
Avoidance of data traces with smartcard-based authentication systems


Thomas Hildmann
FSP / PV PRZ, Technische Universität Berlin, berlin.de

Summary

Smart cards not only serve as a key technology for digital signatures, they can also be used as an identification feature in an authentication system. Many experts regard single sign-on (SSO) as the killer application for smart cards. Unfortunately, common authentication mechanisms based on smart cards leave behind data traces that allow the creation of relatively complete movement profiles. These profiles become more complete the more widely a cross-organizational SSO is implemented. Do we really have to pay for the additional security gained through smart card technology with a loss of privacy?

In the campus card project at the Technical University of Berlin, a system was developed that is based on Java cards, a mutual authentication of background system and card, and a distribution of the respective responsibilities among systems (separation of duty). This system enables the authentication of people and offers them the highest possible protection of their privacy and, as a side effect, a high level of reliability against failure.

Based on an overview of the most important requirements for the campus card system at the TU Berlin and the planned inter-university system of the universities in Berlin and Brandenburg, the data model developed for the chip card and the background system is discussed. Then the current status of the work on the authentication system is presented, and the individual protocol steps are commented on to make clear their relevance to the requirements. This is followed by an overview of the currently known problems in implementing this solution and an outlook on further work in the field.

1 Introduction

The standard requirements for IT systems, "security" and "user friendliness", often conflict with one another. It goes without saying that it is easier to start a program and access data immediately than to answer a user name / password query first. Single sign-on (SSO) procedures are an attempt to defuse this dilemma. Instead of authenticating again for each application, the user runs through the authentication process only once. The identity is then passed on within the system.

User name / password queries have long-known weaknesses. These range from guessable passwords, through passwords that are passed on to others, to notes attached to the screen listing all of the user's passwords. Password queries across distributed systems cannot be regarded as secure on their own, as they can be spied on unless the transmission channels are additionally encrypted. Smart cards offer a user-friendly alternative here. The disadvantages of smart cards include hardware costs for the readers and the cards themselves, a usually more time-consuming login process, and the necessary management of cards.

However, if the introduction of smart cards is coupled with an SSO, the disadvantages mentioned are put into perspective. This effect can be reinforced by introducing multifunctional cards rather than cards specific to one application or application class. The costs are spread over securing a larger number of services, the time-consuming login via the card is only necessary once per session, and the central administration of the cards has the useful side effect that blocking a card affects all services in the SSO network.

If a login using a user name / password only leaves data traces such as the time of the login and logout or the location from which the login took place on the application server, then login via an SSO with the help of a multifunctional card should be viewed more critically. The usage information for all applications that are protected by the card can be collected here in a central location. Not only the employer can spy on the behavior and performance data of the cardholders (employees) in this way; third parties may be able to do so as well, for example by eavesdropping on network communication or by reading data from the card themselves at suitable points and merging it.

Even if a smart card is only used as a container for certificates, movement profiles can be created relatively easily. With certificate-based authentication, the smart card must first reveal its identity. This identity can be encoded as cryptically as desired. Each certificate can have a unique number as the subject name, which initially does not provide any information about the person behind it. However, it cannot be prevented that records are made of the times and locations of access to various services. In a final step, the attacker then has to assign the information that was initially collected anonymously to a person. This can happen in a number of ways.
It is usually sufficient to eavesdrop on the network traffic from a specific network node. If the chip card with the ID x logs in and the e-mail account of person a is queried shortly thereafter, it can be assumed that person a holds the card with the ID x. The assignment of ID to person can also be learned from unencrypted information in HTML forms. An attack would also be conceivable in which the attacker himself places an HTTPS page on the network that asks for personal information under a pretext. This server only needs to have a key that was certified by a well-known trust center. Many browsers, in their default setting, notify the user of a change from one HTTPS server to another. However, when such a change occurs, users usually do not check the certificate issuer as long as the certificate was issued by a well-known trust center. These two examples are intended to show that an association between ID and person is by no means impossible and does not involve extremely high effort. This is a serious risk that we wanted to counter in our project.

2 Requirements for the security infrastructure

In March 2000, the "Framework specifications for chip card-based service systems at universities in Berlin and Brandenburg" were published by the campus card working group [NAGE_2000]. This document defines the framework conditions for a cross-university chip card system. In the further course of the project, these were supplemented by requirements of data protection, the staff councils and the administration of the universities, and by the existing IT structures [GEBH_2000]. The most important requirements for the authentication system are briefly summarized below:

- The login procedure and the use of the application take place via a standard web browser. The basic technologies available here are HTML, Java and special plugins.
- The installation effort for additional software on the client systems should be kept to a minimum. Ideally, only the driver for the card reader needs to be installed.
- The user remains authenticated until the browser is closed, a configurable time limit (inactivity) is exceeded, or the user has explicitly logged off. If the time limit is exceeded, a new authentication is requested.
- The authorization system has a suitable and easily adaptable user management.
- The use of smart cards with an integrated cryptographic processor and private keys that cannot leave the card is essential.
- Use via: PC at home, computer in the office, public terminal or PC pool, each via standard browser and smart card reader.
- Authentication software is installed as a plug-in or downloaded from the server as a signed applet.
- Client software is available for all common systems, such as MS Windows, Linux, Mac OS, Solaris, Net / Open / FreeBSD.
- The data stored on the smart card are categorized. It must be specified which groups of people or systems must have access to the respective data in order to carry out their respective activities.
- It must be ensured that only authorized persons or systems can read the data intended for them from the smart card.

The campus card has the following tasks:

- Service or student ID, i.e. visual identification (comparison with the printed passport photo), e.g. when accessing the premises or when providing evidence of eligibility for discounts, etc.
- Electronic proof of the period of validity of the ID card: it must be electronically verifiable that the ID card is currently valid.
- Electronic identification of university members and guests of the universities via classification features. A classification feature can, for example, consist of matriculation or personnel numbers as well as a university code and a version number for the card.
- Use of the card for access to computer systems.
- The card should be suitable for signing electronic documents.
- It should be possible to encrypt business documents using a key on the card.

Further requirements and tasks can be found in the sources mentioned. This compilation only serves to give an overview of the context in which the campus card is to be used and of the basic requirements on which the campus card system is based. The requirements make clear that the solution developed is by no means relevant only for use at universities, as the requirements are of a general nature and can be transferred to most IT infrastructures.

3 The data model

A data model was developed from the given requirements. Part of the data is on the chip card, while another part is kept in the background system.

3.1 Data on the chip card

A small amount of data should be kept electronically readable on the campus card so that systems without a direct network connection can also determine information about the cardholder. However, it was assumed that as little data as possible should be stored on the card [SUHR_2000]. The data model divides the accessing systems into six groups: the data-holding or card-issuing body (including student, staff and guest administration), university-internal users, users in the university network, users close to the university, users remote from the university, and cardholders.

The cardholder's name is not stored electronically on the smart card. Only the classification feature can be used for identification at a suitable point. However, since the classification feature is also personal data, access is restricted here as well. The Java applet on the card has to ensure that only authorized persons or systems can access the respective data. Table 1 shows the method abbreviations used, the method names written out, and explanations of each method.

Abbreviation | Method name | Explanation
c | create | The data item can be initialized once, i.e. its creation is triggered on the card (e.g. key generation).
w | write | The value can be written to the card.
r | read | The value can be read from the card.
v | verify | The card can verify a signature using the given key.
d | decrypt | The given key can be used for decryption.
s | sign | This key can be used to carry out a digital signature.
a | auth | With the help of this key, authentication can be carried out using a challenge-response procedure.

Table 1: Access methods to data elements of the smart card

By "university-internal users" we mean, in the sense of the data model, administrative bodies within the university that has issued the card, which offer services on behalf of this university. "Users in the university network" are service providers acting on behalf of another university that is a member of the "chip card network". "Users close to the university" are facilities such as the cafeterias, whereas all other systems fall under the category of "users remote from the university".

[Table residue: Data element, Application Profile (AP), Card ID (CID), Cert.]

The "create" method may only be used by the respective data-holding body. After initialization, the classification feature (OM) can be read by all access groups except users close to or remote from the university. To read the OM, the accessing system must at least be a system within the university network.

3.2 Data in the background system

In addition to the data on the chip card itself, further data is kept in server systems that can be accessed via the Internet. Certain applications can do without the background system. However, as already mentioned, I would like to deal only with those services that can be used via the Internet, in particular the WWW. The campus card management system (CKMS) consists of the card status query system (KSAS) and the campus card public key infrastructure (CKPKI).

Entry | Data type | Explanation
Card number | Number | Unique number of the issued smart card. Corresponds to the CID entry on the card.
Valid_from | Date | When does the card become valid? Corresponds to the DEB entry on the card.
Valid_to | Date | Until when is the card valid? Corresponds to DEE.
Status | Number | Indicates the status of the card (e.g. 0 = initialized, 1 = valid, 2 = blocked, ...)

Table 3: Data in the card status query system

Physically, the entire CKMS could be kept on one server. If necessary, both databases can also be kept on one database system. While the CKPKI is a PKI based on X.509v3 certificates [GUTM_2000] that can be queried via LDAP (Lightweight Directory Access Protocol, [RFC_1777]), the KSAS is a system that only provides information on the status of an issued card. The idea behind this separation is to have one system that initially manages cards anonymously based on their number and another system that initially manages certificates independently of the cards. Universities that only want to use some of the services in the university network and currently decide not to set up a PKI only need to set up a KSAS.

The main advantage of the solution is the treatment of the intermediate states in which university employees often find themselves. Employment relationships are often unclear while project contracts or the like are being extended. In this case, the validity of a certificate does not need to be changed. It is sufficient to set the card status accordingly. The certificate will only be revoked if the employee leaves the university for good or if the card is reported stolen or lost.

It is noticeable that the validity period of the card is also saved in the KSAS. This raises the typical problem that the data on the card and in the KSAS must be kept synchronized.
The advantage of this procedure is that only the card number needs to be known in order to decide whether the card is currently valid. For example, a card could have the status "valid" while its validity period does not start until the new semester.

The following problem arose when designing the PKI: a certificate that is used to encrypt e-mails or to sign documents must be stored publicly on a directory server. Publicly accessible certificates must not contain classification features or card numbers at the same time. The e-mail address usually reveals a person's name, directly or indirectly via the mail header, and, in the TU context, the institute at which the person works or the subject they are studying. This information must not, for example, be linkable to the matriculation number, since publicly posted grade lists usually contain the grade and the matriculation number. For this reason, an authentication certificate is needed that does not contain an e-mail address or name, but instead contains the card number. As will be seen later, the card number can thus be determined reliably, while the name and classification feature remain anonymous.

[Figure 1: Directory structure of the campus card PKI. Recoverable labels: O = Campus card; O = Technische Universitaet Berlin; CN = Campus cards CA; CN = Server CA; CN = Person CA; OU = Auth; OU = Encr; OU = Sign]

The three types of certificates are held in three subtrees of the PKI (Figure 1). The branch with the authentication certificates (OU = Auth) has restricted access. It can only be queried by authentication systems. It should be noted that the "Hochschulverbund Berlin Brandenburg" (O = campus card) and each university have their own "Server CA" (CA: Certification Authority, [CAMP_2000]). A distinction is also made between "Server CA" and "Person CA". The reason for this is purely technical: while 2048 bit RSA keys are usually used for the CA keys, most of the currently available smart cards are only able to check 1024 bit RSA keys. The smart card itself is not able to carry out LDAP queries. It can only check certificates against a previously stored CA certificate. As will be seen in detail in the authentication process, the separation of "CA", "Server CA" and "Person CA" means that the certificates are already categorized, which significantly reduces the number of operations on the card. This is necessary because operations on the card and transfers to and from the card take a comparatively long time.

[Figure 2: Network architecture. Labels: Internet, firewall, application level gateway, firewall, application]

4 The system architecture

Based on the above requirements and the defined data scheme, an authentication scheme was created that is briefly presented and discussed below. As a rule, we are dealing with WWW-based applications that were developed before the introduction of authentication using smart cards. In order to keep the adjustment effort for the applications as low as possible, we equip them with application level firewall gateways that encapsulate the smart card-based authentication. At the same time, to increase security, we use application-related firewalls, which results in the network architecture shown in Fig. 2.

4.1 The client system

A browser, a smart card reader and the appropriate drivers, as well as a correctly configured Java runtime environment, are required on the client system. In the following it is assumed that a signed Java applet can be loaded onto the client system, which then has access to the card reader. This applet is called the Identifier. It serves as an interface between the smart card and the background system.

4.2 The application level gateway

Five components are installed on the application level gateway:

- Web proxy: The web proxy is a simple web server with servlet support that the browser on the client system addresses instead of the application.
- Security controller: The security controller is a servlet that is started by the web proxy for every request that is to be sent to the application. The security controller triggers the authentication, issues tickets for authenticated sessions in the form of signed cookies, and checks these for every incoming request.
- Ticket server: The ticket server is used solely to generate and check signed tickets that contain the data from the smart card that are relevant for the applications. As a rule, these are the classification feature and the personal status. Often, however, data such as program-internal user groups are also added here.
- Decorator: The decorator is used to map the smart card data (OM and PS) to the application-specific data, such as user name, user group, session number, etc. The term is borrowed from the decorator design pattern (decorator, also known as wrapper), since this component takes on exactly such a task from a design point of view [GAMM_1996].
- Application proxy: Various applications cannot be adapted to the conditions of the campus card infrastructure, because they are too difficult to maintain or because, for example, they were purchased and their source code is not available. This component is intended for integrating such applications into the infrastructure. It can carry out application-specific transformations of the requests of any complexity. For example, the application proxy can perform a simple user name / password authentication towards the application and pass the application's responses on to the client system in filtered form. The system can later be linked to a role-based access control system via the application proxy [GEBH_2000b].

4.3 Other server systems

In addition to the components mentioned and the server on which the application runs, an authentication server, the aforementioned card status query system and a directory server (LDAP) are also required for authentication. It is possible to set up the infrastructure with just one authentication server. However, this not only reduces the reliability of the system, it also ultimately poses a problem with the log data generated on this authentication server. Depending on the size of the organization, at least three authentication servers should be used. In theory, however, there can be any number of servers. KSAS and LDAP server can be operated on one computer.
Here, too, in the interests of reliability, it is important to ensure the highest possible redundancy, since if one of the two systems fails, it is no longer possible to log on using a chip card. Distribution over several mirrored directory servers also has the advantage that hardly any information can be obtained from the requests to the directory service.

5 The authentication protocol

In the following, an example sequence of an authentication according to the developed scheme is described; see dynamic asymmetric authentication [RANK_1999]. Faults and special cases, e.g. the detection of attacks against the individual components, are not dealt with in detail. The main focus is on which data traces are left or avoided on which systems. In this article I focus on the question of untraceability or unlinkability. It is important to note, however, that this is only one aspect of data protection. Further aspects are discussed, for example, in [GEBH_2000c]. The authentication takes place in three phases: the server-side authentication, the authentication between smart card and authentication server, and the issuing of the ticket.

5.1 Server-side authentication

The user navigates to the desired application. Instead of being connected directly to the application's web server, a connection to the web proxy is established. To ensure that it is the correct web proxy and not a Trojan horse, and to secure the later communication between web server and web proxy, i.e. indirectly the application, an SSL-secured (Secure Sockets Layer, [FREI_1996]) HTTP connection is established. At this point, in our case, only the server is authenticated using the challenge-response procedure defined in SSL. The user authentication now follows through the campus card system.

[Figure 3: Authentication part 1. Participants: security controller, web proxy, web browser, Identifier. Messages: get(page); sksec, authpage, nrv, CAuthServer; startapplet(sksec, nrv, CAuthServer)]

Figure 3 shows how the web browser requests an arbitrary page (page). The page request is passed on to the security controller servlet. The security controller determines that no ticket in the form of a cookie is attached to the request. For this reason, it starts the authentication process. The security controller generates a session key sksec (session key, security controller). The session key of the security controller is used to encrypt the classification feature and, for example, the personal status. As we will see, further communication takes place via the authentication server, which, however, should not come into possession of the classification feature. sksec is sent back to the web browser via the web proxy, together with a non-recurring number nrv and the certificate of an authentication server CAuthServer, on an authentication page authpage. The browser then starts the signed Identifier applet specified on the authpage with the given parameters.

The nrv is necessary to recognize the current authentication session. In the further course of the authentication, the applet communicates with the authentication server. Once this communication has been completed, as will be seen later, the security controller must be able to pass the ticket on to the "correct" browser.

Alternatively, sksec could be used to identify the session. However, this solution was perceived as "unclean". The nrv identifies the session. sksec is used to encrypt data that only the security controller should be able to decrypt.

The Identifier runs on the client system. However, since it is an applet loaded from the server, it is relevant from the user's point of view which data the Identifier can collect. From the point of view of the university, it must be assumed that the client can attack the system by using a fake Java virtual machine on the client system or by modifying the applet.

5.2 Smartcard / authentication server authentication

It would now be possible to carry out the rest of the authentication against the security controller. To do this, however, the card would have to send its CID to the security controller so that the certificate can be checked. Or the card would have to hand over its OM right away. The security controller would need some value that it could use as a search pattern in the directory service. The consequence would be that certificates would have to be filed with classification features that can be searched for using CIDs or the like. In any case, CID and OM would come together at least at the security controller. Since the CID is used in the KSAS to check the status of the card, but the CID and OM must not be brought together [1], the CID is disclosed to the authentication server, which, however, cannot read the OM because it was previously encrypted with the session key of the security controller.

[1] The only exception here is the data-holding body, because it must be able to block cards again.

[Figure 4: Authentication part 2. Participants: authentication server, Identifier, smart card. Messages: reqrnd(sksec, CAuthServer, nrv), authcryptsignsc, authansweras, trojancheck]

Fig. 4 shows the second phase of authentication. Phase 1 ended with the start of the Identifier applet. This applet now calls the reqrnd() function with the parameters sksec, CAuthServer and nrv. The smart card first checks the correctness of the CAuthServer certificate. The only possibility that the card has to carry out such a check is verification of the signature of the server CA of the university network. The system with which the cardholder wants to authenticate does not necessarily have to be one at the cardholder's own university. Please note that the smart card cannot manage blacklists. If an authentication server at a university is compromised, a new server CA certificate must be issued and all smart cards must be updated. However, this is not a problem specific to our authentication process, but a general problem with the authentication of a background system against a smart card.

The certificates signed by the server CA contain, among other things, a security level. The security level encodes which data on the smart card the background system has access to. The smart card extracts the security level and checks whether the system for which the CAuthServer certificate was issued is authorized to carry out an authentication. If this is the case, a random number rndsc (RaNDom number SmartCard) and a second session key sksc (SessionKey SmartCard) are generated. Thereafter, the classification feature OM is encrypted with the session key of the security controller sksec. The result of this operation is stored in the omcrypt variable. A data structure is then created from omcrypt, rndsc, sksc, nrv and CID, which is encrypted with the public key from CAuthServer. The result of the encryption is signed. This means that a hash value is created over the entire data block and encrypted with the private key of the SKA smart card. The result of the entire operation, authcryptsignsc, is sent to the authentication server via the Identifier.

Only the owner of the private key that matches the public key in CAuthServer is now able to decrypt authcryptsc. If this succeeds, the CID can be determined and thus the signature over authcryptsignsc can also be checked. The possible attack of transmitting a fake CAuthServer fails because the server CA's signature is missing during the verification.

The authentication server now decrypts authcryptsc with the help of its own private key PrivKeyAS. After decryption, the status of the card is first checked at the KSAS. If the card is valid, not blocked and within the validity period, the certificate CSc is requested via the CID. The certificate is checked with the help of the Person CA certificate CPersonCA. Then the entire authcryptsignsc block is checked against the public key from the CSc. If all checks are successful, the tuple (nrv, omcrypt, rndsc, sksc) is saved for a period of a few minutes.

The smart card is now able to check whether the decryption of authansweras using the previously generated session key sksc results in rndsc again. If this is the case, it is ensured that the remote station really is the authentication server, as only it is in possession of PrivKeyAS, which was necessary to learn the sksc. Attacks by replaying previously recorded sessions are also not possible, as a different rndsc is very likely to be generated for each session. Even repetitions of the same rndsc cannot be recognized by an attacker, because they are always sent to the authentication server in a block with other random numbers. As a confirmation, the smart card sends an extract from the classification feature if the authansweras check was correct.

Currently under discussion is, for example, sending back two pairs, each consisting of a digit position and the corresponding digit. The aim is for the Identifier to be able to display a message on the screen: "The authentication was successful! To cross-check: The 4th digit of your classification is 3, the 6th digit is 0. If the cross-check is correct, please click on Next!"

This measure is intended to provide additional protection against Trojan horses and fake web servers. The classification feature can only be read from the card by authorized systems. If a fake authentication screen is presented to the user, the fake program is unable to guess two digits of the classification feature. For the user, on the other hand, this is easy to check. If no card reader with an integrated PIN pad or, for example, a keyboard with a secure PIN entry mode is used, so that the PIN is sent directly to the smart card and cannot be evaluated by software, the Trojan horse would have obtained the cardholder's PIN in this case. However, this PIN cannot be associated with a card, since the cards generally do not issue any identification features to unauthorized background systems. Even public terminals prepared with false certificates that refer to fake websites can be exposed in this way.

5.3 Issuing the ticket

The cardholder is asked by the Identifier to press the Next button.

[Figure 5: Authentication part 3. Participants: authentication server, security controller, web proxy, web browser. Messages: getomfornrv(nrv); get(ticketpage, nrv); omcrypt; ticketpage, ticket]

Fig. 5 shows how the ticket page is requested from the web proxy after the Next button is pressed. The previously set nrv is given to the web proxy as a parameter. The security controller that receives this request now requests the classification feature for the associated nrv from the authentication server. The authentication server can determine the omcrypt value via the nrv and send it to the security controller. Since we take into account cases in which applications are also allowed to write to the card (e.g. when reporting back), we also transfer the sksc to the card and keep this session key in the ticket. The application is then able to access the card without renewed mutual authentication until the session is ended.

The ticket is signed by the ticket server so that tickets cannot be forged by the user. The SSL connection between the web proxy and the server ensures that the ticket data cannot be eavesdropped on. When the cookie is issued, the browser is instructed not to save the cookie, but only to keep it in memory. If these precautionary measures are not sufficient, it is also possible to have the tickets encrypted by the ticket server. In this case, however, the user is deprived of the opportunity to check which data is stored about him in the cookie.

Since the security controller has the sksec session key with which the OM was encrypted, it is able to decrypt it. In the next steps, the authorization server would be addressed, which would add further application-specific data to the classification feature. This data is then sent to the ticket server, which serializes and signs it. The security controller finally sets the data as a cookie and sends a welcome page including the cookie to the browser. This completes the authentication.
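The ticket handling described in sections 4.2 and 5.3, as an added example that is not code from the campus card project: a ticket server that signs and checks tickets, a readable ticket body, and the security controller's per-request decision with the inactivity limit. HMAC-SHA256 stands in for the ticket server's signature, and the field names, the cookie name cc_ticket, the 900-second default and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets


class TicketError(Exception):
    """Ticket is malformed, forged or idle for too long."""


def b64e(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TicketServer:
    """Generates and checks tickets; only this component holds the key."""

    def __init__(self, max_idle_seconds=900):
        self._key = secrets.token_bytes(32)
        self.max_idle_seconds = max_idle_seconds

    def _tag(self, body):
        # Assumption: HMAC-SHA256 as the "signature"; the page names no algorithm.
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def issue(self, om, ps, groups, now):
        claims = {"om": om, "ps": ps, "groups": groups, "last_seen": int(now)}
        body = json.dumps(claims, sort_keys=True).encode()
        return b64e(body) + "." + b64e(self._tag(body))

    def check(self, ticket, now):
        try:
            body_part, tag_part = ticket.split(".")
            body, tag = b64d(body_part), b64d(tag_part)
        except ValueError as exc:
            raise TicketError("malformed ticket") from exc
        # Constant-time comparison, and before the body is parsed at all.
        if not hmac.compare_digest(tag, self._tag(body)):
            raise TicketError("signature check failed")
        claims = json.loads(body)
        if now - claims["last_seen"] > self.max_idle_seconds:
            raise TicketError("inactivity limit exceeded")
        return claims


def read_ticket(ticket):
    """What the cardholder can do without any key: see what is stored."""
    return json.loads(b64d(ticket.split(".")[0]))


def handle_request(ticket_server, cookie, now):
    """Security controller decision for one incoming request."""
    if cookie is None:
        return "authenticate", None
    try:
        claims = ticket_server.check(cookie, now)
    except TicketError:
        return "authenticate", None
    # Sliding inactivity window: re-issue the ticket with the new timestamp.
    fresh = ticket_server.issue(claims["om"], claims["ps"], claims["groups"], now)
    return "forward", fresh


def cookie_header(ticket):
    # No Expires/Max-Age attribute, so the browser keeps the cookie in memory only.
    return f"Set-Cookie: cc_ticket={ticket}; Path=/; Secure; HttpOnly; SameSite=Strict"
```

A ticket issued before a refresh stays valid until its own inactivity limit runs out, so explicit logoff needs server-side state in addition to this check.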
6 Transparency

From the user's point of view, it is not only relevant which data is generated where, but also that the user can see who has saved which data about him. Unfortunately, there are no reliable ways for the user to recognize which data is currently being read from his chip card. It would be conceivable to require different PIN codes for different data or data groups, so that the user would have control over which data is currently being requested. However, that would make the card practically unusable. Even in this case, the user would not be able to tell whether the data would then be passed on to third parties by the application. For this reason we decided to put only a single release PIN on the card. Whenever the user is asked to enter it, he can at least recognize that data is now being read from the chip card or that cryptographic functions are being triggered on it.

Beyond that, greater transparency can only be created by disclosing protocols, procedures and program code. Signed applets and the certificates of SSL-protected web servers can vouch for the correctness of this information. Of course, the employees and students have the option of using a specially set up application to call up and display the data that is stored on the campus card, provided that it can be read out. The exceptions are the private keys, which can never leave the card but also reveal nothing further about the person.

7 Conclusion

At the end of the authentication, the authentication server has the card number of a cardholder, the IP number of the client and various data that are relevant for authentication but otherwise useless, such as rndsc and nrv. The authentication server cannot do anything with the encrypted classification feature. However, since no personal data can be determined for the card number, logging is more of a statistical problem here.

The KSAS and the LDAP server only get data about the fact that the card with a certain CID was used at a given time. No conclusions can be drawn from this about the service used or the source of the access.

At the end, the security controller is in possession of the classification code, the access time and, in combination with the data obtained by the web proxy, also the IP number of the client system. However, if one assumes that the assignment of OM to names can at best be made in the application, the information obtained is not of great relevance here. In the best case, the classification feature, name and time can only be brought together in the application. In return, the IP number, for example, is lost again.

In summary, it can be stated that by dividing up the background system for smart card-based authentication and by using smart cards that only hand over their data to authorized counterparts, the data traces occurring in the system can be widely dispersed. Relationships can only be established by merging different log files. If recording the data is generally prohibited at all points where logging is not absolutely necessary, then merging the data would presuppose criminal collusion between different bodies.

The procedure presented is more time-consuming than conventional procedures, and the demands on the smart card are very high. The cardholder and the operator of the system can equally be offered a high level of security.
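The claim that relationships can only be established by merging log files can be checked mechanically. The following added example (not part of the original paper) takes the per-component fields listed in this conclusion, treats card number and CID as the same field, which is an assumption, and computes the smallest set of logs that must be merged to relate two fields.

```python
from itertools import combinations

# Fields each component holds after one authentication, taken from the
# Conclusion. Treating "card number" and CID as one field is an assumption.
LOGS = {
    "authentication_server": {"card_number", "client_ip", "rndsc", "nrv", "omcrypt"},
    "ksas_ldap": {"card_number", "time"},
    "security_controller": {"om", "time", "client_ip"},
    "application": {"om", "name", "time"},
}

EXACT_KEYS = {"card_number", "client_ip", "om"}  # values that match exactly
WITH_TIME = EXACT_KEYS | {"time"}                # timestamps as a fuzzy join key


def connected(names, join_keys):
    """True if the logs form one component when joined on shared join_keys."""
    names = list(names)
    seen, todo = {names[0]}, [names[0]]
    while todo:
        current = todo.pop()
        for other in names:
            if other not in seen and LOGS[current] & LOGS[other] & join_keys:
                seen.add(other)
                todo.append(other)
    return len(seen) == len(names)


def min_logs_to_link(field_a, field_b, join_keys):
    """Smallest set of logs whose merge relates field_a to field_b, or None."""
    for size in range(1, len(LOGS) + 1):
        for combo in combinations(sorted(LOGS), size):
            fields = set().union(*(LOGS[name] for name in combo))
            if {field_a, field_b} <= fields and connected(combo, join_keys):
                return combo
    return None


if __name__ == "__main__":
    for keys in (EXACT_KEYS, WITH_TIME):
        print(sorted(keys), "->", min_logs_to_link("name", "card_number", keys))
```

With exact-match keys only, relating a name to a card number requires merging three logs; if timestamps are accepted as a join key, two suffice, which is why prohibiting logging wherever it is not absolutely necessary matters.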
8 Open Problems

The problems that are still open at the moment are mostly of a technical nature. Problems with the Java Virtual Machine's access to the respective card readers, the various types of drivers and the procurement of suitable card readers are in the foreground. The users would also be happy about faster crypto processors on the smart card. It should not be forgotten that various operations are carried out on the card during authentication, all of which take time.

However, one of the most interesting problems is dealing with insecure terminals. Manipulations by the cardholder, e.g. of the Identificatore applet, are largely ineffective. But what about attacks by third parties against the cardholder? A card reader with direct PIN entry is an attempt to prevent the PIN from being spied out. What remains as a point of attack is the browser, which could be manipulated with false certificates, for example. The protection against Trojan horses described above should protect against this. Practice will show whether the cardholder can handle this protection mechanism, or whether much more efficient attacks against the system can be launched at other levels (e.g. we are currently working on clarifying how the cookie can be inseparably linked to the client browser connection, so that it is generally useless to steal cookies using a manipulated browser). In an article, C. Ellison and B. Schneier compile 10 risks of PKIs that must be countered in an appropriate manner [ELLI_2000].

There is also the question of correct software. Here an attempt was made to set a certain quality standard through the use of an object-oriented process model, seeking technical discussion early, the use of unit test procedures, code reviews and daily builds. At the moment, almost the entire authentication system is implemented in Java, because this reduces the risk of exploitable buffer overflows and, furthermore, code can be reused by all instances up to and including the smart card. However, the system can only become really secure through multiple revisions and disclosures, as well as tests with large user groups.

9 Outlook

On May 31st, a first prototype of the campus card and the background systems used was presented to the TU Berlin public. At the same time, efforts are now being made to adapt examination regulations, set up a trust center and create an infrastructure for personalizing the cards. Other universities have already expressed their interest in the solution that has been developed.

In my opinion, the authentication scheme described should not only be of interest to universities. I see the applicability wherever a multifunctional smart card is to be introduced and the operator takes care to offer cardholders protection mechanisms as far-reaching as its own. Chip card systems should gradually shed their image as the perfect successor to the time clock or as the last step to the Big Brother state. With this article I have tried to show that this is possible with today's means.

Literature

BANN_2001 J. Banning: Manage LDAP network information in directory services under Linux, Addison Wesley Munich 2001
CAMP_2000 I. Camphausen et al.: Establishment and operation of a certification authority, DFN PCA Hamburg, March 2000
ELLI_2000 C. Ellison and B. Schneier: Ten Risks of PKI: What you're Not Being Told about Public Key Infrastructure. Computer Security Journal, v 16, n 1, 2000, pp risks.html
FREI_1996 A. O. Freier et al.: The SSL Protocol Version 3.0, Internet Draft, Netscape Communications, November
GAMM_1996 E. Gamma et al.: Design pattern: elements of reusable object-oriented Software, Addison Wesley Bonn 1996
GEBH_2000 T. Gebhardt et al.: Requirements model. FSP PV / PRZ Technical University Berlin August 2000.
GEBH_2000b T. Gebhardt and T. Hildmann: Enabling Technologies for Role Based Online Decision Engines. Fifth ACM Workshop on Role Based Access Control, Berlin 2000 S
GEBH_2000c T. Gebhardt et al.: Security model, FSP PV / PRZ Technical University Berlin October 2000
GUTM_2000 P. Gutmann: X.509 Style Guide. October
LANG_2000 S. Lange: Fear of the glass student. the daily Berlin newspaper,
LANG_2000b S. Lange: The university invites you to have chips. Die Tageszeitung Berlin local,
NAGE_2000 K. Nagel (Editor): Framework specifications for chip card-based service systems at Berlin and Brandenburg universities. Berlin / Brandenburg March berlin.de/tu chipkarte / daskonzept / rahmenpflichtenheft.htm
RANK_1999 W. Rankl and E. Effing: Handbook of chip cards. Carl Hanser Verlag Munich Vienna
RFC_1777 W. Yeong, T. Howes, S. Kille: RFC 1777: Lightweight Directory Access Protocol, 1995
SUHR_2000 L. Suhrbier: Smartcard data model. FSP PV / PRZ Technical University Berlin November 2000.