New identity management relies on transparency
The DENIC ID Single Sign-On (SSO) solution is based on the open standard ID4me. But not only the underlying standard is openly accessible: The results of a comprehensive penetration test, carried out by an external party, are publicly available, too. As part of our security testing, DENIC's new identity service has been subjected to an extensive test to identify vulnerabilities and security gaps, so as to ensure that the service complies with the registry's high security standards.
An advantage of so-called open standards is that a large community of experts can be involved in developing and improving them. Nevertheless, flaws in the design or implementation of the standards cannot be ruled out. Possible mistakes that may have been made by people during implementation should be identified and eliminated through comprehensive security checks, so that the users of a DENIC ID can rely on the security of their digital identity. Making these test reports public is part of DENIC's consistent transparency approach.
In a penetration test, the security of software components and systems is checked in an agreed time frame with the methods and means employed by potential attackers. For the domain-based DENIC ID SSO solution, this independent testing was carried out by Hackmanit GmbH. This IT security company was founded by experts of Bochum University (Ruhr-Universität Bochum) and is very experienced in the field of SSO security. In particular, the security experts scrutinized authentication and authorisation of registered users. By clever manipulation, they tried to bypass validation in the login process, get access to user data by unauthorised means or prevent the server from distinguishing between valid, user-initiated requests and invalid requests that are made without the user's consent. Some isolated flaws detected during the tests were eliminated immediately by DENIC's developers while the penetration test was still ongoing. As a result, the Hackmanit team could verify that the flaws have been successfully eliminated.
„ID4me is a novel protocol for federated identity management. We were pleased to take up the challenge of carrying out thorough testing on it. SSO systems are one of our main areas of expertise", said Hackmanit's CTO Dr. Juraj Somorovsky. "The novel, open approach of this protocol and the readiness to make the results of the penetration test available to the public were especially appealing to us. As the cryptography specialist emphasised: "The tests have shown that DENIC ID-based login processes meet the most demanding security standards.
So users of ID4me-based logins such as DENIC ID can be sure that they use a login procedure that complies with data protection requirements and is universal and secure. Thus, users can use a single account to log in with all participating online service providers, change freely between login providers and decide themselves on an individual basis which data are passed on in a login process. For online service providers, DENIC ID is an option to get access to an independent, central user authentication that is compliant with data protection requirements and enables also new customers to be integrated without problems.