Research in Information Security Management

Security management is becoming a strategic, tactical and operational objective of almost any enterprise or organization. In the banking sector for instance, the new rules of the Basel II agreement impose to financial institutes to manage not only the financial risks, but also the operational risks of the bank. These risks are strongly related to the use of IT-technology and cover all aspects of IT-risk management. In the public sector, the development of e-government applications becomes possible only if IT-risks are correctly managed.

Security management involves user authentication and identity management, digital rights management and data integrity, certificate management for Public Key Infrastructures (PKI).

User authentication is the starting point of making IT-systems more secure. It is also one of the most critical weaknesses of many internet-based systems, since attackers often try to get access to the system by using the identity of another user. Password identification is no longer considered as being secure, so alternatives must be searched. Most of the present approaches rely on strong authentication, combining a secret the user knows, with something he holds (for instance some portable memory device). On the other hand, experiences in biometrics have not been fully satisfying until now. As a consequence, it is important to explore new means of authentication and to evaluate the efficiency of these approaches. Very often authentication is only done at the entry point of an IT-system. Today this is no longer sufficient, since an attacker could get access to any point of the IT-system; so it is important to generalize the authentication model to all interactions between hard- or software components. Therefore completely new approaches in system design and threat modelling are needed.

Authentication is only as strong as the user management processes and these rely on efficient identity policies. Identity management has become an active research topic since the events of 9-11 and the subsequent growing awareness of the dangers of terrorism. All countries now have the problem of correctly identifying each member of the society, as the old identification schemes are outdated. The Luxembourg national personal identity number for instance is based on the date of birth and the sex of the identified person. This is no longer in accordance with the modern requirements of protection of personal data, where there should be no information leaking from the identification data. LACS will cooperate with the public authorities (Centre Informatique de l'Etat, R?pertoire des personnes) in order to propose new identity management mechanisms.

One way of authentication and identity management relies on the use of a Public Key Infrastructure. LuxTrust SA, a common initiative of the banking and the public sector in Luxembourg, has been launched autumn 2005. Such a highly secure infrastructure requires very important investments and an excellent technical, organizational and legal know-how. Our research unit could contribute to provide part of this know-how. Moreover it is not sure that PKIs will be profitable in the next future. Therefore it is essential to explore new business cases for these infrastructures, which cannot survive in selling only identity certificates. Research activities are needed in order to find alternative opportunities. There are several tracks to explore:

• Electronic identity card is a possibility generating an intensive need for certificates, but there are many organizational, technical and legal problems which have not yet been solved; LACS should contribute to find solutions to these problems in an interdisciplinary approach.

• Digital rights management (DRM) corresponds to a growing need of the multimedia sector. For example, many internet pages are co-productions of a great number of contributors (writers, graphic designers, animation programmers, etc). This leads to a lot of unsolved problems:

  • how to protect multimedia resources from being copied, used or transformed illegally ? Watermarking techniques offer some solutions and the research unit should explore the state of the art in this field and if possible contribute to invent new techniques in cooperation with partner universities (for instance the Swiss Federal Institute of Technology, Lausanne ; Prof. Ebrahimi).
  • how to manage the rights of the various contributors and find ways to collect the price of using the multimedia works ?
  The solution of these problems or at least an excellent know-how of this domain could be important for the Luxembourg economy, by the existence of powerful actors in the multimedia field in Luxembourg, such as SES, Microsoft or Apple. The management of these rights is an activity of trust in the same way as the management of financial assets. DRM could represent an interesting business case for the extension of PKI activities.
• Protection of identity: in the banking sector it is important to correctly identify the customers and simultaneously protect their identity against undesired observers; research in anonymity providing techniques should be explored within the research unit.