Security

Introduction

This article is not specifically about security in NeuroomNet, but, since NeuroomNet is a web-based tool, about the security of web-based tools in general. In other words, what you should consider operating a system like NeuroomNet securely. We are happy to help you with any questions you may have, but you can get some ideas below about what to consider.

Security issue: Shadow of hand opening a door that is not locked

Security is a double-edged sword: If the security is too high, the authorized user is so massively hindered in the tasks that acceptance suffers significantly. But if it is too low, this can lead to very serious consequences.
In this respect, the internet is once again both a curse and a blessing.
The dissemination of knowledge is a great strength, but with it, the knowledge of how to undermine a system’s security is also quickly spread. Just as the connection to the internet itself creates the possibility of being able to conveniently attack a system. On the other hand, certain subsystems can be automatically kept up to date via the internet and protected from harmful influences.
So if you want to be on the safe side, you have to move with the times and adapt your system to the constantly increasing requirements. There are areas where you can take a breather because the concept already provides a great deal of security. Other areas adapt automatically (if there is access to the internet) and finally, there are areas where you have to regularly check whether everything is working as intended or react appropriately.

Encryption

A very successful and long-lasting method is to encrypt the communication between two parties. This means that an attacker can neither draw conclusions nor get hold of the actual data. Anyone who wants to read this data has to make an enormous effort and has a much easier time, for example, at the end points of the communication, i.e. before it is encrypted/decrypted. Because modern encryption still cannot be cracked in short periods. This means that data can then also be transmitted via connections that run over the internet, WLAN, mobile radio, or other publicly visible networks without a guilty conscience. And thanks to sophisticated mechanisms for establishing the encryption, the user does not even notice this in the best case and is not disturbed by the daily routine. Except when a time limit for renewing a secure connection has expired. Because one aspect of secure communication is to renew the underlying keys so that the lengthy attacks remain unsuccessful.

Firewall

Another aspect of a long-lasting security concept is the protection of endpoints by firewalls. A firewall is a security system that protects a computer network and individual computers from unwanted network access. In short, a modern system must be able to handle encrypted communication and protected networks. If the front door and windows in your house were the firewall, then the safe where you store your most valuable things would be the encryption.

Infrastructure

A prerequisite for encryption is the possibility of securely sending the keys to legitimate participants and regularly updating them. This is done with the help of so-called certificates. A certificate can use a signature to make it credible by whom, for whom, and until when it was issued. A distinction is made between whether a certificate must be publicly accessible or whether it is used within a closed system. The underlying technology, and thus the security, is identical for both variants.

Public application (CA-signed certificates)

For public applications with publicly accessible certificates, specialized companies are used. These only issue certificates through verified applications that are subject to a fee. Such a certificate can then be used for a certain period to secure one’s systems and does not require any special preparation on the computers that already know the issuer.
The duration of such a certificate is currently limited to 2 years and is even to be shortened to 13 months.

Browser message: This Connection is Untrusted

Internal application (self-signed certificates)

For internal applications, a self-issued certificate can be used. When issuing these certificates, certain limits can be exceeded to reduce the frequency of administrative work. For such internal applications, however, an administration of these certificates must first be established and the issuer must be made known to the participants. This enables the users (or computers) to check whether a certificate is (still) valid or to be provided with a new certificate. Often both certification systems (internal and external) are used to keep the effort for the users as low as possible or because it is technically necessary.

Browser message: This is not a secure connection

Costs and benefits

In principle, everything could be handled by public certification authorities, but this would cause more costs. It would also be possible to handle everything with internal certification authorities, but this would cause higher costs for the distribution of the certificates in the public space. Apart from that, installing the internal certificates would be an additional effort for the users. Acceptance would quickly drop to zero.

Tabular comparison: Public-signed certificates, self-signed certificates, without a certificate

Conclusion

To ensure that everything functions as smoothly as possible, a so-called PKI (private key infrastructure) must be established. This helps with administration and control and can automate individual aspects. There are differences due to the manufacturers used in each case. It also requires appropriately trained staff to set it all up and renew it every few years or months, as described above. The regular installation of renewed certificates must be ensured, as they cannot replace themselves.
The more complex a system becomes, the greater the need to set up a separate certification authority and PKI. The days of “we just plug everything into the network switch” are over, because otherwise anyone can connect to the connection, read everything along with the login data, and even manipulate it during use (see also man-in-the-middle attack).

Today, it is impossible to imagine networks such as the Internet (World Wide Web) and intranets (local networks/WLAN) without securing data connections. Almost everyone has heard the names of the protocols used for protection. Nevertheless, it is probably not clear to everyone what the difference is between SSL, TLS, and HTTPS and what security properties these protocols have.

Why is a secured data connection useful?

Let’s assume a user wants to control an exhibit in NeuroomNet. When using a secured connection, this user benefits from the security features of encrypted and secured communication. Without encryption, data that is transmitted can be read as plain text by anyone who has access to the corresponding network. With the increasing spread of open (i.e. unencrypted) WLANs, the importance of HTTPS is growing because it allows content to be encrypted regardless of the network used. Encryption makes it impossible for third parties to see, among other things, exactly which pages of a website have been visited.
By using certificates, it can be ensured that no manipulation of the content by third parties is possible during transmission and, for example, that no false information about your company is injected into your company website.

The most important protocols for securing data connections for operators of websites and web applications

SSL short for Secure Sockets Layer, was designed by Netscape and first released together with HTTPS in 1994 with their browser. Development continued until version 3.0. Today, vulnerabilities in SSL are known and the protocol should therefore no longer be used.

TLS stands for Transport Layer Security and is the successor protocol to SSL 3.0. The first version 1.0 of TLS is a slightly modified variant of the third version of SSL and was standardized by the IETF.

The Internet Engineering Task Force (IETF) is an organization that deals with the technical development of the Internet to improve its functioning. Currently, TLS is in version 1.3 and is now also in widespread use.
TLS consists of two main components: TLS Handshake and TLS Record. In TLS Handshake, secure key exchange and authentication take place. TLS Record then uses the symmetric key negotiated in TLS Handshake for secure data transmission — the data is encrypted and transmitted with a MAC protected against changes.

MAC stands for Message Authentication Code and is used to obtain certainty about the origin of data or messages and to verify their integrity. MAC algorithms require two input parameters, firstly the data to be protected and secondly a secret key, and calculate a checksum from both, the Message Authentication Code.
Note: SSL is the more common term nowadays and often TLS is meant when talking about SSL.

HTTPS stands for Hypertext Transfer Protocol Secure and is a communication protocol in the network with which data can be transmitted in a tap-proof manner. It represents transport encryption.

HTTPS is used to establish confidentiality and integrity in the communication between the NeuroomNet server and the web browser (client) in the network. HTTPS refers to the use of HTTP via SSL (TLS). The use of HTTPS can be recognized in the browser by the fact that the visited Internet address is preceded by https instead of http. In addition, most modern browsers highlight a secure connection visually.
A secure connection is often equated with encryption of the connection. However, SSL/TLS offers additional security features.
According to the original interpretation, the client browser should first display the certificate to the user after selecting the HTTPS address. The user then decides whether he trusts the certificate for this session, possibly saving it permanently, if necessary after checking it via the specified links. Otherwise, the HTTPS connection is not established (“Leave this page” with Firefox or “Click here to leave this page.” with Internet Explorer).

The three main purposes when using SSL/TLS are:

Confidentiality (through encryption)
Data integrity
Authenticity

These three purposes are explained below.

Confidentiality is ensured by encrypting the connection. This guarantees the user that their access data and, for example, control information cannot be intercepted and misused by third parties. Likewise, it protects all your data in NeuroomNet and thus also forms the basis for compliance with the European DSGVO.

By guaranteeing the integrity of the data, it is guaranteed that manipulation of the control system is not possible. The user would probably not be very happy if, instead of a switch-on command, for example, a delete command was issued, and in such a case the museum would be annoyed about the costs and the effort required for recovery. It is even more unpleasant if someone else could take over the entire control system and thus cause great or even existentially threatening damage.

Authenticity means that the identity of the museum operator is verifiable for the user. By ensuring the identity of the museum, the user knows exactly who they are communicating with. Criminals can exploit a lack of authenticity, for example, by registering domain names that are very similar to a museum’s domain and providing a copy of the control under these domains. The potential customer can now be lured to the fake site via a phishing email and, if the website is not secured, cannot directly see whether he has landed at the right museum. He may enter his access data and someone else can now go to the right museum unhindered.
Authentication is used so that both sides of the connection can check the identity of the connection partner when establishing the communication.

Secured connections in practice

An SSL/TLS certificate is required to establish a secure connection. Among other things, the issuer of the certificate, the certificate holder, and the public key of the certificate holder are stored in a certificate. Certificates are stored on the server with which a secure connection is to be established later. To ensure the integrity of a certificate, it is signed.
A security certificate can be generated and signed by anyone. However, self-signed certificates are not authentic to third parties because no independent institution has verified the identity of the issuer. Most browsers, therefore, display a warning message for websites with self-signed certificates. To verify the authenticity of a website or web application, a chain of trust is formed between the end user’s browser and the server of the visited website. The browser and operating system manufacturers verify and trust selected organizations whose certificates are then stored in the browser or operating system. These organizations are also called certificate authorities. The certification authorities can verify the identity of third parties and sign their certificates after verification. To ensure that a minimum standard is maintained during verification, the organizations classified as trustworthy go through a certification process beforehand. Visitors to a website or users of a web application are then asked to verify that the chain of trust is intact.
There are various levels for verifying identity, which differ in the extent of the verification. At the lowest level (class 1), only it is checked whether the applicant has the domain noted in the certificate. For class 2 certificates, the identity of the applicant (individual or company) is verified in more detail, for example with copies of identification documents and company documents. For class 3 certificates, the verification is even more intensive and additional documents are required. Class 3 certificates are also referred to as extended validation certificates and are characterized, among other things, by the fact that their use in modern browsers is clearly highlighted.

Recommendations for the use of HTTPS

When transmitting sensitive data, the use of an SSL/TLS certificate signed by a certification authority is always mandatory. If only a personal login area is to be protected, a self-signed certificate or a certificate signed by the hosting provider may be sufficient. In the case of self-signed certificates, however, the issuing certification authority must also be stored as trustworthy for the client so that the browser does not issue warning messages. These settings can be made by IT experts. Setting up a network-wide PKI structure is possible under both Linux and Windows. If there is no suitable IT expert/administrator on site, NeuroomNet can also arrange suitable experts and even take over the maintenance. If necessary, these experts clarify the necessary documents for obtaining external certificates and then also set them up. Internal certificates can have very long terms, while external certificates have to be renewed after just one year.

Notes on authenticity

In theory, authenticity is given when using SSL/TLS certificates, but in practice, there are problems with authenticity and whether one can trust the identity of the operator of a website must be decided on a case-by-case basis. On the one hand, Level 1 certificates are usually issued automatically. This means that valid certificates can also be acquired for typo domains, which are often used for phishing attacks. On the other hand, authenticity stands and falls with trust in the work of the certification authorities. If there is only one certification authority that works carelessly when checking the authenticity of the applicant’s documents or ignores similarities in names with other companies, it is possible for criminals to have certificates signed for companies with which they have nothing to do.

Certificate

An SSL/TLS certificate is required to build up a secure connection. Among other things, the issuer of the certificate, the certificate holder, and the public key of the certificate holder are stored in a certificate. Certificates are stored on the server with which a secure connection is to be established later. To ensure the integrity of a certificate, it is signed.
A security certificate can be generated and signed by anyone. However, self-signed certificates are not authentic for third parties because no independent institution has verified the identity of the issuer. Most browsers, therefore, display a warning message for websites with self-signed certificates. To verify the authenticity of a website or web application, a chain of trust is formed between the end user’s browser and the server of the visited website. The browser and operating system manufacturers verify and trust selected organizations whose certificates are then stored in the browser or operating system. These organizations are also called certification authorities. The certification authorities can verify the identity of third parties and sign their certificates after verification. To ensure that a minimum standard is maintained during the verification, the organizations classified as trustworthy first undergo a certification process. The visitor of a website or user of a web application is finally checked whether the chain of trust is intact.
There are different levels for the verification of identity, which differ in the extent of the verification. At the lowest level (class 1), it is only checked whether the applicant has the domain noted in the certificate. For class 2 certificates, the identity of the applicant (individual or company) is checked in more detail, for example with copies of identification documents and company documents. For class 3 certificates, the verification is even more intensive, and further documents are required. Class 3 certificates are also referred to as extended validation certificates and are characterized, among other things, by the fact that their use in modern browsers is clearly highlighted.

Certification Authority (CA)

In information security, a certificate authority (CA) is an organization that issues digital certificates. A digital certificate is used to assign a specific public key to a person or organization. This assignment is authenticated by the certification authority by affixing its own digital signature to it.

Digital certificates contain “keys” and additional information that are used for authentication as well as encryption and decryption of confidential data that is distributed via the internet and other networks. Additional information includes, for example, validity periods, references to certificate revocation lists, etc., which are included in the certificate by the CA.

The task of a certification authority is to issue and verify these digital certificates. It is responsible for the provision, allocation, and integrity assurance of the certificates it issues. It thus forms the core of the public key infrastructure.

A certification authority can be a specific company or an institution within a company that has installed its corresponding server (for example with OpenSSL/enterprise PKI from Microsoft). Public organizations or government agencies can also serve as a certification authority, e.g. in Germany the Federal Network Agency.

In Germany, additional, legally defined requirements must be met for the issuance of advanced electronic certificates according to § 2 number 2 Signature Act (SigG) or for qualified electronic signatures according to § 2 number 3 Signature Act. In particular, the issuers of the certificates are subject to supervision by the Federal Network Agency to ensure the reliability and integrity of these certificates in legal transactions. For example, the applicant for such a signature must personally identify himself to an approved body through his identity card so that such an electronic certificate can be issued to him. The data centers operated by the issuers must be particularly secure and thus meet high-security requirements.

PKI

PKI stands for Public-Key-Infrastructure and in cryptology refers to a system that can issue, distribute and verify digital certificates. The certificates issued within a PKI are used to secure computer-based communication.
Today’s security in companies relies on multi-level systems so that the highest certification authority and its private key cannot be compromised (i.e. read out and misused by crooks or malicious people).
https://en.wikipedia.org/wiki/Public_key_infrastructure

Key (Cryptology)

In cryptology, a key is information that parameterizes a cryptographic algorithm and thus controls it.
In modern, computer-based symmetric and also asymmetric procedures, the key is a bit sequence.
The key is the central component for decrypting a ciphertext and thus obtaining the plaintext.

Diagram: Secret text decrypted with secret key to plain text

Key for symmetrical methods

In symmetrical procedures, i.e. in all classical methods of cryptography and also in modern algorithms such as the Data Encryption Standard (DES) or its successor, the Advanced Encryption Standard (AES), both communication partners use the same (secret) key for both encryption and decryption. While classical methods, in which the text must be encrypted (i.e. encrypted and/or decrypted) by hand, almost always use a password as the key, the key in modern, i.e. computer-based, symmetrical methods usually consists of a bit sequence.
The security of a procedure depends not only on the algorithm itself but also on the key length. If an attack is found against a procedure that is more efficient than the brute force method, i.e. trying out all possible keys, the procedure is considered broken. The key length therefore directly indicates the security level of a secure procedure.

The key to asymmetrical methods

Asymmetric methods, such as the RSA cryptosystem, use key pairs consisting of a public key and a private key.
The public key is not secret, it is supposed to be known to other users, for example by distribution via key servers or certification authorities. It can be used to perform public operations, i.e., to encrypt messages or verify digital signatures. It is important that a public key can be clearly assigned to a user or company. If this is not the case, for example, if a message is encrypted with the public key of another user, that user can read the message even though it was not intended for him. To be able to name keys easily, one uses a fingerprint, a short hash value that uniquely identifies a key.
To decrypt a ciphertext or to sign a message, the private key is needed. In contrast to symmetric procedures, in which several users share a secret key, in the asymmetric procedure only one user/company has the private (secret) key. This circumstance is what makes it possible in the first place to assign a signature uniquely to a user/company. It is therefore fundamental that the private key cannot be derived from the public key.

For more examples and explanations, take a look at our documentation.

To the documentation

Secu­rity

Intro­duc­tion

Conclu­sion

Why is a secured data connec­tion useful?

Security

Introduction

Conclusion

Why is a secured data connection useful?