“E-mail attachments, WLANs, and PDAs involve significant security problems.”

Dr. Claudia Eckert

What was the impetus for the foundation of DZI, and what does it do?

Eckert: DZI bundles the activities of the Technical University of Darmstadt (TUD) in regard to IT security. The competency areas of DZI are supplemented by the two Fraunhofer Institutes in Darmstadt: the Fraunhofer Institute for Secure Telecooperation (SIT) and the Institute for Graphical Data Processing (IGD).

For example, researchers in Darmstadt study the following questions:

  • Security in mobile and networked systems
  • Encryption and digital signatures
  • Secure electronic collaboration and secure applications
  • Security for mobile devices
  • Security in graphical data processing
  • Elements of information law

The impetus for the foundation of the center was to provide a platform for the tremendous competency in the area of IT security at TUD. Some 20 professors from 5 subject areas are assigned to the center. The tasks of the new center include: training on IT security, supporting research, working with the public on questions of IT security, and functioning as a contact for the transfer of technology to business and government.

What’s the focus of research at DZI?

Eckert: I see three foci. The first would be security with mobile systems. Compared with traditional applications and networks, mobile applications and mobile devices involve a series of new security issues. In my working group at TUD and SIT, we deal with questions of how these new technologies can be integrated securely into existing architectures and what new opportunities for applications result from their use.

As an enhancement to these topics, working groups at DZI also deal with problems and solutions in the context of pervasive computing – the idea that computers are becoming increasingly integrated into day-to-day objects, that they are becoming pervasive. We need research into what this means for the protection of individual privacy, for example, and what security measures must therefore result.

The second focus involves cryptography and public key infrastructures. These topics are being worked on by the working groups and by our colleagues from the math and informatics departments at TUD and in various projects at SIT.

The third focus is on quantum computing. In this area we work with our DZI colleagues from physics. We’re observing new developments in quantum cryptography and are researching their effects on traditional cryptography and therefore on the security of today’s systems.

Where are there still serious deficiencies in data transfer and storage today?

Eckert: Just as before, frivolous use of e-mail attachments and the viruses they contain are significant problems for private persons and for companies. But wireless networks or small, all-around mobile devices – PDAs – involve serious security problems. For example, data traffic moving inside a building can easily be overheard or manipulated with commercial PDAs or laptops. The same is true for other miniature devices. If the device ends up in the wrong hands, the data stored in such devices can be read directly, or with one of the many tools available on the Internet once the password has been hacked. And because these devices are used for critical transactions, such as home banking or electronic payments, the damage can be considerable.

There are still lots of other problem areas, one of which I’d like to address briefly: the filtering of active content by current firewall architectures. We’re confronted almost constantly with active content when we access sites on the Web. We download such content – JavaScript programs or ActiveX controls – to our computers and execute it there. However, executing it means that this external code has access to data stored locally. There’s an enormous potential for damage here.

Home banking and electronic payments involve posting money. How secure are these applications and how does DZI plan on making them even more secure?

Eckert: From a technical perspective, there are certainly solutions for home banking or e-commerce in general. For home banking, the home-banking computer interface (HBCI) guarantees the confidentiality, authenticity, and integrity of the transmitted data. To use it correctly, the bank customer must install additional software and buy a chip card with a reading device. And that’s exactly where total use fails. Limited acceptance among customers means that more and more banks retreat from the HBCI offer.

In my view, the acceptance of a product is not the job of universities, but of business, government, and, in the example noted here, banks. Added value must be created for customers if they are to use the technology. DZI has set itself a general goal of increasing security awareness among users. Indirectly, I see an indirect benefit for market acceptance because we create a readiness among users to use security techniques.

What security standards does DZI want to develop for mobile data transfer?

Eckert: As a university center, DZI will not get involved in international protocol standardization. First of all, what we develop and offer are opportunities for training to create the appropriate awareness of security among users. Second, we plan to develop something like guidelines for working securely with these technologies. In this regard, we’re looking at both small and midsize companies. As part of our research, we’re also quite naturally developing innovative concepts and solutions.

Such as?

Eckert: For example, for certificates – digital identification – today’s public key infrastructures (PKIs) use the procedure developed and recognized by RSA Corporation. We know the key lengths for the basic cryptographic problem. From today’s perspective, the key lengths cannot be hacked and are therefore regarded as secure. Nonetheless, we can’t assume that this will continue to be the case in the future. Today’s PKIs have no answer to the question of what is to be done if the RSA key can suddenly be decrypted.

Accordingly, at DZI we’re developing and implementing alternative procedures to which the PKIs can switch if they need to use something other than the RSA procedure. Great value is placed upon ergonometric factors in the configuration of PKIs. Incorrect configuration can often lead to security problems. In addition, DZI is studying attacks on cryptographic protocols. Based on this research, we’re trying to make the protocols more secure.

Together with SIT, we’re developing a server-based PKI architecture. The goal is to relieve the several hundred clients that require management in a company. The protocols under development will lead to a much easier rollout and maintenance of a PKI. The entire process will then be less prone to errors and therefore more secure. And the administrative effort will also be reduced.

What directions is DZI research taking in terms of network security?

Eckert: We’re looking, for example, at the technical foundations for security in mobile and ad hoc networks and at the establishment of trusted relationships in systems without an infrastructure. We’re also dealing with questions about the security of peer-to-peer networks in multimedia applications and are trying to adapt biological procedures to recognize and defend against attacks. And furthermore, we’re focusing research on the area of seamless computing, the secure integration of various networking techniques.

What’s your personal motto?

Eckert: My personal motto is carpe diem – seize the day. The world is full of problems and questions that are exciting, scientifically demanding, and interesting. Grappling with them is worth it.