Domain: bsi.de
Stories and comments across the archive that link to bsi.de.
Comments · 12
-
Banking secrecy lawsNot a theoretical concern, but a very real one.
Many European countries (Germany, Belgium) now have electronic identity cards, which double as PKI signing tokens, with which you can authenticate yourself to web services, such as your bank.
When Luxembourg introduced a similar system they didn't piggy back it on an id card, but issued "signing stick" and smart cards just for the purpose of PKI.
You may wonder why, especially since an electronic id card is already in planning in Luxembourg as well.
The answer is obvious: many customers of Luxembourgish banks are foreigners, couldn't thus get a Luxembourgish id card, but wouldn't trust their own government's id cards, so an ad-hoc system was needed: Luxtrust.
Unfortunately, Luxembourg doesn't have any native smartcard industry, so they had to buy the chips from the French... who just shipped units with a predictable random number generator, dramatically reducing the number of possible private keys. FAIL.
And the BSI institute (which "certified" the cards) "overlooked" this weakness, because the Germans too have a vested interested in spying on communications with Luxembourgish banks. DOUBLE FAIL.
-
Re:Nothing to see here...The encryption and message authentication keys for the so called basic access control, specified by ICAO, are based on the machine readable zone of the passport. It's the funny lines at the bottom of the passport, with a lot of filler characters '<'. Passport number, date of birth, and expiration date are the only fields that have a check digit, which is why they were chosen as the base for the keys. The entropy is not very high, especially because the fields are not random.
The machine readable zone was chosen for key seed, because it is already there, and the readers are already there. I guess the idea is that it's better than nothing. It makes eavesdropping and cloning slightly harder than without. But just slightly. It is indeed possible to do both without very much effort. Forging (i.e. creating a passport with phony information but with a correct digital signature) is another story, very hard.
The EU is going to mandate the use of so called advanced security mechanisms, a.k.a. extended access control, for biometric passports that contain sensitive data, such as fingerprint or iris images. Such passports will have a Diffie-Hellman key exchange for encryption and message authentication, and a PKI based terminal authentication for granting access to sensitive data. The EAC spec is available from German BSI by request.
Oh, and before someone shouts that all RFID tags should burn in hell, I'll just say that the passport chips are contactless, or RFID, smart cards, and have next to nothing to do with RFID tags. The chips can, among other neat things, perform RSA operations using 2K-bit keys in reasonable time. Cracking the actual chip is very difficult.
-
Also used in Germany
NEDAP voting machines have been used (in small numbers) in Germany as well, including the last big goverment election of 2004.
But it seems like the german goverment really wants these machines. The offical specification for any voting machine in germany looks like it has been copied from the NEDAP specs. And the certification of these|any voting computer will not be done at the obvious choice of federal agency for computer security (BSI), but insted at the Physikalisch-Technische Bundesanstalt (PTB), an agency that's mostly known for keeping the official german time (and does some consulting in physics and engineering). Computer Security is definatly not on their agenda and the closest thing to certifying a voting computer the PTB has done is certifying "non-automatic weighing instruments". (Source and suggested reading for german readers: c't magazine, 20/06)
-
Re:German passport - protection against tracing
"The problem is the RFID serial number used for collisions will not be encrypted as is required for communication, thus still allowing tracking."
In a CAST Forum presentation http://www.cast-forum.de/events/cast/2005/Biometr
i e/ earlier this year the BSI (http://www.bsi.de/ Germany National Security Agency) claimed that German passports are protected against tracing, because they generate their serial number randomly, each time they get powered on via microwaves.The idea of using something printed in the passport to protect the access to the RF chip is called basic access control and is regarded as moderately secure by BSI (who claim that this protection is a European/German - don't remember exactly - idea). Even this basic protection is optional by ICAO standards and not implemented by many countries.
A a more advanced PKI based access control will be implemented by Germany in a second step (in 1-2 years, as far as I remember).
-
Re:Oh Great....
Bundesamt für Sicherheit in der Informationstechnik(Federal Agency for security in information technology) funds it indirect as a research project. They also provide Knoppix - CDs. Their goal is to improve IT security.
click here: BSI - english
They also provide Windows-related material, software (chiasmus for Windows), documentation, education but German taxpayers don't like to pay for Software that benefits for one single company and makes oss adoption/diffusion less likely. -
Info found on
An interesting read. Recommendations for the Protection against DDOS found at the task force sicheres internet )
-
Another CD
The Ministry for Security and Information Technology has another CD on their CeBIT stand - and for free (I guess "as in beer") order. I don't know if that's the same CD, but this one is about security in Internet/eMail, too.
Here's the link from the BSI: http://www.bsi.de/presse/aktuell/sich_cd.htm. -
Another CD
The Ministry for Security and Information Technology has another CD on their CeBIT stand - and for free (I guess "as in beer") order. I don't know if that's the same CD, but this one is about security in Internet/eMail, too.
Here's the link from the BSI: http://www.bsi.de/presse/aktuell/sich_cd.htm. -
Re:German Parliament and Linux / Windows...I was at a presentation at Linuxworld in Frankfurt where the politician responsible for this states (I believe he also chqairs the committee for new media) that MS had offered to make the source code of Win2K (not XP) available to representatives of the Bundestag to inspect. Please note that a knowledge of C or C++ is not normally amongst the qualifications needed to be an elected federal representative.
This guy knew enough to say that he hadn't the expertise, but he would like to accept their offer and bring some experts from the from the Bundesamt fuer Sicherheit in Informationstechnik and, of course, the Chaos Computer Club. Microsoft Germany did not respond after that.
To be honest, it could have been a good advertisement for MS if these guys had passed Win2K, but oh well, obviously they had their doubts.
-
In Germany the converse happens ...Maybe encryption/privacy on the net goes down in the US, but at the same time it receives substantial funding by the German government.
This is not only true for GnuPG, which has funding by the government (for the development of more user-friendly frontends, I think), but there is also a project for the development of an open source anonymity service (JAP) as strong as (or even stronger than) the Freedom anonymizer service, and there is also the Sphinx project to build a PKI for the public authorities and maybe others.
One of the main drivers for the JAP project (and maybe others) seems to be that many consumers (at least in Germany) apparently avoid E-commerce because of privacy concerns.
-
The German Government is
a mixture of Linux and Windows but with a strong movement towards open source software. See also this story. The German Government nevertheless signed a large contract with Microsoft for future upgrades and deliverables (see here for a German article on that). One of the driving forces behind the open source movement has been the BSI, the german government agency for security in information technology (again Website is in German). They support open standards especially for security sensitive applications.
-
Re:Nice, but...
Here some information about Sphinx as translated by google and here the original in german.
It seems to be a project to assure interoperability of different commercial products (and now obviously one GPL project) inencryption and to assist in developing a public key infrastructure (pki).
This all happens on international standards like S/MIME, X.509v3, PKIX.
So its not a (binary) program, but a system concept.
While writing this, there seems to be a different source
on english, which does not rely on my or google translation abilities and also has some pictures :).