Holger Kinkelin

Holger Kinkelin, Richard von Seck, Christoph Rudolf et al.

The security of cryptographic communication protocols that use X.509 certificates depends on the correctness of those certificates. This paper proposes a system that helps to ensure the correct operation of an X.509 certification authority and its registration authorities. We achieve this goal by enforcing a policy-defined, multi-party validation and authorization workflow of certificate signing requests. Besides, our system offers full accountability for this workflow for forensic purposes. As a foundation for our implementation, we leverage the distributed ledger and smart contract framework Hyperledger Fabric. Our implementation inherits the strong tamper-resistance of Fabric which strengthens the integrity of the computer processes that enforce the validation and authorization of the certificate signing request, and of the metadata collected during certificate issuance.

Holger Kinkelin, Heiko Niedermayer, Marc Müller et al.

Configuration management in networks with highest security demands must not depend on just one administrator and her device. Otherwise, problems can be caused by mistakes or malicious behavior of this admin, or when her computer got compromised, which allows an attacker to abuse the administrator's far-reaching permissions. Instead, we propose to use a reliable and resilient configuration management process orchestrated by a configuration management system (CMS). This can be achieved by separation of concerns (proposing a configuration vs. authorizing it), employing multi-party authorization (MPA), and enforcing that only authorized configurations can be deployed. This results in a configuration management process that is decentralized on a human, decision-making level, and a technical, device level. However, due to different opinions or adversarial interference, the result of an MPA process can end in a conflict. This raises the question how such conflicts can be mediated in a better way than just employing majority voting, which is insufficient in certain situations. As an alternative, this paper introduces building blocks of customizable conflict mediation strategies which we integrated into our CMS TANCS . The conflict mediation functionality as well as the initial TANCS implementation run on top of the distributed ledger and smart contract framework Hyperledger Fabric which makes all processes resilient and tamper-resistant.

Holger Kinkelin, Valentin Hauner, Heiko Niedermayer et al.

Numerous IoT applications, like building automation or process control of industrial sites, exist today. These applications inherently have a strong connection to the physical world. Hence, IT security threats cannot only cause problems like data leaks but also safety issues which might harm people. Attacks on IT systems are not only performed by outside attackers but also insiders like administrators. For this reason, we present ongoing work on a configuration management system (CMS) that provides control over administrators, restrains their rights, and enforces separation of concerns. We reach this goal by conducting a configuration management process that requires multi-party authorization for critical configurations to achieve Byzantine fault tolerance against attacks and faults by administrators. Only after a configuration has been authorized by multiple experts, it is applied to the targeted devices. For the whole configuration management process, our CMS guarantees accountability and traceability. Lastly, our system is tamper-resistant as we leverage Hyperledger Fabric, which provides a distributed execution environment for our CMS and a blockchain-based distributed ledger that we use to store the configurations. A beneficial side effect of this approach is that our CMS is also suitable to manage configurations for infrastructure shared across different organizations that do not need to trust each other.

Marcel von Maltitz, Stefan Smarzly, Holger Kinkelin et al.

Secure multiparty computation (SMC) is a promising technology for privacy-preserving collaborative computation. In the last years several feasibility studies have shown its practical applicability in different fields. However, it is recognized that administration and management overhead of SMC solutions are still a problem. A vital next step is the incorporation of SMC in the emerging fields of the Internet of Things and (smart) dynamic environments. In these settings, the properties of these contexts make utilization of SMC even more challenging since some of its vital premises regarding environmental stability and preliminary configuration are not initially fulfilled. We bridge this gap by providing FlexSMC, a management and orchestration framework for SMC which supports the discovery of nodes, supports a trust establishment between them and realizes robustness of SMC session by handling nodes failures and communication interruptions. The practical evaluation of FlexSMC shows that it enables the application of SMC in dynamic environments with reasonable performance penalties and computation durations allowing soft real-time and interactive use cases.

Cornelius Diekmann, Stephan-A. Posselt, Heiko Niedermayer et al.

For the formal verification of a network security policy, it is crucial to express the verification goals. These formal goals, called security invariants, should be easy to express for the end user. Focusing on access control and information flow security strategies, this work discovers and proves universal insights about security invariants. This enables secure and convenient auto-completion of host attribute configurations. We demonstrate our results in a civil aviation scenario. All results are machine-verified with the Isabelle/HOL theorem prover.