Study Criteria for success of identification ... fileBand 3 Study Criteria for success of...

Band 3

StudyCriteria for success of identification,authentication and signing methodsbased on asymmetric cryptographicalgorithms (EKIAS)

Entwicklungen in denInformations- undKommunikationstechnologienHerausgeber:Friedrich-L. Holl

Authors:

Anja BeyerSophie HellmannMalte HesseFriedrich-L. HollPeter MorcinekSachar PaulusHelmut Reimer

Contributors:

Markus DahmsKarsten KausmannSimone Friedrich-MeierJens Ziegler

Commissary:

Fachhochschule Brandenburg –Brandenburg University of AppliedSciencesTeleTrusT e.V.

On behalf of

Federal Ministry ofEducation and Research

Fietes Buch engl RZ2 24.09.2008 17:00 Uhr Seite 1

Band 3

StudyCriteria for success of identification,authentication and signing methodsbased on asymmetric cryptographicalgorithms (EKIAS)

Entwicklungen in denInformations- undKommunikationstechnologienHerausgeber:Friedrich-L. Holl

Authors:

Anja BeyerSophie HellmannMalte HesseFriedrich-L. HollPeter MorcinekSachar PaulusHelmut Reimer

Contributors:

Markus DahmsKarsten KausmannSimone Friedrich-MeierJens Ziegler

Commissary:

Fachhochschule Brandenburg –Brandenburg University of AppliedSciencesTeleTrusT e.V.

On behalf of

Federal Ministry ofEducation and Research

EKIAS-Studie_engl_Druck 25.09.2008 16:18 Uhr Seite 3

Editor: Prof. Dr. Friedrich-L. Holl,Fachhochschule Brandenburg – Brandenburg University of Applied Sciences

© 2007 Self-published, BerlinDesign: Martin SchüngelTranslation: Stefanie Otersen and Peter MorcinekPrint: digital business and printing GmbH, D-10409 Berlin

ISSN 1863-5016

All rights reserved. No part of this publication may be used or reproduced by anymeans including public reading, public broadcasting, television, translation intoforeign languages, electronic, mechanical or computational processing, apart fromthe exceptions mentioned in §§53, 54 URHG.


Table of Contents

Introduction……………………………………………………………………………………………………………………… 9

Executive Summary ……………………………………………………………………………………………………… 13

1. Technical Outlook ……………………………………………………………………………………………………… 17

1.1 Methodology ……………………………………………………………………………………………………………… 17

1.2 Cryptography ……………………………………………………………………………………………………………… 18

1.3 Man between the conflicting priorities of technology and economics …………… 22

1.4 Tokens & Trusted Computing …………………………………………………………………………………… 22

1.5 PKI applications ………………………………………………………………………………………………………… 24

1.5.1 Authentication, identification and signatures …………………………………………… 24

1.5.2 PKI standards and protocols…………………………………………………………………………… 26

1.5.2.1 Protocols ……………………………………………………………………………………………… 26

1.5.2.2 Formatting standards ……………………………………………………………………… 27

1.5.3 Did asymmetric cryptography dash the vision of simple PKI solutions? 27

1.6 Alternative concepts ………………………………………………………………………………………………… 31

1.6.1 Symmetric encryption and key management methods …………………………… 31

1.6.2 Hybrid Methods ……………………………………………………………………………………………… 32

1.6.3 Biometry …………………………………………………………………………………………………………… 32

1.6.3.1 Biometric authentication ………………………………………………………………… 32

1.6.3.2 Biometric identification …………………………………………………………………… 33

Table of Contents | 5


1.6.3.3 Rating of biometric methods…………………………………………………………… 33

1.6.3.4 Outlook ……………………………………………………………………………………………… 34

1.7 Evaluation …………………………………………………………………………………………………………………… 35

1.8 Summary……………………………………………………………………………………………………………………… 36

2. Economic Insights ……………………………………………………………………………………………………… 39

2.1 Methodology ………………………………………………………………………………………………………………39

2.2 Usage Scenarios ………………………………………………………………………………………………………… 40

2.2.1 Objective …………………………………………………………………………………………………………… 40

2.2.2 Classification approaches ……………………………………………………………………………… 40

2.2.2.1 Classification according to involved players ………………………………… 40

2.2.2.2 Classification according to security objectives …………………………… 42

2.2.2.3 Classification according to stakeholders ……………………………………… 43

2.2.3 Conclusions ……………………………………………………………………………………………………… 45

2.2.4 Successful business processes applications ……………………………………………… 46

2.3 Economic considerations …………………………………………………………………………………………… 48

2.3.1 Measurement IT investments ……………………………………………………………………… 48

2.3.2 Frequently used key figure methods …………………………………………………………… 49

2.3.2.1 Return on Investment ……………………………………………………………………… 52

2.3.2.2 Return on Security Investment ……………………………………………………… 53

2.3.2.3 Net Present Value ……………………………………………………………………………… 54

2.3.2.4 Balanced Scorecards ………………………………………………………………………… 54

2.3.2.5 Total Cost of Ownership …………………………………………………………………… 56

2.3.3 Exemplary cost-benefit analysis …………………………………………………………………… 56

2.3.3.1 ROSI calculation for a security process…………………………………………… 56

2.3.3.2 Balanced Scorecard-based examination ……………………………………… 60

2.4 Summary……………………………………………………………………………………………………………………… 69

3. Operating Conditions ………………………………………………………………………………………………… 71

3.1 Methodology ……………………………………………………………………………………………………………… 71

3.2 Products ……………………………………………………………………………………………………………………… 72

3.3 Project procedure ……………………………………………………………………………………………………… 73

3.4 Operation …………………………………………………………………………………………………………………… 74

3.5 Liability ………………………………………………………………………………………………………………………… 77

3.6 Synopsis ……………………………………………………………………………………………………………………… 79

4. Workshop – Findings ………………………………………………………………………………………………… 81

4.1 Methodology and course of the workshop …………………………………………………………… 81

4.2 Comments about results achieved so far ……………………………………………………………… 83

4.2.1 Comments on “Technical Outlook” ……………………………………………………………… 83

4.2.2 Comments on “Economic Insights” ……………………………………………………………… 86

4.2.3 Comments on “Operating Conditions” ………………………………………………………… 88

6 | Table of Contents


4.3 Results of the Break-out Sessions …………………………………………………………………………… 91

4.3.1 Green Group……………………………………………………………………………………………………… 92

4.3.2 Red Group ………………………………………………………………………………………………………… 93

4.3.3 Blue Group ………………………………………………………………………………………………………… 94

4.3.4 Conclusion ………………………………………………………………………………………………………… 95

4.4 Results of the Workshop …………………………………………………………………………………………… 95

4.4.1 Technology………………………………………………………………………………………………………… 95

4.4.2 Economic Aspects …………………………………………………………………………………………… 96

4.4.3 Socio-scientific Aspects…………………………………………………………………………………… 97

4.4.4 The Government’s Role …………………………………………………………………………………… 98

5. Recommendations …………………………………………………………………………………………………… 99

5.1 Technology ………………………………………………………………………………………………………………… 99

5.2 Economics ………………………………………………………………………………………………………………… 102

5.3 Operating conditions ……………………………………………………………………………………………… 104

5.4 Further Research ……………………………………………………………………………………………………… 106

6. Bibliography …………………………………………………………………………………………………………… 107

Anhang ………………………………………………………………………………………………………………………………… 117

A. Fragebogen Technische Perspektiven…………………………………………………………………………… 118

B. Interviewpartner zu Technischen Perspektiven ………………………………………………………… 121

C. PKI ……………………………………………………………………………………………………………………………………… 123

D. Return on Security Investment (ROSI) ………………………………………………………………………… 139

E. Fragebogen zur Erfassung von Kriterien für die Nutzung von PKI ………………………… 156

F. Details zum Workshop …………………………………………………………………………………………………… 167

Table of Contents | 7


Introduction

By establishing the Signature Law, the Federal Republic of German has achieved anearly orientation towards using asymmetric encryption methods when ensuringelectronically aided methods. From today’s point of view, using PKI infrastructureswhich are implemented accordingly and serve as a basis for authenticating, identi-fying and singing, cross-company business processes can be secured.

Using asymmetric cryptographic technologies together with smart card (or similartokens) as security means, however, is still of no relevance. Rather, applicationaccess is still realised using the hardly reliable combination of user ID and password.One time passwords or other, secure methods are rarely used. New developmentsalso rarely account other (stronger) identification and authentication methods andwhen they do were talking about designated security applications in most cases.

Based on this problem the questions to be answered within the course of the projectarose. In particular, we wanted find out why asymmetric methods are only used in alimited way and why companies still rely on payment systems which are not secure,despite the fact that the risk are substantial and commonly known. In the chapteron Operating Conditions (cf. chapter 3) this questions are discussed in detail. Therewe outline the criteria which usually determine the success of an implementation -and above all its use. Our approach for identifying these criteria consisted of devel-oping them using appropriate literature like field reports. Since there are nearly nosuitable publications on this field (publicly) available, we anonymously interviewedexpert having a lot of experience with planning, implementation and operation of

Introduction | 9


public key infrastructure. By promising anonymity, we could obtain results we con-sider to be genuine and uncensored.

In conjunction with the conducted interviews, we also determined aspects that mil-itate for or against PKI, as well as consequences for the user, and questions of liabili-ty. Regarding implementation, we surveyed the solutions or, rather, products, as wellas reasons for the use of this specific product, and the time needed for deployment.The part asking questions on operating PKI regarded advises and challenges of PKIuse, as well as needed and actually used documentation. When addressing theissues of cross-company communication, technical realisations and the correspon-ding experiences where regarded amongst other things. All in all, we tried to identi-fy possible obstacles of using PKI applications and concepts and have them rated.

In the following, we examined the existing of new technical developments in con-nection to development of public key infrastructures, as well as possible medium-term and long-term trends in this field. The information gained (as described inchapter 1 – “Technical Outlook”) was determined using two distinct approaches:

We conducted an international literature study which regarded the topics of cryp-tography, tokens, PKI, alternative concepts without PKI, biometry, and security eval-uations as well as security certifications. Additionally, we interviewed 13 expertscoming from the fields of research, PKI industry, and commerce on the topics men-tioned above.

All in all, this chapter regards means which companies could use when increasinglyhandling B2C transactions as well as B2B transactions online. Laws like the Sar-banes-Oxley Act or Basel II require companies to follow a structured, efficient, andproactive approach of IT security. Thereby, significance of IT security technologiesgains importance. We demonstrate that approaches for lasting solutions can befound in the domain of PKI technologies.

On major goal of the chapter “Economic Insights” was to point out cost-benefit ratearising for the implementation of PKI systems. For that purpose we examined possi-ble concepts and applications which clearly can be identified as scenarios for PKIuse. Using literature surveys and practical experiences, we could identify accordingcriteria and develop a classification.

Subsequently, we investigated to which extent PKI use could be viewed from busi-ness process level, and to which extent PKI can be awarded an enabling function. Forthis to achieve, we conducted interviews with those responsible for such processes,in order to identify criteria for success as well as the economic background. All in all,we observed that orientation on business processes is currently not relevant forpractical use, because of PKI use still being considered as an infrastructure invest-ment. Based on this, we determined which key figure systems might have an effecton decisions of PKI investment – and to what extent. Doing so, we analysed quanti-

10 | Introduction


tative as well as qualitative methods. Using real, anonymised business data, we dida cost-benefit analyses which was based on our findings. The analysis demonstratedthat regarding PKI investment decisions a complete picture can only be provided bya combination of different key figure methods. This picture is needed for making adetailed and realistic decision on PKI implementation.

Based on the results of the preceding chapters we hosted a workshop which isdescribed in chapter 4 – “Workshop – Findings”. The goal of this workshop was toidentify criteria of success and point out prospects. Workshop structure and groupline-up aimed for these objectives. Different groups of competence were represent-ed: Vendors and service providers from the PKI market, chief information securityofficers, which already implemented successful multinational PKI projects,researchers, consultants with security and anti-fraud expertise, and IT managers.Long-time experience was emphasised in particular.

In order to prepare the participants for the work groups planned, they were filled inon the present results of the project team’s work. Based on this information as wellas their practical experiences they were to identify problems and come up withmatching ideal conditions, as well as solutions/fields of action.

Due to the broadly differentiated competence of the workshop participants, result-ing in contributions originating from different points of interest, and the detailedconsideration of these topics within work groups, focus on the main topic wasachieved. Especially, mixing technicians and non-technicians, IT managers andsecurity managers, vendors and many others proved to be a major success factor forachieving differentiated and controversial aspects which were still aimed at thesuccess of public key infrastructures as well as the according applications and tech-nologies. Additionally we gained important details and practical information aswell as personal opinions we probably would never have gained otherwise. In par-ticular, this applies to opinions and assessment conflicting with the “prevalent”expert opinion which – maybe due to political motivation – has not been publiclydiscussed like this before. We used these results to suggest further approaches forPKI implementations.

One major goal of this project was to identify possible further developments, need forsupport or practical advice which helps to push PKI. Additionally we intended to iden-tify obstacles and phrase suggestions how to eliminate them. Therefore, chapter 5 –“Recommendations” contains a summary of the most important findings for the fieldsof technology, business and practical use. Based on this, we suggest possible furtherresearch projects and give concrete advice for successful PKI implementations.

As an overall result this study is intended to provide indication of conditions whichare needed for successful PKI implementation and use, possible actions that can betaken – maybe by the Government as well – and which fields should be furtherresearched.

Introduction | 11


Executive Summary

The EKIAS study addresses criteria for success of identification, authentication andsigning methods based on asymmetric cryptographic algorithms and thereforeprimarily on criteria having a positive influence on PKI as well as those that arelimiting. The most important findings are that user matters have more influenceon PKI than assumed before and economic arguments are only relevant when con-sidered within the context of one particular process. Furthermore it is important toguide users during the implementation stage in order for them to accept the PKIapplications.

The goal of this survey has been to identify areas of PKI technology and applicationsneeding further research and support as well as areas still having potential for inno-vation.

The following was found:

Technical Outlook

In order to be cost effective, long-time use (guaranty of durability of algorithmsand key length) needs to be technical realisable since establishing a PKI requireshigh initial costs which are continuously incurred for a long time. Long-term useis more important with regards to governmental applications (identity docu-

Executive Summary | 13


ments, documents to be digitally preserved by law) mainly; business applicationsare typically more market-oriented and therefore designed to be rather short-dated.

Interoperability is important for successful use of PKI technology. With multi-proce-dural applications (e.g. e-mail encryption) this has to be assured through standards.

In order to allow for successful application integration, the key management has toprovide shared keys for several applications or alternatively allow for managingshared keys. In order to reach an enhanced security level, use of tokens (e.g. smartcards, USB-tokens) as a supplement of software-based certificates is desirable. Withtokens, attention must be paid to expandability (replacement of algorithms etc.) –the shape of tokens will evolve and adjust to the applications used. In the future, bio-metric techniques will be increasingly used in addition to tokens to identify people.

Economic Insights

PKI technology can act as a business process enabler. Possible applications can beeconomically justified within the context of specific processes only though. For theuse of PKI two financially motivated reasons exist: PKI as a cost saving measure (PKIallows for digitalising processes, e.g. electronic invoices) and PKI for acceleratingand standardising processes, in order to electronically represent them more “ele-gantly” and with less effort (e.g. authentication using certificates with businessprocess outsourcing). The fact that the persons in charge of processes often do notknow the corresponding costs is problematic. It results from the processes beingattached to infrastructure and system components which are hard to understandand evaluate. The corresponding benefits and the risks are hard to quantify as well.Therefore reductions of costs are seldom objectively accounted for. In order to be abusiness process enabler, PKI demands an initial investment, which is why decisionmakers need to be persuaded of its reasonability. Single key figures like ROI/ROSI orNVP can aid the decision process, but often provide a negative result. This methodol-ogy would often argue against investing in PKI even though the investment wouldactually make sense. Therefore a mix of accepted methods (e.g. ROSI including TCOsupplemented by NVP and Balanced Scorecard) should be generally used for a moredetailed examination of costs.

Another problem lies within the fact that the bearer of PKI costs is often not able tocapitalise his investment. On infrastructural level transferring costs and benefits isoften not possible – not until the process level is considered and even here in-houseprocesses are required. Therefore cross-company payment and cost allocation mod-els have not been accepted by the market.

It should be noted that PKI without specific applications is just an infrastructure,offering no actual use to anyone, even from the point of view of security. However,

14 | Executive Summary


when it is established, the obvious benefits of PKI use are soon evident through sup-port facilities for business processes.

Operating Conditions

PKI technology is not really suitable for daily use yet, and interoperability of differ-ent PKI applications is not given to the extent desired by costumers. This particular-ly applies to key management, necessary for PKI use.

PKI projects are to be categorised as “sensitive”, therefore success of such a projectmay be compromised by changing requirements and specifications within the proj-ect. Furthermore PKI centralises trust decisions and assures a designated processsequence. In practice this may result in substantial problems, since such develop-ments (may) conflict with personal interests of the parties involved.

Acceptance of PKI applications could be enhanced if those were simple and transpar-ent, meaning easy to understand within the context and language of businessprocesses. But, even when this had been accomplished it turned out that the efforts forsupporting PKI applications are still higher than those of other applications. In thiscontext it needs to be guaranteed that the support can rely on qualified employees, sothat security specifications are not compromised by wrongly recommended actions.

With cross-company processes the problem of acceptance is much higher, since thetrust decisions to be made are complex. Therefore certain requirements for PKIapplications must be taken into account. We differentiate between three scenarios,all of which are following their own market drive:

1. For the mass market (e.g. home banking, online shopping) simplicity, trans-parency and minimal costs come first, making the use of a complex technologylike PKI difficult.

2. In the business environment flexibility is the most important aspect, since PKIuse depends on the level of security requirements and the technologies used, foran instance. Successful isolated solutions (i.e. information silos) show that stan-dardisations are not given the highest priority and can only be established whenpaying attention to market rules.

3. When used for governmental purposes (e.g. electronic identity documents)though, standardisation combined with high security and sustainability(replacement of algorithms, use of biometry, and so on) is compulsory.

Simple and understandable trust decisions still remain the most important require-ment. Therefore, it needs to be taken into account that security results from controland trust and that reducing control is possible only by increasing trust.

Executive Summary | 15


Recommended Actions

Amongst other things, the goal of this project was to point out options for eliminat-ing obstacles associated with PKI technology and the corresponding operating con-ditions. Building on that, recommendations that will promote PKI were developed.

Among the technical recommendations are suggestions for research on interchange-ability of cryptographic algorithms, which we consider to be necessary. This is of par-ticular interest for long-term PKI use within a governmental environment. We identi-fied integration of PKI in applications as another object of investigation since sup-porting framework development allows for standardised methods. Interoperabilityof applications and key management is another important aspect, especially within agovernmental environment. In this vein, further form aspects beyond smart cards aswell as standardised access of cryptographic key are to be examined. Last but notleast further fundamental research in the field of quantum computers and theireffects on the crypto-algorithms used in PKI needs to be conducted.

From the economical point of view costs for the infrastructure investment “PKI” areto be made transparent and compared with generated benefits. As a result of thecomplex processes, the business models are based on, the focus should be on coreprocesses where PKI could act as an enabler. Security has to become an implicit partof business process modelling/development thereby. On a management levelunderstanding of the importance of security must be improved by appropriatemeasures. In order to accomplish a more detailed examination of a PKI project’scosts we suggest applying a mix of methods from different key figure systems.

When realising PKI, direct and diversified support of applications often leads toproblems, which is why we are of the opinion that PKI pilot projects should be inte-grated into the entire environment step by step. In order to reduce possible prob-lems and help with decision making, we additionally recommend publishing posi-tive and negative field reports on PKI use.

Furthermore, the interdependence of technology, economics and aspects of useshould be examined regarding PKI so as to find options for improving trust relation-ships for electronic business transfer. The trust decisions necessary for PKI applica-tions need to be simple and understandable for the user. Thereby direct user contactallows for enhanced awareness of trust building and trust decisions within (inter-net) applications. It should be refrained from enacting technical requirements intolaw; instead we suggest specifying them in directives, so that leeway can be usedwhen establishing PKI applications.

16 | Executive Summary


1.

Technical Outlook

IT security technologies are gaining more and more importance. The rise in han-dling B2C as well as B2B transactions online notably contributes to this develop-ment. Laws and regulations like the Sarbanes Oxley Act or Basel II demand thatcompanies address IT security in an organized, efficient and pro-active way. (cf.[Booker 2006]). In order to guard systems, data, and communication channels, sever-al techniques for encryption, signing, identification, and authorisation can beutilised.

1.1 Methodology

Two distinct approaches were chosen to gather information for the current chapter,“Technical Outlook”.

Y 13 experts from research, industry and commerce agreed to participate in a guid-ed telephone interview that addressed questions concerning cryptography,tokens, PKI, alternative concepts sans PKI, biometry, and security evaluation aswell as security certification. (The interview guide and list of interview subjectscan be found in the appendix).

Y At the same time a survey of international literature referring to the topics men-tioned was conducted.

This report follows the thematic structure of the questionnaire used.

Chapter 1 | Technical Outlook | 17


18 | Chapter 1 | Technical Outlook

1.2 Cryptography

Based on the German signature law, the Federal Network Agency recommends cryp-tographic algorithms for qualified signatures, hash functions, and random numbergenerators every year (cf. [Bundesnetzagentur Algorithmenkatalog 2006]). The sug-gestions for qualified signatures listed in this catalogue are intended to provide forsecurity for “at least six years after being evaluated and published” [SigV 2001].When it comes to deployment this timeframe is not reasonable, since investmentsand associated amortisations are aimed at a longer timeframe. The 2006 algorithmcatalogue recommends SHA1 (until the end of 2009), RIPEMD2-160 (until the end of2010) and SHA-224, SHA-256, SHA-384, SHA 512 (until the end of 2011).

Qualified for electronic signatures:1. RSA3-1024 (until the end of 2007), RSA-1976 (until the end of 2011), suggested

use of RSA-20482. DSA4-1024 (until the end of 2007), DSA-2048 (until the end of 2011), suggested

use of DSA-20483. DSA variants based on elliptic curves (bit-length of used prime number q at

least 180 (until the end of 2009) and 224 (until the end of 2011)), especially:a. EC5-DSA,b. EC-KDSA,c. EC-GDSA6,d. Nyberg-Rueppel signatures

(cf. [Bundesnetzagentur Algorithmenkatalog 2006])

Using a physical random number generator for key generation is strongly recom-mended. If no physical random number generator is available a pseudo-randomnumber generator might be considered. “The inner state is being initialised usingthe […] seed. With every step the state has to be renewed and a random numberderived. The seed has to be guarded against being read out or manipulated . . .” ([Bun-desnetzagentur Algorithmenkatalog 2006]). Every pseudo-random number genera-tor has to be a class K3 (evaluation class 3, strength “high”) deterministic randomnumber generator in terms of AIS-20 (cf. [BSI 2006a]). The seeds entropy is at least80 bit -100 and 120 bit are recommended (until the end of 2009), 100 or 120 (starting2010) (cf. [Bundesnetzagentur Algorithmenkatalog 2006]).

An algorithm catalogue like that of the Federal Network Agency can be regarded asa basic requirement for keeping systems reliable over a longer timeframe. Addition-

1Secure Hash Algorithm

2RACE Integrity Primitives Evaluation Message Digest

3Asymmetric cryptographic system named after Rivest, Shamir and Adleman

4Digital Signature Algorithm

5Elliptic Curves

6KDSA and GDSA are DSA variants based on elliptic curves


ally it serves as an adequate means of establishing standardised procedures (cf.[Giessmann 2006]). There is no national specification of algorithms and parametersfor securing digital signature methods. Generally the catalogue’s recommendationsare useful when it comes to interoperability (cf. [Preneel 2006]).

On an international level, the recommendations the NSA provided in “Suite B” arecrucial and valuable (cf. [Temple 2006], [Preneel 2006]). This catalogue suggests:Y Encryption:

AES-128 or AES-256 (Advanced Encryption Standard) (cf. [NSA A 2007])Y Digital signatures:

ECDSA-256 or ECDSA-384 (Elliptic-Curve Digital Signature Algorithm)(cf. [NSA B 2007])

Y Key agreement:EC DH (Elliptic Curve Diffie-Hellman) or EC MQV (Menezes-Qu-Vanstone) withNIST P-256 respectively NIST P-384 (cf. [NSA C 2007])

Y Hash functions:SHA-256 and SHA-384 (Secure Hash Algorithm) (cf. [NSA D 2007])

Unfortunately the functions recommend by the NSA are often lacking implementa-tion. (cf. [Temple 2006]).

“Security of the methods mentioned accordingly relies on:1. the factorising problem of integers,2. the discrete logarithm problem for the multiplicative group of a prime field Fp,3. the discrete logarithm problem for the groups E(Fp) and E(F2m).”[Bundesnetzagentur Algorithmenkatalog 2006]

Additionally one needs to take into account that security of today’s methods isaffected by a combination of computers’ capability and the mathematical founda-tions of the cryptographic algorithms used. This will be outlined in detail below.Security also relies on nobody having found a better mathematical algorithm. Whenevaluating, progress in this area has to be considered carefully, even though it ishard to rate.

In 1978, Rivest, Shamir, and Adleman introduced the RSA algorithm (cf. [RSA 1978]),which is still the application standard of asymmetric cryptography. It is implement-ed in widespread smart card families (signature cards, cards used for financial trans-actions – SECCOS, health cards) as well. This algorithm’s security relies on an effec-tively complicated mathematical problem: Prime factorisation, which is impossiblefor large numbers using today's methods (cf. [Buchmann 2006]). Given a sufficientkey length, a RSA-encrypted document cannot be decrypted within a reasonableframe of time, assuming one does not possess the private key.

Current developments in the area of quantum mechanics could annihilate this pro-tection. Due to their construction, quantum computers are able to make calculations



much more quickly than traditional computers. But it is not only the hypotheticalquantum computer that is putting algorithms security at risk.

In 1996 Shor demonstrated that quantum computers will make factorising RSAmoduli possible and thus break RSA (cf. [Shor 1996]), which would make currentlyused algorithms, similar to RSA, unsafe (cf. [Schmidt 2006], [Brassard 1996]).

According to Schmidt, there are two methods to counteract this:1. develop alternative crypto-systems, e.g. lattice-based crypto-systems2. raise the key length of currently used algorithms

To what extent the first option really does pose an alternative has yet to be deter-mined. Every deterministically unique mathematical problem could probably besolved in polynomial time by using quantum computers. Today one cannot defini-tively say whether it is possible to build quantum computers in sufficient size (cf.[Buchmann 2006], [Schmidt 2006]). Schmidt acts on the assumption that quantumcomputer size increases rather slowly (cf. [Schmidt 2006]). As long as no large quan-tum computers exist the second option seems to be the better choice (cf. [Schmidt2006]). The largest quantum computer existing today is able to factorise the number15 (cf. [Buchmann 2006]), therefore quantum computers do not pose an immediatethreat (cf. [Okamoto 2003]). Against this background one can say that the algo-rithms, like RSA and cryptographic algorithms based on elliptic curves, are safe forthe time being (short-term, up to 10 years) at least (cf. [Buchmann 2006b], [Preneel2006]). Some applications, e.g. code signing and SSL authentication, merely needshort-term security (cf. [Buchmann 2006a]).

Progression in the field of DNA computers is relevant for evaluating cryptographicalgorithms’ security as well. Boneh et al. did demonstrate that massive parallel pro-cessing is possible using molecular computers (cf. [Boneh 1995], [Boneh 1996]).Might this lead to the breaking of encryption keys?

For now hash functions seem to be much less durable than encryption algorithms.The first collisions were discovered six years after MD4 had been launched (cf. [Dob-bertin 1996]). SHA-0 and SHA-1 are based on a similar algorithm, thus – in theory –those became vulnerable too (cf. [Buchmann 2006a]). In this respect hash functionsturn out to be a complex of problems by themselves (cf. [Leitold 2006]), forcing thecryptographic community to work hard on developing better design criteria forlong-term security of hash functions (cf. [Weis 2005], [Buchmann 2006a]).

For applications like the electronic patient record, law demands methods that aresecure for at least 30 years (the legal obligation for medical records). Today’s algo-rithms do not meet this requirement (cf. [Buchmann 2006b]).

It is not possible to say what we will do in 20 years (cf. [Buchmann 2006b]). In orderto be prepared for the future and unforeseen attacks, two things are necessary:



Y a stock of secure alternative cryptographic algorithms needs to be made availableY the applications, using cryptographic algorithms, need to be designed in a mod-

ular way, making it easy to replace algorithms that have become vulnerable (cf.[Buchmann 2006a]).

Giessmann also deems this pragmatic approach to make sense: implementing asecure solution and substituting alternatives by degrees. For this reason, algorithmcatalogues are warranted too (cf. [Giessmann 2006]). The main problem concerninginterchangeability of algorithms is the implementation (cf. Preneel 2006]). Softwareand protocols need to be coded in a way that makes replacing algorithms simple. Asof today, this is not generally the case (e.g. the Microsoft Windows operating system)(cf. Buchmann 2006b]). Buchmann suggests designing applications in such a man-ner that they import the cryptographic algorithms needed from a correspondingcrypto-API like the Java Cryptographic Architecture (JCA) or the Microsoft CryptoAPI. Keys, certificates, etc. need to be interchangeable too (cf. [Buchmann 2006a]).Buchmann introduces the crypto-library FlexiProvider, having all mainstream andalternative cryptographic algorithms implemented on base of JCA. The trustcenterapplication Flexitrust is based on FlexiProvider and is used by the German Root Cer-tification Authority (CA) and the German Country Signing CA. Some experimentalalgorithms, which are intended to provide a certain security against quantum com-puters, are integrated in FlexiProvider via PostQuantumProvider (cf. Buchmann2006a]). FlexiProvider is subject to the GNU GPL (General Public License) and LGPL(Lesser General Public License). It is freely available on the internet (cf. [FlexiProvider2006]). In an interview on the topic, Christoph Busch said that he was in favour ofthe Flexi-PKI concept (cf. [Busch 2006]).

The IEEE (Institute of Electrical and Electronics Engineers) P1363 is a task force work-ing on standardisation of specifications of public key cryptography. The emphasis ofstandardising efforts is on traditional algorithms (e.g. RSA, DSA, etc.) as well as onnew ones like lattice-based public-key cryptography (e.g. NTRU), which are intendedto remain secure once quantum computers arrive (cf. [Buchmann 2006a]). NTRU is apublic-key crypto-system that is much quicker than conventional algorithms (likeRSA). Development and distribution are done by NTRU Cryptosystems Inc. Due tothis system’s speed, it is geared to the embedded systems market and can be utilisedfor telephones and RFID chips amongst others things. The corresponding algorithmsfor encryption and signing are called NTRUEncrypt and NTRUSign. They are alreadybeing used. NTRU Cryptosystems Inc. distributes its security suite for wireless net-works ‘Aerolink’ containing the NTRU cryptosystem (cf. [NTRU 2006]).

Quantum cryptographic algorithms, using the possibilities of quantum mechanics,are another option for generating long-term security. Brennet and Brassard havealready prepared the ground, demonstrating experimental distribution of quantumkeys (Quantum Key Distribution) in 1989 (cf. [Brassard 1996]). Most experimentalquantum cryptographic algorithm prototypes existing today are based on the QKDprotocol BD84 published in 1984. The question that has to be met during further



research is: how secure is QKD actually? (cf. [Brassard 1996]). QKD would not be asolution for internet applications or end-to-end communication for those who needa common channel (electro-magnetic wave or wired channels). Conventional quan-tum cryptography demands a quantum channel (cf. [Okamoto 2003]). Currently noapplicable quantum cryptographic algorithm exists. More research is needed onthis topic.

Even though there are preliminary methods of securing bank transfers via quantumcryptography (cf. [Wissenschaft.de 2005]) none of them is functional. Despite com-panies already offering products covering this area, practical usability has to be con-sidered nonexistent (cf. [ID Quantique 2007], [SmartQuantum 2007]).

1.3 Man between the conflicting priorities of technology and economics

Another problem being discussed in conjunction with IT security is the threat posedby the human factor. Experts often consider the person operating a system or appli-cation the number one vulnerability (cf. [Preneel 2006], [Temple 2006]). In fact, sys-tems are secure on a technological level but are not designed to be used by humanbeings since they forget or (sometimes involuntary) give away theirs passwords –amongst other things. Attackers do not try to break cryptographic algorithms butrather take aim at elements promising an easier break-through: On the one hand,this is the implementation; on the other hand, it is the user (social engineering) (cf.[Hilton 2007]). Additional awareness measures (cf. [Busch 2006]) could be oneoption, as well as other measures like biometry (cf. [Giessmann 2006]) or Singlesign-on (SSO) combined with smart cards and biometry. Those could gain moreacceptance by providing better usability (cf. [Kuppinger 2006a]).

Tagging the user as being weak is short-sighted though. IT users are hard to‘reshape’, even when using awareness measures. Technology is much easier to con-figure. Man should not have to conform to the system: the system should conformto man. IT has to be designed in a way encouraging users to make simple decisionsinstead of being overwhelmed by the system’s complexity (cf. [Kuppinger 2006a]).Chapter 3 “Operating Conditions” contains a detailed discussion on this topic.

1.4 Tokens & Trusted Computing

A token is a sort of “bit pattern” used for authentication. The term originates fromnetwork engineering, featuring the token ring technology which has been devel-oped for linking computer networks. The device holding the token is allowed to senddata. In the field of security a token is defined similarly. A token is represented eitherby software (e.g. the access token used for logging into MS Windows contains accesspermissions too) or in combination with hardware devices (e.g. a chip on a smart



card, an USB memory stick) and is also called a “crypto-token”. With the token, appli-cations can be used as authorised. Hardware tokens add the aspect of physical own-ership. Nobody but the person holding the token is able to authenticate him or her-self to a system or an application. The systems called tokens are being used for avariety of applications (electronic health cards, ticketing, finances, etc.) (cf.[Williamson 2006]).

Chip cards holding an embedded chip, hardware logic, and memory are called smartcards. Shelfer’s paper provides an overview of smart card types, infrastructures andstandards (cf. [Shelfer 2002]). RFID chips, which provide all functions smart cardsoffer, are available as well. They are based on the same concept and allow for realis-ing contactless chip cards. This extended the scope of possible shapes. Smart cardchips can be easily blended in portable (and personalised) devices (e.g. USB memorysticks, mobile phone, etc.).

The lack of a viable method of identification has kept smart cards from gainingmuch popularity, but the situation has been improving. Currently, there are no stan-dards defined, but this is being worked on. ISO standard 25727 sounds promisingwith respect to interoperability. (cf. [Williamson 2006]). In (cf. [Spitz 2006]) it isdescribed in detail.

Bakdi introduces a method for combining several smart cards in one. The approachof “virtual tokens” allows for the operation of several applications on one hardwaretoken (cf. [Bakdi 2006]). RFID systems, being used en mass, will be a future hot topicin security discussions. Providing for privacy and data integrity using these systemsstill poses a challenge (cf. [Calmels 2006]).

A trusted platform module (TPM) is a smart card derivative associated with an APIand protocols for enhancing trustworthiness of computing platforms or otherdevices (trusted platform). The goal is to form a cryptographic hash chain, represent-ing the current execution status, and to store this value securely in one register of theTPM. By asking the TPM to generate a signed data block having the value of the hashchain, the counterpart is able to verify whether the platform resides in a secure modeof operation (cf. [Portitz 2006]). TPMs have been developed by the Trusted ComputingGroup (cf. [TCG 2006]). TPMs being bound to systems and not persons is the mostimportant difference between them and smart cards. TPMs were developed to pro-vide a more appropriate base for high trust platforms (cf. [Sandhu 2005]) and are sup-posed to form a “root of trust” (cf. [Sadeghi 2006]). Many platforms containing a TPMhave already been rolled out (cf. [Sadeghi 2006]). The architecture allows for laterintegration of newer methods, like lattice-based access control (cf. [Sandhu 2005]).

The BSI appreciates the security initiative regarding trusted computing initiated byMicrosoft. That is because of the fact that at the present time PCs are fairly vulnerableto malware, since “… the operating systems currently used – especially the MicrosoftWindows family – can fend of those threats imperfectly at best.” The BSI expects IT



security to improve, but also states that worries about “… too many limitations in usingcomputers ad libitum” can not be dismissed. It is still to be determined “… whicheffects this will have on free software solutions (Open Source)” (cf. [BSI 2006b]).

TPMs are already commonly used within the PC field and handy for devise authenti-cation (cf. [Giessmann 2006]), [Preneel 2006]), while chip cards are useful for authen-ticating human beings (cf. [Giessmann 2006]). Combining TPM and smart cards couldbe of great value (cf. [Preneel 2006]), since separation of personal data and device isdesirable for data privacy, e.g. with mobile computing (PDAs, mobile phones and soon.). Personal data is stored on the smart card held by the user. The smart card, on theother hand, is necessary for authentication against the TPM (cf. [Gawlas 2005]). Tem-ple also considers the TPM standard to be stable (cf. [Temple 2006]).

In order for trusted computing to be applied widely several problems must besolved:Y TPM complexity: Number of commands and parameters seem impossible to

handle. An analysis of essential functions which must be included is missing.Y TPM compliance: Many implementations do not comply with the specification, it

is impossible for users to check trustworthiness of compliance of their TPMY Maintenance: If the platform configuration is modified, methods for recovering

sealed information and backups are neededY Trust infrastructure: A framework for handling trust is needed; this applies to

platform certificates, trusted channels, attestation kernel, etc.Y Attestation: Existing methods of attestation are not sufficient. Further thoughts

are needed: Current methods reveal the systems configuration. Data privacy isdisregarded. There is an approach of “property-based attestation” which needsfurther specification.

(cf. [Sadeghi 2006])

The approach of “property-based attestation” sounds interesting but needs furtherresearch. Poritz criticises that TPM does not attest the security state of the platformbut rather the execution state (cf. [Poritz 2006]).

1.5 PKI applications

PKI technology and the asymmetric cryptographic it is based on provide securityfunctions like user authentication, identification and electronic signatures.

1.5.1 Authentication, identification and signatures

Authentication is a process establishing a user’s identity. PKI can be used as one partof this process. Additionally it is possible to authenticate technical components likerouters. User authentication can take numerous forms. The most common one is



asking the user to identify him or herself by entering a user id as well as a passwordor PIN. The authentication processes security depends on the number of proofs orelements asked for at run time. (cf. [Nash 2001]).

Traditional authentication methods like password or smart card methods are basedon the user possessing a particular piece of knowledge known only to him (verifica-tion of identity by knowledge) or a personal authorisation key (verification of iden-tity by possession). In contrast biometrical methods use physical or behaviouralcharacteristics of the user. (cf. [TeleTrusT 2006]).

PKI is able to guarantee a client’s identity, when using a protocol like SSL. The utili-sation of public/private keys and certificates can be considered a two-factorauthentication method. PKI authentication is based on the user to be authenticatedproving the possession of a certain private key. For this purpose the peer request-ing the authorisation sends him a challenge (random number) he is supposed tosign with his private key or a challenge that has been encrypted using his (theuser’s) public key. Given the first option the requestor verifies the signature byusing the public key and therefore verifies the possession of the private key as well.Given the second option evidence is supplied by the user decrypting the challenge.The decrypted challenge might serve as a session key for the following communi-cation (cf. [Nash 2001]).

One way of bundling authentication mechanisms is Single sign-on (SSO). On the onehand it is supposed to enable the user to use the same authentication method, e.g.the same password, for authenticating against different systems. On the other handthe user is supposed to need just one authentication process to authenticate againstall systems. SSO systems are realised using a SSO server, which is inserted betweenthe companies’ desktop computer and the respective application servers (cf.[Schmeh 2001]).

Identification is the process of verifying a person or an object by unique designatingfeatures presented. Several methods are available for this process, like smart cards orbiometric methods, which will be discussed further in the section “Alternative Con-cepts”.

User identification is not a PKI application in the usual sense however. Based on therole of conventional signatures, the following functions arise for their digital coun-terpart: identification, authenticity, termination, and warning. With regard to digi-tal signatures, this implies that they are to ascertain the signer’s identity beyonddoubt on the one hand. On the other hand digital signatures must not be reusableand need to be valid in connection with the original document. Moreover later mod-ification of the signed document must not be possible and the receiver must not beable to reject it. Using asymmetric methods those requirements can be fulfilled.Generation of digital signatures is based on the Digital Signature Standards (DSS) aswell as the Digital Signature Algorithm (DSA) (cf. [Eckert 2006]).



1.5.2 PKI standards and protocols

The protocols and standards described below provide the basis of public key infra-structures.

1.5.2.1 Protocols

Secure Sockets Layer, SSL, is the best known and most commonly used PKI-basedprotocol. SSL establishes a communication channel between both peers, which issecured at the transport layer level. Confidentiality of communication is guaranteedby providing asymmetric encryption and integrity through message authenticationcodes (MACs). SSL uses PKI mainly to authenticate the peers while establishing theconnection (cf. [Nash 2001]).

IPSec defines a secure background and several security services for (IP) communica-tion on network level. For IPSec two operation modes are defined: the tunnel modeon the one hand and the transportation mode on the other. Using the tunnel mode,the complete IP package is encrypted and becomes the data part of a new, largerpackage, which is equipped with a new IP header and an IPSec header. In trans-portation mode, the IPSec header is directly inserted into the IP packaged. The tun-nel mode is primarily used by gateways and proxies. IPSec is implemented by rout-ing components. In addition to proficient security attributes, IPSec also features agreat deal of flexibility (cf. [Nash 2001]).

S/MIME, the Secure/Multipurpose Internet Mail Extensions provide attributes forauthentication, integrity and confidentiality of messaging applications. S/MIME isnot limited to e-mails and can be used by other S/MIME compliant transport mech-anisms like http. Using this protocol individual message parts can be secured as wellas several different parts or the message as a whole (cf. [Nash 2001]).

Using services of a time stamp authority the Time-Stamp Protocol, TSP, proves thatdata existed at a certain point in time. TSP is a simple request/response protocol.The peer needing a time stamp submits a TimeStampReq message, to the TSA, so asto request the time stamp. The TimeStampReq message contains a hash of the datato be time stamped. The TSA returns the time stamp sending a TimeStampRespmessage. The TimeStampResp message contains the requests state and the timestamp. The transfer is signed and formatted according to CMS specification (cf.[Nash 2001]).

Wireless Transport Level Security, WTLS, provides functions similar to those of TLS,but deals with wireless transportation in particular. WTLS features handshake opti-misation for example and allows for refreshing keys dynamically in order toimprove the performance of wireless networks of low bandwidth and relativelyhigh latency. In contrast to TLS WTLS can be used in connection-oriented or connec-tion-less networks. (cf. [Nash 2001])



1.5.2.2 Formatting standards

In order to ensure interoperability of PKI applications it is necessary to lay downappropriate standards for data syntax.

X.509 is the most important PKI formatting standard and thereof represents thedefault format for certificates. It is the basic standard used to define the structure ofa PKI certificate. The current version X.509 Version 3 supports additional attributefields, which enhance the flexibility of certificates considerably. X.509’s high flexi-bility results in interoperability problems though (cf. [Nash 2001]).

PKCS, the Public Key Cryptography Standards, were developed to support interoper-ability of public key cryptography. They offer fundamental definitions of data for-mats and algorithms that most present-days PKI implementations are based on (cf.[Nash 2001]).

XML, the eXtensible Markup Language, provides flexible options for defining digitaldata formats. A typical operational area of XML is to define formats of signed datablocks. The signature elements serve as a segregation of the data signed and maycontain additional information on the signature, like time stamps (cf. [Nash 2001]).

1.5.3 Did asymmetric cryptography dash the vision of simple PKI solutions?

The idea of PKI was phrased in immediate context to key management features ofasymmetric cryptography originally. It posited a hierarchical internet infrastructurefor managing the bindings of public keys to each person with a unique name andwas to impart a unique electronic identity for everyone by this means. So much forthe vision. It could never be resolved who was to bear the immense infrastructureefforts and what a suitable business model could look like. Therefore, the idea wasonly partially realised – it lives on in Verisign’s personal certificates for an instance.In connection to development of standards the registration authority (RA) and cer-tificate authority (CA) were defined; both have been substantial elements of PKIinfrastructures ever since. Both authorities obtain the manner and extent of theirpublic trustworthiness via normative sets of rules (policies) regulating technicaland organisational processes. The user transparency of this trust models is notimmediately given, hence proper risk assessment is often impossible.

Regarding IT security applications, experts worldwide acknowledge qualificationand functionality of PKI technology. All the same, the expected use of PKI technolo-gy within the public internet has not yet taken place. Within closed user groups andfor special applications on the other hand, PKI concepts have increasingly been putinto effect. Large companies often realise IT security management based on PKI;whereat chip cards are increasingly introduced as a staff badge featuring IT securityfunctionality.




Using digital signatures to allow digital documents to be treated as if conventional-ly signed is one real world example of a public PKI. Those developments caused theexistence of a wide range of PKI domains. Those domains rule out simple hierarchicnetwork structures mainly due to them not being interoperable and lacking compa-rability regarding policies. Requirements posed on infrastructure did get signifi-cantly more complex in comparison to the basic concept: In addition to managingpublic cryptographic key’s bindings with names of persons or instances the person-alisation and lifecycle of chip cards must be managed as well.

No useful application has yet been developed that is worth the infrastructure costs(chip card, certificates, technical devices, losses of performance) to the “average cus-tomer” and the will to provide the trusting party with a gain of security. Manyauthors contemplate this problem. Many people have attempted to make the use ofthis technology possible.

According to Eckert “The substantial risks involved […] pose […] one important obsta-cle […] for the lack of area-wide rollout of signature cards […], since even banks(example: cash cards acting as signature cards) are not willing to bear them” [Eckert2006]. Eckert expects new impulses from implementation of the electronic healthcard as well as the electronic income statement “ELENA”. Starting in 2010 ELENA issupposed to provide about 35 million employees with means to apply qualified sig-natures to electronic administrative proceedings and business transactions. Accord-ing to Eckert this could make ELENA the “looked-for killer application” for electronicsignatures (cf. [Eckert 2006]).

According to Wiegel a many reasons are responsible for PKI failing: Company-wideroll-outs are confronted with high organisational barriers. The complicated han-dling results in users being scared off. Furthermore it is pretty difficult to prove thatinvestment in PKI will pay off – considering the economic point of view (cf. [Wiegel2005]). In the chapters on economic considerations and the operating conditions ofPKI this will be discussed further. Wiegel considers external key management to bea user problem, mainly because of “users having no difficulties applying securityfunctions using their personal private keys – authentication, signing and encryp-tion” [Wiegel 2005]. Security functions, needing public certificates or public keys, areusually hard for the user to understand because of the trust settlement being hardto understand (cf. [Wiegel 2005]).

According to Rossnagel unfair allocation of costs and benefits is the main problemof using electronic signatures. The user bears the cost but gets nothing in return. Onthe other hand public authorities bear no costs but profit the most (cf. [Rossnagel2006]). So far, attempts at developing a business model that avoids this problemhave failed. (cf. [SigBü 2005]). In order to solve the problem of acceptance of PKI solu-tions, the main “focus” needs to be on “early adopters” [Rossnagel 2006].

Problems of PKI are described more drastically by Clarke and Nash. According to


Clarke “conventional PKI developed according to ISO standard X.509 is a completefailure” [Clarke 2001]. He sees the reasons for this in “complexness and tremendouscosts” [Clarke 2001].

Nash cites the integration of PKI in applications, “faulty at best”, as the main obsta-cle. Infrastructures are of no use “until there are applications that can be integratedand that can use the service available within the infrastructure effectively” [Nash2001]. Flexible trust models could be one reason for inadequate integration. Theauthors suggest further research on this topic.

Schultz objects and considers the implementation to be the main problem, which“as most things originating in the world of information security”, is too complicated.


Figure 1.1: Complex background of PKI-supported business processes


“If PKI does not get easier to use, it will not become part of the cyber world we livein” [Schultz 2002].

Transparency of methods used is often cited as one possible solution for the accept-ance problem of PKI. “In order to be successful in the long run”, Nash says for exam-ple, “PKI has to perfectly integrate into business software so that PKI presence istransparent.” The main topics that need to be addressed according to Nash are “oper-ating convenience, transparency of the underlying infrastructure both for applica-tions and users, as well as a large degree of interoperability.” As every good infra-structure PKI works best if not noticed (cf. [Nash 2001]).

The expert interviews that have been executed within the framework of this studyreflect these statements. Public key infrastructure’s right to exist is not questioned.Most experts stress the lack of killer applications or enablers as of today though (cf.[Buchmann 2006], [Busch 2006]).

According to Pohlmann capital applications and infrastructures are missing. Everydayobstacles of realisation are much too high (cf. [Pohlmann 2007]). According to Busch’sopinion PKI could be excellently implemented in devices already being widely used,such as mobile phones. This would raise the general acceptance (cf. [Busch 2006]).

Again and again the interviewees stressed that PKI applications need to be transpar-ent to the user in order to be accepted. “PKI works best when the user is spared ques-tions which are har[d] to decide on anyway”, says Temple (cf. [Temple 2006]). Large-ly applied transparency, resulting in trust model and trust relationships being easyto comprehend, fosters awareness and appreciation of problems. Transparency doesnot imply hiding complexity, but rather eliminating it in the end.

Generally, says Preneel, PKI has been “over hyped”. It is no universal solution for all prob-lems. On the contrary: PKI has fulfilled all fundamental expectations (cf. Preneel 2006]).

Pohlmann sees the underlying cause in PKI being over-interpreted. It is a necessaryinfrastructure – nothing more, nothing less (cf. [Pohlmann 2007]). For Beutelspacherextreme complexity of PKI poses the grave obstacle for PKI being commonly used.For that reason the X.509 protocol, which PKI is based on, as well as the necessarychip card infrastructures and chip card aiding processes, should be simplified. Fur-thermore virtual applications with speciously ideal security traits do not help.Instead decent risk management should be practised (cf. [Beutelspacher 2007]), inorder to choose application oriented robust and pragmatically secure PKI solutionswith lower technical and organisational efforts.

Since PKI concepts based on current standards are rather complex many simplersolutions are used. On of these solutions is PGP. In the classical sense this methodsuses a Web of Trust, an “anarchic approach which emulates the trust structure of theorderless internet community” [Kirsch 2001] and “thereby bypasses the need of pro-



fessional CAs, since everyone is able to issue certificates” [Clarke 2001]. While theweb of trust offers many advantages for private use - compared to a X.509 hierarchy– according to Kirsch it is less useful for companies (cf. [Kirsch 2001]).

The Simple Public Key Infrastructure (SPKI/SDSI) poses a simplification of X.509.Certificates with local names provide one mayor foundation of this method, sinceglobally unique names proved to be impractical. According to this concept everyuser is to connect the public key of another user with a chosen name or a trait (cf.Schmeh 2001]). In practice SPKI/SDSI currently plays a tangible role.

Cross-certification poses another option for simplifying. Cross-certificates or multi-certificates are present when one subject is certified by more than one user. Theyserve to link certification hierarchies as wells as abbreviating certificate chains (cf.[Hammer 2001]).

1.6 Alternative concepts

Symmetric encryption methods, using one key as opposed to asymmetric cryptogra-phy, hybrid certificates or alternative infrastructures like PGP can be considered asan alternative to PKI. Biometry should be discussed as an alternative authenticationmethod too.

1.6.1 Symmetric encryption and key management methods

Even though asymmetric methods offer a vast number of advantages, due to per-formance reasons, symmetric methods currently do play a large role (cf. [Beu-telspacher 2006]). According to Eckert these are of great practical relevance, since theencryption and decryption algorithms used are based on very simple operations,which can be efficiently implemented in hardware and software (cf. [Eckert 2006]).

For a long time the Data Encryption Standard (DES), defined by the NIST (USA) in1976, has been used for symmetric encryption. The whole key space consists of just56 Bit. Given the state of technology this is not enough. The effective key length ofDES has been temporarily upgraded (TripleDES). On this basis sufficient security for“not classified” US administration documents and international financial transac-tions is guarantied. The Advanced Encryption Standard (AES), being realised withhelp of the Rijndael algorithm, has been chosen as DES successor by internationalexperts. According to Bruce Schneier its one downside is “the problem of correct pro-nunciation” [Schneier cited after Eckert 2006]. In 1985 X9.17 was introduced, a stan-dard used for key management of symmetric key in the field of banking.

One important protocol, being widely used in the field of user authentication, is the Ker-beros protocol. It provides a distributed authentication service based on symmetric cryp-



tography. Passwords are not transferred, Single Sign On is allowed. A three-headed dog ofGreek mythology (Cerberus), guarding the entrance to underworld, provided the idea forKerberus. Based on this picture the kerberus architecture provides a trusted third party:the Kerberos server, containing key distribution center (KDS) for key generation and keymanagement of a Kerberos session, the authentication server (AS) and the ticket granti-ng server (TGS), and acts as a trust authority for servers and clients. The main advantageof Kerberos lies within the complete abandonment of asymmetric encryption. “The cen-tral servers provide an ideal point for an attack though” [Schmeh 2001].

Symmetric key management systems are widely used within the field of mobilecommunications as well as for encrypting cable and satellite television. They tooallow for effective authentication methods.

1.6.2 Hybrid Methods

Hybrid methods aim at compensating the effort for encryption and the slow cipher-ing and deciphering of asymmetric encryption. This approach combines advantagesof symmetric encryption with those of asymmetric encryption. In the figurativesense this correlates to a wedding of high procession speed because of fast algo-rithms of the family of symmetric encryption and the public key exchange of asym-metric cryptography. Hybrid methods practise message exchange using symmetricand key exchange using asymmetric encryption instead. By now all important pro-tocols like SSL or S/MIME use hybrid methods.

1.6.3 Biometry

1.6.3.1 Biometric authentication

In connection with biometry, authentication stands for ”testimony of authenticity”[TeleTrusT 2006]. Biometrics are mainly used to realise authentication methods.Unlike traditional authentication methods, biometry uses physical or behaviouraltraits of the user to authenticate him. Therefore not only traits related to the user arecaptured but also those linked to him (cf. [TeleTrusT 2006]).

According to Donnerhacke biometry is a secure tool for authentication, keys andpasswords on the other hand serve for nothing but authorisation. “The differencemay be small, but it is essential: Authentication is bound to a person, authorisationon the other hand can be transferred” [Donnerhacke 1999].

Jueneman on the other hand, considers biometric methods to provide an excellentoption to control physical access to local networks or to authenticate someone butnot sufficient for securely authenticating the author or content of an electronic doc-ument (cf. Jueneman 1998].



Therefore biometric authentication cannot be considered secure unless combinedwith an existing method of authentication like PIN, password or smart card, result-ing in a multi level authentication (cf. [Nash 2001]). The most secure method is thethree-step authentication, including biometric data, smart card and a PIN forunlocking the smart card. However, Nash suggests considering that such a methodmay increase a systems security but not its usability (cf. [Nash 2001]).

1.6.3.2 Biometric identification

According to TeleTrusT’s criteria checklist for evaluating biometric methods, currentbiometric data of a person is captured while being identified and compared to bio-metric reference data of a number of individuals (1:n comparison) that have beencollected beforehand. Those reference data may be stored in a database. A multitudeof comparisons is performed. The person is identified as the individual whose bio-metric reference data record matches the current biometric data record of the per-son within the chosen tolerance limits (cf. [TeletrusT 2006]).

According to Krause, all problems of today’s biometric identification and authenti-cation are based on the fact that the rate of data processing of popular (and there-fore affordable) computer systems is not adequate for processing enough data with-in the desired time. Krause describes this as the primary problem of biometry (cf.[Krause 2005]). Furthermore biometry cannot compete against most common meth-ods yet despite its high technical standards. Field tests of different biometric meth-ods also did not produce satisfying results (cf. [Krause 2005]). The BioFinger studyconducted by the BSI in 2004 testing 13 different finger print sensors demonstratesthis as well. Most of the equipment tested exhibited a false rejection rate (FBR)7 ofmore than 3% (cf. [BioFinger 2004]).

1.6.3.3 Rating of biometric methods

In literature as well as in the interviews conducted within the course of this study,different trends for rating chances and risks of biometry can be found. Benefits of bio-metry are generally seen in convenient use as well as in the fact that, unlike thingslike passwords, biometric traits can not be forgotten or stolen (cf. [Sukhai 2004]).

Gravenitz considers higher security, convenience, simple usability, speed, and theassociated higher comfort to be the benefits of biometry as compared to conven-tional authentication methods. In particular the need to memorise passwords orPINs does not apply. Furthermore when substituting knowledge-based authentica-tion systems with biometric methods, the administrative effort of PIN-based andpassword-based methods will be eliminated (cf. [Graevenitz 2006]).


7The „false rejection rate […] [describes the] (mostly percentual) quota of wrongly rejected authorisedindividuals“ [TeleTrusT 2006]


In addition to enhanced security and simplification for the user Pohlmann pointsout biometry’s orientation towards the future, providing the user with investmentsecurity (cf. [Pohlmann 2003]).In contrast, many experts consider the high costs of biometric authentication to bethe main disadvantage. Moreover the lack of standards, which would allow for inter-operability of different devices, is often criticised (cf. [Albrecht 2001]).

According to Chandra, biometry itself is not a sufficient information security mech-anism. Rather, it needs to be combined with other components or integrated withthem (cf. [Chandra 2005]). Chandra too sees the problem of high costs being causedby implementation of biometric methods. Additionally he points out that thematching process of existing standards is extremely imprecise. From his point ofview, the main problem of biometry is the user’s lack of trust in the technology.Trusted Third Parties could be a solution to this problem, verifying security andintegrity of biometric databases for example (cf. [Chandra 2005]).

Graevenitz sees fundamental shortcomings in susceptibility to fraud, a lack of secu-rity against overcoming of measures, and high error rates. This can be attributed tothe lack of accuracy in the methods used. Additionally the difference between con-venience and security of biometric methods is large. According to Graevenitz theyeven are “inversely proportional to each other” [Graevenitz 2006].

Schneier is sceptical toward biometry as well and phrases the central problem ofthis technology as: “Biometric traits are no secret, they are left everywhere. As soonas a biometric trait has been stolen it stays useless for the rest of one’s life” [Schneier1999].

According to TeleTrusT’s criteria checklist for evaluating biometric methods, han-dling of biometric systems needs to be marked by simplicity, speed, convenience,ergonomic user devices and transferability of access authorisations in typical day-to-day work life (cf. [TeleTrusT 2006]).

1.6.3.4 Outlook

General information on the capabilities of biometric methods in IT applications hasalready been gained trough the projects BioTrusT (cf. [BioTrusT 2002]) and ROBIN (cf.[Bong 2005]). According to these projects, security of employee authentication aswell as security of data transfer is enhanced significantly by using biometric meth-ods in combination with smart cards. However, integration with different opera-tional environments like single workstations or corporate networks proved to belaborious for vendors as well as operators. This can be attributed to the high com-plexity of the international industry standard BioAPI.

In the course of this study, experts criticised the fact that an enabler or killer applica-tion for biometric methods is still lacking. As with PKI a device could be used here,



one common in everyday life like a mobile phone (cf. [Busch 2006]). However, stan-dards, which would allow for interoperability of different solutions, are lacking aswell (cf. [Busch 2006]).

Pohlmann and Leitold on the other hand clarify that security of biometric methods isnot completely secure. Leitold adds that secure application might be possible whencombining biometry with smart cards however (cf. [Leitold 2006], [Pohlmann 2007]).

Paar also puts the security issues of biometric methods in the right perspective. Intheory biometry may be conquerable, in practice, however, a medium-weak biome-try system combined with a mediocre password already offers high security (cf.[Paar 2007]).

Preneel considers the application of biometric methods useful if a certain FAR8 is tol-erable, thus with local applications (cf. [Preneel 2006]). Cardholm sees the long-termfuture of biometry within replacing passwords. For replacing digital signatures theyare not suited though (cf. Cardholm 2006]).

In order to help biometry to be commonly used as means of authentication andidentification Graevenitz considers the implementation of biometric technologiesby governments inevitable and necessary. Initial applications like biometric bordercontrol by means of biometric passports or eGovernment applications will result inbiometry penetrating commercial and civilian applications in the future, thoughbiometric methods can only ever be one part of an entire security concept. In thisrespect, it is to be assumed that biometry will take hold in everyday life (cf.[Graevenitz 2006]). Graevenitz describes the use of biometric traits for elections asone possible use case. Such systems could determine the true identity of the voter,and it would be possible to eliminate election fraud conducted by repeated voting(cf. [Graevenitz 2006]).

1.7 Evaluation

According to Schmeh security is a “highly abstract commodity and therefore notmeasurable” [Schmeh 2001]. Often, however, it is desirable to measure and prove asystem’s security. Even though security is not measurable, methods for “ranking[software and systems according to security] on the basis of definite criteria” weresought [Schmeh 2001]. This ranking is implemented by governmental agencies, likethe Federal Office for Information Security (BSI). Reviewing the compliance to thosecriteria is called evaluation. When the evaluated product receives a certificate theprocess is called certification (cf. [Schmeh 2001]).


8The „false acceptance rate […] [describes the] mostly percentual rate of wrongly accepted unauthorisedindividuals“ [TeleTrusT 2006]


According to Savola’s evaluation, a system’s security depends on the securityexpert’s level of experience. In order to make the evaluation more efficient an auto-matic approach is needed. Savola argues that no practical approach for a systematicevaluation exists as of today. He introduces a holistic approach (framework) basedon security behaviour modelling and security evidence collection. The processmodel for security evaluation consists of the following steps:

1. risk and treat analyses2. definition of security requirements3. prioritisation of security requirements4. modelling secure behaviour5. evidence collection6. determining the probability of certain events7. summarising results(cf. [Savola 2006])

According to Rottke there is an increasing demand of certifying systems’ securitybased on the Common Criteria (CC). The CC contain the requirements secure sys-tems need to fulfil but do not help with designing secure systems. Rottke introducesa method for requirement engineering and modelling of systems in order to accom-plish a better evaluation after CC (cf. [Rottke 2002]).

Evaluations based on CC are highly cost-intensive and time-intensive. An evaluationis of no use when it takes longer than the system is on the market (e.g. with mobiletelephones) (cf. [Leitold 2006]). Costs and time needed depend on availability ofaccurate developers’ documentation, complexity of software, and reusability of ear-lier evaluations. The goal of the CC-SEMS (CC Security Management System) pro-posed by Rottke is a practical evaluation checklist that contributes to automation ofevaluation and managing of the evaluation process (cf. [Bang 2006]).

Cardholm considers the CC to be to complex and repressive. For a more broad use itshould be included in generic certifications like ISO 27000 (cf. [Cardholm 2006]). ForPreneel on the other hand, the CC provide distinct rules and protocols and are a goodmarketing tool, but generates a lot of paperwork. Preneel, like Cardholm, presumesthat the market will evolve towards simpler solutions (cf. [Preneel 2006]). Accordingto Temple, the CC could help with developing trust, but are expensive and inflexible.As an example Temple mentions risk management (cf. [Temple 2006]).

1.8 Summary

The chapter “Technical outlook” mainly deals with how to evaluate crypto-basedapplication (PKI) for identification, authentication and signatures with regard totheir investment secure integrability in electronic business processes. The mainfocus has been laid on reflecting long experience of IT security experts and the



resulting view on permanently insecure cryptographic methods and their flawedimplementation on the practical security experiences at hand. In doing so it becameapparent that success and effectiveness are not influenced by gaps in the range oftechnology.

The goals for necessary and practical achievable security of business processes canonly be identified by well-founded risk management with special regards to theusers. Important conclusions comprise the facts that interoperability of security solu-tions is essential within application environments and that implementations mustnot be constrained by inflexible specifications or technology-oriented regulations.

When introducing a PKI, aspects of risk-assessed investment security and useracceptance take priority. In the process established as well as new technologiesshould be flexibly used. The speed of innovation of the examined applications foridentification, authentication and signatures result in the problem that their quan-titative security features can not be evaluated in their entirety before implementa-tion. An ongoing risk assessment of those applications is suggested and serves toidentify relevant security holes in the process as well as the technologies used.Therefore a migration strategy for security solutions, which should be based onstandard interfaces, should exist as an essential element of an investment-securePKI deployment.



2.

Economic Insights

2.1 Methodology

This chapter covers the economic aspects of PKI use. We examined whether success-ful use can be justified from this point of view and in which cases this would be pos-sible.

First, we examined whether there are concepts or applications which are clearlyidentifiable as PKI usage scenarios. Based on di≠erent criteria which we developedusing literature research and practical insights a classification was worked out, andreviewed in project-internal discussions.

Following, server and user certificates were examined using the FH Brandenburg –Brandenburg University of Applied Sciences – as an example. We intended to deter-mine whether – and to what extent – PKI use is to be considered on business processlevel. Furthermore, we wanted to verify whether PKI can be credited with anenabling function. Therefore, responsible persons were interviewed in order to iden-tify criteria of success as well as the economic background.

Within the course of the workshop we hosted (see chapter “Workshop – Findings”) itbecame obvious that orientation on business process is currently not relevant forpractice. PKI implementation is considered to be an infrastructure investment.Based on this observation, we further examined which key figures could be used forjustifying an investment decision. Out of the variety of key figure methods avail-

Chapter 2 | Economic Insights | 39


able, we considered those more detailed which are commonly accepted and applied.We emphasised regarding quantitative as well as qualitative aspects. Based onanonymised company data, a cost-benefit analysis was conducted.

This step caused the insight that only a combination of di≠erent key figure methodsprovides a holistic picture which can be used for justifying an investment decisionin detail and reality-oriented.

2.2 Usage scenarios

2.2.1 Objective

As a basis for surveying success criteria, it is necessary to identify appropriate PKIusage scenarios. This is done in order to clarify whether it is possible to directlyrelate PKI scenarios to successful implementations. However, at first we need toexamine if and how PKI scenarios can be classified based on appropriate criteria.

2.2.2 Classification approaches

The huge number of possible scenarios for implementing methods for identi-fication, authentication and signing needs to be limited. Thus, the players involved,the security objectives, and the stakeholders will be examined. We need to explore ifit is possible to identify an obvious influence these might have on choice and suc-cess of using PKI applications.

2.2.2.1 Classification according to involved players

The first scenario considers the players involved. Based on terms for informationstorage and processing in IT systems, we distinguish between subjects and objects.Subjects are individuals and juristic persons. Objects are components of IT systems(hardware, software, files, processes).1 This results in three di≠erent classificationapproaches:

Subject – SubjectIn a subject-subject relation persons (individuals and/or legal entities) mututal iden-tify and authenticate each other. This is done using attributes of the persons to beidentified or by proving ownership of items that identify subjects against others.Individuals authenticate each other using biometric attributes; legal entities byproving ownership, e.g. of a trade register excerpt. Authentication of individuals

40 | Chapter 2 | Economic Insights

1 The IT security literature also distinguishes between passive and active objects (cf. [Eckert 2005], p. 2f.).This differentiation will not be used in this context.


against legal entities can be done both by characteristic attributes, e.g. by appear-ance, and by prove of ownership, e.g. ID card. Digital processes use digital signatures.2

Typical use cases for digital subject-subject relations are e-mail, instant messaging,voice over IP (VoIP), or exchange of documents and contracts. Asymmetric cryptog-raphy can be implemented using di≠erent technologies. Various trust models arerelevant in this context.3

Subject – ObjectIn a subject-object relation, persons (subjects) interact with IT system components(objects). The subject is identified by a unique user-ID, and authenticated by meansof password/PIN or other characteristics like biometric features. At simplest, objectsare authenticated using addresses (e.g. MAC address) or other device characteristics.When using higher security levels the authentication is done using cryptographicmethods (e.g. web servers use a SSL certificate). Persons authenticate themselvesagainst technical systems mostly, but it is rarely the other way round.

There are manifold use cases: client/server applications in company intranets, e.g.(smart-card based) computer logon, miscellaneous internet o≠ers, like online-shop-ping or electronic banking using TAN or HBCI, or the so-called virtual administra-tion (administrative o≤ce for citizens, tax o≤ce, university, etc.) incl. digital tax dec-laration or electronic votings, many eCommerce and eGovernment solutions. A vari-ety of technical solutions are deployed.

Object – ObjectWith this approach, technical systems identify and authenticate themselves mutu-ally. Identification is done by digital IDs, e.g. GUID or IP address. Authentication isdone using cryptographic procedures and certificates, e.g. for servers or routers.4

Since users usually do not notice these processes, user acceptance takes a subordi-nated role in this context which is not the case with most approaches.

Fields of application are, for instance: automated online orders, credit card clearanceprocesses, signing device drivers and operating system files5, as well as mobile appli-cations (software agents) or so-called ad-hoc networks. Depending on the specificuse cases di≠erent methods are used.

Resulting from the trend towards service-oriented architectures (SOA) direct sub-ject-subject relations will increasingly be replaced by subject-object-object-…-object-subject chains. Objects in the middle of the chain may not be defined at the


2 Cf. [Signatur 2001], § 2.3 See explanations on PKI in the appendix.4 Cf. paragraph “Successful Business Processes Applications”.5 E.g. device drivers and files in MS Windows XP/2003 are digitally signed by the manufacturer. cf. [Microsoft

2005]


beginning of the request. That’s why questions regarding the trust relationships stillneed to be discussed. (cf. [Paulus 2006b], [Kuppinger 2006b]).

Examining the players involved provides for a first approach of classifying PKI sce-narios. However, this still is too general for assigning specific methods and scenariosto individual player relations. Besides, the used authentication methods di≠er toomuch concerning security level and user acceptance as well as technical practicabil-ity (cf. [Braz 2006]). However, analysing players by group is a helpful abstraction,especially when separating objects and subjects. With following considerations, wewill address this once more.

2.2.2.2 Classification according to security objectives

When using methods for identification, authentication and signing, the focus is onprotecting security objectives, as it is with all IT security processes. Beside the classi-cal CIA triad, confidentiality, integrity and availability, other sub-objectives are to beachieved as well. (cf. [Eckert 2006], p. 6≠.)

Information security is mainly specified by the requirement that no subject orobject may access information (confidentiality), modify information (integrity) ora≠ect the use of the required resources (hardware and software) (availability) with-out being authorised to do so.

Defining access rights within in the context of access management, and encryptingdata as well as communication are measures for protection of confidentiality andintegrity. This includes backup and recovery solutions. In doing so, IT system failurescan be reduces to a large extent (principle of reliability).

Subjects and objects need to be verified based on a unique identity or specific attrib-utes (authenticity). This is the only way to verify their authenticity and authenticityof messages they generate. Verification is done using authentication criteria likeuser login/password, biometric characteristics, signed code, or device drivers.

If identification is not desired, anonymity and pseudonymity can be demanded too.This conflicts with the objective of authenticity, but is needed for certain applica-tions, like online votes. The conflict can be resolved using so-called blind signatures.

In some cases it is also desired to keep the existence of a communication confiden-tial (so called non-observability), like communication with lawyers or doctors.

It is required that transactions, like sending an e-mail, cannot be denied later (non-repudiation). This is important for legal obligation of eBusiness contracts. Electronicsignatures in combination with logging the actions are used to guarantee accounta-bility.



Di≠erent applications have di≠erent security objectives. These objectives can be pre-served using di≠erent (technological) methods as shown in the following figure.

Figure 2.1: Security objectives and technological methods

The security objectives shown can also be achieved using other methods than PKI.This is one insight of the interviews we did (cf. [Pohlmann 2007] amongst others).Contrary, it can be said that obviously selection of PKI methods is not primarilydetermined by the possibility to protect specific security objectives.

2.2.2.3 Classification according to stakeholders

Classification according to stakeholders considers relations between subjects in thecontext of general business and administrative processes. In di≠erent roles subjectsappear as individuals and legal entities. When considering stakeholders, the focus isnot on the subject-subject relation itself but on the processes that result from thisrelations.



Figure 2.2: A/B/C stakeholders 6

There are various PKI usage scenarios. Using secure (encrypted) transactions is rele-vant for several stakeholders (B2B, B2C, B2A, C2C). Many stakeholders apply electron-ic signatures on legal documents, too (B2B, B2A).

A connection between PKI scenarios and stakeholders can indeed be found. It isinsu≤cient for a systematic classification though. Viewing PKI use detached fromspecific applications does not make sense. Resulting from the variety of possiblebusiness processes, it is di≤cult to obtain a comprehensive picture like that. Makinga statement about future business processes, completely unknown as of today, isalso impossible.

At least it is possible to divide and generalise the stakeholder view into businessprocesses (B2B, B2E, B2A, B2C), customer processes in the sense of mass markets (B2C,


6 A2A: Coordination of administration activities; B2A: Processes between industry und administration; C2A:Processes between administration and citizens; B2B: eBusiness between enterprises, suppliers and pur-chasers; B2C: eCommerce between manufacturers/purchasers and end-consumers; B2E: Internal businessprocesses / communication between an enterprise and its employees; C2C: eCommerce between end-con-sumers.An individual may represent a customer and an employee in one person.


C2C), and administrative/governmental processes (A2A, B2A, C2A). Although over-lapping exists, the rougher classification allows for identification of distinguishableattributes which apply to use of PKI solutions.7

2.2.3 Conclusions

Considering PKI scenarios with regard to individual criteria liked the playersinvolved, security objectives, or stakeholders, does not provide the desired results.Rather, criteria overlap and conjointly contribute to a specific business or adminis-trative process. A business-process-independent view, i.e. PKI exclusively as securityinfrastructure, does not appear to be of much use. Therefore, the focus of PKI consid-erations should be on business process’ requirements. (cf. [Brink 2002]).

We still need to clarify which role PKI solutions might assume regarding support ofbusiness processes. Usually, we can identify three types PKI solutions could a≠ect(cf. [Gadatsch 2006], p.48f.). These types also di≠er with regard to the extent towhich a feasibility study is possible.

Y Insurance against risks:Using PKI as an IT security solution, risks which may result from the occurrenceof security-relevant incidents are to be minimised. This is probably the mostcommon use case. Here, the focus is not on savings. Usually determining viabili-ty of such solutions is impossible.

Y Enabling of business processes:PKI use allows for new business processes which would not be possible in thisform if it was not for these technologies, i.e. the security component. Commonexamples would be: home-banking using PIN/TAN, online-shopping with SSLtechnology, password authentication, or firewalls. In these cases, savings areachieved by the application, not by the security solution.8 As a result, it is notpossible to directly examine viability. Due to feasibility studies usually beingdone in a monocausal way, complex solutions like PKI appear to be unprofitable,which is a common reason for them not being implemented.

Y Optimising of business processes:Using PKI solutions may achieve savings which can be economically verified.However, currently, such e≠ects rarely show.Rather, negative examples can be found, like the attempt to establish a PKIwhich complies with the German signature law. Up to now, this PKI is not eco-


7 Cf. chapter “Operating Conditions”.8 [Gaude 2007] comes to the same conclusion. The Delphi study could not name any business processes

which would not work without a PKI.


nomically successful which particularly results from the fact that the main point – a „critical mass“ of users / applications – has not been achieved yet.Therefore, the amount needed to make up for the assigned infrastructure costscould not be generated yet.

Unfortunately, examining each individual business process is extremely time-con-suming – with regards to the number of processes to be examined as well as theiraccording cost structure. Therefore, the determination of PKI’s viability from thebusiness process perspective can only be done for selected core processes. For thispurpose, those owning the respective core processes or those responsible need tooutline demands on the security criteria to be met, and to disclose the cost struc-tures – especially for changed and/or changeable processes.

Developments in the field of service-oriented architectures (SOA) intensify the prob-lem. If security requirements must be an implicit attribute of each business process,these attributes are also to be integrated into each single SOA component.

Ultimately, the processes’ complexity and insu≤cient information about neededand used (esp. monetary) resources with those processes lead to the fact that PKI isused as an infrastructure mainly and only considered in this context.9 The advan-tages for business processes using an infrastructure like that only become obviousafter a certain period of time.

2.2.4 Successful Business Processes Applications

Successful PKI use from the business process perspective can be described usingthe example of server and user certificates. Server certificates are, for example,being used to verify the authenticity of a web server (cf. [Losemann 2005], p. 41 ≠.).In this case SSL is used. Virtual private networks (VPN) are another applicationwhich use user certificates (cf. [Nash 2001], p. 430 ≠.). The essential components of acertificate are defined in the X.509 standard. (cf. [Brands 2005], p. 273) The Fach-hochschule Brandenburg – Brandenburg University of Applied Sciences (FHB) suc-cessfully applies server certificates for purposes mentioned above, which isdescribed following.

DSL substituting ISDN in private households rendered the setup of a VPN for asecure dial-up of employees and students at the internal FHB network necessary. Forthis purpose, a unique certificate had to be issued for each user. This could only bedone by establishing an own Root-CA according to usual university-related costrequirements.


9 As already shown, this is one result of the workshop.


Currently, application for and issuing (distribution) of advanced electronic certi-ficates is realised as an in-house, online solution. By doing so, server certificates canbe certified by the Root-CA of the FHB too. However, this PKI solution does not com-ply with legal requirements for qualified signatures. From the FHB’s point-of-viewthis is not necessary since risk is not estimated to be high and this “simple” – whichalso applies to the handling – solution is completely su≤cient.

The fact that the concept could be implemented at short notice with no rise in costswas particularly advantageous. First of all, this can be attributed to the use of open-source tools. These tools meet the requirements and were approved by the universi-ty administration.

Additionally, credibility and reliability as perceived by people not being a≤liatedwith the university are raised. Since members of the education community and par-ticularly universities are harshly competitive an image benefit can be obtained byhardening security. This benefit can be seen as a success criterion and can improvethe university’s competitive position.


1,5 210,50 32,5

Acceptance

Demand

Effort

Implementation Costs

Deployment

Measures

EvaluationServer Certificates

Full PKI Solution

Figure 2.3: Evaluation of key figures


Introducing a completely inter-university PKI solution has failed so far, mainly dueto lacking financial and human resources. The awareness that at higher expensesmore security is attainable exists, but the result of risk evaluation does not indicateany need for the university administration to act accordingly.

Within a survey, general opinion concerning the key figures human resources,implementation costs, e≠ort, demand, and acceptance was analysed. The followingfigure illustrates the results. For the evaluation, a scale of 1 (= low) to 3 (= high) wasused.

Using this survey it was found that the decision on implementing an internal Root-CA and using server certificates was not based on key figures. A detailed calculationwould have been impossible anyway since no analysable data was available. It is theopinion of the interviewees that gathering of key figures is not necessary until plan-ning and implementing a PKI solution.

However, attention should be paid to the fact that the demands which the universi-ty imposes on the PKI solution di≠er from that imposed by a company. Especially thefact that costs are not evaluated by choice – before implementation as well as after-wards – renders this example to be atypical and therefore it must be considered tobe a special case. It is not clear if this approach could apply to other public institu-tions as well.

2.3 Economic Considerations

2.3.1 Measuring IT Investments

What is the benefit of me investing into an IT measure? Many decision makers askthemselves this question, especially, if the budget for enhancing the company’s ITsecurity is concerned. Uncertainty and doubts are not su≤cient as reasons for legit-imising the permanently growing fixed costs of IT security. Rather, quantitative andqualitative approaches are demanded for determining an economically usefulinvestment. For the evaluation of an IT measure’s benefit, criteria for measuring theimplementation results are needed.

Defence strategies must be evaluated individually with every company. Frequentattacks resulting from more media attention given to the company, or the necessi-ty to protect intellectual property can require increased security measures. Animage loss can be threatening for a company too, e.g. when confidential companydata or personnel data are made public. That is one of the reasons for securityinvestments. However, many companies are not aware of the damage securityincidents can cause and the corresponding costs. Only few companies are able toprovide any data about the amount of loss that would result of a successfulattack.



An accurate evaluation of risks and e≠ects is extremely di≤cult. The problem isfounded in the fact that the costs of IT security as a cross-sectional problem and taskare not clearly assignable. Various interactions between in-house processes andsecurity measures exist. For this reason, feasibility study and viability optimisationrequire a general cost-benefit analysis. (cf. [Lubich 2006], p. 9)

Another approach for evaluating a company’s security uses an insurance view. Inthis context, sprinkler systems used in factories are a frequently mentioned exam-ple. At the beginning of its use at the end of the 19th century their advantage wasregarded as just as doubtful as the advantage of security investments are nowadays.It was only when the insurance companies made attractive o≠ers for factories withsprinkler systems that the return on the investing in such facilities could be proven.The problem lies in reliability and consistent gathering of the underlying data. Thisis where a common basis for calculation can be found. (cf. [Berinato 2002])

Whether the use of PKI is useful for a company depends on whether the invest-ment’s success can be determined. Therefore, the resulting costs of an investmentare compared with the expected benefit over a specific period of time. The benefitis to be quantified depending on the respective individual case which is notalways easy.

For examination of costs a distinction is made between the following levels/e≠ects(cf. e.g. [Hanusch 1995], p. 557f.):

Y Direct (=internal) and indirect (=external) e≠ects:Direct e≠ects are directly related to the planned investment (e.g. costs of hard-ware, software, administration, support, etc.). Indirect e≠ects usually refer tothird parties (e.g. training costs, losses in e≤ciency such as latencies, or the like).Indirect costs are di≤cult to calculate.

Y Tangible (directly measurable) and intangible (not directly measurable) e≠ects:Tangible e≠ects can be expressed in a monetary way, whereas intangible e≠ects,e.g. time savings, cannot. At least not directly. In this case, calculations mustinclude estimations.

Y Primary and secondary e≠ects:The direct consequences of an investment are primary. Subsequent e≠ects arecalled secondary e≠ects.

2.3.2 Frequently Used Key Figure Methods

Various methods exist for the determination of business key figures. For IT invest-ments and especially investments in IT security there are special requirementswhich, to some extent, are calculated using special modifications of these methods.



The following overview compares di≠erent evaluation methods for analysingprofitability of IT measures.10 (cf. [Hirschmeier 2005], p. 190 ≠.)


10 Highlighted areas (gray) show if the actual method is appropriate for the corresponding qualitative, quan-titative and/or peripheral analysis.

Qualitative Analysis Quantitative Analysis PeripheralAnalysis

LEE PrE CuE CoE TeE IdE VoE Ac Dq

Statistical Methods

Return on Investment (ROI)

Rentability

Amortisation(Payback Period, PBP)

Dynamical Methods

Net Present Value (NPV)

Internal Rate of Return (IRR)

Cost Benefit Analysis (CBA)

Qualitative Methods

Scoring Models

Balanced Scorecards (BSC)

EFQM Models

Key Performance Indicators(KPI) and DART

Cost-oriented Methods

Activity Based Costing (ABC)

Function Point Method (FPM)

Constructive Cost Model(CoCoMo)

Total Cost of Ownership (TCO)

Real Options Methods

Analytical Solutions(Black-Scholes)

Binomial Trees(Cox-Rubinstein-Ross)

Simulation

System Dynamics

Sensitivity Analysis

Monte Carlo Simulation(MCS)

Macroscopic Models

Learning and ExperienceCurves

Diffusion Curves

Customer Lifetime Value (CLV)


Qualitative Analysis di≠erentiates between Learning and Employee E≠ects (LEE),Process E≠ects (PrE), Customer E≠ects (CuE) and Cost E≠ects (CoE). QuantitativeAnalysis describes Temporal E≠ects (TeE), Interdependency E≠ects (IdE) and VolatilityE≠ects (VoE). Acceptance (Ac) and Data Quality (Dq) are counted among Peripheralanalysis.

In order to render the methods in question more precisely, we first need to resolvewhich methods are actually relevant in the context of IT investments.

Using static and dynamic methods, costs can be correlated to benefits and viceversa. E≤ciency may be considered dimensionless (ROI, Rentability, ERR), monetary(NPV, CBA), or over a certain period of time (PBP). Costs and benefits must be avail-able in form of monetary values. Especially for the benefit su≤cient values arerarely present. Nevertheless, these methods are frequently used due to them beingeasy to handle. Dynamic methods are also used for risk evaluations, e.g. using theCapital Asset Pricing Model (CAPM) or risk premiums.

Using qualitative methods qualitative influences on the cost-benefit analysis can beexamined. In this case, aspects of time are only included qualitatively. Additionally,interdependent e≠ects can be included as well. (BSC, KPI, DART). The main problemwith using these methods is the subjective nature of the evaluation. Nonetheless,they are used frequently too.

The cost-oriented methods only consider the costs of IT investments. The resultingbenefit is disregarded. Quantitative analyses cannot be accomplished in this way.However, su≤cient data is available for evaluation in most cases. A substantialproblem of these methods is that cost savings by temporally caused e≤ciencyenhancements are not examined. Regarding classical cost accounting this approachis useful since e≤ciency enhancements are not a kind of cost savings which a≠ectsthe balance sheet.

The real option methods are similar to the static and dynamic models. Methodical-ly, the e≠ect of follow-up investments can be additionally examined. For infrastruc-ture investments like PKI this is of interest. However, calculation expenditure is veryhigh due to the complexity of the procedures. Some values are only determinableusing simulations. This leads to limited confidence in the results and little accept-ance of the models.

Using simulations, additional information can be gained, e.g. for predicting values.A well-known method is the Monte Carlo simulation. Simulation methods are notdesigned for the mere investment consideration. Additionally, they ignore IT-specific aspects. Therefore, the result is often negative. Also, the acceptance is ratherlow since the model is complicated.

Empirical values can be described using so-called macroscopic models. The main



field of application lies in prediction of values and trends. Use of these models isstrongly coupled to the benefit (learning, cost, customer, process e≠ects).

Using separate methods is not su≤cient for complex IT investments such as PKI asan infrastructure solution. There is no method that provides a complete e≤ciencypicture. In our opinion, consideration of all investment attributes can only beachieved by combining di≠erent methods.

Unfortunately, this can result in a complexity which is hard to control and/or isbeing rejected. We recommend a combination of well-known and frequently usedmethods. Based on the decision matrix represented above, our suggestion is asfollows:

Table 2.1: Selection of appropriate methods for key figures10

Using this combination of methods, quantitative as well as qualitative and peripher-al aspects can be examined. Following, the methods ROI, NPV, BSC and TCO aredescribed.

2.3.2.1 Return on Investment

Using the Return on Investment (ROI) method the ratio of an investment’s profit iscalculated. The time aspect is ignored. A (simple) ROI is calculated as follows:

This calculation is applicable if the costs and the benefit of an investment can beassigned to one another directly. When the basic conditions are similar a higher ROI


Qualitative Analysis Quantitative Analysis PeripheralAnalysis

LEE PrE CuE CoE TeE IdE VoE Ac Dq

Statistically:Return on Investment (ROI)

Dynamically:Net Present Value (NPV)

Qualitativ:Balanced Scorecards (BSC)

Cost-oriented:Total Cost of Ownership (TCO)

ROI = Gains – InvestmentCostsInvestmentCosts

11 The highlights show which method fits an analysis most sensible. The combination of methods coversmost required analyses.


is an argument for an investment decision. ROI does not say anything about returnflow or investment risks. The more complex the investment decisions are and themore indirect costs are included, the less a ROI is convincing, esp. related to the cost-benefit ratio.

Examination of the investment period is also not considered with ROI calculation.Therefore, a further method, e.g. Net Present Value (NPV), should be included to findout what financial consequences an investment might have over several years.

In the context of considering IT security investments a modified ROI approach isusually applied – Return on Security Investment (ROSI).

2.3.2.2 Return on Security Investment

The Return on Security Investment (ROSI) equation was developed based on ROI. Ito≠ers a benefit-oriented and balance-oriented model as a basis for an improved esti-mation of IT security investments. There are di≠erent, not standardised methods todetermine ROSI which are all based on similar assumptions. Usually, the followingcalculation methods are used. (cf. [Schadt 2006], p. 21)

Formula 1:Annual Loss Exposure (ALE) = Recovery Costs – Savings + Tool CostsROSI = Recovery Costs – ALE

Formula 2: 12

The second method follows the original ROI calculation more than the first one. Bycomparison, this approach accounts for the probability that an incident might occurto a much larger degree. Annual loss exposure is not only calculated monetarily.Also, the fact that risk analysis probably might not help to repel or prevent every sin-gle occurrence (attack) is taken into account as well.

There are no standardised methods to calculate SLE or ARO, therefore, it is necessaryto fall back on empirical values or look them up in actuarial tables which are basedon real cases of loss. It is very di≤cult to gain data from cases of loss, though. Fewcompanies track losses and costs which arise from an attack. (cf. [Sonnenreich2006])


12 SLE = Single Loss Exposure = projected costs of a loss;ARO = Annual Rate of Occurence (of a loss);RM = Risk Mitigated (probability by percentage)

ROSI = (SLE x ARO x RM) – InvestmentCostsInvestmentCosts


As we pointed out, it is necessary to estimate risks in terms of probability of occur-rence as well as amount of the loss, and to calculate them based on these estima-tions. This as well as the fact that the time aspect is being disregarded is the mainweakness of the ROSI approach. Therefore, ROSI can only be regarded as an approxi-mation or benchmark. However, using an unvarying method of calculation the pos-sibility of a comparison is given. (cf. [Schadt 2006], p. 21)

2.3.2.3 Net Present Value

In order to regard the point of time at which cost and benefit e≠ects of an investmentemerge, dynamic methods, like determining the Net Present Value (NPV), are used.

The NPV is the sum of discounted deposits and payo≠s of an IT-investment over theperiod of use. ([Hirschmeier 2005], p. 44) The (simple) NPV is calculated as follows:

NPV = ∑ Netcashflow Time (1+Discountrate) -1

With this calculation the time aspect is represented using a discounted interest rate.Follow-up investments are not considered, though.

The NPV is not suitable for the qualitative analysis that is important for IT-invest-ments. Besides, data is often based on more or less intuitive estimations of the inter-est rate. In addition, it is assumed that debit and credit interest rates are equal. Theamount of future cash flows also is an estimation.

Nevertheless, the NPV is a commonly accepted method and since the time aspect isbeing included as well it is a frequently used.

2.3.2.4 Balanced Scorecards

The usually high complexity of an investment and the possibly problematic finan-cial e≠ects it may have on a company require the specification of an investmentsqualitative success/failure in addition to the key figure-based view. The BalancedScorecard (BSC) is one resource which can be used to achieve this view.

Using a BSC it is possible to avoid exclusively focussing on financial goals by obtain-ing a balanced view from three additional perspectives (process, customer andlearning / growth perspective). The basis is formed by a finalised company vision orstrategy. From this key figures are derived which are used to measure the imple-mentation of strategic activities within in the scopes which need to be considered.

Since the BSC includes non-financial key figures, the often unilateral discussion onfinancial feasibility and budget can be directed to qualitative aspects. For example,


N

Time -0


we can ask what the benefit of the investment is. What e≠ects does the investmenthave, internally and externally? How innovative is the investment? What competi-tive edge can be achieved?

Since an investment is always conditioned by a business positioning, e≠ects andpotentials of the investment need to be shown from several perspectives. Benefitsthe BSC can provide are: (cf. [Bernhard 2000])Y Pointing out the connection of investment and company strategy Y Shifting the discussion from budget and financing matters to qualitative and

strategic questions Y Detailed definition of an investment‘s orientationY Approaching the evaluation of investments systematically Y O≠ering the possibility to use the BSC as a management system for processes

which are connected with or initiated by the investmentY Critical examination of the investment strategy and start of a continuous strate-

gic learning process Y Means for evaluation of the investment life cycles


Figure 2.4: Balanced Scorecard (cf. [Kaplan 1997], p. 9)


2.3.2.5 Total Cost of Ownership

Technical devices do not only generate high initial costs but also high operation andmaintenance costs. These follow-up costs should be considered during investmentbudgeting. A suitable method is to determine those costs by means of Total Cost ofOwnership (TCO).

Using the TCO life cycle costs can be determined. This approach is frequently usedbecause operating cost of an IT system may substantially exceed the initial costs.13

The following costs are included in a TCO view: (cf. [Elsener 2005], p. 208)

Figure 2.5: Direct and incidental costs of TCO

The incidental costs are viewed as one part of the personnel costs. However, it isespecially these costs that are hard to quantify. According to Gartner Group 76% ofthe TCO are connected with personnel costs. This includes costs like the e≠ects aninvestment might have in employee’s motivation and possible diseases or fluctua-tions that might result. Standardised questionnaires and other measures arequalified for determining incidental costs.

Apart from the possibility to illustrate cost savings, TCO does not exhibit any furtherbusiness e≠ects. Therefore, when using TCO based decision making it is assumedthat the benefit of di≠erent alternatives is of the same value and only the costs di≠er.

2.3.3 Exemplary cost-benefit analysis

2.3.3.1 ROSI calculation for a security process 14

Single Sign On (SSO) is a typical example of a transparent ROSI representation of anIT security investment in a PKI environment. This investment is intended to opti-mise a secure business process.


Incidental Costs (Self) Application Development Training

Downtime Self-Study

File and Data Management Support/Help-desk

Direct Costs Hardware Maintenance

Software Administration

13 There are some tools for the calculation of TCO based on defined cost models e.g. www.tcotool.de14 The following example will be explained in detail in the appendix.


In company usually a variety of di≠erent systems is parallel administered. In mostcases the users get di≠erent usernames/passwords with which they authenticatethemselves against the respective system. If they lose (forget) their passwords theyneed fast support so that their productivity is ensured. In order to provide for this,usually a help-desk exists which tries to solve the problem as fast as possible.

A SSO system can defuse this problem. The user needs just one login identificationto identify himself against the SSO system, e.g. by means of a password or a smartcard. Using certificates the SSO system automatically realises the login process forother systems.15

The following examples are intended to clarify the implementation and expectedsaving potential of a SSO system. The calculation is done for a medium-sized busi-ness and a large-scale company. We used the data Gadatsch [Gadatsch 2006, p. 46]provided and adjusted them as needed.

Additionally to the possible abuse of user accounts due to the uncertain authentica-tion procedure 16, loss results in particular from the productivity loss of the employ-ees while they wait for their password to be reset or renewed. Downtime and fre-quency of password loss can be determined using a quantifying questionnaire. Theaverage time required for handling a password request at the help-desk can be deter-mined similarly. Combined with the average (internal) hourly rate of the employeesthe probable annual loss can be calculated. For calculating the investment costs theTCO approach proved to be of value. For the examples, the number of password relat-ed requests was scaled down based on the values mentioned in [Gadatsch 2006].

Expected savings and the mitigated risks were o≠set in the same way as the annualloss exposure. Beforehand, we need to predict the level to which an investmentcould reduce the number of requests. This can be derived from empirical values ofother companies, studies, or damage reports by insurances, given that appropriatedata is available.

Example 1 – SMB 17 – 100 employees:Password related requests per month: 100Loss of productivity per request: 20 minutesInternal hourly rate of an employee: 33 Euro 18

Estimated reduction of requests using SSO: 40%Asset and implementation costs of a SSO solution: 10.000 EuroOperation costs of a SSO solution per month: 400 Euro Probability of Risk Mitigated: 40% (acc. to Gartner Group)


15 There are different Single sign-on approaches (cf. [Kuppinger 2007]). The example uses PKI certificates,e.g. X.509.

16 The resulting potential loss, for instance by means of industrial espionage, is hard to quantify in general.Therefore this issue is not part of the calculation example.


Recovery Costs: Requests * Loss of productivity * Hourly rate * MonthsInvestment Costs: Asset and implementation costs + operating costs Savings: Reduced number of requests: 40 * Hourly rate * MonthsAnnual Loss Exposure: Requests * Loss of productivity * Hourly rate * Months

According to ROSI formula 1:

Year 1 Year 2 Year 3 Year 4 Year 5

Recovery Costs 13.200 13.200 13.200 13.200 13.200

Savings 5.280 5.280 5.280 5.280 5.280

Investment Costs 10.000

Operating Costs 4.800 4.800 4.800 4.800 4.800

Annual Loss Exposure 22.720 12.720 12.720 12.720 12.720

Recovery Costs 13.200 13.200 13.200 13.200 13.200

Annual Loss Exposure 22.720 12.720 12.720 12.720 12.720

ROSI -9.520 -9.040 -8.560 -8.080 -7.600



SLE 11 11 11 11 11

ARO 1.200 1.200 1.200 1.200 1.200

Risk Mitigated 40% 40% 40% 40% 40%

Investment /Operating Costs 14.800 4.800 4.800 4.800 4.800

ROSI -64,32% -54,32% -44,32% -34,32% -24,32%

Example 2 – Large enterprise – 1000 employees:Password related requests per month: 1000Loss of productivity per request: 20 minutesInternal hourly rate of an employee: 60 Euro Estimated reduction of requests by SSO: 40%Asset and implementation costs of a SSO solution: 60.000 EuroOperation costs of a SSO solution per month: 1.200 Euro Probability of Risk Mitigated: 40% (acc. to Gartner Group)


17 SMB = small and medium-sized business18 [Gadatsch 2006] assumes an internal hourly rate of 60 Euro. This value seems to be overestimated for a

SMB. An internal hourly rate between 30 and 35 Euro seems to be more realistic




Recovery Costs 240000 240000 240000 240000 240000

Savings 96000 96000 96000 96000 96000

Investment Costs 60000

Operating Costs 14400 14400 14400 14400 14400

Annual Loss Exposure 218400 158400 158400 158400 158400

Recovery Costs 240000 240000 240000 240000 240000

Annual Loss Exposure 218400 158400 158400 158400 158400

ROSI 21600 103200 184800 266400 348000



SLE 20 20 20 20 20

ARO 12.000 12.000 12.000 12.000 12.000

Risk Mitigated 40% 40% 40% 40% 40%

Investment /Operating Costs 74.400 14.400 14.400 14.400 14.400

ROSI 29,03% 595,70% 1162,37% 1729,03% 2295,70%

As you can see we kept ROSI calculation very simple. When looking at the examplesmore detailed it occurs that’s some aspects were not included in the calculation. Forexample, the reduction of user requests is not a static value. Experiences show thatwith a rising acceptance and experience with SSO systems even better ratios can beachieved. Further, the logon frequencies with and without SSO are not taken intoconsideration. This applies to the released help-desk capacities too. An example of ahardly measurable factor is the influence of the reduced logons on the employees’productivity. For example, by reducing the number of interruptions by demanding are-logon the employee stays focussed on the task at hand. The qualitative approachof the Balanced Scorecard method is appropriate for making these values visible.Thereby they can also be included into economic considerations.

Conclusion Implementing a SSO system as a security solution on business process level leads, atleast for SMBs, to a negative ROSI even if considering a longer period of time. Thismay result in deciding against such a solution.

Regarding the use of a PKI solution like that a ROSI calculation considers merely one



aspect. People, processes, and technologies used within the company as well as theway they act jointly in order to enable business activity must be included in theseconsiderations. Such a holistic picture cannot be determined using only one keyfigure. It is the combination of di≠erent methods that result in a comprehensive andrealistic picture.

2.3.3.2 Balanced Scorecard-based examination

Using a SSO system cannot only optimise the security process of authentication.When establishing a PKI business processes which were too risky before can be opti-mised or enabled. (cf. [Lareau 2002], p. 2) The existing infrastructure can also be usedby other business processes. This way the investments into an infrastructure maypay o≠.

Using PKI for electronic invoices or the delivery of digital documents as well wouldbe a useful option. The example also is to show how combining di≠erent methodscan be used to achieve a more comprehensive view of the influencing factors.

Calculation using the example of delivering digital documents 19

In the course of everyday business activity a variety of documents are created, e.g.for external communication with partners or customers. As of today, traditionalmail still is the method of choice in many areas. However, the recipient often digi-talised these documents in order to process or archive them electronically. To reducenecessary changes in format and the corresponding additional e≠ort and thus tosave costs, documents can be created and delivered completely digital. This processcan be supported and optimised by a PKI. In doing so it is important that the docu-ments’ authenticity is secured as much as it would be with correspondence signedby hand.

General examination by means of a Balanced ScorecardIn order to get a holistic view on the processes associated with document delivery aBalanced Scorecard (BSC) approach is useful. The following approach represents abasis for an evaluation.

The Balanced Scorecard is a suitable instrument for measuring investment projectsbecause cause-e≠ect relationships are examined from di≠erent perspectives. Addi-tionally correlations and dependencies are highlighted. However, in order to identifyall success criteria an in-depth analysis of a company would have to be accomplished.

Based on the example the following overview shows a couple of relevant criterionsand questions from the di≠erent perspectives, which – if necessary – are to bespecified in order to obtain an overall picture. (cf. [Beilschmidt 2007])


19 The data of this example originates from [Beilschmidt 2007]. Because of the reference character of theSSO example from [Gadatsch 2006] a connection can be made easily.


Figure 2.6: Balanced Scorecard for evaluation of delivery of digital documents

Financial:

Y Investment and Operating Costs:This includes certificate costs (number of employees who need certificates). Forcertain purposes, e.g. delivery of invoices, an employee might need qualified(more expensive) certificates than for day-to-day business (e-mail communica-tion with customers, partners, suppliers, etc.). Other employees might need nocertificates at all and only use SSO for their logons. Furthermore, the costs ofservice-level agreements for utilising directory and validation services are to betaken into account.Di≠erent specifications need to be tested for hardware costs of SSO and digitaldocument delivery, e.g. signing e-mails by means of software which is set up oneach workstation. This would result in more expenditure for training theemployees.Finally, the question arises if the development costs of an individual PKI mightby lower than using external PKI services. [Beilschmidt 2007] mentions a 6- to 8-digit amount and maintenance costs up to 100,000 Euro/year for a SMB.



Y Business Case:When developing business cases and business objectives employee and projectcosts arise, e.g. for specifying the requirements. If new software is purchased,corresponding tool costs are to be considered. Also, license costs for members ofthe project team may occur.Based on the possible applications it must be examined whether a hardwaresolution or a software solution should be preferred. Also, the question arises howmany potential new partners there are and if joint projects are possible. It is tobe clarified how many partners are actually up to using the new secure way ofcommunication.

Y Comparison of providers:Basically, this aspect matches the evaluation costs. Employee and project costsalso occur while comparing provider o≠ers. Potential travel costs for on-site pre-sentations, fair attendances, or business lunches are also to be taken into consid-eration. Sometimes this includes prototype installations, costs of employeessupervising the installation, being in charge of the providers or providing hard-ware, etc. as well.

Internal business processes:

Y Time to Market:How long will implementation and testing approximately take? Are the avail-able products ready for the market and can be used for productive work or is sub-stantial customising e≠ort necessary?

Y Interfaces:How is compatibility of the software with other systems? What are the costs ofpossible adjustments to legacy systems?Does the business case for the solutions found reveal further fields of applica-tions, e.g. VPN connections for home-o≤ces, or deployment of certificates forexternals?

Y Change of Process:How much time can be saved by the dropping printing, packaging and getting-to-the-post-o≤ce of documents? How much time is needed for logon? Howmany requests per month does the help-desk receive? How is the loss of produc-tivity to be interpreted?

Y Training Needs:Depending on the implementation employees need instructions and trainingcourses for the new systems. Administrators must be trained separately, inorder to ensure operation to be as independent of specific manufacturers aspossible.



Recipient/Customer:

Y Adjustment Needs:Customers, partners, and suppliers must be informed about the new technologi-cal possibilities. Marketing must advertise the secure way of communicationand animate new customers to use it.

Y Conditions for Participation:Which requirements do my contacts need to meet? Does communication workproperly even if partners do not support the technology?When participating, the time until an electronic business relationship can beestablished shortens. Contractual matters and audits can be skipped.

Y User friendliness:Software solutions for encryption strongly interfere with the operating methodof certain employees. Therefore, we need to estimate to what extent requests fordocument signatures (e-mail delivery) increase help-desk requests, thereby neu-tralising saving e≠ects.

Learn and growth:

Y Project Management Knowledge:Times, costs and employee e≠ort for planning, implementing and maintainingthe new systems are to be calculated. Here, established process models andexperience should be used.Evaluating employee’s and customer’s satisfaction with the new systems isimportant. Where do potentials for improvement and development lie? Onceimplementation is done, which processes cause the most costs?

Y Know-How:Developing internal knowledge management should be advanced as well. Publi-cations and PR campaigns can be used for promotion.

Note: Regarding acceptance and practicability of the method the crucial 20% of keyfigures, which – as per Pareto – bear 80% of investment success, are looked at.

Cost examinationIn the case present optimising the process of the document delivery is being exam-ined. The documents are created electronically and signed using a certificate 20 (inorder to ensure the sender’s identity) and afterwards delivered electronically.


20 In the example X.509 certificates are used which are issued by public trust centres in most cases.(cf. [Beilschmidt 2007])


We need to find out which costs can be saved when comparing the electronicmethod to the conventional way of delivery. In this case, the problem of determiningprecise data occurs in form of the expenses incurred by delivering a document.Every company estimates di≠erent expenditures for paper, toner consumption andthe work e≠ort of the post o≤ce for packaging, stamping and delivering. Here, wecan also see that ROSI is an approximate value for estimating an investmentse≤ciency.

The example assumes the following costs:Y 2.00 ¤ for paper, toner etc. for each document of which 1.40 ¤ can be saved by dig-

ital delivery Y 0.55 ¤ postage costs per forwarded document Y 19.75 ¤ certificate costs per employee and year for a qualified signature Y Costs for a hardware solution, which automatically signs outgoing documents.

The costs di≠er depending on company size and include purchase, operation,administration, and maintenance.

Y Costs of the post o≤ce, before and after installation, since the post o≤ce usuallyremains in a smaller form

The sample companies have 100 and 3000 employees because specific license costsof the central gateway where available for these sizes.



Enterprise A

Number of employees 100

Amount of documents per month 130

Costs per document 112,00 EuroCertificate costs per employee 119,75 Euro

Delivery of paper documents

One-time costsnone

Monthly costsDocument costs 260,00 EuroPostage (0,55 ¤ per document) 71,50 EuroPost office (1–2 employees) 1.000,00 Euro

Total per month 1.331,50 Euro

Delivery of digital documents

One-time costsCentral Gateway 6.000 Euro

Monthly costsDocument costs (0,60¤ per document) 78,00 EuroCertificates 164,58 EuroPost office 500,00 EuroMaintenance costs Gateway 90,00 Euro

Total per month 832,58 Euro



ROSI according to formula 1

Month 1 2 3 4 5 6

Investment Costs 6.000,00

Operating Costs PKI 832,58 832,58 832,58 832,58 832,58 832,58

Savings 1.331,50 1.331,50 1.331,50 1.331,50 1.331,50 1.331,50

ROSI -5.501,08 -5.002,16 -4.503,24 -4.004,32 -3.505,40 -3.006,48

Month 7 8 9 10 11 12

Investment CostsOperating Costs PKI 832,58 832,58 832,58 832,58 832,58 832,58

Savings 1.331,50 1.331,50 1.331,50 1.331,50 1.331,50 1.331,50

ROSI -2.507,56 -2.008,64 -1.509,72 -1.010,80 -511,88 -12,96

ROSI according to formula 2

Month 1 2 3 4 5 6


Operating Costs PKI 832,58 832,58 832,58 832,58 832,58 832,58

Cumulated Costs 6.832,58 7.665,16 8.497,74 9.330,32 10.162,90 10.995,48

Loss 1.331,50 1.331,50 1.331,50 1.331,50 1.331,50 1.331,50

Overall Loss 1.331,50 2.663,00 3.994,50 5.326,00 6.657,50 7.989,00

ROSI -80,51% -65,26% -52,99% -42,92% -34,49% -27,34%

Month 7 8 9 10 11 12

Investment CostsOperating Costs PKI 832,58 832,58 832,58 832,58 832,58 832,58

Cumulated Costs 11.828,06 12.660,64 13.493,22 14.325,80 15.158,38 15.990,96

Loss 1.331,50 1.331,50 1.331,50 1.331,50 1.331,50 1.331,50

Overall Loss 9.320,50 10.652,00 11.983,50 13.315,00 14.646,50 15.978,00

ROSI -21,20% -15,87% -11,19% -7,06% -3,38% -0,08%

Both methods can be use to show that after approximately 12 months the invest-ments pay o≠ to a large extent. However, a positive Return on Invest cannot bereached completely yet.



Enterprise B

Number of employees 3000

Amount of documents per month 2800

Costs per document 112,00 EuroCertificate costs per employee 119,75 Euro

Delivery of paper documents

One-time costsnone

Monthly costsDocument costs 5.600,00 EuroPortage (0,55 Euro per document) 1.540,00 EuroPost office (1–2 employees) 3.000,00 Euro


Delivery of digital documents

One-time costsCentral Gateway 25.000,00 Euro

Monthly costsDocument costs (0,60 Euro per document) 1.680,00 EuroCertificates 4.937,50 EuroPost office 1.000,00 EuroMaintenance costs Gateway 375,00 Euro




ROSI 1

Month 1 2 3 4 5 6


Operating Costs PKI 7.992,50 7.992,50 7.992,50 7.992,50 7.992,50 7.992,50

Savings 10.140,00 10.140,00 10.140,00 10.140,00 10.140,00 10.140,00

ROSI -22.852,50 -20.705,00 -18.557,50 -16.410,00 -14.262,50 -12.115,00

Month 7 8 9 10 11 12

Investment CostsOperating Costs PKI 7.992,50 7.992,50 7.992,50 7.992,50 7.992,50 7.992,50

Savings 10.140,00 10.140,00 10.140,00 10.140,00 10.140,00 10.140,00

ROSI -9.967,50 -7.820,00 -5.672,50 -3.525,00 -1.377,50 770,00

ROSI 2

Month 1 2 3 4 5 6


Operating Costs PKI 7.992,50 7.992,50 7.992,50 7.992,50 7.992,50 7.992,50

Cumulated Costs 32.992,50 40.985,00 48.977,50 56.970,00 64.962,50 72.955,00

Loss 10.140,00 10.140,00 10.140,00 10.140,00 10.140,00 10.140,00

Overall Loss 10.140,00 20.280,00 30.420,00 40.560,00 50.700,00 60.840,00

ROSI -69,27% -50,52% -37,89% -28,80% -21,95% -16,61%

Month 7 8 9 10 11 12

Investment CostsOperating Costs PKI 7.992,50 7.992,50 7.992,50 7.992,50 7.992,50 7.992,50

Cumulated Costs 80.947,50 88.940,00 96.932,50 104.925,00 112.917,50 120.910,00

Loss 10.140,00 10.140,00 10.140,00 10.140,00 10.140,00 10.140,00

Overall Loss 70.980,00 81.120,00 91.260,00 101.400,00 111.540,00 121.680,00

ROSI -12,31% -8,79% -5,85% -3,36% -1,22% 0,64%

The second example shows that the investments start to pay o≠ after 11 months.



ResultThe calculation shows that a comparative calculation is already possible whenknowing the fundamental cost drivers, i.e. the factors which have the largest shareof the overall costs. In the example qualified certificates were used as the calculationbase.21 Additionally, for each employee a certificate was requested. In this examplecosts could be saved among others by determining those employees, which definite-ly need expensive qualified certificates. For the remaining employees advancedcertificates might be su≤cient. It might also be possible to work without qualifiedcertificates at all. Furthermore, software solutions which can reduce or even save theoriginal costs and operating cost of the gateway can be evaluated. However, this willbe abolished at least partly by increased administration costs and additional train-ing needs for the employees. In the examples the reduced work e≠ort of the employ-ees, e.g. by the otherwise necessary printing and getting-to-the-post-o≤ce, was notconsidered too. Investigating such processes would focus too much on specific com-panies and would conflict with a fast and simple calculation. Emphasis is on sub-stantial factors for a fast but expressive comparison of alternatives.

Quantification of risksStill, the question arises to what extent measuring risks based on incomplete data ismaking sense. We assume that it is useful by all means when the methods used sup-ply reproducible and consistent results.

For this purpose accuracy of underlying costs are of minor important, thus it is nec-essary to develop consistent methods for calculating and describing cost. Whendetermining the factors for calculating an investment’s e≤ciency, productivity areoften valued higher than actual security aspects. Companies need to look for param-eters which allow for a raising e≤ciency or for new processes. Usually it is notdetails that have a significant e≠ect on the overall benefit. According to the Paretoprinciple, as we mentioned before, it is crucial to identify the driving 20% of the fac-tors which account for 80% of e≤ciency. Since companies, especially those comingfrom di≠erent industries, rarely follow one distinct standard, calculation must bebased on factors which can be measurable independent from other aspects and aredirectly correlate to the degree of severity, e.g. of a security incident. Also, concen-trating on few but important facts allows to compare products, projects, companiesand whole industries more easily. (cf. [Sonnenreich 2006])

2.4 Summary

The specific use of PKI should be viewed from a business process perspective. HerePKI can frequently enable new business processes or optimise existing processes.


20 The type of a certificate depends on the document to be signed. For instance, the German sales tax law (§14) demands a qualified electronic signature for signing digital invoices.


Due to the complexity of and the interdependences between business processes inpractice the top-down approach, i.e. PKI as infrastructure investment, is favoured.

Investments in PKI solutions are comparable with other infrastructure investments.Insofar well-known business key figure methods must be used in order to justifyinvestment decisions. It is to be noted that only a method combination can supply acomplete picture. Such an approach should always be accomplished and repeatedunder same conditions to receive reference values in order to make the success of aninvestment measurable.

The security aspect of PKI investment decisions is rather a secondary argument. Butit plays an important role in enabling business processes. It should also influenceanalyses of business processes. Even the developments within the range of SOA willshift this orientation into the foreground.



3.

Operating Conditions

3.1 Methodology

This chapter explores the criteria dictating the success and failure of public keyinfrastructure implementations and use in most cases. The first approach toidentify those criteria was to search for suitable literature, e.g. reports of personalexperiences. Soon it became apparent that companies did not feel like ‘hawking’ theproblems they had when realising projects. As a result of that there is barely any lit-erature available publicly. Thus a survey was done, interviewing several expertsanonymously, all of who were adept at planning, implementing and operating pub-lic key infrastructures. Ensuring absolute anonymity was necessary to free intervie-wees from administrative barriers regarding ‘official’ statements being imposed onthem by their companies and to obtain results free of censorship.

The interview was conducted over telephone and based on a questionnaire which hadbeen made available to the participants beforehand (see attached appendix). The ques-tionnaire had been divided in several sections consisting of general questions on plan-ning, design, deployment and operation as well as cross-company communication.

While picking questions regarding PKI strategies, pros and cons of PKI were gath-ered, as well as questions concerning consequences for users and liability. The sec-tion of the questionnaire dealing with PKI implementation covered questions on thesolutions offered, respectively products used and reasons for this decision, as well asquestions on how much time was needed for the deployment. The section on PKI use

Chapter 3 | Operating Conditions | 71


covered questions on barriers respectively challenges of operating PKI, as well asdocumentation needed and actually used. Questions on cross-company communi-cation aimed at technical implementations and experiences made in that process.All in all, the aim was to identify possible obstacles in using PKI applications andconcepts and have them rated. Following, the interviewees answer will be presentedgrouped according to scope of their content.

3.2 Products

Technical implementations are often based on open source technology that havebeen combined with independently designed products as well as products availableon the market, all of which often adopt non-standardised proprietary technology. Inthe early stages of PKI, companies were virtually forced to develop their own solu-tions because products being ready for the market were rare. Now many companiesfinancially support the solutions needed, specifically aiding the open source com-munities. In that respect, open source projects pose a powerful, marketable competi-tion for standardised products. This, combined with the lack of high demand, resultsin vendors cutting products and thus limits the range of products in turn.

Today, products like hard drive encryption, VPN solutions and virtual post offices,often come along as a stand-alone niche product, already featuring a fully embeddedPKI along with an administration tool built into the infrastructural component (wide-spread products do not display process orientation). This leads to a heterogeneous PKIlandscape. The interviewees try to avoid too much heterogeneity and the consequen-tial increased administrative effort, but most small and medium-sized businesses(SMB) do not have a choice save purchasing different products that do not operatetogether. Those businesses lack the resources and influence necessary to counteractthe problems resulting from vendors using certificates featuring different additionalattributes. There is a lack of interoperability with applications from different vendors,especially with managing keys and certificates. By using profiling, initial progress hasbeen made in certain areas of application, e.g. when it comes to S/MIME. Boostinggeneral interoperability still needs to be focused on more intensely.

Certificate formats change constantly, so certain components need to be adjustedpermanently, especially the certificate generator which should be purchased from avendor thereof. This works for stand-alone PKI components but not for embeddedapplications. The products available do not represent the existing business process-es in the best way. Interviewees pointed out that PKI solutions do need to be adjust-ed to business processes, in particular to enhance user acceptance. It should not bethe other way around though. In order to achieve an ideal representation of thebusiness processes used, interviewees suggest developing the components neededoneself. This is not easy for SMB given the resources typically available (respectivelylacking). Therefore, in order to strengthen PKI utilisation, it is necessary that ven-dors focus on business processes more intensely and are qualified accordingly.

72 | Chapter 3 | Operating Conditions


PKI is always connected to cryptographic technology, therefore it is necessary forcompanies, which operate at a global level, to dodge the limitations of import andexport. Several countries, like China or Russia, impose strong regulations on usingcryptography. According to experiences described by the interviewees it can berather tedious and complicated to get the necessary clearance, which might delayprojects. This begs the question whether cryptography should be seen as a dual-useitem still. It should be mentioned that the regulations of import and export do affectproduct choice significantly. On behalf of the German cryptography business theadvice is to simplify regulations from the German point of view. Industrial espi-onage will not be discussed in this context.

3.3 Project procedure

Being an infrastructural technology, PKI demands applications justifying its opera-tion. It is possible to apply PKI solutions to various scenarios though. In practice thismay cause conflicting requirements, threatening a project’s success. Generally oneshould not try to support as many applications as possible. Integrating applicationsstep by step, realising pilot projects cooperating with users, appears to be a top-notch approach.


PKI: Hard drive encryptionManufacturer A

PKI: VPN solutionManufacturer B

PKI: Virtual Post OfficeManufacturer C

PKI: For all Applicationsin the Company,interoperable at allManufacturers

Process of Integration

Figure 3.1: Process of integration of multiple PKI’s


Additionally, early PKI projects should be mentioned. These were set up for one spe-cific use only, like authentication of employees, and have proved to be successfulboth from a financial and an organisational view. Those projects might not providefurther room for improvement as a result of the intended technical design, but theydue to their specific purpose they have still made clear successes.

Generally it is notable that PKI projects are ‘alive’ in most cases, needing to deal withnew requirements, certificates and algorithms. On the other hand a PKI environ-ment can not cope with the changing requirements in technical design because ofits intrinsic complexity. Thus it is necessary to reason whether stakeholders will beinvolved right from the start or whether they will be excluded as to not jeopardisethe projects success. Exploring possible causes for the lack of flexibility of PKI isadvisable nonetheless.

The consequences of company policies and political influences as well as legalaspects are often underestimated when starting a project. Even though few projectsstrive for legal compliance, a number of corporate non-technical influences need tobe taken into account. A fundamental problem arises from the hierarchical struc-ture of PKI - with cross-company projects or large companies with self-dependentdepartments it may seem like everyone involved must submit to a ‘central authori-ty’. Hence technical discussions are often based on (corporate) politics. Those obsta-cles bear some difficulties and must be resolved accordingly by political engage-ment in committees and initiatives. Although this is not possible in all cases. Com-pared to technical problems, interviewees attest political and organisational obsta-cles to take substantially more time when implementing PKI projects. In case ofneed, technical problems can be solved by workarounds.

Furthermore, people involved in PKI projects are often fascinated by the technologywhich leads to more and more people wanting to influence any further develop-ment. That can lead to decisions and requirements changing due to personal rea-sons. Lacking long-time confidence in cryptography algorithms (mainly with peopleknowing little about PKI and cryptography) poses another challenge.

Mingling the two layers – which are particularly relevant to PKI implementations –technology and trust - might be another reason for the complexity of PKI projects.The trust relationship layer is often not definitively outlined causing specific prob-lems and complexity. Separating those layers in all stages (e.g. product design) couldhelp to find a solution.

3.4 Operation

Decisions related to PKI, like judging certificate or signature validity, can often over-whelm users. Besides which, users often do not see a particular benefit in using PKIbut think of it more as additional work. As with many security concepts there is a



lack of comprehension as to why security is needed at all. Training courses thatmight help to solve this problem are often not held because of a lack of resources, orthe needed resources not being made available and users being too sluggish todemand them.

Single sign-on (SSO) on the other hand, (aiding the user by securely storing theirpasswords) offers evident benefit – acceptance and understanding are much higherhere.

PKI applications should not ask the user for complex, incomprehensible decisions ontrust matters. Rather it should be aspired to demand those decisions merely in situ-ations requiring them as part of the due process applied by the user. All in all, appli-cations being as transparent as possible are easier to implement and deploy.

If the employee has to make decisions, it is crucial to enforce organisational specifi-cations in order to assure success – otherwise the significance of the whole PKI con-cept is put at risk. Employees need to take those specifications seriously and meetthem by all means. Think about the ever-present demand to wear visible staffbadges and visitor passes, for example. If it was not for consequently enforcing thisrequirement with all employees, as well as according checks and potential discipli-nary actions of the security personnel, this measure would lose its credibility andpeople would not care about it anymore.

PKI situations may arise where data signatures, being recoded by a server for exam-ple, can not be verified. Typically this will be pointed out to the user. If this situationis new to the user there is the danger of them not knowing or remembering the des-ignated specification and disregarding the warning in order to work efficiently. Atbest they will turn to the support team. In this situation the proper reaction of thesupport team member is important for solving the problem and sustaining theuser’s acceptance.

In principle it should be considered to which extent one should aim for solutionsthat allow for falling back on the organisational rules, which are hard to enforce, inorder to stick to a PKI implementations trust model.

A central e-mail security gateway can be cited as an example for a transparent real-isation, which additionally avoids using complex organisational rules. E-mails areencrypted and decrypted as well as verified by the gateway. The information for theuser simply consists of the result of this check, being displayed directly in the e-mailapplication, as intuitively as possible (using traffic light logic for example). On theone hand the benefit of end-to-end encryption gets lost here, but on the other handvalidation of certificates and signatures can be simplified as well as checkingencrypted e-mails for viruses and technical solutions for holiday replacement and e-mail distribution lists.



Formal documentation, being over-rated from the interviewees’ point-of-view, isnot used accordingly. Most solutions, even the in-house ones, may feature a certifi-cate practice statement (CPS), that was generated according to RFC 3647 or ETSI TS101 456. Still the experiences made with those documents indicate that they are cre-ated by theoreticians putting in a lot of time and work and may aid the implemen-tation as some kind of requirement specification, but are not useful during opera-tion because of complexity and size. With regards to operation, handbooks are creat-ed for relevant processes, especially since risk and quality management demandthis for high-risk processes. Terms of use referenced by a supplemental certificateattribute are being extremely rarely retrieved. The process of retrieving itself, to beactively initiated by the user, asks too much of most. Actually interpreting the termswill probably be difficult and time-consuming, because of the contained legal con-cerns and references to other documents. Instead of modelling requirements oftrust within a certificate practice statement it is more important to have documen-tation which describes how to secure the targeted process by using PKI.

Regarding cross-company communication, additional technical problems arise asdistribution of certificates only works out fine as long as device configuration isused as preset. Users that do not comply cause higher support expenses. Further-more it is sometimes difficult to access other companies’ blacklists - and thereforeinformation about the validity of certificates - adequately. Those entries need to beretrieved of a LDAP-server not existing in one’s own domain. Some firewalls do notyet feature a LDAP-proxy allowing for such access, which is one off the problemsoccurring. In respect to e-mail, interoperability of cross-company communications isrealised to large extent, but considering application in conjunction with businessprocesses to be guarded, it is still not clarified precisely enough.


Figure 3.2: Central e-mail security gateway


3.5 Liability

Controversial opinions exist regarding liability, depending on the particular operat-ing setting of the interviewee. One needs to differentiate between in-house andcross-company solutions as well as solutions using qualified certificates.

Companies which chose a pragmatic in-house implementation but still use qualifiedcertificates for signatures do so because of better reliability though not because ofadditional legal obligation. No interviewees knew about cases where employeeswere held accountable for applying an electronic signature inaccurately, for example.

Signatures are often applied to e-mails to other companies’ representatives, thuscross-company communication. In this relation the opinion is, that those processeswere usually handled via fax in the past, relevancy of transmission and thereforethe liability resulting remaining the same. Using a new transmission system basedon electronic signature the question of liability should not be posed again, becauseof the processes involved staying the same and reliability in fact being increased.

If questions of liability are of particular importance, e.g. because of the obligation ofqualified certificates, most companies tend to heavily restrict responsibility withintheir means. Ultimately this may result in rejecting qualified signatures and limit-ing PKI use with transactions of higher risk potential – this being the exact oppositeof what PKI pioneers intended concerning electronically aided processes in conjunc-tion with contract settlement and the like. Then again, implementing appropriateliability can generate more trust, according to some interviewees, which seems ofparticular relevancy when dealing with customers.


Figure 3.3: Lack of interoperability for e-mail communication



With pragmatic in-house solutions, focus was usually on advanced certificates. Com-pared to using qualified certificates this reduces the requirements as to IT security,does not demand smartcards or tokens for storing certificates securely and above alleliminates most legal requirements, therefore enhancing the binding character hasnot been the primary goals of most companies. Rather, using the possibility of strongcertificate-based authentication and securing electronically based processes byapplying encryption. Furthermore, companies intended to increase trustworthinesswith accountants by certified electronic processes that can not be counterfeited.

Some interviewees, having looked into solutions complying with legal require-ments, characterised the German discussion about qualified certificates as “mis-guided for a long time”. Most interviewees consider advanced certificates to be“completely sufficient” for most applications, whilst use cases for qualified certifi-cates are “almost nonexistent”. When there is the demand for qualified certificateson the other hand, like with particular applications (e.g. electronic award of con-tracts), this function is purchased from external service providers.

When a PKI solution is based on qualified certificates, interviewees complain aboutunrealistic requirements and too much control by politics and regulation authorityin many areas. Examples like “signature-causing event” with electronic prescrip-tions or mass signatures as well as audit proof long-time preservation were pointedout. In conjunction with launching the electronic health card and the affiliated useof electronic prescriptions, the doctor has to individually initiate, respectivelyunlock, the electronic signature for each prescription by entering a PIN. At any rate,according to experts this will cause considerable additional work and expenses. Inthe past, when signing personally, it was possible to hand in prescriptions in-between two patients. Due to experts, the option of mass signature, that is automat-ically signing several documents at once, has yet been governed in particular areas,like issuing an invoice electronically. With audit proof long-time preservation, aswith electronic patient records, retention periods of up to 30 years need to be com-plied with. Additionally to problems arising from outdated key length, as well asstoring certificates for verifying signatures, questions of durability of document for-mats and storage mediums need to be solved, respectively ensured.

Additionally, detailed technical requirements can be found, e.g. in the field of sociallegislation, already and are being regulated independently and without referencingto other operational areas of signatures. Interviewees expressed that it had beenmissed to create secure, yet workable, security level by laws. The requirements aredescribed as being too high, resulting in companies holding back of implementingsolutions complying with the law.

Lacking “application of legal requirements of electronic signatures in practice” inGermany has been identified as another fundamental problem. Usually a series ofsingle-case decisions of different levels of jurisdirection are needed until law andunderstanding of a technology have settled with representatives involved. Regard-ing PKI legal security is hard to achieve at present. Via legal opinions of acknowl-



edged entities at least parts of this problem could be dissolved. Lacking legal securi-ty does not pose a fundamental problem for companies though, thus it is notattempted to achieve security through corresponding measures.

Public authorities and courts relying on heterogeneous infrastructure when usingsignatures can be attributed to Germany’s federal system. This “patchwork rug” andthe varying level of acceptance causes certificates to be adopted by users ratherslowly. According to some interviewees, other countries, often those centrally man-aged or having chosen a pragmatic approach of integration, are way ahead inrespect to actual use cases.

Implementation of the European Community framework for electronic signaturesin the individual member states turns out to be dramatically different to someextent. States having open source PKI projects allow for legally realising the require-ments of qualified signatures accordingly, whereas in Germany those open sourceprojects barely qualify for advanced signatures. From the experts point of view thebarriers created by politics and authorities should be levelled off with pragmaticapproaches, at least for an initial transition phase.

3.6 Synopsis

PKI solutions are mainly used for the in-house purposes of electronic signatures,strong authentication and encryption. Compliance with legal requirements is typi-cally not the primary goal. Especially in this area non-technical problems may arisedue to corporate politics and organisational influences though, which are often dif-ficult to solve. The interviewees of the few PKI applications, trying to meet therequirements of qualified certificates, complained about too much regulation bypolitics and regulation authorities, unrealistic demands as well as poor acceptancefrom authorities and courts. As a consequence more pragmatic approaches shouldbe aimed for, at least for a longer period of transition, and use of PKI with authoritiesand courts should be actively supported.

According to some interviewees technical problems can always be solved, and ifonly for workarounds. In order to make it easy for SMB in particular to engage withPKI, companies holding a lot of market power should be enlisted to contribute tomore interoperability by publishing process oriented documentations of their PKIsolution and other measures. Additionally SMB could be supported indirectly bysupporting specific research projects, therefore safeguarding jobs in the long run.Trust in current and future algorithms should be strengthened by supporting scien-tific research in that area as well.

Supporting cross-company use of PKI is sensible in future, in order to strengthenGermany as a business location. In doing so, clearly-defined approaches for solu-tions should be provided in order to point out how problems of PKI use in business-es could be solved.


4.

Workshop – Findings

The following chapter presents the findings of the high-level workshop hold withinthe course of the project “Criteria for success of methods for identification, authenti-cation and signing based on asymmetric cryptographic methods”. Structure is as fol-lows: The first part describes the workshops procedure and methodology. The struc-ture of the attendants is addressed, too. The second part depicts the attendants’comments on previous results of this study. The third part deals with the findingsdeveloped in the break out sessions of the workshop. Following, the findings of theproject team which are based on the experiences of the workshop are beingdescribed. In conclusion, we offer several suggestions for further steps.

4.1 Methodology and course of the workshop

The workshop is the forth fundamental part of the project “Criteria for success ofmethods for identification, authentication and signing based on asymmetric cryp-tographic methods”. Based on the chapters addressing technical outlook, economicconsiderations and operating conditions, the workshop was intended to identify cri-teria for success and point out prospects. The workshops set-up was aimed at thesegoals. Thus were the participants.

Participants were chosen from different groups of competence: PKI vendors andservice providers, chief information security officers, having realised successfulmulti-national PKI projects, researchers, management consultants with security

Chapter 4 | Workshop – Findings | 81


and anti-fraud expertise, IT managers. Long-time experience was emphasised inparticular. Besides being willing to provide their knowledge for the project, furthermotivation for their participation differed. Some considered the commitment to PKIto be an important part of their personal expertise, which could be broadened byattending the workshop and discussing with other experts, others were into social-ising as well. The diversity of participants was a motivating reason for sure. Despiteor more precisely because of the experts’ seniority, willingness for cooperation wasextraordinarily high. In addition to the discussion supported by the project team,providing for enough room and time for bilateral conversation proved to be excep-tionally advantageous.

In order to prepare the participants for the work groups planned, they were filled inon the present results of the project team’s work first. Based on their knowledge andexperiences as well as the results presented by us the participants were to identify 3to 5 mayor problems and come up with matching ideal conditions, as well as solu-tions/fields of action resulting in these conditions. This was done in break out ses-sion. Following, the problems were worked on further, using explanations and feed-back of the participants of the particular session. Each work group had a rapporteursummarising the discussion and presenting it to the plenum.

From the beginning, discussions were affected intensely by the diverse expertise ofthe participants, who contributed views from different points of interest. By address-ing the different topic in detail within the work groups, focus on the main topic wasachieved, which was summarised in the final feedbacks given. The interdisciplinarygroup line-up, bringing together engineer and non-engineers, IT and security officersas well as PKI vendors and professors of business economics, provided considerablyto the differentiated and extremely controversial facets arising from the discussions.

Starting the break out sessions, it was tried to associate those persons which did notknow each other beforehand. By doing so an open, unbiased discussion was encour-aged. In our opinion, this approach proved to work just fine, even though it tooktime to reach a similar level of factual knowledge, of course.

While alluding to a broad field of aspects, the course was still defined by optimisticyet critical debates having one distinct focus: success of public-key infrastructures,applications and technologies. In the course of this chapter, the results of the discus-sions will be presented. The suggestions on further procedure, offered by the partic-ipants without being requested, were of great value.

Finally, the rather informal comments voiced during the un-moderated part of theworkshop included substantial details and information out of practice as well aspersonal experiences the team would not have learned by a formal interview. Thisapplies to opinions and assessments contrary to the “prevailing” expert opinion inparticular, which – maybe due to of political motivation – has not been discussedpublicly in this form.

82 | Chapter 4 | Workshop – Findings


Summing up, we can say that both aspect “Interdisciplinary nature of participants”and “Mixing moderated discussion and informal conversation” ensured the work-shops success and therefore formed an integral element for gaining knowledge. Fur-thermore, it needs to be pointed out that gathering this many different experts ofvarying field has probably never been achieved before. That way, we were able toobtain a complex picture of PKI in practice, definitely showing tensions and con-flicts. Most likely, this would not have been achieved without this kind of workshop,e.g. using interviews only. For that reason, we can generally suggest the approachused for other topics of interdisciplinary nature.

4.2 Comments about results achieved so far

In the first part of the workshop the previous research results were presented. Thethree parts “Technical Outlook”, “Economic Insights” and “Operating Conditions”were outlined und discussed by the participants.

4.2.1 Comments on “Technical Outlook”

Generally, participants highlighted more than once that PKI and the application-specific combinations of components based on it are technically mature to a largeextent. Discussions are being esoteric in part and it would be better to just start off:“Everything we do is better than what we have today, namely nothing”.

In terms of investment security three aspects were put up for discussion: First theobservation that while PKI forms an infrastructure technology it has pretty longphases of implementation (planning, technical realisation, definition of policy, deci-sion on tokens, user integration, implementation of applications) and high initialinvestments. Participants acknowledged this point, especially those which success-fully implemented large PKI projects already. Technically providing long times ofuse in order for the costs to pay off, was quoted as a precondition for success. Thisincludes the demand for application environments to remain stable. Cryptographicparameters providing sufficient application security for the domain of financialtransactions and banking service was cited as an example. Likewise, it is integral topay attention to the actual time needed for a user to become accustomed to identifi-cation, authentication and signature applications in conjunction with the compul-sory handling of certificates and tokens (often staff badges).

Non-technical participants disagreed with the experiences mentioned: The marketcontrols the success of a technology, and the technology markets rate of change isgetting faster and faster. From this point of view, it is not reasonable to focus on long-term use. Based on this practical point of view, the focus on stability of cryptographicfoundation was questioned as well – at least to the extent to which this has been dis-cussed in Germany in recent years. In concrete terms: Interchangeability and long-



term key length resulting from long-term use are not considered to be appropriate.Regarding governmental applications on the other hand, needing long-term security(including not only identity documents but also documents to be digitally preservedby law, for example) this may be a reasonable and necessary criterion for the deci-sion. Still, questions of enforceability need to be considered. Planning and implemen-tation phases are much longer within the governmental domain than in companies.Therefore, requirements on standardised stable parameters of technology are muchhigher. While business applications can afford to be geared towards shorter changerates and times to pay of it is different with governmental applications. Consequent-ly, problems appear where both fields overlap, in the domain of tax law for example.The consumer market is more likely to be attributed to the business environment,since the service, used by PKI, is delivered by an economically acting business.

The topic of interoperability, which was named as a mayor requirement for success-ful PKI use, was controversially discussed as well. It was found that interoperabilitydoes not play hardly any role with single-process applications of PKI technology(meaning fields of application where the PKI used serves exactly one purpose whichis bound to a process, like with VPN (Virtual Private Network) or a software updateinfrastructure), since those can be integrated completely transparent. With multi-process applications on the other hand (meaning fields of application where compo-nents and security properties are being accessed by several processes, like emailsecurity or authentication for example) interoperability is the basic idea and neces-sary by all means, and driven by the market to a large extent. This was alreadydemonstrated by industry standards like S/MIME or SSL. Nevertheless, initial sup-port is important in order to allow for possible standardisation. One of the bestexamples is the fact that the established e-mail encryption standards PGP andS/MIME are still compatible. Regarding governmental applications on the otherhand, the international aspect of standardisations is still to be considered. The con-clusion stays the same: Standards and interoperability can not be ordered, they needto be demanded by the market.

Application integration is also market driven to a large extent. In this domain just afew standardised approaches exist by now. Still, it becomes apparent that not onlyalgorithms but implementations as well (with multi-process applications) need tobe interoperable. The digital signature is a special case: There, interoperability is notonly necessary on implementation level but on document level as well. Thisbecomes obvious with the qualified signature. Due to nationally differing regula-tions, problems of interoperability on international level emerged. Whether the goalof document interoperability can by achieved by proprietary compulsory signaturemethods is doubtful.

In the field of application integration, key management has been identified as thedomain with the highest demand: Often, key management is still seen as a propri-etary characteristic of application integration, even though – especially within busi-ness environments – the management of keys emerges to be the main problem,



even for single-process applications. According to the attendants’ point of view,development of shared keys or alternatively of parallel existing keys is to be aspired.

When considering “Security as a process” it was pointed out that there are technicalrequirements on feasibility and acceptance that need to be retained repeatedly dur-ing an application’s life-cycle. This applies to two aspects in particular (which will beaddressed more detailed when discussing the operating conditions): the technicalrealisation being transparent for the user (meaning he does not need to understandor adjust to technical constraints), and few decisions for the user or the technologytaking on trust decisions (“policy-based decision making”).

The need to establish tokens was discussed broadly based. Participants agreed onthe fact that supplementing the exclusively software-based use of certificates –even though those are better than passwords – is necessary in the near future. Phys-ical design of tokens was left open: Whether smart card in the classical chip card for-mat, within an USB-token or existing devices like mobile phones, MP3 players, cam-eras or PC boards (as a “hardware module”, Trusted Computing was not mentionedat all) or identity cards within the governmental field – shape is not considered to berelevant, neither for the general success of PKI nor for a special field of application.On the other hand, the unanimous opinion was that combination with biometricmethods cannot be avoided. They serve for unambiguous identification of persons;within the consumer and business field mainly used due to reasons of usability andconvenience though, within the governmental field due to security considerationsas well. Regarding interoperability – going with the discussion of application inte-gration – it was said that no enforcement, no regulation is needed because “the mar-ket will take care of this”. Support of tokens according to the acceptance by the con-sumer, on the other hand, is useful, since this acceptance by a critical mass can onlybe created by a tedious process. The smart card is questioned in particular again andagain, but it still finds favour – complemented by concepts of a new contact-lessinterface - within the governmental field. Regarding the discussion on interchange-ability of algorithms, it is important though that smart cards, or/and tokens, allowfor exchangeability.

Finally, security of technical components was discussed. The fact that there is a needfor transparency of system’s and component’s security was generally accepted.However, product certification, like practised with the Common Criteria, was consid-ered useful for “products being stable in the long run”. With commonly used soft-ware components like browsers for example, certification of the developing compa-ny’s processes is considered to be significantly more sensible, especially due to theassociated high effort of time and money. At the same time, process certification isnot seen as a substitute but rather as an addition.

Along the way, it was stated that new upcoming IT technologies like service-orient-ed architectures, smart items or the ubiquitous use of intelligent devices demandsnew trust models and therefore poses new challenges on PKI implementations.



Over all, we can observe that regarding technical prospects the participants arguedas follows:Y with governmental applications interchangeability of algorithms is making

sense but not with corporate applicationsY interoperability and integration of applications is driven by the market mainlyY tokens will come, but design is of no importanceY biometry will play an increasing roleY considering human and technology isolated from each other is not useful

4.2.2 Comments on “Economic Insights”

Aspects of structuring the players involved, the different stakeholders, and aspectsof economic feasibility considerations were outlined by the participants.

Players are to be divided according to the following scenarios: subject-subject, sub-ject-object and object-object (whereas subjects can be represented by natural orjuristic persons). The subject-subject category includes e-mail communication andinstant messaging but also online tax declarations. The subject-object categoryincludes web sites or “ordinary” applications used on the internet or in-house. Theobject-object category includes most system communications, e.g. financial trans-fers or credit card clearing processes or automatic processing of online orders. Theparticipants considered this characterisation to be of use. They pointed out though,that due to the trend towards service-oriented architectures the direct object-object activities are being replaced by chains of the type subject-object-object-…-object-subject more and more, where the objects in the middle of the chain do notneed to be specified at the beginning of the request. Regarding trust relationshipsand their management this raises a significant need for clarification, mayberesearch as well.

Regarding the different stakeholder (B2B, B2C, G2C, etc.) participants stated that itdoes not make sense to consider this stakeholder’s nature for PKI detached of theapplication. Not until consideration of the processes aided by PKI, a distinction isreasonable. Problem is that looking at each single process consumes a vast amountof time. At this point a discussion about infrastructure vs. process started. The prob-lem identified collectively is that PKI as an infrastructure is not process-relevantregarding potential savings (just as e-mail or network technology as well). Similarlythis applies to every technology though. Investments in technical basics, allowingfor novel processes, have always been critically regarded and had a hard time tobecome accepted. Identity management as a larger scope of PKI is subjected to thesame effect: without fundamental technology there are no new, slim processes withsaving potential, whereas the saving potential does not result for those being thedriving force of this technology. Therefore, PKI is a business process enabler (just likeservice-oriented architectures), that can be economically justified within the con-text of specific processes. If this is not possible, only “belief” in advantages through



innovative infrastructures can result in establishing a PKI. Due to increasing costorientation this principle finds less and less “followers” within companies.

Thus two possible, financially motivated argumentations for PKI, being similar innature, arise: PKI as a means of cost cutting, since it can be used to digitalise process-es for the first time (e.g. electronic invoices), or PKI as a means of increasing businessprocess efficiency, since existing processes can be speed up or standardised, mean-ing electronically representing them more elegant and with less effort (e.g. authen-tication using certificates as with business process outsourcing).

The general problem is that those being in charge of processes often do not have an ideaabout the related costs. This is the result of cost structures being attached to infrastruc-ture and system component costs in most companies. Additionally, benefits as well asrisks are hard to quantify. All in all, this results in process costs being hard to calculateand therefore savings can rarely be verified objectively. Since they are being bound tothe complexity of the company’s business model they are hardly comparable as well.Hence, we may say that PKI as an enabler of business processes demands initial invest-ments. This is why the decision makers need to be positive about the sense of PKI. Apurely economic view of process cost savings is not possible with the majority of cases.

Notwithstanding the above, we can observe that a considerable number of PKI werealready deployed; especially multi-national companies realised PKI projects in oneway or another. Often, PKI is not being used in all areas it could be. Siemens poses asa positive example; PKI is being associated with application services like authentica-tion, therefore the different departments are motivated to actually use those servic-es. Hence, despite all argument, the participants confirmed that there are a numberof successful implementations by all means.

A considerable part of the discussion was about “Return on Security Investment”(ROSI). Even though this topic is not directly relevant for PKI it does play a more andmore vital role in discussions on economic considerations of security measures.Generally the question is: what’s the goal? Limiting harm, meaning specificallyusing measures to weaken the effect of certain events, or – along the lines of aninsurance – making provisions in order to protect the status. For this reason, ROSI isnot limited to security, if anything, the questions arises for every single risk thatcould possibly threaten a company. The basic problem – with both alternatives – isthat ROSI resembles “reading tea leaves”, since calculation is always done based onthe “hypothetical harm that has been avoided”. This implicates the assumptionthough that a damaging event does not only occur with certain probability butwould (in proportion to probability) actually occur if the protective measure wouldnot be implemented – which lacks any empirical base.

If benefit cannot be expressed monetarily, we still might try to measure its quality.Now, one substantial element of PKI is the fact that “asymmetry lies in its nature”.This means that according to aspects of use it is likely – and that is what can be



observed in practice – that he who bears the effort often does not benefit directly.Considerations of PKI as an infrastructure revealed that the desired transfer of costsand benefits can not take place at infrastructural level but rather when reaching thelevel of business processes. Within a company or an organisation this works rela-tively well – within the scope of possibilities which allow for actually identifying aninfrastructure investment as benefit. With cross-company processes, on the otherhand, it is obvious that transferring costs and benefits is hard to realise. This is oneof the reasons for payment model or approaches for relocation of costs are not beingaccepted by the market – one reason for the downfall of trust centres. Therefore,there need to be other motivators for bearing the costs – and “costs” do not onlyinclude product and project costs but also soft facts like changing habits, need fortraining or loss of control. One possible motivation – which by experience does notlast long – is compliance, meaning less risk for the CEOs. Correspondingly, increasedliability for service providers could act as a motivation for using PKI as an enablingtechnology. The slow down of innovation could be an argument against this.

Additionally, the option of proving that informational security has been improvedremains. This is a broad field and right now there are no noteworthy results onhand. This is mainly due to the fact that the value of information is hard to deter-mine (strictly speaking it is not the value of information that can be determined butthe respective value of availability, integrity and confidentiality that we mightattempt to estimate) and that incidents are hard to measure by quantity and com-prehensible as well. In the end, we need the skills and experiences of insuranceexperts. The questions arises as to when those experts are able to calculate IT securi-ty, even though within the course of the workshop one representative argued thatinsurances are not interested to make an effort in this direction.

Over all, we can observe that PKI without corresponding applications is nothingmore but an infrastructure without value. The value is generated by the supportedprocesses which might be possible then. If there are no new processes to be support-ed or streamlined, PKI is not necessary. Consequently PKI can, to put it bluntly, con-tribute to ROSI calculation. First and foremost, PKI is a “business enabler”, the role asa security technology comes second.

PKI has to prove that a process will be more expensive without it. Once PKI as beenestablished though, examples show that the benefits for supporting more businessprocesses are obvious.

4.2.3 Comments on “Operating Conditions”

The third presentation held at the beginning of the proceeding referred to “everydaytruths” of PKI in use. The insights, gained from the anonymised interviews ofexperts with practical background, were divided into four thematic blocks and pre-sented accordingly: Products, project approach, use and liability. At the beginning of



the presentation one participant stated that security consists of trust and control;this assessment helps to judge some of the received comments accordingly.

Open source solutions make up a large percentage of PKI products by now, thoughindividual designs and project solutions individually integrated into businessprocess applications can be found too. First products have been already taken off themarket, most off them not being process integration components but infrastructureproducts. Ready-made products are being used rarely, thus the market is not com-moditized yet. The fact that solutions are often not being as interoperable as cus-tomers would like them to be is in line with that. This particularly applies to keymanagement. In place of common application-oriented management, customersrequire central management of all keys used within their organisation. This, by anymeans, requires interoperability of key management. In this context, the varyingregulations for use and import of cryptography – even though aimed at encryptionalgorithms rather than authentication and digital signatures – turned out to be themain obstacle. Naturally, this only applies to international companies.

Regarding the projects approach it has been repeatedly noted that PKI is no end initself and therefore needs to be subordinated to other project objectives. At thispoint it is reasonable to refer to the previous section (Chapter 4.2.2) which coversprocess-oriented considerations. Another point we consider to be of importance, isthe observation that PKI projects are rather “fragile”. By this we understand thatrequirements and conditions, which repeatedly change within the course of a proj-ect, may question this project’s success. Most problems are of political nature. Thishas been acknowledged by many participants of the workshop. Paradoxically, thetrustworthiness of processes introduced by PKI poses the main problem, since thisnew trustworthiness implies limited freedom for those involved in this process,meaning a lose of control individually perceived. The process parties are no longerable to manipulate processes according to the way they see it, even though thismight be in the interest of the company. Abstractly speaking: PKI centralises trustdecisions and ensures a designated process sequence – this being the goal intendedby the corporate management. This is hard to realise though, since it conflicts (or atleast may conflict) with the individual interests of employees. The changes, individ-ually perceived by the realisation of a PKI project, are notable accordingly.

At the beginning of the discussion on operating conditions, which we had intended tobe the main topic, stood the statement that, in general, the user cannot grasp the ben-efits of PKI use. Therefore he has no sympathy for additional actions or decisions thatare required within the scope of IT security. Consumers, as well as users within a busi-ness environment, expect the business processes they are involved with to be secure.They feel that it must not be necessary for them to contribute to the process’ security.

In order for PKI applications to be accepted, trust decisions (which the user has to makewith most current products, e.g. “Would you like to trust this certificate?”) need to besimple and transparent, meaning easy to understand within the context and lan-



guage of the according business process. No decision is to be required isolated of thebusiness process. What would it be worth anyway? We, as well, do not trust every per-son completely in all cases; trust is always related to a transaction. Due to reasons ofacceptance, the ideal situation would be that the user has to decide on nothing, andalternatives are anticipated by the trust parameters of the respective business process.

Experienced PKI project managers reported that PKI support (i.e. help desk andonsite training) requires significantly more effort than observed with other IT proj-ects. They advised not to underestimate this part of the project but it also was point-ed out repeatedly that the overall success requires having a skilled help desk staffthat does not tamper security specifications by giving wrong advice. The partici-pants verified that formal manuals like the “Certificate Practice Statement” are notused at all, “those would be for lawyers”.

The problem of acceptance was discussed in consideration of other aspects. Someclaimed that this is a “technical” problem, that is: the lack of acceptance is due tolacking maturity of technical components. Other claimed that people need to getfamiliar with technology and new trust models yet: “Acceptance takes time, on theinternet building trust is a matter of generations”.

In the end, for the user it is vital to have a subjective feeling of security, in order toadopt a business process. It does not matter if the actual security level might be low,though. The subjective feeling differs with every individual: experienced PC usershaving a distinctive security awareness might feel safer when being able to makethe trust decisions all by his or herself, whilst the average user might be scared (off)by this.

Furthermore, participants confirmed that the most serious problems regardingacceptance occur with cross-company processes. This results from trust decisionsrequired in this scenario being neither simple nor understandable. Participantsrepeatedly stated that IT managers often do not know who is to be held accountablefor IT components. In the end, thus they stated, we need to differentiate betweenthree different scenarios:

Y Mass market (online shopping, home banking, etc.): handling has to be as simpleand inexpensive as possible. Since PKI is rather complicated this might meanthat it will not be applied. At least demands on simplicity, transparency andminimal costs of PKI solutions are extraordinarily high in this domain.

Y Business environment: flexibility is the most important aspect, i.e. according tosecurity requirements, different models are to be realised and enforced, rangingfrom technology to consistent user actions. Standardisations are not given thehighest priority; isolated solutions are perfectly fine and successful. Standardisa-tion will be established following market rules.

Y Use with governmental purpose (electronic identity documents, as well as tax-relevant processes): Standardisation combined with high security and sustain-



ability is necessary. Accordingly, replaceability of algorithms, use of biometry,and preconfigured trust decisions are set to be standard practice.

Every single one of those three scenarios follows a different market drive. Therefore, it isdifficult to compare PKI applications, especially regarding to their operating conditions.

While discussing questions of liability, we agreed that qualified certificates arehardly used as of today. Regulating liability questions “a priori” is all but unrealistic;instead of that we recommend using PKI applications with different security levelsand to wait for “applied law” to come into action. The sense of the security level ofqualified certificates has never been questioned, merely the German Governmentdictating this high security level, which results in high costs for all being involved,by law has been criticised. Furthermore, the question of liability should not be posedagain, since it was already to be answered for the respective business process.

The conclusion is: We do need simple and understandable trust decisions for the user.Many tools take the easy way out and give the user a hard time. Furthermore, in orderto make PKI use a success, corporate-policy problems need to be solved at first. Weshould keep in mind though, that those problems can not be solved using technical“tricks”, even though this may result in new requirements for the technology. Theproblem is a human/sociological one and needs to be treated accordingly. When real-ising PKI projects, we recommend consulting change management experts. Qualifiedcertificates “are not worth the trouble” – at least when used within a business envi-ronment the cost-benefit-rate is unacceptable. Instead of this, we need improvedinteroperability, namely in two spots: integration of PKI with business processes, andkey management. Additionally, we need to develop further concepts for modellingsimple cross-company trust relationships, e.g. “instant workgroups”. The fact thattrust is process-oriented and that communication and business partners can not begenerally trusted needs to be considered. Tools need to reflect this.

We consider the following insight to be the most important one: Security consists oftrust and control, and if control is reduced this can only be compensated by buildingup more trust.

4.3 Results of the break-out sessions

The objective of the break-out sessions was to have the participants identifyY problems,Y conditions which are regarded to be attractive,Y and according measures that need to be implementedin a semi-formal discussion session.

Following, each group’s findings as well as the other participants’ feedback will beoutlined.



4.3.1 Green group

Identified problems:Y resulting from infrastructure costs, initial investments are neededY PKI is expensiveY and too complicated when rolled-outY killer applications/processes are lackingY accessing PKI is too complicatedY benefits are not advertised wellY implementation of PKI is neither demanded nor supportedY there is no (standard) PKI for common components

Desired situation:Y unitary standards are neededY building trust and allowing for control is neededY management decisions regarding PKI need to be made based on a company-

wide conceptY with new projects PKI is a “must”Y there are financial incentives for migrating existing applications towards PKIY “everyone possess a certificate that can be trusted”Y confidential information is encrypted and can only be access by those authorisedY low-cost access and rewarded useY simple, transparent technologyY global implementation using Bridge-CAs and ID-cards for exampleY PKI for trusted computing

Possible solutions:Y support compatibilityY promote interdisciplinary communicationY resolve organisational responsibility within companiesY PKI has to be made budget-neutral, i.e. costs and benefits are to be evenly distrib-

uted Y establish global citizen-cards or banking cards Y advance (federated) identity managementY ensure universal use and availabilityY demand global IDsY invest into trusted computing

In the plenary session the green group made the following demands:1. Those bearing the costs of a PKI infrastructure must have a share of the bene-

fit. In order to accomplish this, best practices need to be provided and – togeth-er with business economist - concepts should be developed which allow forrealising “benefit reversal”.

2. PKI use needs to be regulated, that is: when it is making economic sense, PKIuse should be made compulsory.



3. One global infrastructure using one global card is necessary. We consider gov-ernments to be responsible for providing this infrastructure interoperably.

4.3.2 Red group

Identified problems:Y users consider current solutions to be sufficient,Y global interoperability is lacking,Y potential users lack trust in the technology,Y value added by PKI can not be measured (there is no method for measuring or

valuation that provides a basis for convincing decision makers that PKI paysoff),

Y working PKI solutions are often isolated solutions which do not push ubiquitousimplementation,

Y existing systems prevent the spread of PKI,Y the topic is strongly politicised, therefore, a variety of groups have a voice in it,Y not enough normative enforcement (law),Y more security costs more money, but there is no perceivable benefit; security is

intangible,Y ROI as a method of assessment is difficult, or rather not suitable.

Desired conditions:Y PKI as an insurance benefit,Y PKI including service and maintenance offers,Y well-defined, comparable methods of assessment,Y a comprehensive framework (PKI that proved itself with one company should be

provided for others as well, therefore establishing a working infrastructure),Y PKI needs to be a technical resource (nothing more, nothing less),Y Interdisciplinary discussion, in order to set up a reasonable business model

(including technicians, economists and social scientists),Y support bridge scenarios (create cross-boundary trust),Y establish service-oriented architectures,Y turn PKI into an automatic and invisible technology,Y no change to the decision making processes.

Solutions discussed:Y With PKI the focus should not be on infrastructure but on integration and inter-

operability,Y replace existing solutions step by step or integrate them with PKI,Y global identity card (issued by authorities, not by companies),Y regulation of applications (laws),Y create and increase demand,Y create standards and laws for standardisation,Y raise users’ awareness (examples: best practice forum, training).



The following three demands/suggestions were presented in the plenary discussion:1. Trust and security are always to bring in context. This implies adopting a

process-oriented view on PKI.2. Distinguish internal and external view. This goes with the comment that PKI

used in different scenarios can not be compared.3. The focus should be on integration in applications.

4.3.3 Blue group

The following problems were identified:Y lack of simple usabilityY lack of simple, integrated administration functionality, especially within busi-

ness environmentsY lack of flexibility when usedY to many isolated solutions in the consumer fieldY initial costs of PKI are too highY user acceptance is too lowY due to the signature law the market expects too much (or features PKI can not

provide)Y lack of knowledge about cost structures within the field of PKI

Desired conditions:Y institutional standardsY transparency of costs and benefits of PKIY PKI being an established enabling technologyY PKI being perceived positively in publicY calls for tenders containing PKI as on requirementY those investing in PKI are being rewardedY there is a visible benefit of PKI, in the field of business as well as in the consumer field

Possible solutions:Y development of further standardsY best practice sharing between companies, in order to take away “the fear of PKI”Y the amount of costs and benefits of PKI has to be determinedY usability has to be improved by technical innovationsY equalise international standardsY law has to demand standardisations, in order to encourage interoperability,

however, overregulation should be avoided

The following theses were presented in the plenary discussion:1. Creation of demand: by application-oriented research, and governmental sup-

port and incentives, like advantages for customers which use secure onlinebanking; support of PKI users (similar to tax relief with cars producing lessemissions).



2. Development of standards: launching quality seals; maybe demand standardi-sation by establishing corresponding laws.

3. Increasing awareness: of all users, interdisciplinary (training, best practice)

4.3.4 Conclusion

The groups offered rather different recommendations: ranging from drastic ones,like demand of PKI by law, to common, soft measures like raising awareness orimproving training. All had two things in common, a prevailing optimistic moodand the underlying assumption that the value of PKI can not be raised unless helpfor the kick-off is available.

During the presentations of the groups’ findings and during the final discussion, itwas pointed out once more that within a business environment the application,that is the process, is the focus and that PKI is one way of accomplishing security.Furthermore: PKI does not deal with security until the features are used within abusiness processes - prior to that it is nothing but an infrastructure.

PKI technology has to prove itself against other possible methods. This is differentwithin governmental context: here it should be demanded that there are no identitycards without PKI integration. With cross-company processes we observed that inte-gration can be rather problematically when companies are competitors. However, par-ticipants stated that security should not be an aspect promoting competition amongthe companies but among solutions and electronic business processes. Hence, compa-nies should be supported in choosing secure processes which offer PKI features.

4.4 Results of the workshop

The workshop was a success for sure. Many assumptions were confirmed and inter-esting aspects were put in a new perspective. It was interesting to see that there areconflicting opinions on many topics, especially regarding the question “how muchsupport does PKI need/should PKI get”. Contribution of non-PKI-experts was inspir-ing in particular, since they viewed the whole PKI discussion within a larger con-text. For us, the outcome of this is that PKI should be taken out of the experts’ sphereand regarded within a broader context.

We will summarise once more:

4.4.1 Technology

One of the main findings is that PKI technology is no end in itself but needs somecontext in order to be of use. PKI is a process enabler, allows for new or existingprocesses to be electronically represented. Interoperability amongst PK infrastruc-



tures has been overrated, it is more important to make it easier to integrate PKI withapplications and processes and to develop according standards. Interfaces for access-ing PKI functions out of applications exist (e.g. PKCS [Public Key Cryptography Stan-dards]), however, mapping to trust decisions within the respective application did notwork out in most cases. Only now, 10 years after globally introducing SSL with web-servers and browsers, it is possible to identify a website’s trustworthiness directlywithin the browser, for instance (Extended Validation Certificates). This statement ofa participant is interesting and note-worthy: “we should consider PKI as public keyintegration, not public key infrastructure – that is the actual challenge”.

In the near future, use of tokens of different types and designs will become accept-ed. Design aspects and thus vendor structure will be regulated by the market. In par-ticular, we expect that the token question will be resolved by ubiquitous PKI integra-tion with applications and therefore by the actual use.

Assessment of usability and user interface heads for the same direction: weobserved that too many trust decisions are to be made by the user; outside of theprocess/application context as of today. This asks too much of him and additionallymakes him feel like he cannot handle the technology. This results from PKI develop-ers often not having enough understanding of the processes as well as not beingwilling to integrate PKI with applications. Regarding user interfaces, it is assumedthat that a trust decision has to be made or not, just like in real “non-technical” life,based on a certain activity and/or process. Therefore we see the definite need forbringing together PKI technologists and process designers. Both parties would clear-ly benefit of a dialog like that: processes would be more secure and easier to under-stand, and PKI would be integrated with applications.

In the near future, managing a large number of keys and certificates will become achallenge for IT officers (as well as the home user) – similar to managing passwords.Therefore, we need an approach for interoperability of key management functions,so as to enable central managing tool – as well as consumer-oriented applications(e.g. Project Higgins, “InfoCard”) – to manage keys and certificates of any applica-tion. This does not mean to cover trust management using these tools. Quite thecontrary: Use and purpose of keys/certificates should be assigned freely dependingon the application they are used for.

4.4.2 Economic aspects

PKI is based on asymmetric cryptography – it is within the nature of this technologythat costs and benefits are unequally shared. Adjusting those imbalances is difficult(if it was that easy, according business model would already exist) but in order forPKI to be successful it is necessary that those who are bearing the costs do gain abenefit. Vice versa, those who gain the benefits should bear the costs as well or atleast have a share in them.



In the course of the workshop, we noticed that a cost-benefit analysis only makessense within the context of the according business processes. Using today’s means itis hard to calculate such costs, thus a strict ROI calculation of PKI is like “reading tealeaves”. In order to calculate the benefit of PKI more accurately we need to makecosts and benefits of business processes easier to measure, especially with regardsto those processes’ trust elements. Two different views exist: the company-internalview (progress optimisation) and the external view (customer requirements, laws,etc.). Regarding the internal view, PKI, like every other infrastructure technology,needs to justify the necessary investments by saving costs, e.g. omission of control.Regarding the external view, PKI might be interesting for rationalisation by self-service, as with authentication. Again, the question is: who is bearing the costs andwho is benefiting.

Another important insight is the fact that requirements and success criteria for PKIare different with each of the three scenarios. Therefore, the general operating con-ditions can only be compared partially. Especially, realising new business models byapplying technologies/processes to another scenario seems to be extremely diffi-cult. As an example, regarding the consumer or business market, qualified certifi-cates are not an option, however it is different with governmental processes (e.g.court documents and electronic papers). Another example refers to interchangeabil-ity of cryptographic algorithms: regarding identity documents, this could pay off(given that it is supported by cryptographic hardware), but it does not with commonbusiness applications (like VPN technology, even though industry standards willprovide for investment-secure algorithms).

4.4.3 Socio-scientific aspects

Security consists of trust and control – this is one of the main insights of this work-shop. Pushing this further, we could say: trust results from experience and the will-ingness to communicate positive experiences to a certain extent. As long as theyhave not made bad experiences, i.e. have not felt fear within a specific context, peo-ple feel safe. When they are afraid, they try to retain control in order to eliminate thereasons for this feeling. This is not the best starting point for (re)building trust.

However, this is what PKI projects are intended to do. The average user has probablynot had any negative experiences with the internet by now. Spam, viruses, anddialers are annoying but no reason to invest in security. The user has faith in thetechnology and thinks: “Everything will be fine”. As soon as he has been deceived oneBay or his bank account has been emptied out, he will try to obtain control. Whenhe does not succeed, he might not use the technology again. Now there are PKIexperts stating: “use digital signatures and you can trust again”.

This may be a bit exaggerated but it illustrates the problem quite well. In particular,it points out the reason why PKI has not been adopted that well (just like many



other preventive security measures): the acting people are still “free of fear” andhave no need for protection!

We think it is necessary to approach this topic in a more structured way. This callsfor an interdisciplinary approach. We need a better understanding of trust buildingmechanisms in the context of interaction, meaning processes, before we can expectthose acting to trust the technology. Separating the three layers technology, process,and trust, would be an important initial step. Detaching and separating those layers,which are often intermingled and strongly interweaved, would provide deeperinsight, not only with PKI implementers.

4.4.4 The Government’s role

Government’s role was discussed controversially, and the suggestions offered differ-ent approaches as well: ranging from making qualified certificates compulsory tosupporting best practices. Regarding the question of how to generate demand,involvement of the Government was considered to be a primary criterion.

Resulting from our own experiences and the result of the workshop, we are of thefollowing opinion: Government has its own interest in this field – those should berealised and funded by the Government. A citizen card, if intended to support gov-ernmental applications, can only be issued by the Government. We cannot fall backon the industry, since this has its own (industrial) requirements. In order to supportthe use any further, Government needs to support standardisation and interoper-ability within the scope of industrial politics. By doing so, markets become penetra-ble and export is strengthened. Aside from governmental use, the Governmentshould not be allowed to regulate the market and favour specific technologies.Therefore, we advocate further support of standardisation and interoperability, e.g.within the limits of introducing a citizen card (as with the electronic ID card). Thiscard should be as globally interoperable as possible, however, personality rightsneed to be respected (e.g. no introduction of a personal identification number (PKZ)through the “back door”). We advise against passing the regulation issues on the pri-vate industry or the consumer. This would lessen the innovation potential of thetechnology market and create artificial barriers. We would appreciate a quality sealor similar certificates for supporting positive perception.



5.

Recommendations

PKI provides important infrastructural elements for applications that use crypto-graphic protocols. When using asymmetric cryptography those elements are essen-tial for authentication, assurance of information integrity, signing and encryptingtransactions. Hence availability, level of utilisation and acceptance of PKI providereliable information on the pervasiveness of cryptography in applications andtherefore on information security in open networks. One major goal with this proj-ect is to identify possible further development, need for support or simply practicaladvice, which helps to spread PKI, or rather to identify obstacles and phrase sugges-tions how to eliminate them.

In the following we will recapitulate the most import findings for the domains oftechnology, business economics and practical application. Building on that, we willoutline suggestions for possible further development and research projects, but alsoprovide clearly-defined advice for successful PKI implementations.

5.1 Technology

The most important findings concerning technology are as follows:

Y There are enough technical solutions available on the market. Evaluating thetechnology in regard to applications is only useful if socio-scientific and econom-ical aspects are being considered as well.

Chapter 5 | Recommendations | 99


100 | Chapter 5 | Recommendations

Y Interoperability and integration of applications are mainly driven by the market;the problem arising in this context is solved by working with closed user groups(in companies and governmental agencies) mainly.

Y The tendency of supplementing PKI with personalised hardware token sustains.In doing so smart cards will be supplemented by other tokens in future. The formaspect does not matter; biometry will be adopted increasingly.

Y Exchanging cryptographic algorithms and parameters is extremely complex.Interchangeability of algorithms is useful when it comes to governmental appli-cations but not within a business environment.

Y Basing PKI on compulsory security levels (like the qualified signature) makes ithard for cryptographic applications to spread, even in official environments. Itdoes make sense to implement them here, though.

From our point of view the following suggestions result for the technical domain.

Interchangeability of cryptographic algorithmsIn order to ensure long-lasting success of PKI in a governmental environment withlong-term innovation cycles, concepts for the easy replacement of algorithms incryptographic libraries and common protocols are needed. Based on an examinationof the circumstances currently given, the necessary actions could be deduced, e.g.why do current applications and protocols not support the modularity necessary.Interoperability of hardware-embedded algorithms, as with tokens and smart cards,is necessary in particular. Substantial initial investments are needed for this pur-pose, especially for research and development.

Trusted Platform Module (TPM) with smart card enhancementThe combination of TPM for identification and for verification of the configurativeintegrity of devices and system components and personalised tokens (e.g. smartcards) will be useful since, amongst others, privacy protection demands that separa-tion of personal data and data processor should be possible, e.g. in the area of mobilecomputing (PDA, mobile telephone). Personal data is stored in a protected storagearea of the smart card for example, accessible by no-one but the user itself. The proj-ects currently undertaken should be supported further on.

Analysis of other form aspectsBeside smart cards and TPM further constructional alternatives for tokens (mobiletelephones, PDAs, MP3 players, digital cameras, RFID aided documents of identi-fication, etc) shall be analysed.

Long-term security of hash algorithmsCurrent hash algorithms offer security for a short period of time only. Long-termsecurity is needed on the other hand – at least in an official environment. In aninternational context this problem can only be solved by designing and testingnew hash algorithms within the global ‘crypto experts community’. Under leader-ship of NIST (USA) an according contest has been started. Regarding their coopera-


tion with NIST German crypto expert teams should be supported.

Methods for accessing cryptographic keysComparing practical security of biometric and password based methods for safe-guarding cryptographic keys has not been finalised yet. Therefore we suggest con-ducting comparative interdisciplinary research with detailed evaluation, consider-ing not only technical but socio-scientific factor (perception and acceptance) as well.

Integrating PKI in applications/service-oriented architecturesIntegration of applications is being solved within the specific projects in most casesand not standardised sufficiently. How this could be implemented better than cur-rently done remains to be answered. How can experiences with flexible trust mod-els be widened, for example? One approach, being particularly important from ourpoint of view, is the support of framework development, in order to enable standard-ised methods related to practice. This could be rendered more precisely by means ofa research project on “PKI in service-oriented architectures” for example.

Interoperability of PKI applicationsWe suggest supporting those vendors which are paying attention to interoperabili-ty. In this regard it should be pointed out that proprietary isolated applicationsshould not be used in official environments.

Interoperability of key managementNowadays applications tend to manage keys and trust relationships internally. Inprivate and business environments this involves increasingly more work for users,respectively administrators. Thus it is imperative to standardise management func-tions for cryptographic keys. In order to support PKI further on, particular attentionshould be paid to alternative initiatives of standardising credentials (e.g. project“Higgins” [IBM], CardSpace [Microsoft]) currently highly funded.

Simplifying crypto-rulesOn behalf of the German crypto-business the suggestion is to simplify import andexport regulations by international agreements accordingly.

More flexible security levels for applicationsAll applications should feature robustness and high performance, but above all rea-sonable security concepts. In the current market situation it is not clear whichresponsibility is to be attributed to the respective vendor. This process could be sup-ported by evaluating specific security measures, either by self-declaration of ven-dors or by auditing institutions. It would be necessary to develop according criteriaand procedures for evaluation. Furthermore the effects of liability rules, technicalregulations, standards and certificates on the market should be analysed.

Advancement of the Common CriteriaThe Common Criteria are rather static, that is they allow testing of security within a



specified environment. As of today, changes to the environment are not “allowed” –at least not without questioning the certification. Still it would be useful to do exact-ly that, for the environment may change depending on the specific business processand therefore demand different requirements.

Questions to be answered with fundamental research Quantum cryptography is being seen as the one aspect causing the relevancy of PKIto practice to be rather limited on a long-term basis. In this context a series of ques-tions remain:

Y There is no statement if “enough” quantum computers could be produced at all, towhat extent they will function in the planned way and when to expect the firstone. Realistic evaluation of the “threat” quantum computers may pose on crypto-graphic algorithms and PKI is not possible or useful until that point of time.

Y On the other hand, how secure will the quantum cryptographic methods, beingamong potential alternatives to PKI, be? Currently there is little information onthe level of security they will actually deliver.

Y Quantum computers and quantum algorithms demand the ubiquitous deploy-ment of quantum channels. The current channels, like wired channels and elec-tro-magnetic waves can not be used anymore. How realistic – especially underconsideration of investments – is the setup of an infrastructure like that?

Y So far it is assumed that only classical cryptographic algorithms are ‘threatenedby quantum computers’. It needs to be determined to what extent lattice-basedor similar cryptographic systems will be affected too.

In addition to quantum cryptography we suggest evaluating the possibilities andboundaries of DNA computing as well.

5.2 Economics

The most important findings concerning economics are the following:

Y Examining PKI solutions regarding costs is useful only when considering thebusiness process layer as well, which demands detailed knowledge. Develop-ments in the domain of SOA reinforce this need.

Y Regarding PKI calculation the ROSI is not useful: On the one hand determinationof possible damage is not realistic enough, on the other hand the schemes usedfor calculation have not matured yet.

Y PKI applications exhibit different criteria and operating conditions, dependingon the setting (governmental/official, business, customer-oriented). Hence actu-al comparability is not given and solutions for one setting can not be applied toanother one.

Y Regarding cross-company processes costs and benefits can not be allocated even-ly without providing incentives and defining methods for allocation.



The following suggestions are directed at this area:

Convert user benefits into business models Business models for private use of PKI are hard to create because of asymmetriccosts. It is obvious that the potential benefit for the user has to be high enough toaccept possible costs. Which applications, respectively combinations of applica-tions, are needed in order to allow for charging to be possible? This needs to beexamined further.

Security as an implicit part of business process modellingUnderstanding security-based processes is of importance at management level too;on that account security has to become an implicit part of business process model-ling/engineering. For this to be achieved it needs to be examined – e.g. in pilot proj-ects – which methodical approaches are available respectively need to be developedin order to be able to include security requirements in the task of modelling busi-ness processes.

Selected core processes as enablersConsidering all processes and costs involved is too complex and expensive whenmodelling key figures. Core processes, which could be “enabled” by PKI, need to beselected. For this purpose the persons in charge for the respective processes need toknow the security requirements to be met. The obvious procedure would be tochoose core processes, formulate the requirements in form of “best practices” andpublish them.

Transparency of infrastructure investmentsAt this time lacking information about the respective process costs allow for infra-structure investments only. That being the case it is difficult to recognise the“enabling” function of PKI. One needs to be fully aware that there are benefits forbusiness processes in principle, which take effect after a delay in time though.

The ratio of costs and benefits needs to be made clear because of infrastructureinvestments costs arising somewhere else. The bearer of the costs needs to get somekind of share of the benefit, if only to justify the investment. Accordingly it is to beexamined which incentives and methods for allocation could be defined and provid-ed in order to even out the costs and benefits.

Necessity of combined methods for cost examinationKey figure systems like ROI/ROSI or NVP currently used for investment decisionsdo not represent the situation in its entirety. Often they lead to negative results,which would forbid investing. Using combined methods costs can be examined inmore detail, making for valid results. Accepted methods shall be used mainly, e.g.ROSI including TCO combined with NPV combined with Balanced Scorecards.Costs at the business process level are difficult to calculate though, e.g. if processcosts are unknown. Therefore a project examining practicability and effectivity of



different combinations of methods for evaluation security investments would beuseful.

Application of the Pareto principleAs a matter of principle calculating the ROI is estimation at best. Usually it isimpossible to consider all relevant data. Therefore we suggest using the Paretoprinciple when collecting the data needed. Accordingly 20% of the costs assignableto main components typically generate 80% of the benefit. Detecting those 20%may be difficult in particular cases and should be generalised based on experience.We would therefore suggest compiling relevant data for IT security projects by wayof a study.

Killer application electronic health cardCommon opinion is that PKI use will be widely accepted once the electronic healthcard comes into operation. We suggest conducting an accompanying (long-term)study in order to analyse this very claim.

5.3 Operating conditions

The main conclusions concerning use of PKI are as following:

Y Socio-scientific consideration of PKI has been neglected so far.Y Automation of business processes often leads to an individual feeling of loss of

control, compensable only by putting more trust in the employee.Y Trust decision should be integrated in the corresponding process. If the user needs

to decide on something within the process it should be reasonable and clear.Y When realising PKI projects change management experts should be consulted.

Regarding the next steps we consider the following suggestions to be of relevancy:

Mutual dependency of technology, economic aspects and aspects of useTechnology, economic aspects and socio-scientific aspects in the domain of PKIshould be analysed systematically with the objective of developing criteria andoptions being useful for improving the development of trust of electronic businesstransactions.

Best practices for deploymentWhen implementing PKI, one should not try to support as many applications as pos-sible by all means, but by integrating them step by step using pilot applications.Support for handling internal political conflicts should be developed, accounting forthe hierarchic structure of PKI in particular.

We consider publishing best as well as worst practice examples to be particularlyappropriate to achieve this. Due to non-existent respectively less competition, gov-



ernment agencies and other public institutions could publish detailed reports ofsuccessful and failed PKI projects. Providing motivation for companies to publishsuch reports as well should still be attempted.

Awareness Within the context of this project the question comes up, what can be said for theawareness regarding generation of trust and trust decisions especially with internetapplications? At the same time an according survey could be aimed at showing howtrust is generated and how awareness inducing measures should be designed inorder for the user to accept them and put them into action. In our opinion tradition-al training is not necessarily the best way because the things learned will be forgot-ten soon. Instead we fancy measures, inducing awareness by permanent contact orenhancing it at least.

Lacking flexibilityReasons for PKI lacking flexibility, especially within the realisation phase, and howto improve this point should be analysed.

Simple trust decisionsPKI applications should not ask the user for decisions on trust matters being thatthey are too complex, obscure or incomprehensible. Decisions should be askedregarding where the user would expect them to be. In this respect solutions arerequired which were designed with comprehension of practical aspects and there-fore do not need to fall back on hard to enforce organisational directives, in order tostick to the trust model of PKI implementations. According criteria for success ofdesigning PKI application integration should be surveyed.

Experiment in order to emphasise the benefits of PKI Types of cross-company trust models being less complex (“instant workgroups”)should be examined.

No certificate practice statementsInstead of modelling trust requirements in a certificate practice statements it ismore important to document in which way the targeted process could be secured byimplementing PKI. A useful framework (proposals) for writing such documentationshould be developed.

Technical requirements should be kept outside lawsExperiences with the digital signature demonstrated that technical requirementsfor certain procedures should not be regulated using laws but rather within direc-tives. In order to gain experiences and take advantage of possible options we consid-er it to be of particular importance to allow for pragmatic approaches, if not evensupporting them – at least for a transitional period. By these means many problemsregarding coordination and enforcement within the political environment respec-tively administrative authorities could probably be avoided.



5.4 Further research

In future, PKI needs to be regarded within the contradictory context of technology,economy and social science – only then it will prove to be a successful enabling tech-nology. Following, some ideas (partly by participants of the workshop) for nextsteps:

Other industries, being highly standardised, should be referred to, in order to findout why it was possible to implement more standards and how to possibly adoptthis in a PKI environment.

Using simulation and scenario planning, different cases should be examined andthe breakdown into scenarios should be refined in order to provide industry andadministration with better and more comprehensible decision criteria for or againstPKI. Aspects, needed to be considered are: Users requirements as well as use casesand different industry line specifications.

Overall, during internal and external discussion the question came up as to whatextent our findings can be applied to PKI exclusively or to general aspects of IT secu-rity as well. We believe many of problems addressed (like the discussion on ROSI) tobe relevant for a broader discussion on IT security. Additionally the findings couldserve as input for the next IT summit.



6.

Bibliography

All hyperlinks were successfully tested for availability August 6, 2007.

[Albrecht 2001] Albrecht, A.; Probst, T.: Bedeutung der politischen undrechtlichen Rahmenbedingungen für biometrische Identi-fikationssysteme. Behrens, M.; Roth, R. (Hrsg.): BiometrischeIdentifikation: Grundlagen, Verfahren, Perspektiven,Vieweg Verlag Wiesbaden, 2001, pp. 27–54.

[Bang 2006] Bang, Y.; Kang, Y.; Lee, G.: CC-SEMS: A CC Based InformationSystem Security Evaluation Mangagement System. Don-garra, J.; Madsen, K.;Wasniewski, J. (Ed.): Applied ParallelComputing, 7th International Conference (PARA 2004), Lyn-gby, Denmark, June 20–23, 2004. Revised Selected Papers;Springer-Verlag Berlin Heidelberg, 2006, pp. 964–973.

[Bakdi 2006] Bakdi, I.: Towards a Secure and Practical MultifunctionalSmart Card. [Domingo 2006], pp. 16–31.

[Beilschmidt 2007] Beilschmidt, A.: Geschäftsmodelle für die European Bridge-CA; TeleTrusT Deutschland e.V.; 2007.

[Berinato 2002] Berinato, S.: Finally, a Return on Security Spending. CIOAustralia; April 8, 2002.http://www.cio.com.au/index.php?id=557330171

Chapter 6 | Bibliography | 107


[Bernhard 2000] Bernhard, M.: Balanced Scorecard in der IT – Den Nutzen fürdas Unternehmen darstellen. Bernhard, M.; Hoffschröer, S.:Report Balanced Scorecard – Strategien umsetzen, Prozessesteuern, Kennzahlensysteme entwickeln; 3. überarbeiteteAuflage; Symposion Publishing; 2003.

[Beutelspacher 2006] Beutelspacher, A.; Schwenk, J.; Wolfenstetter, K.: ModerneVerfahren der Kryptographie: Von RSA zu Zero-Knowledge;Vieweg Verlag Wiesbaden; 2006.

[Beutelspacher 2007] Telephone interview with Prof. Dr. Albrecht Beutelspacher,Professor for Geometry and Discrete Mathematics at theMathematical Institute, Universität Gießen; January 22, 2007.

[BioFinger 2004] BSI Studie: Evaluierung biometrischer Systeme Fingerab-drucktechnologien – BioFinger, Technical Report; BSI; 2004.

[BioTrusT 2002] BioTrusT, Ein interdisziplinäres Projekt zur Förderung bio-metrischer Identifizierungsverfahren; CD Abschlussbericht;September 2002.

[Boneh 1995] Boneh, D.; Dunworth, C.; Lipton, R. J.: Breaking DES Using aMolecular Computer, Technical Report CS-TR-489-95, Prince-ton University, 1995.

[Boneh 1996] Boneh, D.; Dunworth, C.; Lipton, R. J.; Sgall, J.: On the Compu-tational Power of DNA. Journal DAMTH: Discrete AppliedMathematics and Combinatorial Operations Research andComputer Science, Volume 71, 1996.

[Bong 2005] Bong, D.; De Swaart, J.: ROBIN, a Biometrics-based SecurityEnvironment at the Dutch Court Organization. Paulus,S.;Pohlmann, N.; Reimer, H. (Hrsg.): ISSE 2005 – Securing Elec-tronic Business Processes: Highlights of the Information Secu-rity Solutions Europe 2005 Conference, Budapest, Hungary,September 27 – 29, Vieweg Verlag Wiesbaden, 2005, pp.201–209.

[Booker 2006] Booker, R.: Re-engineering enterprise security. Computers &Security 25; 2006, pp.13–17.

[Brands 2005] Brands, G.: IT-Sicherheitsmanagement; Springer; 2005.

[Brassard 1996] Brassard, G.; Crepeau, C.: 25 years of quantum cryptography;SIGACT News 27 (3); 1996, pp. 13–24.

108 | Chapter 6 | Bibliography


[Braz 2006] Braz, C.; Robert, J.–M.: Security and Usability: The Case of theUser Authentication Methods. 18th Francophone Conferenceon Human Computer Interaction (IHM ‘06); Montreal; April18-2, 2006.

[Brink 2002] Brink, D.: PKI and Financial Return on Investment;Whitepaper; PKI Forum; August 2002.

[BSI 2006a] AIS 20: Funktionalitätsklassen und Evaluationsmethodolo-gie für deterministische Zufallszahlengeneratoren, Version1, 2 December 99, samt mathematisch-technischem Anhang(Version 2.0, December 2, 99).http://www.bsi.bund.de/zertifiz/zert/interpr/aisitsec.htm

[BSI 2006b] Statement of the BSI about the TC initiative.http://www.bsi.de/sichere_plattformen/trustcomp/stellung/palladium.htm

[Buchmann 2006a] Buchmann, J.; May, A.; Vollmer, U.: Privacy and security in high-ly dynamic systems: Perspectives for cryptographic longtermsecurity. Communications of the ACM 49 (9); 2006, pp. 50–55.

[Buchmann 2006b] Telephone interview with Prof. Dr. Johannes Buchmann,Professor for Computer Science and Mathematics, TechnischeUniversität Darmstadt; December 5, 2006.

[Bundesnetzagentur Algorithmenkatalog 2006] Bundesnetzagentur (für Elektrizität, Gas, Telekommunika-tion, Post und Eisenbahnen). Bekanntmachung zur elektro-nischen Signatur nach dem Signaturgesetz und der Sig-naturverordnung (Übersicht über geeignete Algorithmen)vom 02. Januar 2006, Bundesanzeiger Nr. 58 vom23.03.2006 (March 23, 2006), pp. 1913–1915.http://www.t-systems-zert.com/pdf/bas_03_kri/alg2006.pdf

[Busch 2006] Telephone interview with Prof. Dr. Christoph Busch; Profes-sor at the Hochschule Darmstadt – University of AppliedSciences, December 6, 2006.

[Calmels 2006] Calmels, B.; Canard, S.; Girault, M. & Silbert, H.: Low-CostCryptography for Privacy in RFID Systems. [Domingo 2006],pp. 237–251.

[Cardholm 2006] Telephone interview with LL.M. Lucas Cardholm, DirektorErnst & Young Sweden; December 15, 2006.



[Chandra 2005] Chandra, A.; Calderon, T.: Challenges and constraints to thediffusion of biometrics in information systems. Communi-cations of the ACM 48 (12), 2005, pp. 101–106.

[Clarke 2001] Clarke, R.: The Fundamental Inadequacies of ConventionalPublic Key Infrastructure. Proceedings of the 9th EuropeanConference on Information Systems (ECIS 2001), Bled, Slove-nia, June 27–29, 2001.http://www.anu.edu.au/people/Roger.Clarke/II/ECIS2001.html

[Dobbertin 1996] Dobbertin, H.: Cryptoanalysis of MD4. Proceedings of the 3rdWorkshop on Fast Software Encryption;Cambridge, UK; Feb-ruary 21–23, 1996; Lecture Notes in Computer Science; Bd.1039; pp. 53–70, Berlin, Springer, 1996.

[Domingo 2006] Domingo-Ferrer, J.; Posegga, J.; Schreckling, D. (Ed.): SmartCard Research and Advanced Applications; 7th IFIP WG8.8/11.2 International Conference (CARDIS 2006), Tarragona,Spain, April 19–21, 2006. Proceedings (Lecture Notes in Com-puter Science); 2006.

[Donnerhacke 1999] Donnerhacke, L.: Anonyme Biometrie. Datenschutz undDatensicherheit 23 (3) 1999, pp. 151–154.

[Eckert 2006] Eckert, C.: IT-Sicherheit : Konzepte, Verfahren, Protokolle; 4.Auflage, Oldenbourg, 2006.

[Elsener 2005] Elsener, M.: Kostenmanagement in der IT: Leis-tungssteigerung und Kostenoptimierung; Bonn: mitp Ver-lag; 2005.

[Flexiprovider 2006] Technical description of the Flexiprovider toolkit for theJava Cryptography Architecture (JCA/JCE).http://www.flexiprovider.de

[Gadatsch 2006] Gadatsch, A.; Uebelacker, H.: Wirtschaftlichkeitsbetrachtun-gen für IT-Security-Projekte. [Mörike 2006]; pp. 44–50.

[Gaude 2007] Gaude, M.; Pernul, G.: Die Rolle der Public Key Infrastrukturund der elektronischen Signatur in Geschäftsprozessen.Nutzenpotenzial – Schwächen – Zukünftige Entwicklungund Verbreitung; Delphi-Studie; Sindelfingen; 2007.

[Gawlas 2005] Gawlas, F.; Meister, G.: Interaktionen TPM und Smart Card.Datenschutz und Datensicherheit 29 (9) 2005; pp. 517 ff.



[Graevenitz 2006] von Graevenitz, G.: Erfolgskriterien und Absatzchancenbiometrischer Identifikationsverfahren; Lit Verlag; 2006.

[Giessmann 2006] Telephone interview with Prof. Dr. Ernst-Günter Giess-mann, Professor for Algorithms and Complexity at theHumboldt Universität Berlin; December 11, 2006.

[Hammer 2001] Hammer, V.; Petersen, H.: Aspekte der Cross-Zertifizierung;SecuMedia Verlags GmbH; 2001.http://www.kes.info/archiv/material/bsikongress2001/01-05-52.htm

[Hanusch 1995] Hanusch, H.; Kuhn, T. (Hrsg.): Kosten-Nutzen-Untersuchun-gen. Akademie für Raumforschung und Landeplanung.Handwörterbuch der Raumordnung; pp. 555–559; Hannover;1995.

[Hilton 2007] Telephone interview with Jeremy Hilton, Lecturer at theCardiff University UK; January 11, 2007.

[Hirschmeier 2005] Hirschmeier, M.: Wirtschaftlichkeitsanalysen für IT-Investitionen; WiKu-Verlag; Berlin; 2005.

[ID Quantique 2007] Company’s website.http://www.idquantique.com

[Jueneman 1998] Jueneman, R.; Robertson, R.: Biometrics and digital signa-tures in electronic commerce. Jurimetrics Journal of Law,Science and Technology 38 (3), 1998, pp. 427–458.

[Kaplan 1997] Kaplan, R.; Norton, D.: Balanced Scorecard. Strategien erfol-greich umsetzen; Schäffer-Poeschel Verlag; Stuttgart; 1997.

[Kirsch 2001] Kirsch, C.: S/MIME vs. OpenPGP: Eine Entscheidungshilfe.KES 1, SecuMedia Verlags GmbH, 2001, pp. 60 ff.http//www.kes.info/_archiv/_onlinearch/01-01-60-SMIMEvsOpenPGP.htm

[Krause 2005] Krause, R.: Bewertungskriterien für biometrische Identi-fikationssysteme im Vergleich zu bisherigen Identifika-tionsverfahren, Hochschulschrift, Freiburg (Breisgau), 2005.

[Kuppinger 2006a] Telephone interview with Martin Kuppinger, Senior Part-ner Kuppinger Cole + Partner; December 28, 2006.



[Kuppinger 2006b] Kuppinger, M.: SOA ohne IAM: geht nicht! InfoWeek 19/2006.http://www.infoweek.ch/archive/ar_single.cfm?ar_id=18007&ar_subid=2

[Kuppinger 2007] Kuppinger, M.; Cole, T.: Nur noch ein Passwort – Die richtigeSingle sign-on-Strategie. SearchSecurity.de, April 5, 2007.http://www.searchsecurity.de/themenkanaele/applika-tionssicherheit/websicherheit/webservicessoa/articles/62644/

[Lareau 2002] Lareau, P.: PKI Basics – A Business Perspective; PKI ForumBusiness Working Group; April 2002.

[Leitold 2006] Telephone interview with Herbert Leitold, A-SIT Zentrumfür sichere Informationstechnologie Graz; December 28,2006.

[Losemann 2005] Losemann, F.: Zertifikatsmanagement für große Organisa-tionen; Books on Demand GmbH; April 2005.

[Lubich 2006] Lubich, H. P.: IT-Sicherheit: Systematik, aktuelle Problemeund Kosten-Nutzen-Betrachtungen. [Mörike 2006]; pp. 6–15.

[Microsoft 2005] Signieren von Treibern für Windows; Microsoft Corp.; Janu-ary 21, 2005.http://www.microsoft.com/technet/prodtechnol/win-dowsserver2003/de/ library/ServerHelp/f211560e-ed86-4821-97ba-fcfdd525a842.mspx

[Mörike 2006] Mörike, M.; Teufel, S. (Hrsg.): Kosten & Nutzen von IT-Sicherheit; HMD – Praxis der Wirtschaftsinformatik; Heft248; April 2006.

[Nash 2001] Nash, A.; Duane, W.; Joseph, C.: PKI, e-security implemen-tieren; mitp; 2001.

[NSA A 2007] Federal Information Processing Standards Publication 197,November 26, 2001; Announcing the Advanced EncryptionStandard (AES).http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

[NSA B 2007] Federal Information Processing Standards Publication 186-2; Digital Signature Standard; January 2000.http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf



[NSA C 2007] NIST Special Publication 800-56, Recommendation on keyestablishment schemes; January 2003.http://csrc.nist.gov/CryptoToolkit/kms/keyschemes-Jan03.pdf

[NSA D 2007] Federal Information Processing Standards Publication 180-2, Announcing the secure hash standard; August 2002.http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf

[NTRU 2006] Produktbeschreibung der Security Suite für Drahtlos-Netz-werke 'Aerolink' mit dem NTRU-Kryptosystem.http://www.ntru.com/products/AL15_4.pdf

[Okamoto 2003] Okamoto, Tatsuaki: Trends in Cryptography: Technologiesand their Future, Special Feature: Information SecurityTechnologies Supporting Safe and Secure InformationSharing. NTT Review Vol.15 No.1; 2003, pp. 234–247.

[Paar 2007] Telephone interview with Prof. Dr.-Ing. Christof Paar, Pro-fessor for Communication Security at the Ruhr-UniversitätBochum; January 26, 2007.

[Paulus 2006a] Paulus, S.; Pohlmann, N.; Reimer, H. (Hrsg.): ISSE 2006 – Se-curing Electronic Business Processes: Highlights of theInformation Security Solutions Europe 2006 Conference,Rome, Italy, October 10–12, Vieweg Verlag Wiesbaden; 2006.

[Paulus 2006b] Paulus, S.: Sicherheit für Service-Orientierte Architekturen.Franz, R.U.; Heinrich, H. (Hrsg.): Moderne IT-Architekturen –eine Herausforderung für die Sicherheit? Tagungsband zum5. Berlin-Brandenburger SAP-Forum der FH Brandenburg;Shaker Verlag; Aachen 2006; pp. 21–44.

[Pohlmann 2003] Pohlmann, N.: Integration biometrischer Verfahren inSicherheitsinfrastrukturen. Horster, P. (Hrsg.): D-A-CH Secu-rity 2003, Syssec, 2003, pp. 322–331.

[Pohlmann 2007] Telephone interview with Prof. Dr. Norbert Pohlmann,Managing Director of the Institute for Internet Security atthe Fachhochschule Gelsenkirchen – University of AppliedSciences; January 12, 2007.

[Poritz 2006] Poritz, J. A.: Trust[ed | in] computing, signed code and theheat death of the internet. Proceedings of the 2006 ACM



Symposium on Applied Computing (SAC ’06); ACM Press;New York; 2006, pp. 1855–1859.

[Preneel 2006] Telephone interview with Prof. Dr. Bart Preneel; Professorat the K.U. Leuven; December 12, 2006.

[Rossnagel 2006] Rossnagel, H.: On Diffusion and Confusion – Why Electron-ic Signatures Have Failed. Fischer-Hübner, S.; Furnell, S.;Lambrinoudakis, C. (Ed.): Trust and Privacy in Digital Busi-ness, Third International Conference (TrustBus 2006);Krakow; Proceedings TrustBus; Springer; 2006, pp. 71–80.

[Rottke 2002] Rottke, T.; Hatebur, D.; Heisel, M.; Heiner, M.: A Problem-Ori-ented Approach to Common Criteria Certification. Ander-son, S. et al., (Ed.): Computer Safety, Reliability and Security:21st International Conference (SAFECOMP 2002), Catania,Italy, September 10-13, 2002. Proceedings; Springer-VerlagBerlin Heidelberg; 2002, pp. 334–346.

[RSA 1978] R. L. Rivest, A. Shamir, L. Adleman – A method for obtainingdigital signatures and public-key cryptosystems. Commu-nications of the ACM 21 (2); 1978, pp. 120–126.

[Sadeghi 2006] Sadeghi, A.: Challenges for Trusted Computing. Goubin, L.;Matsui, M. (Ed.): 'CHES 2006'; International Association forCryptologic Research; 2006, pp. 414.

[Sandhu 2005] Sandhu, R.; Zhang, X.: Peer-to-peer access control architec-ture using trusted computing technology. Proceedings ofthe 10th ACM symposium on Access control models andtechnologies (SACMAT '05); ACM Press; New York; 2005, pp.147–158.

[Savola 2006] Savola, R: Towards Security Evaluation based on EvidenceCollection. Wang, L. et al. (Ed.): Fuzzy Systems and Knowl-edge Discovery, Third International Conference (FSKD 2006),Xi’an, China, September 24-28, 2006. Proceedings; Springer-Verlag Berlin Heidelberg; 2007, pp. 1178–1181.

[Schadt 2006] Schadt, D.: Über die Ökonomie der IT-Sicherheit – Betrach-tungen zum Thema „Return on Security Investment“.[Mörike 2006], pp. 16–25.

[Schmeh 2001] Schmeh, K.: Kryptografie und Public-Key-Infrastrukturenim Internet; dpunkt-Verlag; 2001.



[Schmidt 2006] Schmidt, A.: Quantum Algorithm for Solving the DiscreteLogarithm Problem in the Class Group of an ImaginaryQuadartic Field and Security Comparison of Current Cryp-tosystems at the Beginning of Quantum Computer Age. G.Müller, G. (Ed.): Emerging Trends in Information and Com-munication Security, International Conference (ETRICS2006), Freiburg, Germany, June 6-9, 2006. ProceedingsSpringer-Verlag Berlin Heidelberg; 2006, pp. 481–493.

[Schneier 1999] Schneier, B.: Inside risks: the uses and abuses of biometrics,Communications of the ACM 42 (8); 1999, p. 136.

[Schultz 2002] Schultz, E.: The gap between cryptography and informationsecurity. Computers & Security 21(8), 2002, pp. 274–276.

[Shelfer 2002] Shelfer, K. M.; Procaccino, J. D.: Smart card evolution. Com-munications of the ACM 45 (7); 2001; pp. 83–88.

[Shor 1996] Shor, P.W.: Polynomial-time algorithms for prime factoriza-tion and discrete logarithms on a quantum computer.Goldwasser, S. (Ed.): Proceedings of the 35th Annual Sympo-sium on foundation of Computer Science (FOCS 1994); 1996,pp. 56–65.

[SigBü 2005] Signaturbündnis Bericht der Arbeitsgruppe„Geschäftsmodelle“, Deutscher Sparkassenverlag GmbH;2005.

[Signatur 2001] Signaturgesetz vom 16. Mai 2001 (BGBl. I S. 876); zuletztgeändert durch Artikel 4 des Gesetzes vom 26. Februar2007 (BGBl. I S. 179).http://bundesrecht.juris.de/sigg_2001/

[SigV 2001] Signaturverordnung (SigV) 2001, 16. November 2001, BGBl.I S. 3074, Anlage 1 Abschnitt I Nr. 2.

[SmartQuantum 2007] Datasheet SQKey Generator that uses the QKD (QuantumKey Distribution).http://www.smartquantum.com/IMG/pdf/SQKeyGenerator_Datasheet.pdf

[Sonnenreich 2006] Sonnenreich, W.: Return On Security Investment (ROSI): APractical Quantitative Model. In: Journal of Research andPractice in Information Technology; Vol. 38, No. 1; February2006.



[Spitz 2006] Spitz, S.; Urmann, J.; Meister, G.: ISO/IEC 24727 – A FutureStandard for Smart Card Middleware. [Paulus 2006a], pp.102–107.

[Sukhai 2004] Sukhai, N.B.: Access control & biometrics. Proceedings ofthe 1st annual conference on Information security curricu-lum development (InfoSecurity 2004), ACM Press, NewYork, NY, USA, 2004, pp. 124–127.

[TCG 2006] Website of the Trusted Computing Group.https://www.trustedcomputinggroup.org/home

[TeleTrusT 2006] TeleTrusT Deutschland e.V.: Bewertungskriterien zur Ver-gleichbarkeit biometrischer Verfahren – KriterienkatalogVersion 3.0.http://www.teletrust.de/fileadmin/files/publikationen/KritKat-3_final.pdf

[Temple 2006] Telephone interview with Robert Temple, Chief SecurityArchitect, British Telecom UK; December 8, 2006.

[Weis 2005] Weis, R., Lucks, S.: Hashfunktionen gebrochen. Datenschutzund Datensicherheit 29 (4) 2005, pp. 219 ff.

[Wiegel 2005] Wiegel, B.: Public Key Infrastrukturen – höhere Akzeptanzdurch Anwenderfreundlichkeit – Vorteile eines zentralenZertifikatsmanagements; PKI Forum Zertifikon SolutionsWhite Paper.http://www.zertificon.com/resourcen.php?k=3&t=9&detail

[Williamson 2006] Williamson, G.: e-ID and Smartcards – Current Status,Hopeful Developements and Best Practices. [Paulus 2006a],pp. 17–24.

[Wissenschaft.de 2005] Weltweit erste quantenkryptografisch verschlüsselte Bank-überweisung.http://www.wissenschaft.de/wissenschaft/news/240269.html



Appendix

Appendix A Fragebogen Technische Perspektiven

Appendix B Interviewpartner zu Technischen Perspektiven

Appendix C Public-Key-Infrastruktur (PKI)

Appendix D Return on Security Investment (ROSI)

Appendix E Fragebogen zur Erfassung von Kriterien für die Nutzung von PKI

Appendix F Details zum Workshop

Appendix | 117


Appendix A: Fragebogen Technische Perspektiven

118 | Appendix


Appendix | 119


120 | Appendix


Appendix B: Interviewpartner zu Technischen Perspektiven

Prof. Dr. Albrecht Beutelspacher Justus-Liebig-Universität GießenMathematisches Institut

J. Buchmann Forum für Sicherheitstechnologie beim Zentrumfür graphische DatenverarbeitungTechnische Hochschule Darmstadt

Christoph Busch Hochschule DarmstadtCAST e.V., Darmstadt

Lucas Cardholm ERNST & YOUNG ABStockholm, Sweden

Prof. Ernst-Günter Gießmann T-SystemsBerlin

Jeremy Hilton Viviale LtdCardiff, UK

Martin Kuppinger KUPPINGER COLE + PARTNERDigital ID Analysis & EvaluationMünchen - Stuttgart - Düsseldorf

Herbert Leitold A-SIT Zentrum für sichere Informations-technologie Graz

Prof. Christof Paar Chair for Communication SecurityDept. of Electr. Eng. & Information SciencesRuhr-University Bochum

Prof. Dr. Norbert Pohlmann Fachhochschule GelsenkirchenInstitut für Internet-Sicherheit

Prof. Dr. Bart Preneel Katholieke Universiteit LeuvenDept. Electrical Engineering-ESAT/COSIC

Robert Temple IT Security ArchitectBT exact Technologies, Ipswich, UK

Appendix | 121


Appendix C

Public-Key-Infrastruktur (PKI)

1. Einleitung

1978 wurde mit dem RSA-Algorithmus der auch heute noch am häufigsten verwen-dete Public-Key-Algorithmus entwickelt. Dieses Verfahren ist, wie auch alle anderenasymmetrischen Verschlüsselungsverfahren, dadurch gekennzeichnet, dass für dieVerschlüsselung ein anderer Schlüssel als für die Entschlüsselung verwendet wird.Die Sicherheit des Algorithmus beruht auf der Komplexität der Primfaktorzerlegung(vgl. [Ferguson 2002]).

Diese beiden Schlüssel (public key und private key) werden im Prozess der Schlüssel-generierung erzeugt. Der private Schlüssel muss vom Schlüsselerzeuger und auchspäter vom Nutzer geheim gehalten werden, währenddessen der öffentliche Schlüs-sel jedermann zugänglich gemacht wird.

Möchte jemand mithilfe eines asymmetrischen Verschlüsselungsverfahrens eineverschlüsselte Nachricht schicken, so verschlüsselt er diese Nachricht mit demöffentlichen Schlüssel dessen, an den die Nachricht geschickt wird.Die Entschlüsselung der Nachricht ist dann nur noch mit dem zum öffentlichenSchlüssel zugehörigen privaten Schlüssel möglich.

Asymmetrische Verschlüsselungsverfahren kann man zusätzlich zur digitalen Sig-nierung einsetzen. Dazu wird von der gegebenenfalls auch selbst zu verschlüsseln-den Nachricht ein Hashwert (eindeutiger Fingerprint der Nachricht) erzeugt. Dasverwendete Hash-Verfahren muss dabei die Forderung erfüllen, dass zwei unter-schiedliche Nachrichten niemals denselben Hashwert besitzen dürfen. Diese Eigen-

Appendix | 123


schaft wird als Kollisionsresistenz bezeichnet (vgl. [Selke 2000]). Der errechneteHashwert wird mit dem privaten Schlüssel des Absenders der Nachricht verschlüs-selt und kann seitens des Empfängers ausschließlich mit dem öffentlichen Schlüsseldes Absenders entschlüsselt werden.

Auf Empfängerseite wird nach dem eventuellen Entschlüsseln der Nachricht eben-falls der Hashwert der übertragenen Daten gebildet und mit dem eben entschlüssel-ten Hashwert verglichen. Sind beide identisch, so kann garantiert werden, dass dieNachricht auch wirklich von dem Absender kommt, der im Besitz des privatenSchlüssels ist. Außerdem kann garantiert werden, dass die Nachricht auf dem Über-tragungsweg nicht verändert wurde. Die digitale Signatur garantiert somit dieNicht-Abstreitbarkeit seitens des Absenders und die Integrität der Daten.

Aus der asymmetrischen Verschlüsselung ergeben sich klare Vorteile. Diese kom-men jedoch nur zum Tragen, wenn sichergestellt werden kann, dass der öffentlicheSchlüssel (als Bestandteil eines digitalen Zertifikates) auch wirklich von einer ent-sprechenden Person stammt und deren digitale Identität somit als vertrauenswür-dig angesehen werden kann. Auf dieser Basis lassen sich zudem entsprechendeAuthentifizierungs- und Identifizierungsmechanismen entwickeln, mithilfe derersichergestellt werden kann, dass Identitäten (Personen, Unternehmen, Organisatio-nen usw.) eindeutig zugeordnet werden können.

Ein Ansatz zur Lösung all der oben dargestellten Aufgaben ist der Aufbau einer sogenannte Public Key Infrastructure (PKI). Diese muss folgende Rahmenbedingun-gen erfüllen (vgl. [Nash 2002]):Die PKI muss die sichere Erstellung von gültigen Schlüsseln ermöglichen. Dazu musssie die Gültigkeitsprüfung der ursprünglichen Identität vornehmen.Außerdem ermöglicht sie die Ausgabe, Erneuerung und Beendigung von Zertifika-ten (vgl. [Oppliger 2005]). Diese Zertifikate und die darin enthaltenen Informationenwerden durch die PKI verteilt.

Sowohl der öffentliche als auch der private Schlüssel können in einer PKI archiviertund somit sicher wieder gefunden werden, wobei die Archivierung der privatenSchlüssel nur unter bestimmten Bedingungen notwendig und sinnvoll ist.Eine PKI ermöglicht auch die Generierung von Signaturen und Zeitstempeln. Eineweitere Aufgabe einer PKI ist der Aufbau und die Verwaltung von Vertrauensstel-lun-gen. Somit kann eine PKI als Rahmen für den Einsatz von Public-Key-Technolo-gien gesehen werden.

Zwingende Anforderungen an die Technologien stellt die PKI nicht, sodass z.B. derVerschlüsselungsalgorithmus ausgetauscht werden kann. Voraussetzung dafür ist,dass alle an der PKI beteiligten Instanzen in der Lage sind, den Algorithmus benut-zen zu können.

Im nächsten Abschnitt werden die einzelnen Komponenten einer PKI vorgestellt.

124 | Appendix


2. Komponenten einer PKI

Abbildung 1: Schema einer PKI

2.1 Registrierungsstelle (Registration Authority – RA)

Eine Registrierungsstelle ist entweder Bestandteil einer Zertifizierungsstelle (CA)(siehe Abschnitt 2.2) oder kann als eigene Komponente betrieben werden. Die Auf-gabe der RA besteht (vgl. [Cobb 2004]) darin, die Identität des Antragstellers festzu-stellen oder zu bestätigen. Der Identitätsnachweis kann z. B. über Geburtsurkundenoder (Lichtbild-) Ausweise erbracht werden. Dabei wird auch die Gültigkeit derNachweise geprüft. Es wird festgestellt, ob der Antragsteller die Berechtigung fürbestimmte Zertifikatsattribute (z.B. für ein CA-Zertifikat) besitzt. Wichtig ist dieFeststellung, ob der Antragsteller auch im Besitz des Private-Keys (auch Proof of Pos-session genannt) ist. Eine RA kann unter Umständen auch die Schlüssel initialerzeugen.

Appendix | 125


Wenn eine Kompromittierung oder eine zeitliche Ungültigkeit des Schlüsselmateri-als vorliegt, gibt die RA diese Informationen an die CA weiter, damit die entspre-chenden Zertifikate gesperrt werden, z. B. durch Eintragung in die Certificate Revo-cation List (CRL).

Die RA leitet den Registrierungsprozess zusammen mit der CA ein, indem die RAeinen Antrag auf die Erstellung eines Zertifikates über eine gesicherte Verbindungan die CA weiterleitet.

Außerdem werden private Schlüssel unter bestimmten Umständen (sofern diesrechtlich zulässig ist und/oder von den Teilnehmern gewünscht ist) archiviert, undgegebenenfalls kann durch eine RA eine Schlüsselwiederherstellung veranlasstwerden.

Die RA sorgt auch für die Ausgabe von physischen Tokens (z.B. Smartcards) aufdenen der private Schlüssel gespeichert ist.Während des Lebenszyklus der Schlüssel und der Zertifikate ist die RA die Vermitt-lungsstelle zwischen dem Teilnehmer und der PKI. Die RA macht – bis auf die Bes-tätigung gegenüber der CA – keine Angaben über die Vertrauenswürdigkeit der Teil-nehmer einer PKI.

2.2 Zertifizierungsstelle (Certificate Authority – CA)

Vorrangige Aufgabe einer CA ist die Übernahme des Managements aller Lebenszykleneines Zertifikates. So wird ein gesperrtes Zertifikat in die Certificate Revocation List(CRL) eingetragen und gleichzeitig für den Fall einer späteren Überprüfung archiviert.

Eine weitere Aufgabe der Zertifizierungsstelle besteht darin, Zertifikate zu erstellenund diese auszugeben, nachdem es den Antrag auf Erstellung des Zertifikats von RAüberprüft hat.

Für die Verwendung einer qualifizierten Signatur mit Anbieterakkreditierung dür-fen die qualifizierte Zertifikate nur von in Deutschland durch die Bundesnetzagen-tur akkreditierten CA (hier auch TrustCenter genannt) ausgestellt werden. Mit die-ser Akkreditierung ist verbunden, dass das TrustCenter ein Gütesiegel für garantier-te organisatorische und technische Sicherheit besitzt und die Zertifikate 30 Jahrenach Ablauf ihres Gültigkeitszeitraums in einem Verzeichnis speichert, damit des-sen Gültigkeit überprüft werden kann (vgl. [IHK 2005]).

Die von der CA ausgegebenen Zertifikate werden mit dem privaten Schlüssel des CAsigniert. Somit ist die Integrität und Authentizität eines Zertifikats durch die Ent-schlüsslung der Signatur mit dem im CA-Zertifikat enthaltenen öffentlichen Schlüs-sel überprüfbar, indem der durch die Entschlüsselung erhaltene Hashwert (Finger-print) des Zertifikats mit dem generierten Hash verglichen wird.

126 | Appendix


Das Zertifikat einer CA ist entweder selbst-signiert, wenn es sich um ein Root-CA-Zertifikat handelt (es gibt keine weiteren CA-Instanzen in der Hierarchie oberhalbdieser CA) oder es wird mit dem privaten Schlüssel der jeweils nächst höher gelege-nen CA signiert.

Durch die Möglichkeit, die CA-Zertifikate durch höhere CA-Instanzen signieren zulassen, entsteht ein so genannter Validierungspfad, an deren Ende eine Root-CAsteht. Ein Teilnehmer, welcher dieser Root-CA vertraut (z.B. durch das Abspeicherndes entsprechenden Root-CA-Zertifikats im Zertifikatsspeicher eines IT-Systems),vertraut automatisch auch allen anderen CA-Zertifikaten dieses Pfades.

Eine CA ist somit ein elementarer Bestandteil einer PKI, deren Grundbedeutung un-abhängig vom verwendeten Vertrauensmodell (vgl. Kapitel 3) ist. Da CAs für die un-terschiedlichsten Einsatzgebiete etabliert werden, sind die Rahmenbedingen unddie Vorgaben (z.B. Speicherung der Zertifikate auch nach Ablauf ihrer Gültigkeit, umden Nachweis der Gültigkeit von digitalen Signaturen sicherstellen zu können) fürjede CA individuell. So gilt für eine Root-CA das Höchstmaß an Sicherheit, um dieNotwendigkeit einer Neuzertifizierung aller untergeordneten Instanzen so geringwie möglich zu halten.

2.2.1 Certificate Revocation List (CRL)

In der CRL werden die gesperrten Zertifikate gespeichert. Die CRL hat eine be-stimm-te Laufzeit, nach deren Ablauf sie erneuert werden muss. Die CRL wird von der CAsigniert, sodass die Vertrauenswürdigkeit der Liste sichergestellt werden kann. EineCRL lässt sich zur Offline-Überprüfung von Zertifikaten nutzen.

2.2.2 Validierungsdienst

Neben der Offline-Validierung von Zertifikaten durch die Verwendung von CRLkann die Validierung auch online über die Protokolle „Online Certificate Status Pro-tocol“ (OCSP) und „Server-based Certificate Validation Protocol“ (SCVP) erfolgen.

Das OCSP dient dazu, Zertifikate zu identifizieren, die vor dem Ablauf ihres Gültig-keitszeitraums ungültig geworden sind. Ungültige Zertifikate dürfen bei sicher-heitskritischen Anwendungen keine Verwendung finden. Der Status eines Zertifi-kats kann durch die Anfrage an den so genannten OCSP-Responder, welcher meistvom Zertifikatsherausgeber betrieben wird, abgefragt werden. Folgende Stati sindmöglich (vgl. [RFC 2560]):

Y „good“ (Zertifikat ist gültig)Y „revoked“ (Zertifikat gesperrt) Y „unknown“ (Zertifikat unbekannt)

Appendix | 127


Wenn ein Zertifikat gesperrt ist, dann wird auch der Zeitpunkt der Sperrung angege-ben. Als Transportprotokoll für die Übertragung der Daten zwischen Client und Ser-ver werden meist die Protokolle http oder https verwendet. Es ist möglich, den Sta-tus von mehreren Zertifikaten abzufragen. OCSP wird jedoch nicht so häufig zurValidierung von Zertifikaten eingesetzt, dennoch betreiben alle CAs in Deutschland,die qualifizierte Zertifikate ausgeben, einen solchen Responder, um dem Signatur-gesetz (vgl. [SigG 2001]) zu entsprechen.

Ein großer Vorteil des OCSP gegenüber einer CRL besteht darin, dass die Sperrinfor-mationen in Echtzeit vorhanden sind, sofern der OCSP-Server direkten Zugriff aufdie Datenbank der CA hat (vgl. [Holenstein 2004]), währenddessen CRL nur perio-disch erneuert werden.

Nachteil von OCSP ist, dass der Client (für den Fall, dass er nur der Root-CA vertraut)selbst einen Validierungspfad aufbauen muss, um an die notwendigen Informatio-nen zur Überprüfung eines Zertifikates zu gelangen, denn der OCSP-Responder lie-fert die Struktur des Validierungspfades nicht mit (vgl. [Nash 2002]).Wenn eine CA vorübergehende Sperrungen zulässt (dies ist nach dem deutschenSignaturgesetz unzulässig), dann lässt sich nicht nachvollziehen, ob ein Zertifikat zueinem bestimmten Zeitpunkt ungültig war.

Das SCVP, welches bisher nur als Entwurf existiert (vgl. [IETF 2007]), wurde entwi-ckelt, um die Schwächen des OCSP zu beheben (vgl. [Nash 2002]). Der grundlegendeUnterschied zu OCSP besteht darin, dass der SCVP-Client an den Server kom-pletteZertifikate zur Überprüfung z.B. mittels http an den SCVP-Server überträgt. Der Clientkann auch weitere übergeordnete Zertifikaten übertragen, welche bei der Echtheits-überprüfung der zu prüfenden Zertifikate mit berücksichtigt werden müssen.

Der Client kann außerdem angeben, wie der Server die Anfragen zu bearbeiten hat:z.B. durch die Angabe der anzuwendenden Zertifikatsrichtlinien und welche CRL-und OCSP-Dienste zum Abfragen der Zertifikatssperrstati genutzt werden sollen.Der Client muss sich dabei nicht um die Überprüfung der Validierungspfade küm-mern, somit ermöglicht das SCVP das teilweise bis vollständige Auslagern der Zerti-fikats-Validierung (vgl. [Holenstein 2004]). Die Antworten des Servers werden eben-so wie im OCSP digital signiert um die Integrität und Authentizität der Nachricht zugewährleisten.

2.2.3 Gültigkeit von Zertifikaten

Um die Gültigkeit eines Zertifikates zu überprüfen gibt es drei verschiedene Gültig-keitsmodelle (vgl. [Wolf 1998]). Das Schalenmodell wird im PEM1-Standard, siehe

128 | Appendix

1Privacy Enhancement for Internet Electronic Mail


RFC 1421 – 1424, beschrieben. Das Schalenmodell trifft die Aussage über die Gültig-keit eines Zertifikates anhand des Verifikationszeitpunktes. Die Gültigkeit einesZertifikates zu einem bestimmten Zeitpunkt ist genau dann gegeben, wenn dieSignatur des Zertifikates gültig ist, der Zeitpunkt innerhalb des Gültigkeitszei-traums des Zertifikates liegt und das Zertifikat zum fraglichen Zeitpunkt nichtgesperrt ist. Außerdem müssen zum prüfenden Zeitpunkt alle Zertifikate der zumValidierungspfad des Zertifikats gehörenden CAs gültig sein. Beim Schalenmodellwird nicht überprüft, ob das Zertifikat zu dem Zeitpunkt gültig war, an dem mitdem zum Zertifikat entsprechenden privaten Schlüssel eine Signatur erzeugtwurde. Um dies zu prüfen verwendet man das so genannte modifizierte Schalen-modell.

Im Gegensatz zum Schalenmodell wird hier die Gültigkeit des Zertifikats und desValidierungspfades zum Zeitpunkt der Signierung eines Dokumentes geprüft. Dieshat zur Folge, dass Signaturen auch dann als gültig angesehen werden, obwohl dasZertifikat zum Verifikationszeitpunkt bereits abgelaufen ist.

Das Kettenmodell verfolgt einen anderen Ansatz. Die Gültigkeit einer Signatur istgegeben, wenn das Teilnehmer-Zertifikat zum Signierzeitpunkt gültig war. Fernerwird geprüft, ob Zertifikate des Validierungspfades zum Zeitpunkt ihrer Anwen-dung gültig waren. Das bedeutet, das Zertifikat der CA die das Signierzertifikat aus-gegeben hat, muss zum Ausgabezeitpunkt gültig gewesen sein. Auf dieselbe Artund Weise wird die Gültigkeitsprüfung an den Zertifikaten der hierarchisch dar-überliegenden CAs vorgenommen. Es wird bei diesem Modell nicht überprüft, obdas Zertifikat seit der Signatur gesperrt wurde.

Damit die Signatur eines Dokumentes nach allen drei Modellen gültig ist, muss eskurz vor Ablauf des Gültigkeitszeitraums des Zertifikates, welches zum ent-sprechen-den Signaturschlüssel gehört, neu signiert werden.

2.3 Digitale Zertifikate

Ein digitales Zertifikat ist eine Datenstruktur, die eine bestimmte Identität (Person,Organisation oder IT-System) und dessen Public-Key miteinander verknüpft. Derderzeit wichtigste Standard für digitale Zertifikate für die Benutzung in einer PKIheißt X.509. Derzeit aktuell ist X.509v3 und wurde von der ITU-T2 als Standard fest-geschrieben.

In einem Zertifikat sind unter anderem folgende Daten enthalten:1. Versionsnummer (z. B.: 3)2. Seriennummer (z. B.: 42)

Appendix | 129

2Privacy Enhancement for Internet Electronic Mail


3. Herausgeber des Zertifikates (Angabe von Land, Bundesstaat, Ort, Organisa-tion, Abteilung, Name, E-Mail-Adresse)

4. Gültigkeitszeitrauma. nicht vor einem Zeitpunkt b. nicht nach einem Zeitpunkt

5. Inhaber des Zertifikates (Angabe von Land, Bundesstaat, Ort, Organisation,Abteilung, Name [Person, Organisation, IT-System], E-Mail-Adresse)

6. Public-Key-Algorithmus (z.B. rsaEncryption)7. Public-Key 8. Signaturalgorithmus (z.B.: md5WithRSAEncryption)9. Signatur des Zertifikats 10. Erweiterungen

Zu den Erweiterungen zählt z.B. die Angabe einer URL, unter welcher die Policy derZertifizierungsstelle (CA), welche die Arbeitsweise der CA beschreibt, eingesehenwerden kann. Eine weitere beschreibt den Einsatz des Zertifikates (z.B. für die Da-ten-Verschlüsselung). Ein Zertifikat sollte ausschließlich für diese aufgeführtenZwecke eingesetzt werden.

Es gibt folgende zwei wichtige Zertifikatstypen:Y Teilnehmerzertifikate und Y CA-Zertifikate (erkennbar in der Erweiterung „Basic Contraints“, in dessen Feld

„CA“ den Wert TRUE besitzt), die dem Inhaber erlauben, selbst Zertifikateauszustellen.

2.3.1 Arten von Zertifikaten

Neben selbst-signierten Zertifikaten (aus denen einer Root-CA), bei denen keinesichere Identifizierung des Inhabers sichergestellt werden kann, gibt es die so ge-nannten fortgeschrittenen Zertifikate. Bei diesen kann die Identität des Inhabersein-deutig sichergestellt werden, jedoch sind die mit diesen Zertifikaten erzeugtenfortgeschrittenen Signaturen einer Unterschrift von Hand rechtlich nicht gleichgestellt (vgl. [D-Trust 2007]). „Der entscheidende Unterschied zur gewöhnlichenUnterschrift besteht darin, dass die digitale Signatur […] untrennbar mit der Nach-richt […] verbunden ist.“ [Beutelspacher 2002]

Qualifizierte Zertifikate hingegen ermöglichen qualifizierte digitale Signaturen, dieeiner händischen Unterschrift rechtlich gleichgestellt sind. Solche Zertifikate dürfennur von offiziellen Zertifizierungsstellen ausgegeben werden, die sich an dieBestimmungen des in Deutschland gültigen Signaturgesetzes halten. Die höchsteStufe sind qualifizierte Zertifikate mit Anbieterakkreditierung, bei denen die aus-stellungsberechtige Zertifizierungsstelle durch den TÜV-IT geprüft und von derBundesnetzagentur bestätigt ist.

130 | Appendix


2.3.2 Beispiele der Verwendung von Zertifikaten

Zertifikate kommen z.B. beim Secure-Sockets-Layer(SSL)-Protokoll zum Einsatz, wel-ches im OSI-Modell oberhalb der Transportschicht angesiedelt ist. Protokolle in derAnwendungsschicht des OSI-Modells können um die SSL-Protokoll-Funktionalität(und somit um die Möglichkeit der Verschlüsselung und Gewährleistung derAuthentizität und Integrität von Daten) erweitert werden.

Ein Beispiel dafür ist das Hypertext Transfer Protocol Secure (https)-Protokoll. Überdieses Protokoll kann eine verschlüsselte Verbindung zwischen Browser und Web-server hergestellt werden.

Obwohl eine gegenseitige Authentifizierung beider beteiligen Parteien möglich ist,wird meist nur der Server durch die Überprüfung des Server-Zertifikates, welches alsNamen des Inhabers die Domain des Webservers enthält, authentifiziert. Hierbeiwird das Zertifikat vom Server zum Browser übertragen.

Dieser überprüft das Zertifikat nach bestimmten Kriterien:1. Stimmt die Domain mit der im Zertifikat angegebenen Domain überein? 2. Ist das Zertifikat abgelaufen oder steht es auf einer Zertifikatsperrliste (Certifi-

cate Revocation List – CRL)? 3. Ist das Zertifikat von einer dem Browser als vertrauenswürdig eingestuften CA

signiert?

Sollten einige Kriterien nicht zutreffen, so gilt das Zertifikat als nicht-vertrauens-würdig und der Benutzer wird gefragt, ob er diesem Zertifikat trotzdem vertrauenmöchte. Wenn dem Zertifikat vertraut wurde, wird browser- und serverseitig der Sit-zungsschlüssel erzeugt. Dieser dient anschließend auf beiden Seiten zur symmetri-schen Verschlüsselung der zu übertragenden Daten, was einen Geschwindigkeitsge-winn gegenüber der asymmetrischen Verschlüsselung bietet, der übertragenenDaten erzeugt.

Ein weiteres Anwendungsgebiet ist E-Mail. Hierbei werden Zertifikate für zwei ver-schiedene Zwecke eingesetzt.Zum einen kann mit dem öffentlichen Schlüssel des Empfängers, welcher in seinemZertifikat oder einer entsprechenden CA hinterlegt ist, eine Nachricht verschlüsseltwerden. Zum anderen ist es möglich, die Identität des Absenders und die Integritätdes Mailinhalts zu gewährleisten, indem der Absender mithilfe seines privatenSchlüssels den Hashwert der Nachricht verschlüsselt. Dieser verschlüsselte Hash-wert wird an die verschlüsselte Nachricht angehängt und ermöglicht dem Empfän-ger, mit dem öffentlichen Schlüssel des Absenders den Hashwert und mit seinemeigenen privaten Schlüssel die Nachricht selbst zu entschlüsseln. Anschließendkann er für die entschlüsselte Nachricht den Hashwert erzeugen, mit dem ent-schlüsselten Hashwert vergleichen und somit die Identität feststellen.

Appendix | 131


Auch bei der Verwendung von Virtual-Private-Networks (VPN), welche durch denAufbau von Tunneln verschlüsselte Verbindungen zwischen Kommunikations-teilnehmern innerhalb eines öffentlichen ungesicherten Netzes ermöglichen,werden Zertifikate zur Feststellung der Identität eines an einem VPN beteiligtenEndpunktes verwendet. Dabei wird im Zertifikat für einen am VPN beteiligtenEndpunkt die Netzwerkadresse des Netzwerkknotens vermerkt (vgl. [Nash 2002]).Die Endpunkte identifizieren sich gegenüber den anderen Teilnehmern, indem sieihr Zertifikat zeigen und auch sicherstellen, dass der entsprechende privateSchlüssel vorliegt.

2.4 Verzeichnisdienst

Ein Verzeichnisdienst bietet als Bestandteil einer PKI die Möglichkeit der zentralenSpeicherung von Zertifikaten. Durch die Nutzung dieses Dienstes können benötigteZertifikate geholt werden. Ein Zertifikatsinhaber muss somit sein Zertifikat seinenKommunkationspartnern nicht bilateral zur Verfügung stellen (vgl. [Hammer1999]).

Die Zertifikate werden in einem Verzeichnisdienst technisch gesehen in einer hier-archischen Datenbank abgelegt. Über das Client/Server-Prinzip können die darinenthaltenen Daten manipuliert werden. Früher verwendete man als Verzeichnis-dienst den X.500-Verzeichnisdienst. Gegenwärtig werden häufig LDAP-basierte Ver-zeichnisdienstlösungen zur Speicherung der Zertifikate eingesetzt (vgl. [Schmeh2001]), welche u.a. bei der Verwaltung der verfügbaren Ressourcen (z.B. Speicher-platz) effizienter sind.

2.5 Dokumente

Zu den Dokumenten, welche innerhalb einer PKI gepflegt werden müssen, gehörtdas Certificate Practice Statement (CPS), welches die Umsetzung der Richtlinien fürdie Ausstellung von Zertifikaten festschreibt. Das CPS wird in den RFC 3647 und RFC2527 beschrieben. Falls das CPS nicht veröffentlicht werden soll, wird ein Policy Dis-closure Statement (PDS) mit einem für die Öffentlichkeit relevanten Auszug ausdem CPS veröffentlicht. Daneben gibt es das Dokument „Certificate Policy“ (CP), wel-ches das Anforderungsprofil einer PKI an ihre Arbeitsweise und die Zertifizierungs-richtlinien beschreibt.

Auf diese Dokumente kann im Zertifikat über ein Erweiterungsfeld, welches eineURL zu den Dokumenten enthält, verwiesen werden, sodass derjenige, der einemZertifikat vertrauen will, genau mit der Arbeitsweise der PKI hinsichtlich der Zertifi-katserstellung und –verwaltung vertraut gemacht werden kann. Auf dieser Basiswird er u.U. auch Zertifikaten vertrauen, die zunächst nicht als vertrauenswürdigeingestuft wurden.

132 | Appendix


Außerdem gibt es Dokumente, auf die nicht über das Erweiterungsfeld (vgl.Abschnitt 2.3) zugegriffen werden kann. Diese beschreiben, wie Abläufe, Schnittstel-len und Rollen innerhalb einer PKI definiert sind. Weitere Dokumente beschreibendas Verhalten im laufenden Betrieb der PKI. Auch ein Sicherheits- und ein Notfall-konzept gehört zu den PKI-Dokumentationen.

3. Vertrauensmodell

Ein Vertrauensmodell bildet die Grundlage für die Erstellung und das Managementvon Vertrauensstellungen, die für den Betrieb einer PKI mit mehreren CA notwendigsind. Solche Vertrauensstellungen werden z.B. durch das Ausstellen von einem CA-Zertifikat für eine CA durch eine andere CA erreicht. Wenn man einer CA vertraut,welche das Zertifikat einer anderen signiert hat, dann kann man folglicherweiseauch dieser vertrauen. Es gibt verschiedene Vertrauensmodelle. Auf einige vonihnen wird in den nächsten Abschnitten eingegangen.

3.1 Hierarchisches Modell

Im Vertrauensmodell der allgemeinen Hierarchie sind bidirektionale Vertrauens-stellungen zulässig und der Zertifikatsbenutzer kann eine beliebige CA als vertrau-enswürdige Stelle definieren.

Im Modell der untergeordneten Hierarchie gibt es genau eine Vetrauensbasis: dieRoot-CA. Alle Vertrauensstellungen basieren darauf, dass die Root-CA, für die CAsder nächsten Ebene, die ihrerseits ebenfalls Zertifikate ausstellen können, Zertifika-te ausstellt.

Das Zertifikat der Root-CA kann von keiner anderen CA als der Root-CA selbst aus-gestellt werden. Man spricht von der Selbst-Signierung des Root-CA-Zertifikates, beiwelcher der Aussteller des Zertifikates mit dem CA-Betreiber identisch ist, die Wer-tigkeit und Vertrauenswürdigkeit der Root-CA jedoch beispielsweise über staatlicheMechanismen oder Öffentlichkeit und Bekanntheitsgrad abgesichert ist.

Die Verkettung von Zertifikaten zur Überprüfung eines Zertifikats nennt man Zerti-fi-zierungspfad. In diesem Vertrauensmodell ist das Root-CA-Zertifikat immer Basisdieses Pfades.

Bei diesem Modell entsteht ein Problem, wenn das Root-CA-Zertifikat kompromit-tiert werden würde. Dann müsste dieses – und somit auch alle untergeordnetenZertifikate – ausgetauscht werden. Da die Root-CA jedoch selten in Anspruchgenommen wird (nur bei Zertifizierung von untergeordneten CAs und evtl. Sper-rung von CAs) ist die Wahrscheinlichkeit einer Kompromittierung eher als geringeinzustufen.

Appendix | 133


Dieses Vertrauensmodell ist das verbreitetste, was u.a. dadurch begründet ist, dassfür eine erfolgreiche Zertifikatsüberprüfung nur der Zertifizierungspfad bis zurWurzelinstanz durchlaufen werden muss.

3.2 Peer-To-Peer-Modell

Im Peer-To-Peer-Modell wird der Aufbau einer Vertrauensbeziehung von zwei gleichgestellten Zertifizierungsinstanzen beschrieben. Dazu stellt jede CA der jeweilsanderen CA ein Zertifikat aus (auch gegenseitige Zertifizierung genannt).Nachteil dieses Modell ist, dass es nicht skalierbar ist. Denn wenn zum Beispiel vierCAs sich gegenseitig zertifizieren und jede mit jeder anderen in einer bidirektiona-len Vertrauensstellung steht, dann sind 12 Zertifikate notwendig. Die allgemeineFormel lautet für die Anzahl der benötigten Zertifikate:

Anzahl der Zertifikate = CA-Anzahl * (CA-Anzahl – 1).

Dieses Modell ist meist erst nutzbar, wenn von PKI-Herstellern angebotene Plug-Insgenutzt werden, die den Aufbau und die Überprüfung von Zertifizierungspfadenmit gegenseitigen Zertifizierungen unterstützen.

3.3 Maschenmodelle

Bei einem Maschenmodell gibt es nicht zwischen allen CAs eine bidirektionale Ver-trauensstellung, sondern nur zwischen einigen dieser CAs. Zur Überprüfung eines

134 | Appendix

Abbildung 2: Vertrauensmodell „untergeordnete Hierarchie“


Zertifikats muss deshalb erst der Zertifizierungspfad gefunden werden.Durch das Anfragen an verschiedene CAs, welche Vertrauensstellung diese mit an-deren CAs besitzt, gelangt man schließlich von der eigenen vertrauenswürdigen CAzu der CA, welche das zu untersuchende Zertifikat signiert hat.Dabei ist es jedoch nicht möglich vorherzusagen, welcher Zertifizierungspfad ge-nommen werden muss, da man zunächst nicht weiß, welche CAs untereinanderdurch eine Vertrauensstellung verknüpft sind. Deshalb kann im Gegensatz zu der inAbschnitt 3.1 beschriebenen untergeordneten Hierarchie der Zertifizierungswegnicht mit dem Teilnehmerzertifikat übermittelt werden.

Ein Problem dieses Maschenmodells ist, dass man keine Aussage darüber treffenkann, welche Aktivitäten ein zertifizierter Partner plant. So kann es passieren, dassdie CA eines Konkurrenten durch den Aufbau einer Vertrauensstellung mit demPartner Teil der Masche wird. Um dies zu verhindern, ist eine Richtlinienstelle (Poli-cy Authority) zu etablieren, die sich um das Management der Richtlinien (damiteben keine Konkurrenten Teil der Masche werden können) kümmert.

3.4 Hybride Vertrauensmodelle

Zu den hybriden Vertrauensmodellen gehört das Verbinden von untergeordnetenHierarchien. Dieses Modell besteht aus mehreren Root-CAs, welche jeweils die Ver-trauensbasis für die darunterliegenden Ebenen bilden. Merkmal dieses Vertrauens-modell ist es, dass sich die Root-CAs untereinander zertifizieren, also eine Vertrau-ensstellung zwischen ihnen besteht. Als Alternative zur Zertifizierung der Root-CAsuntereinander besteht die Möglichkeit des Einsatzes einer so genannten Bridge-CA.Dabei zertifizieren sich jeweils die Bridge-CA und jede einzelne Root-CA gegenseitig.Die Bridge-CA ist dabei jedoch weder Vertrauensbasis noch Wurzelinstanz (vgl.[Nash 2002]).

Es gibt ferner innerhalb einer Hierarchie die Möglichkeit, dass sich untergeordneteCAs gegenseitig zertifizieren. Dies führt u.U. zur Optimierung der Zertifikatsgültig-keitsfeststellung, da der Zertifizierungspfad kleiner ist, als der im Falle einer unter-geordneten Hierarchie.

3.5 Web of Trust

Dieses dezentrale Vertrauensmodell basiert darauf, dass man (A) einer Zertifizie-rungsinstanz (C-H) vertraut werden kann, sofern eine andere Instanz (B-G), welcherman selbst (auch indirekt ) traut, dieser Instanz vertraut. Dies geschieht durch dasgegenseitige Signieren der öffentlichen Schlüssel (vgl. [Schwenk 2002]). Je kürzerder Pfad von der eigenen Zertifizierungsinstanz zur Zielzertifizierungsinstanz ist,desto vertrauenswürdiger kann dieser Weg angesehen werden (vgl. [Vaudenay2006]).

Appendix | 135


Das Problem bei diesem Modell besteht darin, dass jede Instanz sehr sorgfältig mitden Vertrauensbeziehungen umgehen muss damit das Vertrauensmodell seinenZweck erfüllen kann und keine „boshaften“ Instanzen Teil des Web of Trust werden.

4. Fazit

Eine PKI ermöglicht durch ihre Komponenten die vertrauenswürdige Nutzung vonZertifikaten, welche die öffentlichen Schlüssel von Teilnehmern enthalten und zurAuthentifizierung und Identifizierung von Benutzern sowie zur Verschlüsselungvon Daten und zur Überprüfung von digitalen Signaturen verwendbar sind.Eine PKI beschreibt dabei den Rahmen, in dem verschiedenste Public-Key-Technolo-gien zum Einsatz kommen können. Diese Technologien sind hierbei austauschbar.

136 | Appendix

Abbildung 3: Vertrauensmodell „Web of Trust“


5. Quellen

[Beutelspacher 2002] Beutelspacher, A.: Kryptologie; 6. Auflage; Vieweg; 2002.

[Cobb 2004] Cobb, C.: Cryptography for Dummies; Wiley Publishing Inc.;2004.

[D-Trust 2007] Kommunikationssicherheit à la carte; D-Trust; 2007.https://www.d-trust.net/internet/content/kommunikations-sicherheit.html

[Faber 2007] von Faber, E.: PKI-Vorlesungsmaterialien; FH Brandenburg;2007.

[Ferguson 2002] Ferguson, N.; Schneier, B.: Practical Cryptography; Wiley Pub-lishing Inc.;2002.

[Hammer 1999] Hammer, V.: Die 2. Dimension der IT-Sicherheit; Vieweg;1999.

[Holenstein 2004] Holenstein, N.; Pfister, C.: Statusprüfung von Zertifikaten mitCRL und OCSP, bewertet auf Basis des aktuellen Umfelds vonUBS; Zürcher Fachhochschule Winterthur; 25.10.2004.http://security.hsr.ch/theses/DA_2004_CertificateRevoca-tionStudy.pdf

[IETF 2007] Public-Key Infrastructure (X.509) (pkix) Charter; IETF Secreta-riat ; 02.04.2007.http://www.ietf.org/html.charters/pkix-charter.html

[IHK 2005] Digitale Signatur Überblick; IHK für Oberfranken Bayreuth;2005.http://www.bayreuth.ihk.de/xist4c/download/web/5710488422_3576_uplId_92712__coId_1057_.pdf;jsessionid=0538F61B107B706A15DC682534FE8AA6

[Nash 2002] Nash, A.: PKI – e-security implementieren; RSA Press; 2002.

[Oppliger 2005] Oppliger, R.: Contemporary Cryptography; Artech House;2005.

[RFC 2560] Request for Comments 2560: X.509 Internet Public KeyInfrastructure – Online Certificate Status Protocol – OCSP;Juni 1999.http://tools.ietf.org/html/rfc2560

Appendix | 137


[Schmeh 2001] Schmeh, K.: Kryptografie und Public-key-Infrastrukturen imInternet; 2. Auflage; dpunkt-Verlag; 2001.

[Schwenk 2002] Schwenk, J.: Sicherheit und Kryptographie im Internet; Vie-weg; 2002.

[Selke 2000] Selke, G.W.: Kryptographie – Verfahren, Ziele, Einsatzmöglich-kei-ten; O’Reilly; 2000.

[SigG 2001] Gesetz über Rahmenbedingungen für elektronische Signatu-ren (Signaturgesetz); Bundesministerium der Justiz;16.05.2001.http://www.gesetze-im-internet.de/sigg_2001/index.html

[Vaudenay 2006] Vaudenay, S.: A Classical Introduction to Cryptography; Sprin-ger; 2006.

[Wolf 1998] Wolf, R.: Verifikation digitaler Signaturen; TU Darmstadt;1998.http://www.informatik.tu-darmstadt.de/BS/Lehre/Sem98_99/T11/index.html

138 | Appendix


Appendix D

Return on Security Investment

(ROSI)

1. Einleitung: Messung von IT-Sicherheitsinvestitionen

Was ist der Nutzen meiner Investition in eine IT-Sicherheitsmaßnahme? Diese Fragestellen sich viele Entscheidungsträger, wenn es um das Budget für den Ausbau derIT-Sicherheit im Unternehmen geht. Unsicherheit, Angst und Zweifel reichen nichtmehr als Argument für die permanent wachsenden Fixkosten der IT-Sicherheit.Quantitative und qualitative Ansätze zur Bestimmung einer wirtschaftlich sinnvol-len Investion sind gefragt. Zur Beurteilung des Nutzens einer IT-Sicherheitsmaß-nahme werden Kriterien benötigt, anhand derer man das Ergebnis messen kann.Eventuell ist es sogar sinnvoller, einen möglichen Schaden hinzunehmen alsUnsummen für seine Abwehr auszugeben.

Die Abwehr von Gefahren muss in jedem Unternehmen unterschiedlich bewertetwerden. So kann ein Unternehmen durch starkes Wachstum oder gestiegenesMedieninteresse viel häufiger Opfer von Angriffen sein als ein bedeutungsloserKonkurrent. Ein Anderes begründet seinen Erfolg durch wertvolles geistiges Eigen-tum, welches verstärkt geschützt werden muss. Eine weitere Bedrohung liegt imImageverlust, den ein Unternehmen erleidet, falls ein erfolgreicher Angriff bekanntwird oder geheime Unternehmens- oder Personaldaten im Internet veröffentlichtwerden. Jedoch sind sich viele Unternehmen der Schäden durch Sicherheitsvorfälleund auch der daraus abzuleitenden Kosten nicht bewusst. Nur wenige Firmen sindüberhaupt in der Lage, Angaben zur Schadenshöhe eines erfolgreichen Angriffes zumachen.

Appendix | 139


An den oben genannten Beispielen kann man erkennen, dass eine exakte Bewer-tung von Risiken äußerst schwierig ist. Das Problem liegt in der IT-Sicherheit alsQuerschnittsthema begründet. Es existieren vielfältige Wechselwirkungen mit denProzessen im Unternehmen, weswegen eine Kosten-Nutzen-Betrachtung und -Opti-mierung eine betriebswirtschaftliche Gesamtbetrachtung erfordert. (vgl. [Lubich2006], S. 9)

Ein weiterer Ansatz, Sicherheit in einem Unternehmen zu bewerten, setzt bei denVersicherungen an. Ein in diesem Zusammenhang häufig genanntes Beispiel sindSprinkler-Anlagen für Fabriken. DIese kamen Ende des 19. Jahrhunderts erstmalszum Einsatz. Ihr Nutzen wurde damals als ebenso zweifelhaft angesehen, wie dereiniger Sicherheitsinvestitionen heutzutage. Erst als die Versicherungen günstige-re Angebote für Fabriken mit Sprinkler-Anlagen anboten, konnte der Ertrag derInvestition in solche Anlagen glaubhaft nachgewiesen werden. Das Problembesteht in der Verlässlichkeit und konsistenten Erhebung der zugrunde liegendenDaten. Hier ist eine gemeinsame Basis zur Berechnung zu finden. (vgl. [Berinato2002])

2. Berechungsarten des ROSI

Für die Gesamtheit aller Kosten einer Investition werden häufig die Berechungsme-thoden Total Cost of Ownership (TCO) und Return on Investment (ROI) verwendet.Bei der TCO-Berechnung werden alle Kosten über den gesamten Lebenszyklus derInvestition berücksichtigt. Dazu gehören Anschaffung, Installation und dauerhafteBetriebs- und Wartungskosten. Es wird jedoch kein Nutzen oder Ertrag ermittelt. DerROI geht einen Schritt weiter, indem man von der Annahme ausgeht, dass eineInvestition im Laufe der Jahre einen positiven Nutzen generiert. (vgl. [Müßig 2006],S. 39) In einer Amortisationsrechnung wird die Investition dem Nutzen gegenüber-gestellt. Es wird also ermittelt, ab wann die Investition einen Ertrag erwirtschaftet.(vgl. [Schmeh 2004])

Auf Grundlage des ROI wurde an der Universität Idaho der Return On SecurityInvestment (ROSI) entwickelt. Er bietet ein nutzen- und bilanzorientiertes Modell alsGrundlage für die verbesserte Schätzung der Investitionen in IT-Sicherheit. Es wirdversucht, unter Betrachtung aller Kosten aufzuzeigen, ob und wann ein Investmentin IT-Sicherheitsmaßnahmen zu einem Return On Invest führt oder nicht. Es gibtverschiedene nicht standardisierte Methoden, den ROSI zu ermitteln, die aber aufden gleichen Annahmen beruhen und sich ähnlich berechnen. Dies ist auch als diegrößte Schwäche des ROSI hervorzuheben. Aufgrund unterschiedlicher Berech-nungsmethoden und Einschätzungen von Risiken in Hinsicht auf Eintrittswahr-scheinlichkeit und Schadenshöhe sowie der Missachtung des Faktors Zeit kann einROSI nur als Näherungs- oder Richtwert angesehen werden. Bei gleich bleibenderBerechnungsweise ist aber die Möglichkeit des Vergleichs gegeben. (vgl. [Schadt2006], S. 21)

140 | Appendix


Die erste Berechnungsmöglichkeit ist definiert als Differenz aus den Kosten, die zurBehebung des angefallenen Schadens nötig sind (Recovery Costs – R), sowie der jähr-lichen Verlusterwartung (Annual Loss Expenditure – ALE). Die ALE ist definiert alsdie Summe der wahrscheinlichen Schäden und Investition (Tool Costs – T) minusder Ersparnis (Savings – S). (vgl. [Schadt 2006], S. 21)

Formel 1: ALE = R-S+TR-ALE = S-T = ROSI

Die Recovery Costs – R (Kosten der wahrscheinlichen Schäden) beschreiben alle Auf-wendungen zur Behebung eines Schadens und der Rückkehr zum Ursprungszu-stand. „Sie werden in die Gesamtkosten der geschäftlichen Tätigkeit mit einbezo-gen. Die Wiederherstellungskosten hängen vom tatsächlichen Eintritt von Schädenab, müssen aber aus Erfahrungswerten für die Zukunft abgeschätzt werden.“ ([Pohl-mann 2006], S. 29) Hierbei sind auch aktuelle Entwicklungen auf gesetzlicher Ebenewie Basel II und der Sarbanes Oxley Act zu berücksichtigen. Diese verursachen Kos-ten bei Nichteinhaltung, die in eine Kostenbetrachtung einbezogen werden müssen.(vgl. [Pohlmann 2006], S. 29)

Savings – S (Reduzierung der Kosten der wahrscheinlichen Schäden) umfasst alleKosten, die durch die Einführung der neuen IT-Sicherheitsmaßnahme eingespartwerden können. Es wird davon ausgegangen, dass die IT-Sicherheitsmaßnahmeeine sehr hohe Anzahl von Angriffen abwehren kann. (vgl. [Pohlmann 2006], S. 29f.)Eine Reduzierung des Prämienaufwands für die IT-Versicherung bei Einsatz von IT-Sicherheitsmaßnahmen ist ein Beispiel für indirekte Ersparnisse.

Die Tool Costs – T (Kosten für IT-Sicherheitsmaßnahmen) beinhalten alle mit derneuen Investition verbunden Kosten. In der Regel werden die Total Cost of Owners-hip berechnet. (vgl. [Pohlmann 2006], S. 30) Dabei sind direkte und indirekte Kostenmöglichst genau zu quantifizieren, was die Berechnung, wie oben genannt, proble-matisch und umstritten macht.

Die Annual Loss Expenditure – ALE (verbleibende jährlich erwartete Kosten) sinddie Kosten, die verbleiben, nachdem die IT-Sicherheitmaßnahme installiert wordenist. (vgl. [Pohlmann 2006], S. 30)

Der Return On Security Investment – ROSI (gesparte Kosten, erzielter Profit) sind„die Einsparungen der Recovery Costs (Schäden), die durch das Investment in IT-Sicherheitsmaßnahmen erzielt wurden.“ (vgl. [Pohlmann 2006], S. 30) Für einenpositiven ROSI müssen die Tool Costs immer kleiner sein als die Einsparungen durchdie Investition.

Die zweite Möglichkeit den ROSI zu berechnen, ist mehr an der ursprünglichenBerechnung des ROI angelehnt. Die erwartete Einsparung berechnet sich aus derjährlichen Gefährdung (Risk Exposure – RE) multipliziert mit der prozentualen

Appendix | 141


Wahrscheinlichkeit der Risikominderung (Risk Mitigated – RM). Die jährliche Verlus-terwartung wird also nicht rein monetär berechnet. Es wird der Umstand berück-sichtigt, dass bei einer Gefahrenbetrachtung wahrscheinlich nicht jedes Auftreten(Angriff) abgewehrt oder verhindert werden kann. Die jährliche Gefährdung errech-net sich aus den projizierten Kosten eines Schadensfalls (Single Loss Exposure – SLE)multipliziert mit seiner erwarteten jährlichen Eintrittshäufigkeit (Annual Rate ofOccurence – ARO).

Anschließend subtrahiert man noch die Investitionskosten (Tool Costs – T) und divi-diert nochmals durch diese. Somit erhält man eine Kennziffer, die als Schätzwert dieprozentuale Rendite widerspiegelt.

Im Vergleich berücksichtig der zweite Ansatz in höherem Maße die Eintrittswahr-scheinlichkeit.

Formel 2: ROSI= ((RE * %RM) – T) / TRE = SLE * ARO

Da es keine standardisierten Methoden gibt, den SLE oder ARO zu berechnen, kannman nur auf Erfahrungswerte zurückgreifen oder in versicherungsmathematischenTabellen nachschlagen, die auf echten Schadensfällen beruhen. Erstellt werdendiese aufgrund von Versicherungsfällen, Forschungsdaten oder unabhängigen Stu-dien. Allerdings ist es sehr schwierig, Daten von Schadensfällen zu gewinnen. Nurwenige Firmen verfolgen nach einem Angriff die insgesamt tatsächlich aufgetrete-nen Schäden. (vgl. [Sonnenreich 2006])

3. ROSI und PKI

Der ROSI wird meist mit der Bewertung einer Sicherheitsmaßnahme in Verbin-dung gebracht, die eventuelle Angriffe und somit Schäden vom Unternehmenabwehren soll. Hinsichtlich des Einsatzes einer PKI ist diese Betrachtung jedoch zueinseitig und erfasst nicht den angestrebten systematischen und geschlossenenAnsatz zur Informationssicherheit im Unternehmen. PKI erfordert, dass eine voll-ständige Security Policy etabliert und mit einer Infrastruktur umgesetzt wird.Diese Planung muss die Menschen, Prozesse und Technologien im Unternehmenberücksichtigen und festlegen, wie diese miteinander interagieren, um dieGeschäftstätigkeit in einem sicheren und vertrauenswürdigen Umfeld zu ermög-lichen. Diese Infrastruktur muss Dienste anbieten wie Vertraulichkeit und Inte-grität von Daten, Benutzerauthentifizierung, Belegbarkeit der Datenherkunftgegenüber Dritten und die Sicherstellung der Erreichbarkeit und Verfügbarkeit vonInformationen. Ein weiterer Faktor ist die Freischaltung neuer Tätigkeitsfelder. Erstdurch den Aufbau einer PKI werden Geschäftsprozesse möglich, die vorher zu risi-kobehaftet waren. (vgl. [Lareau 2002], S. 2)

142 | Appendix


4. Berechnung des ROSI am Beispiel von Single Sign On (SSO)

Ein typisches Beispiel für die transparente Darstellung des ROSI für eine IT-Sicher-heitsinvestition in einer PKI-Umgebung stellt ein Single Sign On-System dar. ImUnternehmensumfeld werden häufig eine Vielzahl unterschiedlicher Systemeparallel betrieben. Die Nutzer dieser Systeme erhalten in der Regel unterschiedlicheAnmeldekennungen, mit denen sie sich beim jeweiligen System authentisierenmüssen. Die Nutzer müssen dementsprechend viele Passwörter und Benutzerna-men verwalten. Im Falle von vergessenen Passwörtern benötigen sie schnelle Unter-stützung, damit ihre Produktivität gewährleistet ist. Hierfür dient in der Regel einHelp-Desk System, welches die Störungen schnellstmöglich bearbeitet.

Bei einem SSO wird diese Problematik entschärft. Der Nutzer benötigt nur noch eineAnmeldekennung und muss sich nur gegenüber dem SSO z.B. durch Passwort oderChipkarte ausweisen. Die Anmeldedaten für die anderen Systeme sind hinterlegtund das SSO übernimmt die Anmeldung an diese Systeme automatisch mittelsBenutzerzertifikaten. An den Beispielen soll die Einführung und das erwartete Ein-sparpotential durch die Nutzung eines SSO stellvertretend für ein Mittelstands- undein Großunternehmen verdeutlicht werden. Die verwendeten Daten orientierensich an [Gadatsch 2006], S. 46 und wurden angepaßt.

Beschreibung der Faktoren:Bei dem Beispielprojekt handelt es sich um eine Investition in ein Sicherheitspro-jekt, bei dem ein Prozess mit sicherheitstechnischem Hintergrund optimiert werdensoll. Vorweg soll beschrieben werden, wie man die benötigten Daten zum Vergleichdes Nutzens der Investition ermitteln kann. Im Beispiel entsteht der Schaden durchden Produktivitätsverlust der Mitarbeiter, während sie auf das Rücksetzen einesPassworts oder eine erneute Vergabe warten. Die Zeit und Häufigkeit kann miteinem quantifizierenden Fragebogen ermittelt werden. Bei der Ausarbeitung desFragebogens muss darauf geachtet werden, dass keine offenen Fragen gestellt wer-den. Stattdessen sollten Wahlmöglichkeiten vorgegeben werden, die eine gleichbleibende Auswertung ermöglichen, z.B. Wie häufig vergessen sie ein Passwort? xmal pro Tag, x mal pro Woche, x mal pro Monat.

Die Zeit, die durchschnittlich zur Bearbeitung einer Passwortanfrage am Help Deskbenötigt wird, lässt sich durch eine gleichwertige Evaluierung ermitteln. Zusammenmit dem durchschnittlichen internen Stundensatz der Mitarbeiter lässt sich somitdie jährliche Verlusterwartung (Recovery Costs, Risk Exposure) berechnen.

Zur Ermittlung der Investitionskosten (Tools Costs) hat sich der TCO-Ansatz der Gart-ner Group bewährt. Dieser Ansatz berücksichtigt alle direkten und indirekten Kos-ten, die zur Beschaffung, Nutzbarmachung und zur Sicherstellung des Betriebs nötigsind. Die direkten Kosten setzen sich zusammen aus der Untersuchung potentiellerProdukte (auch die Kosten für Berichte, Tests und Berater), dem Design der Abhän-gigkeiten und benötigten Komponenten, der Beschaffung (Ausschreibungen, Anbie-

Appendix | 143


terauswahl und Marktforschung), dem Kauf (Hardware, Software, Steuern, Zölle,Änderungen an bestehenden Systemen z.B. Upgrades), der Lieferung-/ des Trans-ports, der Installation (Umgebungsanpassung, Downtime anderer Systeme, Endnut-zerproduktivität während der Installation), der Entwicklung/Anpassung, der Schu-lungen und dem Ausfahren in den Betrieb (Anpassung der Prozesse, vollständigeIntegration in die Systemlandschaft, Bekanntmachung unter den Mitarbeitern).

Indirekte Kosten zur Wahrung der Erreichbarkeit des Systems beinhalten Opera-tionsmanagement (alle Aufgaben des normalen Betriebs, Hoch- und Runterfahren,Auftragssteuerung, Ausgabesteuerung, Backup, Wiederherstellung), Systemma-nagement (Problembearbeitung, Veränderungsmanagement, Performancekontrol-le), Instandhaltung der Hardware-/ Softwarekomponenten (Updates, Fehlerbehe-bung, generelle Pflege), Lizenzkosten, Benutzersupport (Schulungen, Helpdesk-Ein-richtung, jede Art von Service) und Umgebungsfaktoren (Klimaanlage, Stromversor-gung, Unterbringung, Flächenbedarf).

Die erwarteten Einsparungen (Savings, Risk Mitigated) werden auf gleiche Weisegegengerechnet wie die jährliche Verlusterwartung. Diesmal natürlich, nachdemprognostiziert wurde, in welcher Höhe die Investition die Anfragen senken kann.Diese Angaben kann man von Erfahrungswerten anderer Unternehmen ableiten(falls man die Daten bekommt), Studien wissenschaftlicher Insitute entnehmen, imjährlichen Bericht des Computer Security Institut und des FBI nachlesen oder ausSchadensberichten von Versicherungen ableiten.

Beispiel 1 – Mittelstand – 100 Mitarbeiter:Passwortbezogene Anfragen pro Monat: 100Produktivitätsverlust durch Anfrage: 20 MinutenInterner Stundensatz der Mitarbeiter: 33 Euro1

Veranschlagte Reduzierung der Anfragen durch SSO: 40%

144 | Appendix

Formel 1:

Recovery Costs:Schaden durch passwortbezogeneAnfragen: 100 Anfragen * 11 Euro anteil.Stundensatz * 12 Monate = 13.200Euro/Jahr

Formel 2:

Risk Exposure:Schaden durch passwortbezogeneAnfragen: 100 Anfragen * 11 Euro anteil.Stundensatz * 12 Monate = 13.200Euro/Jahr

Tool Costs:Einmalige Anschaffungs- und Installa-tionskosten des SSO: 10.000 EuroBetriebskosten des SSO: 4.800Euro/Jahr



Nach Formel 1:

1. Jahr 2. Jahr 3. Jahr 4. Jahr 5. Jahr

Recovery Costs 13.200 13.200 13.200 13.200 13.200

Savings 5.280 5.280 5.280 5.280 5.280

Tool Costs (Installation) 10.000

Tool Costs (Betrieb) 4.800 4.800 4.800 4.800 4.800

Annual Loss Expenditure 22.720 12.720 12.720 12.720 12.720

Recovery Costs 13.200 13.200 13.200 13.200 13.200


ROSI -9.520 -9.040 -8.560 -8.080 -7.600

Nach Formel 2:


Single Loss Exposure 11 11 11 11 11

Annual Rate of Occurence 1.200 1.200 1.200 1.200 1.200

Risk Mitigated 40% 40% 40% 40% 40%

Tool Costs 14.800 4.800 4.800 4.800 4.800

ROSI -64,32% -54,32% -44,32% -34,32% -24,32%

Beispiel 2 – Großunternehmen – 1.000 Mitarbeiter:Passwortbezogene Anfragen pro Monat: 1.000Produktivitätsverlust durch Anfrage: 20 MinutenInterner Stundensatz der Mitarbeiter: 60 EuroVeranschlagte Reduzierung der Anfragen durch SSO: 40%

Appendix | 145

1In [Gadatsch 2006] wird ein interner Stundensatz von 60 Euro angenommen. Für ein mittelständischesUnternehmen scheint uns der Wert zu hoch angesetzt. Ein interner Stundensatz zwischen 30 und 35 Eurodürfte realistischer sein.

Savings:Verringerte Anzahl von Anfragen: 40Anfragen * 11 Euro anteil. Stundensatz *12 Monate = 5.280 Euro/Jahr

Tool Costs:40%


Nach Formel 1:


Recovery Costs 240.000 240.000 240.000 240.000 240.000

Savings 96.000 96.000 96.000 96.000 96.000

Tool Costs (Installation) 60.000

Tool Costs (Betrieb) 14.400 14.400 14.400 14.400 14.400


Recovery Costs 240.000 240.000 240.000 240.000 240.000


ROSI 21.600 103.200 184.800 266.400 348.000

Nach Formel 2:


Single Loss Exposure 20 20 20 20 20

Annual Rate of Occurence 12.000 12.000 12.000 12.000 12.000

Risk Mitigated 40% 40% 40% 40% 40%

Tool Costs 74.400 14.400 14.400 14.400 14.400

ROSI 29,03% 595,70% 1.162,37% 1.729,03% 2.295,70%

146 | Appendix

Formel 1:

Recovery Costs:Schaden durch passwortbezogeneAnfragen: 1000 Anfragen * 20 Euroanteil. Stundensatz * 12 Monate =240.000 Euro/Jahr

Formel 2:

Risk Exposure:Schaden durch passwortbezogeneAnfragen: 1000 Anfragen * 20 Euroanteil. Stundensatz * 12 Monate =240.000 Euro/Jahr



Savings:Verringerte Anzahl von Anfragen: 400Anfragen * 20 Euro anteil. Stundensatz *12 Monate = 96000 Euro/Jahr

Tool Costs:40%


In den Beispielen ist die Berechnung des ROSI sehr einfach gehalten. Bei differen-zierter Betrachtung fallen einige Faktoren auf, die nicht in die Berechnung einbezo-gen wurden. Zum Beispiel ist die Reduzierung der Nutzeranfragen kein statischerWert. Erfahrungen zeigen, dass bei steigender Akzeptanz und Erfahrung mit SSO-Systemen noch höhere Einsparquoten erreicht werden. Weiterhin wird die Häu-figkeit der Anmeldungen mit und ohne SSO nicht berücksichtigt, ebenso wie diefreigewordenen Kapazitäten beim Help-Desk. Ein Beispiel für einen sehr schwer zumessenden Faktor ist der Einfluss der verringerten Anmeldungen auf die Produk-tivität der Mitarbeiter. Es wird z.B. das erneute Eindenken in eine Aufgabe ver-mieden.

Das Problem äußert sich also bei der Bestimmung der relevanten Faktoren zur Mes-sung des ROSI. Es gibt kein standardisiertes Modell, welches festlegt, wie hoch mandas finanzielle Risiko einer Schwachstelle oder die Effektivität von Schutzmaßnah-men bewertet.

4.1 ROSI-Berechnung am Beispiel des elektronischen Dokumentenversands

Im Laufe der täglichen Geschäftstätigkeit enstehen in einem Unternehmen eineVielzahl von Dokumenten, die der Kommunikation nach Außen dienen, z.B. mitPartnern oder Kunden. Auch heutzutage wird noch in vielen Bereichen mit Post aufherkömmlichen Wegen operiert. Häufig werden diese Dokumente jedoch von denEmpfängern digitalisiert, um sie elektronisch verarbeiten oder archivieren zu kön-nen. Um diese Medienbrüche und den zusätzlichen Arbeitsaufwand zu verringernund somit Kosten einzusparen, lassen sich mit Hilfe von PKI Dokumente auch voll-ständig auf dem elektronischen Weg erstellen und versenden. Entscheidend istdabei, dass die Authentizität der Dokumente ebenso gesichert ist, wie z.B. bei einerhandschriftlich unterzeichneten Korrespondenz.

Die Möglichkeiten, den Prozess auf elektronischem Wege ablaufen zu lassen, bedin-gen entweder den Aufbau einer eigenen PKI oder die Beantragung der Zertifikatebei einem Trust-Center. Da die Schaffung einer eigenen Infrastruktur in der Regelnur für große Unternehmen mit mehr als 1000 Mitarbeitern in Betracht kommt,beschränkt sich das Beispiel auf die Erstellung der Zertifikate durch einen externenAnbieter. Die Daten des Beispiels stammen aus [Beilschmidt 2007].

Zur Berechnung eines ROSI wird die Erweiterung des Prozesses des Dokumentenver-sands auf die elektronische Variante betrachtet, d.h. die Dokumente werden elektro-nisch erzeugt, über ein Zertifikat signiert, um die Identität des Absenders zugewährleisten und anschließend elektronisch versendet. Weiterhin müssen diedazu nötigen Investitionen zur Schaffung einer eventuell nicht vorhandenen Hard-waregrundlage und der Beantragung der Zertifikate betrachtet werden. Die Kosten,die zum Aufbau einer solchen Infrastruktur nötig sind, werden den Kosten des Ver-

Appendix | 147


sands auf herkömmlichem Wege über die Poststelle gegenübergestellt. Dabei sollsich nach dem Pareto Ansatz auf die Kostentreiber beschränkt werden, die dengrößten Einfluss auf die Kostenentwicklung haben und möglichst branchenüber-greifend zutreffen.

4.2 Kostenbetrachtung

Zur Berechnung des ROSI sind als Erstes die Kosten der herkömmlichen Variante zubetrachten, die durch die Umstellung auf den elektronischen Versand eingespartwerden können. Das Problem zur Bestimmung konkreter Zahlen zeigt sich hier inder Bestimmung der Kosten eines zu versendeten Dokuments. Aufwendungen fürPapier, Tonerverbrauch und der Arbeitseinsatz der Poststelle für Verpackung,Frankierung und Versand werden in jedem Unternehmen anders eingeschätzt. Hierzeigt sich der Charakter des ROSI als Näherungswert zur Abschätzung derWirtschaftlichkeit einer Investition.

Im Beispiel wird von folgenden Kosten ausgegangen:Y 2,00 Euro Aufwendungen für Papier, Toner usw. je Dokument, von denen 1,40

Euro durch den elektronischen Versand eingespart werden könnenY 0,55 Euro Portokosten je verschicktem DokumentY 19,75 Euro Zertifikatskosten pro Mitarbeiter im Jahr für eine qualifizierte Sig-

naturY Kosten für eine Hardwarelösung, die ausgehende Dokumente automatisch sig-

niert. Die Kosten unterscheiden sich je nach Unternehmensgröße und beinhal-ten Anschaffung, Betrieb, Administration und Wartung.

Y Kosten für die Poststelle, vor und nach der Installation, da die Stelle in der Regelin kleinerer Form erhalten bleibt

Die Beispielunternehmen haben eine Größe von 100 und 3.000 Mitarbeitern, dahierfür konkrete Angaben zu Lizenzkosten für das zentrale Gateway vorlagen.

148 | Appendix


Beispiel 1 – Mittelstand – 100 Mitarbeiter:

Unternehmen A

Mitarbeiteranzahl 100

Dokumentenaufkommen/Monat 130

Kosten/Dokument 12,00 EuroZertifikatskosten/Mitarbeiter 19,75 Euro

Papierbasierter Dokumentenversand

Einmalige Kostenkeine

Monatliche KostenDokumentenkosten 1 260,00 EuroPorto (0,55 Euro / Dokument) 11 71,50 EuroPoststelle (1–2 Mitarbeiter) 1.000,00 Euro

Summe/Monat 1.331,50 Euro

Elektronischer Dokumentenversand

Einmalige KostenZentrales Gateway 6.000 Euro

Monatliche KostenDokumentenkosten (0,60 Euro/Dokument) 178,00 EuroZertifikate 164,58 EuroPoststelle 500,00 EuroWartungskosten Gateway 190,00 Euro

Summe/Monat 832,58 Euro

Appendix | 149


ROSI nach Formel 1

Monat 1 2 3 4 5 6

Investitionskosten 6.000,00

Betriebskosten PKI 832,58 832,58 832,58 832,58 832,58 832,58

Einsparungen 1.331,50 1.331,50 1.331,50 1.331,50 1.331,50 1.331,50

ROSI -5.501,08 -5.002,16 -4.503,24 -4.004,32 -3.505,40 -3.006,48

Monat 7 8 9 10 11 12

InvestitionskostenBetriebskosten PKI 832,58 832,58 832,58 832,58 832,58 832,58

Einsparungen 1.331,50 1.331,50 1.331,50 1.331,50 1.331,50 1.331,50

ROSI -2.507,56 -2.008,64 -1.509,72 -1.010,80 -511,88 -12,96

ROSI nach Formel 2

Monat 1 2 3 4 5 6


Betriebskosten PKI 832,58 832,58 832,58 832,58 832,58 832,58

Kosten kumuliert 6.832,58 7.665,16 8.497,74 9.330,32 10.162,90 10.995,48

Schaden 1.331,50 1.331,50 1.331,50 1.331,50 1.331,50 1.331,50

Schaden gesamt 1.331,50 2.663,00 3.994,50 5.326,00 6.657,50 7.989,00

ROSI -80,51% -65,26% -52,99% -42,92% -34,49% -27,34%

Monat 7 8 9 10 11 12

InvestitionskostenBetriebskosten PKI 832,58 832,58 832,58 832,58 832,58 832,58


Schaden 1.331,50 1.331,50 1.331,50 1.331,50 1.331,50 1.331,50

Schaden gesamt 9.320,50 10.652,00 11.983,50 13.315,00 14.646,50 15.978,00

ROSI -21,20% -15,87% -11,19% -7,06% -3,38% -0,08%

150 | Appendix


Beispiel 2 – Großunternehmen – 3.000 Mitarbeiter:

Unternehmen B

Mitarbeiteranzahl 3.000

Dokumentenaufkommen/Monat 2.800

Kosten/Dokument 12,00 EuroZertifikatskosten/Mitarbeiter 19,75 Euro

Papierbasierter Dokumentenversand

Einmalige Kostenkeine

Monatliche KostenDokumentenkosten 15.600,00 EuroPorto (0,55 Euro/Dokument) 11.540,00 EuroPoststelle (1–2 Mitarbeiter) 13.000,00 Euro


Elektronischer Dokumentenversand

Einmalige KostenZentrales Gateway 1125.000 Euro

Monatliche KostenDokumentenkosten (0,60 Euro/Dokument) 1.680,00 EuroZertifikate 4.937,50 EuroPoststelle 1.000,00 EuroWartungskosten Gateway 1 375,00 Euro


Appendix | 151


ROSI nach Formel 1

Monat 1 2 3 4 5 6


Betriebskosten PKI 7.992,50 7.992,50 7.992,50 7.992,50 7.992,50 7.992,50

Einsparungen 10.140,00 10.140,00 10.140,00 10.140,00 10.140,00 10.140,00

ROSI -22.852,50 -20.705,00 -18.557,50 -16.410,00 -14.262,50 -12.115,00

Monat 7 8 9 10 11 12

InvestitionskostenBetriebskosten PKI 7.992,50 7.992,50 7.992,50 7.992,50 7.992,50 7.992,50

Einsparungen 10.140,00 10.140,00 10.140,00 10.140,00 10.140,00 10.140,00

ROSI -9.967,50 -7.820,00 -5.672,50 -3.525,00 -1.377,50 770,00

ROSI nach Formel 2

Monat 1 2 3 4 5 6


Betriebskosten PKI 7.992,50 7.992,50 7.992,50 7.992,50 7.992,50 7.992,50


Schaden 10.140,00 10.140,00 10.140,00 10.140,00 10.140,00 10.140,00

Schaden gesamt 10.140,00 20.280,00 30.420,00 40.560,00 50.700,00 60.840,00

ROSI -69,27% -50,52% -37,89% -28,80% -21,95% -16,61%

Monat 7 8 9 10 11 12

InvestitionskostenBetriebskosten PKI 7.992,50 7.992,50 7.992,50 7.992,50 7.992,50 7.992,50


Schaden 10.140,00 10.140,00 10.140,00 10.140,00 10.140,00 10.140,00

Schaden gesamt 70.980,00 81.120,00 91.260,00 101.400,00 111.540,00 121.680,00

ROSI -12,31% -8,79% -5,85% -3,36% -1,22% 0,64%

Die Berechnung zeigt, dass durch die Kenntnis der grundlegenden Kostentreibern,d.h. der Faktoren, die den größten Anteil an den Gesamtkosten haben, schon einevergleichende ROSI-Berechnung möglich ist. Im Beispiel wurden qualifizierte Zerti-fikate als Berechnungsgrundlage gewählt. Ebenso wurde für jeden Mitarbeiter einZertifikat beantragt. In diesem Beispiel ließen sich Kosten u.a. durch eine Bestim-mung der Mitarbeiter sparen, die unbedingt teure qualifizierte Zertifikate benöti-

152 | Appendix


gen. Für die restlichen Mitarbeiter reichen möglicherweise fortgeschrittene Zerti-fikate, vielleicht kann aber auch auf qualifizierte Zertifikate grundsätzlichverzichtet werden. Weiterhin kann man Softwarelösungen evaluieren, mit denensich die Anschaffungs- und Betriebskosten des Gateway verringern oder einsparenlassen. Das würde jedoch von den dann erhöhten Administrationskosten und demzusätzlichen Schulungsaufwand für die Mitarbeiter zumindest in Teilen kompen-siert. Was in den Beispielen ebenso nicht einkalkuliert wurde, ist der verringerteArbeitsaufwand der Mitarbeiter, z.B. durch das sonst notwendige Ausdrucken undzur Poststelle bringen. Die Untersuchung solcher Prozesse würde jedoch zuunternehmensspezifisch werden sowie der schnellen und einfachen ROSI-Berech-nung entgegensprechen. Die Konzentration auf wesentliche Faktoren zumschnellen aber dennoch aussagekräftigen Vergleich von Alternativen steht bei derROSI-Ermittlung im Vordergrund.

5. Die Quantifizierung von Risiken

Es stellt sich noch die Frage, inwieweit es sinnvoll ist, Risiken auf Grundlage vonunvollständigen Daten abzuschätzen. Die Anwort ist: Ja! Wenn die Methoden zurBestimmung des ROSI reproduzierbare und einheitliche Ergebnisse liefern, kann derROSI als hilfreiches Mittel zum Vergleich von Sicherheitslösungen auf einer relativ-en Basis dienen.

Da für diesen Zweck die Genauigkeit der zugrunde liegenden Kosten eine unterge-ordnete Rolle spielt, gilt es, die Methodik der Kostenberechnung und –beschreibungkonsistent zu gestalten. In die Ermittlung der Faktoren zur Bemessung deswirtschaftlichen Nutzens der Investition wird häufig die Produktivität höher bew-ertet als der eigentliche Sicherheitsaspekt. Unternehmen müssen also nach Ein-flussgrößen Ausschau halten, die eine Produktivitätssteigerung oder neue Prozesseermöglichen. Bei der Ermittlung sind es in der Regel auch keine Detailfragen die denGesamtnutzen entscheidend beeinflussen. Nach dem Pareto-Ansatz gilt es, dietreibenden 20% Faktoren zu ermitteln, die 80% des wirtschaftlichen Nutzens aus-machen. Da sich Unternehmen, besonders aus unterschiedlichen Branchen, jedochschwerlich auf einen Standard festlegen würden, muss die Berechnung auf Faktorenberuhen, die unabhängig messbar sind und direkt mit dem Schweregrad z.B. einesSicherheitsvorfalls korrelieren. Auch ermöglicht die Konzentration auf wenigeentscheidende Größen eine leichtere Vergleichbarkeit über Produkte, Projekte,Unternehmen und ganze Branchen hinweg. (vgl. [Sonnenreich 2006])

5.1 Problematik bei der Anwendung des ROSI

Die Problematik bei der Berechung des ROSI hängt mit der Abschätzung des direk-ten und indirekten Schadens zusammen, der durch einen Mangel an Sicherheit ein-tritt. Hierdurch wird die Berechnung eines aussagekräftigen Wertes zu einem sehr

Appendix | 153


komplexen Vorgang. Ebenso muss die Abschätzung des Erfolgs der Sicherheitsmaß-nahme gegenübergestellt werden. Die Zusammenhänge zwischen einem konkretenAngriff und einem speziellen Schaden sind schwer herzustellen. Ebenso zwischeneinem Angriff und der unmittelbaren Wirkung der Sicherheitsmaßnahme. Ins-besondere wenn weitere Sicherheitsmaßnahmen getroffen wurden, kann der Erfolgnur schwer anteilig aufgegliedert werden. Bei mehreren Angriffen stellt die verur-sachergerechte Abrechnung das gleiche Problem dar. Ebenso basieren die Rechnun-gen auf groben Schätzungen. Die Varianz der Ergebnisse kann dementsprechendhoch sein. Wird z.B. eine ALE berechnet, dann wird davon ausgegangen, dass beimehrmaligem Eintreten eines Angriffes potentiell immer der gleiche Schaden zuerwarten ist. In der Praxis jedoch unterscheiden sich die Angriffziele und -methodenund möglicherweise verursacht nur ein erfolgreicher Angriff den gleichen Schaden,wie für alle potentiellen Gefahren des ganzen Jahres veranschlagt wurden.

6. Schlussfolgerungen

Der Return on Security Investment ist im Allgemeinen sehr schwer zu messen undauszuweisen. Die Grundlage auf ungenauen Messwerten und schwierig zu beziffer-nden Eintrittswahrscheinlichkeiten hinterlässt den Eindruck eines bloßenNäherungswertes der mitunter bezweifelt wird.

Den Mehrwert von Sicherheitsinvestitionen mit dem ROSI zu beurteilen, beruht aufder Annahme, dass eine Investitionen im Laufe der Jahre positiven Nutzen gener-iert. In einfachen Szenarien werden dazu Anschaffungs-, Implementierungs- undBetriebskosten eines Sicherheitssystems mit den möglichen Schäden verglichen, dieder Missbrauch einer Sicherheitslücke ohne Sicherheitssystem verursachen könnte.Um die Vergleichbarkeit von Sicherheitsinvestitionen zu gewährleisten, ist jedochdie Methode zur Ermittlung des ROSI entscheidend. Nach dem Pareto-Prinzip ist nureine geringe Anzahl von Faktoren zur Kostenbeurteilung entscheidend. Diesemüssen allerdings mit reproduzierbaren und konsistenten Verfahren ermittelt wer-den, auch wenn sie inakkurat sind. Zur Ermittlung der grundlegenden Kosten einerInvestition eignet sich beispielsweise der TCO-Ansatz. Will man den Produktiv-itätsverlust eines Mitarbeiters bewerten, eignen sich Umfragen, die den direktenZusammenhang zwischen Ausfall und der Einschränkung des Mitarbeiters wider-spiegeln. Stellt man sicher, dass die Fragen schnell bewertbar (z.B. Skalen), eindeutigund leicht zu beantworten sind, kann man einen starken Zusammenhang zwischenden Umfragewerten und den finanziellen Auswirkungen herstellen. (vgl. [Sonnen-reich 2006])

Diese statische Berechnung lässt allerdings den Faktor Zeit außer Acht. Ansätze,welche die Diskontierung des Kapitals berücksichtigen, sind z.B. die Kapitalwert-methode (Net Present Value) oder der interne Zinsfuß (Internal Rate of Return).

154 | Appendix


7. Quellen

[Beilschmidt 2007] Beilschmidt, A.: Geschäftsmodelle für die European Bridge-CA; 2007.

[Berinato 2002] Berinato, S.: Finally, a Return on Security Spending. In: CIOAustralia; 08.04.2002.Onine: http://www.cio.com.au/index.php?id=557330171

[Gadatsch 2006] Gadatsch, A.; Uebelacker, H.: Wirtschaftlichkeitsbetrachtun-gen für IT-Security-Projekte. In: [Mörike 2006]; S. 44–50.

[Lareau 2002] Lareau, P.: PKI Basics – A Business Perspective; PKI ForumBusiness Working Group; April 2002.

[Lubich 2006] Lubich, H. P.: IT-Sicherheit: Systematik, aktuelle Probleme undKosten-Nutzen-Betrachtungen. In: [Mörike 2006]; S. 6–15.

[Mörike 2006] Möricke, M.; Teufel, S. (Hrsg.): Kosten & Nutzen von IT-Sicher-heit; HMD – Praxis der Wirtschaftsinformatik; Heft 248 April2006.

[Müßig 2006] Müßig, S.: Haben Sicherheitsinvestitionen eine Rendite? In:[Mörike 2006]; S. 35–43.

[Pohlmann 2006] Pohlmann, N.: Wie wirtschaftlich sind IT-Sicherheitsmaß-nahmen? In: [Mörike 2006], S. 26–34.

[Schadt 2006] Schadt, D.: Über die Ökonomie der IT-Sicherheit – Betrachtun-gen zum Thema „Return on Security Investment“. In: [Mörike2006], S. 16–25.

[Schmeh 2004] Schmeh, K.; Uebelacker, H.: Sicherheit, die sich rechnet. In:Telepolis; 06.12.2004.Online: http://www.heise.de/tp/r4/artikel/18/18954/1.html

[Sonnenreich 2006] Sonnenreich, W.: Return On Security Investment (ROSI): APractical Quantitative Model. In: Journal of Research andPractice in Information Technology; Vol. 38; No. 1; February2006

Appendix | 155


Appendix E: Fragebogen Technische Perspektiven

156 | Appendix


Appendix | 157


158 | Appendix


Appendix | 159


160 | Appendix


Appendix | 161


162 | Appendix


Appendix | 163


164 | Appendix


Appendix | 165


166 | Appendix


Appendix F

Details zum Workshop

Der Veranstaltung „Workshop mit Kaminfachgespräch“, im Folgenden kurz „Work-shop“ genannt, ist der vierte wesentliche Teil des Projekts „Erfolgskriterien für Sig-natur-, Identifizierungs- und Authentifizierungsverfahren auf Basis asymmetri-scher kryptographischer Verfahren“. Auf Grundlage der Abschnitte, die sich mit dentechnischen Perspektiven, den wirtschaftlichen Betrachtungen und den Nutzungs-bedingungen beschäftigen, soll der Workshop abschließend Erfolgskriterien identi-fizieren und Perspektiven aufzeigen. An diesen Zielen wurde sowohl die Organisa-tion des Workshops als auch die Zusammensetzung der Teilnehmer ausgerichtet.

1. Teilnehmer

Die Teilnehmer wurden aus verschiedenen Kompetenzgruppen zusammengestellt:Hersteller und Dienstleister aus dem PKI-Markt, Chief Information Security Officers,die erfolgreiche multinationale PKI-Projekte umgesetzt haben, Wissenschaftler,Unternehmensberater mit Sicherheits- und Betrugsbekämpfungsexpertise, IT-Manager. Dabei wurde besonders auf eine langjährige Erfahrung der Teilnehmerwert gelegt. Neben der grundlegenden Bereitschaft aller, ihr Wissen für die Frage-stellungen des Projekts zur Verfügung zu stellen, war die weitere Motivation zurTeilnahme sehr unterschiedlich. Einige sehen das Engagement in PKI als wichtigenTeil ihrer persönlichen Expertise, die sich durch die Teilnahme und die Diskussionmit den anderen Experten erweitern und ausbauen ließ, andere wollten zudemneue Kontakte in entspanntem Rahmen knüpfen. Demnach war es wichtig, einen

Appendix | 167


geeigneten Rahmen mit „Beiprogramm“ zu finden, der die angesprochenen Exper-ten aus der Industrie zur Teilnahme motiviert. Zum einen war die vielfältigeZusammensetzung der Teilnehmer sicherlich ein motivierender Grund, zum ande-ren musste aufgrund der Seniorität der Experten ein gewisser gesellschaftlicherMindeststandard geboten werden. Es ist im Gegenzug dazu ausdrücklich festzuhal-ten, dass kein Honorar gezahlt wurde, selbst Reisekosten wurden nur von denwenigsten dem Projektteam in Rechnung gestellt, was – nach der initialen Entschei-dung zur Teilnahme – die außergewöhnliche Bereitschaft zur konstruktiven Mitar-beit der Teilnehmer belegt. Wichtig für den Erfolg erwies sich auch, neben der durchdas Projektteam getragenen Expertendiskussion, im Rahmen des gemeinsamenAbendessens und dem anschließenden Kaminfachgespräch genug Raum und Zeitfür bilaterale Gespräche vorzusehen, welche sich im Nachgang zum moderiertenTeil der Veranstaltung auch und gerade für die Erkenntnisse des Projektteams alssehr gewinnbringend erwies. Folgende Teilnehmer konnten wir für die Mitarbeit andem Workshop gewinnen:

Dr. Anders Bally Business Development Manager, VP SECUDE

Prof. Hans-Ottomar Beckmann Chief Information Security Officer Volkswagen

Dr. Gunter Frank Ex-Chief Information Officer Dresdner Bank / DREGIS

Birgit Galley Geschäftsführerin Steinbeis-Institut Risk-and-Fraud

Dr. Saskia Günther Security Officer, PKI Service-Owner Allianz

Wolfgang Hawreluk Geschäftsführer Business Integrity Management

Dr. Franz-Peter Heider Manager Security Consulting T-Systems

Dr. Henning Herzog Geschäftsführer Steinbeis-Institut Risk-and-Fraud

Dr. Rüdiger Mock-Hecker Geschäftsbereichsleiter Kartensysteme Sparkassenverlag

Prof. Norbert Pohlmann Vorstandsvorsitzender TeleTrusT e.V. FH Gelsenkirchen

Dr. Achim Schmidt Chief Information Officer Beta Systems

Wolfgang Schneider Stellvertretender Institutsleiter Fraunhofer SIT

Reinhard Schöpf Ex-Chief Information Security Officer Siemens

Trotz einiger Absagen hat das volle Engagement und die Kompetenz der Teilnehmerin den intensiven Diskussionen den Erfolg des Workshops gewährleistet.

2. Methodik und Ablauf des Workshops

Der Ablauf des Workshops war wie folgt geplant:

13:00–14:00 Ankunft der Teilnehmer, Snacks & leichter Imbiss

14:00–14:10 Begrüßung und Einführung in den Tag, Vorstellung Projekt, unsere Erwartungen

14:10–14:30 Vorstellung der Teilnehmer (Position zur PKI, Erwartungen an die Veranstaltung)

14:30–14:45 Vorstellung bisherige Literaturrecherche und Ergebnisse der Interviews zur Technik

14:45–15:00 Vorstellung wirtschaftliche Betrachtungen und erste Ergebnisse

15:00–15:15 Vorstellung Nutzungsbedingungen und Ergebnisse der anonymen Telefoninterviews

15:15–15:20 Kurze Erklärung der Workshop-Technik (Paulus)

168 | Appendix


15:20–15:40 Kaffeepause

15:40–17:00 Break-Out in 3 parallelen Sitzungen

17:00–18:00 Vorstellung der in den Sitzungen erarbeiteten Ergebnisse

18:00–18:30 Feedback-Runde

18:30–19:00 Pause

19:00–21:00 Gemeinsames Abendessen mit Platzierung der Teilnehmer zur Fortführung der Diskussion

21:00–22:30 Kaminfachgespräch: bilaterale Diskussionen zur Ergänzung und Abrundung

Die Gesamt-Moderation des Workshops bis zum Abendessen wurde von H. Paulusdurchgeführt. Um die Teilnehmer auf die zu einem späteren Zeitpunkt geplantenArbeitsgruppen vorzubereiten wurden sie in einem ersten Schritt über die bisheri-gen Ergebnisse der Arbeiten des Projektteams informiert. In den darauf folgenden„Break-Out-Sessions“ sollten die Teilnehmer auf der Basis ihres Wissens und ihrerErfahrung und der von uns dargestellten Ergebnisse mit Hilfe von Moderationskar-ten jeweils 3–5 Problemfelder identifizieren, daraufhin passende Wunsch-Zuständesowie Lösungen/Aktionsfelder erarbeiten, die den Wunsch-Zustand zum Ziel haben.Die Moderationskarten wurden dann unter Erklärungen und Feedback durch dieSitzungsteilnehmer weiter bearbeitet. Ein Rapporteur jeder Arbeitsgruppe berichte-te eine Zusammenfassung der Diskussion im darauf folgenden Plenum.

Die Diskussionen waren von Anfang an sehr intensiv durch die breit differenzierteKompetenz der Workshop-Teilnehmer, mit Beiträgen aus sehr unterschiedlicherInteressenlage. Durch die Vertiefung in den Arbeitsgruppen wurde eine Fokussie-rung der Kernthematik erreicht, die durch die abschließende Feedback-Runde nocheinmal zusammengefasst wurde. Insbesondere die interdisziplinäre Zusammenset-zung von Technikern und Nicht-Technikern, von IT- und Sicherheitsverantwort-lichen über PKI-Dienstleister bis hin zu Professoren der Betriebswirtschaft war einwesentlicher Erfolgsfaktor für die Ausprägung von differenzierten und durchauskontroversen Aspekten.

Besonderer Wert wurde darauf gelegt, die Zusammensetzung der Break-Out-Ses-sions so gestalten, dass möglichst Personen zusammen gearbeitet haben, die sichnicht vorher kannten. Durch diese Maßnahme wurde eine offene, vorurteilsfreieDiskussion unterstützt. Dieses Vorgehen hat sich unserer Meinung nach als erfolg-reich erwiesen, obwohl das Bestreben in den Diskussionen, ein gemeinsames Ver-ständnis zu Sachthemen zu erreichen, natürlich Zeit kostete.

Auch wenn die Diskussionen über die Zeit sehr breit verteilte Aspekte berührten,war doch der Verlauf geprägt von optimistischen, aber dennoch kritischen Ausein-andersetzungen mit klarem Fokus: dem Erfolg von Public-Key-Infrastrukturen, -Anwendungen und -Technologien. Im weiteren Verlauf dieses Kapitels werden dieErgebnisse der Diskussionen aufgezeigt. Sehr wertvoll waren die Empfehlungen zurweiteren Vorgehensweise, die uns von den Teilnehmern ohne Aufforderung mitge-geben wurden.

Appendix | 169


Schließlich enthielten die eher informellen Kommentare während des gemeinsa-men Abendessens und des anschließenden Kamingesprächs wichtige Detail- undPraxisinformationen sowie persönliche Einschätzungen, die das Projektteam ineiner formellen Befragung wie in dem moderierten Teil des Workshops nicht erfah-ren hätte. Dies gilt in besonderem Maße für Meinungen oder Einschätzungen entge-gen der „herrschenden“ Expertenmeinung, die – vielleicht wegen politischer Moti-vationen – in dieser Form bisher nicht öffentlich diskutiert wurden.

Zusammenfassend kann man zur Methodik des Workshops sagen, dass die beidenAspekte „Interdisziplinarität der Teilnehmer“ und „Mischung aus moderierter Dis-kussion und informellen Gesprächen“ Garanten für den Erfolg des Workshopswaren und damit ein wesentliches Element in der Erkenntnisbildung des Projektsdarstellen. Darüber hinaus ist betonen, dass es vermutlich nur durch den gesell-schaftlichen Rahmen überhaupt möglich war, die in dieser Form selten erreichteZusammensetzung von anerkannten Experten zu erreichen. So konnten wir einfacettenreiches, durchaus mit Spannungen und Widersprüchen versehenes Bildüber Nutzungsbedingungen von PKI in der Praxis gewinnen, was ohne eine solcheVeranstaltung, etwa nur durch Interviews, mit hoher Sicherheit nicht erreicht wor-den wäre. Wir können daher dieses Vorgehen für weitere Themen mit interdiszipli-närem Charakter grundsätzlich empfehlen.

3. Aufteilung in Gruppen

Gruppe „Blau“: Moderation: ReimerProtokoll: HesseY SchöpfY HawrelukY Mock-HeckerY Bally

Gruppe „Grün“: Moderation: MorcinekProtokoll: BeyerY BeckmannY GalleyY HeiderY FrankY Pohlmann

Gruppe „Rot“: Moderation: HollProtokoll: HellmannY GüntherY HerzogY SchneiderY Schmidt

170 | Appendix


4. Einladungstext

Sehr geehrte Damen und Herren,

im Auftrag des BMBF führen wir ein Forschungsprojekt zur Untersuchung der Erfolgs-kriterien von Public-Key-basierten Anwendungen durch. Dabei steht nicht die Technikim Vordergrund, sondern Nutzungsbedingungen und betriebswirtschaftliche Aspekte.

Insbesondere wollen wir erarbeiten, warum die sicherheitstechnisch überlegene Tech-nologie (noch) nicht flächendeckend eingesetzt wird, was Hinderungsgründe sind,warum IT-Verantwortliche oft andere Lösungen bevorzugen und welche Parameterzur erfolgreichen Umsetzung notwendig sind.

Um von Erfahrungen von Entscheidern und deren Umfeld profitieren zu können, füh-ren wir einen High-Level Workshop durch, bei dem wir IT-Entscheider (und nicht unbe-dingt Sicherheitsverantwortliche) zu Wort kommen lassen wollen. In dem seminar-ähnlichen Umfeld, ansprechend moderiert, soll der lockere Austausch nicht zu kurzkommen, um auch Networking und Diskussionen zu anderen Themen Raum zu lassen.

Die Gestaltung der Veranstaltung ist entsprechend folgendermaßen aufgebaut:Y Anreise am Vormittag, leichter Lunch ab 13hY Seminararbeit 14h bis 18hY Gemeinsames Abendessen 19hY Übernachtung im Schlosshotel Grunewald, Berlin

Als mögliche Termine haben wir den 22. Februar oder alternativ den 27. Februar vorge-sehen. Die aktuelle Präferenz liegt auf Donnerstag, dem 22. Februar.

Wir würden uns sehr geehrt fühlen, wenn Sie uns mit Ihrer Expertise zur Verfügung ste-hen könnten. Um eine kurze Rückmeldung per E-Mail in den nächsten Tagen würdenwir uns sehr freuen. Bei einer positiven Rückmeldung wird Ihnen eine offizielle Einla-dung zugesendet. Natürlich übernehmen wir die Reisekosten für die Veranstaltung.

Herzliche Grüße

Friedrich HollSachar PaulusHelmut Reimer

Appendix | 171


Also available:

Band 1: Metastudie Open-Source-Software und ihre Bedeutung für Innovatives HandelnBand 2: Studie zum Innovationsverhalten deutscher Software-Entwicklungsunternehmen

© 2008 Self-published, BerlinDesign: Martin SchüngelTranslation: Stefanie Otersen and Peter MorcinekPrint: digital business and printing GmbH, D-10409 Berlin

ISSN 1863-5016

Study Criteria for success of identification ... fileBand 3 Study Criteria for success of...

Documents

Transcript of Study Criteria for success of identification ... fileBand 3 Study Criteria for success of...