Public-Key Infrastructures and Applications
Public-Key Infrastructures (PKI) enable confidential, authentic and non-repudiable communication even in large and open digital networks like the internet. We examine how such PKIs can be integrated into existing contexts and workflows. We focus on a flexible design in which the underlying cryptographic algorithms can be exchanged and which can be tailored to the needs of specific scenarios. Another topic of research is the usability of PKIs: how such an infrastructure should be integrated with applications, and how this integration can support the secure use of the PKI's services. Our third area of interest deals with digital identities that can be established on the basis of PKI technology.
FlexiProvider - A comprehensive library of modern cryptographic algorithms
This project provides the cryptographic base. It integrates standard as well as modern cryptographic algorithms with the Java™ Cryptography Architecture (JCA) and is therefore the link to the ongoing research in modern cryptography in our department. The JCA offers platform independence and easy integration into both server and client applications. Its most striking feature is that the types of algorithms as well as their implementations can be exchanged easily without changing the application itself.
The FlexiProvider homepage provides more information about this project. Dr. Vangelis Karatsiolis manages it.
FlexiTRUST - A flexible and secure Trustcenter application
FlexiTRUST is a flexible trustcenter software developed entirely in the Java™ programming language. It serves as the backbone of a (hierarchical) Public-Key Infrastructure. In this project the term "flexibility" has a variety of meanings.
First of all, FlexiTRUST makes it easy to exchange the cryptographic algorithms provided for and used within the PKI. For this we employ the Java™ Cryptography Architecture and the FlexiProvider. We consider this a very important feature, since none of the currently used algorithms has been proven secure.
The architecture can be enhanced to a Fail-Safe PKI which uses two distinct sets of cryptographic algorithms in parallel. Usually each set consists of an asymmetric cipher, a signature scheme, a symmetric cipher and a hash algorithm. Using multiple signatures and iterative encryption, this concept ensures that the PKI remains safe and in operation even if one algorithm becomes insecure. Moreover, the broken algorithm can easily be replaced by a new and secure one without having to roll out an entirely new PKI.
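The multiple-signature idea, together with the JCA algorithm exchange described for FlexiProvider above, can be sketched as follows. This is an added example, not FlexiTRUST or FlexiProvider code: the class and method names, the two algorithm sets (taken from the standard JDK providers) and the verification policy are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class FailSafeSignatureDemo {
    // One algorithm set, named only by JCA strings so it can be swapped without code changes.
    record Scheme(String keyAlg, int keySize, String sigAlg) {}
    record SignedPart(Scheme scheme, PublicKey key, byte[] signature) {}

    // Demo only: a fresh key pair per call; a real PKI would bind the key in a certificate.
    static SignedPart sign(Scheme s, byte[] msg) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(s.keyAlg());
        kpg.initialize(s.keySize());
        KeyPair kp = kpg.generateKeyPair();
        Signature sig = Signature.getInstance(s.sigAlg());
        sig.initSign(kp.getPrivate());
        sig.update(msg);
        return new SignedPart(s, kp.getPublic(), sig.sign());
    }

    static boolean verifyPart(SignedPart p, byte[] msg) throws GeneralSecurityException {
        Signature sig = Signature.getInstance(p.scheme().sigAlg());
        sig.initVerify(p.key());
        sig.update(msg);
        return sig.verify(p.signature());
    }

    // Assumed policy: signatures from algorithms listed as broken are ignored; every
    // remaining signature must verify, and at least one must remain.
    static boolean verify(List<SignedPart> parts, byte[] msg, Set<String> broken)
            throws GeneralSecurityException {
        int trusted = 0;
        for (SignedPart p : parts) {
            if (broken.contains(p.scheme().sigAlg())) continue;
            if (!verifyPart(p, msg)) return false;
            trusted++;
        }
        return trusted > 0;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample message standing in for the data to be signed.
        byte[] msg = "constructed sample certificate body".getBytes(StandardCharsets.UTF_8);
        List<SignedPart> parts = List.of(
            sign(new Scheme("RSA", 3072, "SHA256withRSA"), msg),
            sign(new Scheme("EC", 256, "SHA384withECDSA"), msg));
        System.out.println("both sets trusted:    " + verify(parts, msg, Set.of()));
        System.out.println("RSA set marked broken: " + verify(parts, msg, Set.of("SHA256withRSA")));
        msg[0] ^= 1; // tamper with the message; the remaining ECDSA signature must now fail
        System.out.println("tampered message:      " + verify(parts, msg, Set.of("SHA256withRSA")));
    }
}
```

Replacing a set means changing only the strings passed to `Scheme`, provided an installed JCA provider supplies the named algorithms.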
Quite a different aspect of "flexibility" is the ability to integrate a PKI or trustcenter solution into specific scenarios. A PKI may be operated with heterogeneous network topologies, computers, operating systems and PKI-enabled applications. It needs to synchronize information with existing databases and with the already established procedures in which that information is gathered. Furthermore, it should be possible to enhance and extend an already established PKI with new applications and services, which may demand new types of certificates to be issued and possibly new keys to be distributed.
The concept of FlexiTRUST has already proven successful in a variety of projects including universities, companies and, most prominently, the trustcenter of the "Regulierungsbehörde für Telekommunikation und Post", the German national root according to the signature law. Our spinoff FlexSecure conducts such projects. This approach guarantees the applicability of our research results in real-world scenarios.
Dr. Vangelis Karatsiolis coordinates the FlexiTRUST project.


