at potential downsides but might concentrate on the positive things – and there are many interesting use cases. There is a lot of potential within the German eID card.
  5. There are experts (I thought about putting the term into quotas…) – no surprise, you will always find experts which support your opinion, especially as a politician.
  6. You definitely can wonder about why we need a health card and an eID card on a national basis – one card might be sufficient (especially given that you have to educate people on the privacy concepts for both cards and thus you might reduce the efforts on this…).

I could add many more points to that list. However, I think that this is just another example of politicians talking about things they don’t understand at all. There is some value in the German eID card. It is based on a well-thought concept. There are things which might be improved – and many of the shortcomings we might observe at the beginning will be solved. It will take some time for the mass adoption – again no surprise. But overall, it is absurd to stop this project now and to restart it in some ten years. That would mean that much more money then it will ever cost to bring the project to an successful end will be destroyed and will have to be spent again in some years. Thus, there is definitely no sense at all in stopping this project now. But there is a lot of sense in spending some extra money in education of the citizens, to make it successful.


Posted in eGovernment, eID cards/ePassports | Comments Off

Many test cases for German eID card

22.07.2009 by Martin Kuppinger

Some days ago the German government announced a list of 30 companies with test cases for the upcoming eID card, which will be available starting November, 2010. The good news is that the BMI (Federal Ministry of the Interior) has managed to get a good number of test scenarios outside of eGovernment. The identification of flight passengers at airports, hotel check-in, online shops, and some use cases for age verification are on the list of published test cases.

For sure there are as well many eGovernment applications amongst these 30+ scenarios but the real important thing is that there are obviously many partners outside the eGovernment which are interested to use the eID card for identification (or age verification) purposes within their specific business use cases. If they succeed, there will be a lot more partners once the eID card is officially issued - and the more companies will use the eID card, the more momentum will be there for “buying” the eID card and switching to it from the current conventional ID card. That is about “buying” because the eID card is mandatory when renewing the current eID card (which is valid 10 years from the date of issuance). That fee will be accepted more likely when the card can be used for many use cases.

Overall it appears that the German government is doing a good job in creating some interest in and momentum behind the eID card. And doing a broad test with many partners more than one year before the card is distributed widely is definitely important – there will be many lessons learned. Anyhow, the biggest threat for the eID card still will be the acceptance. Test cases are one thing – the other aspects are usability (make the eID card as easy to use as possible, even from home) and trust. There will be a lot of discussions around the eID card, and educating users about the security and privacy (which is pretty good in the eID card concept) is extremly important for the success of the German eID card. But there will be a lot of FUD (fear, uncertainty, doubt) raised around this issues, like “the fingerprints aren’t fully secure”. Yes, in fact, there is some slight chance of abuse – but what the eID card provides is a big step forward for most of the users. Thus, we should look at it more positive and understand it as an important improvement for security in the Internet – with some shortcomings (national, time-to-market,…).

It will be definitely interesting to observe the different test cases and the lessons learned there. Despite all doubts, the German eID card has a good chance of becoming a successful project.


The German ePA project – yes we can

06.04.2009 by Martin Kuppinger

OK, everyone has used that claim “yes we can” right now. But it fit’s pretty well to the German project ePA (Elektronischer Personalausweis) which is one amongst several projects in different European countries for a new type of personal identification card. It’s not an ePassport but an personal identification card – you have to have the latter in Germany, you can obtain the first if you require it for international travel.

In contrast to some other countries like the USA and the United Kingdom, a personal ID card is mandatory in Germany. Currently it is an “old-school” type of printed document. The ePA will replace this with an electronic ID card which will be issued by the German state -  using the same deployment mechanism with the so called “Meldeämter”, e.g. registration offices (local offices run by cities where every address change and so on has to be registred). Thus there is a personal identification included when requesting and deploying the ID card.

For a long time I have been a little sceptical regarding German eGovernment initiatives. Many of the didn’t convince me, either due to their obvious lacks of identity management (like in the area of tax declarations with the ridiculous ELSTER project) or because there was far too much ideology in (Linux vs. Microsoft). But the ePA proves that Germany is able to really run a leading-edge project not only in the manufacturing industry, but as well in eGovernment.

The ePA supports different use cases, from the identification at border controls, the police, and in other situations up to several public use cases. The interesting point is that these use cases will then be supported by a strong authentication, based on the ePA and readers for that ID card. It will be possible, to give an example, to provide age verification – while enforcing the concept of “minimal disclosure”. For example, the answer might be “yes” when asking for age verification above 18 years instead of supplying the full birth date. The ePA will as well provide the capability to store the qualified electronic signature which can be used to sign contracts and official documents as well in the private as governmental use.

All these features are implemented in a well-thought way, based on distributed stores on the ID card. And they are backed by valid business models as well for providers of digital certificates (qualified electronic signature) as for relying parties, e.g. service providers which plan to support the ePA as a means for strong authentication, age verification, or other purposes.

For sure there are still some open questions: What about foreigners (there will be interoperability, there will be other solutions)? How long will it take for the critical mass (the old ID card has a validity of ten years thus replacement will take some time)? How about integration with concepts like Information Cards (some companies are working on that)? But despite open questions, the concept of the ePA is a promising one which might as well support eGovernment concepts as the strong authentication for private use cases. I expect that we’ll see a lot of interesting use cases and applications around ePA soon – and some things you might learn as well at our European Identity Conference 2009 in Munich.


Services
© 2014 Martin Kuppinger, KuppingerCole