The Cryptographic Security of the German Electronic Identity Card

In November 2010, the German government started to issue the new electronic identity card (eID) to its citizens. Besides its original utilization as a ’visual’ identification document, the eID card can be used by the cardholder to prove one’s identity at border control and to enhance security of authentication processes over the Internet, with the eID card serving as a token to reliably transmit personal data to service providers or terminals, respectively. To this end, the German Federal Office for Information Security (BSI) proposed several cryptographic protocols now deployed on the eID card. The Password Authenticated Connection Establishment (PACE) protocol secures the wireless communication between the eID card and the user’s local card reader, based on a cryptographically weak password like the PIN chosen by the card owner. Subsequently, the Extended Access Control (EAC) protocol is executed by the chip and the service provider to mutually authenticate and agree on a shared secret session key. This key is then used in the secure channel protocol, called Secure Messaging (SM). Finally, an optional protocol, called Restricted Identification (RI), provides a method to use pseudonyms such that they can be linked by individual service providers, but not across different service providers (even not by malicious ones). This thesis consists of two parts. First, we present the above protocols and provide a rigorous analysis on their security from a cryptographic point of view. We show that the Germen eID card provides reasonable security for authentication and exchange of sensitive information allaying concerns regarding its usage. In the second part of this thesis, we introduce two possible modifications to enhance the security of these protocols even further. Namely, we show how to (a) add to PACE an additional efficient chip authentication step, and (b) augment RI to allow also for signatures under pseudonyms

IP, phone home: The uneasy relationship between copyright and privacy, illustrated in the laws of Hong Kong and Australia

published_or_final_versio

Hajusraamatutehnoloogia kasutuselevõtu õiguslikud takistused: tehnoloogia neutraalsuse ja funktsionaalse samaväärsuse põhimõtetele tuginev analüüs

Väitekirja elektrooniline versioon ei sisalda publikatsiooneKäesolev väitekiri käsitleb hajusraamatutehnoloogia (HT) kohtlemist Eesti ja EL õiguse alusel konkreetsete kasutusjuhtude näitel. HT on “mitmeotstarbeline tehnoloogia”, millel on rida erinevaid kasutusvõimalusi, sh. selle kõige tuntumad näited nagu plokiahelatehnoloogia ning bitimünt. Kuivõrd olemasolev õigusraamistik on loodud tsentraliseeritud infrastruktuuride ning mitte hajutatud andmestruktuuride jaoks nagu seda on HT, siis tihtipeale takistab olemasolev õigusraamistik HT kasutamist selles sisalduvate nii otseste kui ka kaudsete kallutatud nõuete tõttu. Nimetatud dissonants on sarnane analoogmaailma jaoks loodud õigusnormide takistava mõjuga digitaalsete lahenduste kasutuselevõtmisel. Seega ei ole väitekirjas käsitletavad takistused vaid HT-le omased vaid seotud iga uue tehnoloogia kasutuselevõtuga. Toodud probleemi uuritakseväitekirjas kolme konkreetse HT kasutusjuhu pinnal: (i) bitimündi vahetusteenuse osutamine; (ii) HT-põhise osanike nimekirja pidamine ; (iii) HT-põhise hübriid-targa lepingu ning elektroonilise allkirja kasutamine. Uurimise mõõdupuuna kasutatakse tehnoloogia neutraalsuse põhimõtet ning funktsionaalse samaväärsuse alampõhimõtet, et tuvastada kallutatud nõudeid ning piirata riigivõimu voli eelistada konkreetseid tehnoloogiaid samas teisi tehnoloogiaid diskrimineerides. HT kasutusjuhtude pinnal saab järeldada, et olemasolev õigsraamistik ei ole tehnoloogia-neutraalne ning eelistab tsentraliseeritud lahendusi ning ei taga HT-põhistele funktsionaalselt samaväärsetele lahendustele samaväärset kohtlemist. Arvestades toodud järeldusi uuritakse väitekirjas ka kallutatud nõuete põhjuseid ning strateegiaid kuidas jätkusuutlikult lahendada kallutatusest tekkinud takistused HT kasutusele. Väitekirja teema on oluline arvestades ka 2020. aasta lõpus avaldatud EL-i digitaalse finantspaketi määruste eesmärki, milleks on toetada HT kasutuselevõttu EL-is.This dissertation focuses on the treatment of distributed ledger technology (DLT) applications under the existing regulation in Estonia and the EU based on the analysis of specific use cases. The existing regulatory frameworks in most jurisdictions were built for centralized infrastructures and not for distributed ones, such as built on DLT. Consequently, current legal frameworks may inhibit the use of DLT due to either apparent or non-apparent biases written into the regulation. DLT on the other hand represents a “general-purpose technology” that, therefore, has abundance of applications including its most well known examples of blockchain and Bitcoin. The discrepancy between old rules and new tools is nothing new as the development of the digital world in comparison to the physical world led to the same problem. Therefore, the research problem addressed in the dissertation is not specific to DLT, but linked to the uptake of any new technology. With the aim to explore the potentially inhibiting effect of existing regulation, specific DLT use cases are investigated: (i) bitcoin exchange-service provision; (ii) DLT-based shareholder ledger maintenance and (iii) use of DLT-based electronic signature and hybrid smart contract agreements. In this exploration, the principle of technology neutrality and its sub-principle of functional equivalence are utilized as benchmarks for the identification of biases. The aim of these principles is to prohibit regulators from favouring some technologies and discriminating against others. The use case analyses show that some of the existing regulation is not technology-neutral due to inbound bias for centralized solutions. Furthermore, effects equivalence is not granted by existing regulation to functionally equivalent DLT-based solutions. Against this background, the dissertation discusses the reasons for these biases and regulative strategies to resolve these in a sustainable manner. The dissertation is especially relevant considering the goal of the proposed EU regulations of the Digital Finance Package introduced in late 2020 to promote the use of DLT in the EU.https://www.ester.ee/record=b542731

The Rise of iWar: Identity, Information, and the Individualization of Modern Warfare

During a decade of global counterterrorism operations and two extended counterinsurgency campaigns, the United States was confronted with a new kind of adversary. Without uniforms, flags, and formations, the task of identifying and targeting these combatants represented an unprecedented operational challenge for which Cold War era doctrinal methods were largely unsuited. This monograph examines the doctrinal, technical, and bureaucratic innovations that evolved in response to these new operational challenges. It discusses the transition from a conventionally focused, Cold War-era targeting process to one optimized for combating networks and conducting identity-based targeting. It analyzes the policy decisions and strategic choices that were the catalysts of this change and concludes with an in depth examination of emerging technologies that are likely to shape how this mode of warfare will be waged in the future.https://press.armywarcollege.edu/monographs/1436/thumbnail.jp

On the adoption of end-user IT security measures

[no abstract

Ethical and Unethical Hacking

The goal of this chapter is to provide a conceptual analysis of ethical, comprising history, common usage and the attempt to provide a systematic classification that is both compatible with common usage and normatively adequate. Subsequently, the article identifies a tension between common usage and a normativelyadequate nomenclature. ‘Ethical hackers’ are often identified with hackers that abide to a code of ethics privileging business-friendly values. However, there is no guarantee that respecting such values is always compatible with the all-things-considered morally best act. It is recognised, however, that in terms of assessment, it may be quite difficult to determine who is an ethical hacker in the ‘all things considered’ sense, while society may agree more easily on the determination of who is one in the ‘business-friendly’ limited sense. The article concludes by suggesting a pragmatic best-practice approach for characterising ethical hacking, which reaches beyond business-friendly values and helps in the taking of decisions that are respectful of the hackers’ individual ethics in morally debatable, grey zones