Home » Things to know »
SecuÂrity
IntroÂducÂtion
This article is not speciÂfiÂcally about secuÂrity in NeuroomNet, but, since NeuroomNet is a web-based tool, about the secuÂrity of web-based tools in general. In other words, what you should consider operaÂting a system like NeuroomNet secuÂrely. We are happy to help you with any quesÂtions you may have, but you can get some ideas below about what to consider.
SecuÂrity is a double-edged sword: If the secuÂrity is too high, the authoÂrized user is so massiÂvely hindered in the tasks that accepÂtance suffers signiÂfiÂcantly. But if it is too low, this can lead to very serious conseÂquences.
In this respect, the internet is once again both a curse and a blesÂsing.
The disseÂmiÂnaÂtion of knowÂledge is a great strength, but with it, the knowÂledge of how to underÂmine a system’s secuÂrity is also quickly spread. Just as the connecÂtion to the internet itself creates the possibility of being able to conveÂniÂently attack a system. On the other hand, certain subsysÂtems can be autoÂmaÂtiÂcally kept up to date via the internet and protected from harmful influences.
So if you want to be on the safe side, you have to move with the times and adapt your system to the constantly increÂasing requiÂreÂments. There are areas where you can take a breaÂther because the concept already provides a great deal of secuÂrity. Other areas adapt autoÂmaÂtiÂcally (if there is access to the internet) and finally, there are areas where you have to reguÂlarly check whether everÂyÂthing is working as intended or react approÂpriaÂtely.
EncrypÂtion
FireÂwall
InfraÂstrucÂture
Public appliÂcaÂtion (CA-signed certificates)
The duraÂtion of such a certiÂfiÂcate is currÂently limited to 2 years and is even to be shorÂtened to 13 months.
Internal appliÂcaÂtion (self-signed certificates)
Costs and beneÂfits
ConcluÂsion
To ensure that everÂyÂthing funcÂtions as smoothly as possible, a so-called PKI (private key infraÂstrucÂture) must be estabÂlished. This helps with admiÂnisÂtraÂtion and control and can autoÂmate individual aspects. There are diffeÂrences due to the manuÂfacÂtuÂrers used in each case. It also requires approÂpriaÂtely trained staff to set it all up and renew it every few years or months, as described above. The regular instalÂlaÂtion of renewed certificates must be ensured, as they cannot replace themÂselves.
The more complex a system becomes, the greater the need to set up a sepaÂrate certiÂfiÂcaÂtion authoÂrity and PKI. The days of “we just plug everÂyÂthing into the network switch” are over, because otherÂwise anyone can connect to the connecÂtion, read everÂyÂthing along with the login data, and even maniÂpuÂlate it during use (see also man-in-the-middle attack).
Why is a secured data connecÂtion useful?
By using certificates, it can be ensured that no maniÂpuÂlaÂtion of the content by third parties is possible during transÂmisÂsion and, for example, that no false information about your company is injected into your company website.
The most important protoÂcols for secuÂring data connecÂtions for operaÂtors of websites and web appliÂcaÂtions
TLS stands for TransÂport Layer SecuÂrity and is the successor protocol to SSL 3.0. The first version 1.0 of TLS is a slightly modiÂfied variant of the third version of SSL and was stanÂdarÂdized by the IETF.
The Internet EngiÂneeÂring Task Force (IETF) is an orgaÂnizaÂtion that deals with the technical deveÂloÂpÂment of the Internet to improve its funcÂtioÂning. CurrÂently, TLS is in version 1.3 and is now also in wideÂspread use.
TLS consists of two main componÂents: TLS HandÂshake and TLS Record. In TLS HandÂshake, secure key exchÂange and authenÂtiÂcaÂtion take place. TLS Record then uses the symmeÂtric key negoÂtiated in TLS HandÂshake for secure data transÂmisÂsion — the data is encrypted and transÂmitted with a MAC protected against changes.
Note: SSL is the more common term nowaÂdays and often TLS is meant when talking about SSL.
A secure connecÂtion is often equated with encrypÂtion of the connecÂtion. However, SSL/TLS offers additional secuÂrity features.
AccorÂding to the original interÂpreÂtaÂtion, the client browser should first display the certiÂfiÂcate to the user after selecÂting the HTTPS address. The user then decides whether he trusts the certiÂfiÂcate for this session, possibly saving it permaÂnently, if necesÂsary after checking it via the speciÂfied links. OtherÂwise, the HTTPS connecÂtion is not estabÂlished (“Leave this page” with Firefox or “Click here to leave this page.” with Internet Explorer).
The three main purposes when using SSL/TLS are:
- ConfiÂdenÂtiaÂlity (through encrypÂtion)
- Data inteÂgrity
- AuthenÂtiÂcity
These three purposes are explained below.
AuthenÂtiÂcaÂtion is used so that both sides of the connecÂtion can check the idenÂtity of the connecÂtion partner when estabÂliÂshing the commuÂniÂcaÂtion.
Secured connecÂtions in pracÂtice
An SSL/TLS certiÂfiÂcate is required to estabÂlish a secure connecÂtion. Among other things, the issuer of the certiÂfiÂcate, the certiÂfiÂcate holder, and the public key of the certiÂfiÂcate holder are stored in a certiÂfiÂcate. Certificates are stored on the server with which a secure connecÂtion is to be estabÂlished later. To ensure the inteÂgrity of a certiÂfiÂcate, it is signed.
A secuÂrity certiÂfiÂcate can be geneÂrated and signed by anyone. However, self-signed certificates are not authentic to third parties because no indeÂpenÂdent instiÂtuÂtion has veriÂfied the idenÂtity of the issuer. Most browÂsers, therÂeÂfore, display a warning message for websites with self-signed certificates. To verify the authenÂtiÂcity of a website or web appliÂcaÂtion, a chain of trust is formed between the end user’s browser and the server of the visited website. The browser and operaÂting system manuÂfacÂtuÂrers verify and trust selected orgaÂnizaÂtions whose certificates are then stored in the browser or operaÂting system. These orgaÂnizaÂtions are also called certiÂfiÂcate authoÂriÂties. The certiÂfiÂcaÂtion authoÂriÂties can verify the idenÂtity of third parties and sign their certificates after veriÂfiÂcaÂtion. To ensure that a minimum stanÂdard is mainÂtained during veriÂfiÂcaÂtion, the orgaÂnizaÂtions clasÂsiÂfied as trustÂworthy go through a certiÂfiÂcaÂtion process beforeÂhand. Visitors to a website or users of a web appliÂcaÂtion are then asked to verify that the chain of trust is intact.
There are various levels for veriÂfying idenÂtity, which differ in the extent of the veriÂfiÂcaÂtion. At the lowest level (class 1), only it is checked whether the appliÂcant has the domain noted in the certiÂfiÂcate. For class 2 certificates, the idenÂtity of the appliÂcant (individual or company) is veriÂfied in more detail, for example with copies of identification docuÂments and company docuÂments. For class 3 certificates, the veriÂfiÂcaÂtion is even more intenÂsive and additional docuÂments are required. Class 3 certificates are also referred to as extended valiÂdaÂtion certificates and are characÂteÂrized, among other things, by the fact that their use in modern browÂsers is clearly highÂlighted.
RecomÂmenÂdaÂtions for the use of HTTPS
Notes on authenÂtiÂcity
CertiÂfiÂcate
A secuÂrity certiÂfiÂcate can be geneÂrated and signed by anyone. However, self-signed certificates are not authentic for third parties because no indeÂpenÂdent instiÂtuÂtion has veriÂfied the idenÂtity of the issuer. Most browÂsers, therÂeÂfore, display a warning message for websites with self-signed certificates. To verify the authenÂtiÂcity of a website or web appliÂcaÂtion, a chain of trust is formed between the end user’s browser and the server of the visited website. The browser and operaÂting system manuÂfacÂtuÂrers verify and trust selected orgaÂnizaÂtions whose certificates are then stored in the browser or operaÂting system. These orgaÂnizaÂtions are also called certiÂfiÂcaÂtion authoÂriÂties. The certiÂfiÂcaÂtion authoÂriÂties can verify the idenÂtity of third parties and sign their certificates after veriÂfiÂcaÂtion. To ensure that a minimum stanÂdard is mainÂtained during the veriÂfiÂcaÂtion, the orgaÂnizaÂtions clasÂsiÂfied as trustÂworthy first undergo a certiÂfiÂcaÂtion process. The visitor of a website or user of a web appliÂcaÂtion is finally checked whether the chain of trust is intact.
There are diffeÂrent levels for the veriÂfiÂcaÂtion of idenÂtity, which differ in the extent of the veriÂfiÂcaÂtion. At the lowest level (class 1), it is only checked whether the appliÂcant has the domain noted in the certiÂfiÂcate. For class 2 certificates, the idenÂtity of the appliÂcant (individual or company) is checked in more detail, for example with copies of identification docuÂments and company docuÂments. For class 3 certificates, the veriÂfiÂcaÂtion is even more intenÂsive, and further docuÂments are required. Class 3 certificates are also referred to as extended valiÂdaÂtion certificates and are characÂteÂrized, among other things, by the fact that their use in modern browÂsers is clearly highÂlighted.
CertiÂfiÂcaÂtion AuthoÂrity (CA)
PKI
Today’s secuÂrity in compaÂnies relies on multi-level systems so that the highest certiÂfiÂcaÂtion authoÂrity and its private key cannot be comproÂmised (i.e. read out and misused by crooks or maliÂcious people).
https://en.wikipedia.org/wiki/Public_key_infrastructure
Key (CrypÂtoÂlogy)
In modern, computer-based symmeÂtric and also asymÂmeÂtric proceÂdures, the key is a bit sequence.
The key is the central compoÂnent for decrypÂting a cipherÂtext and thus obtaiÂning the plainÂtext.
Key for symmeÂtrical methods
The secuÂrity of a proceÂdure depends not only on the algoÂrithm itself but also on the key length. If an attack is found against a proceÂdure that is more effiÂcient than the brute force method, i.e. trying out all possible keys, the proceÂdure is considered broken. The key length therÂeÂfore directly indiÂcates the secuÂrity level of a secure proceÂdure.
The key to asymÂmeÂtrical methods
AsymÂmeÂtric methods, such as the RSA crypÂtoÂsystem, use key pairs consisÂting of a public key and a private key.
The public key is not secret, it is supposed to be known to other users, for example by distriÂbuÂtion via key servers or certiÂfiÂcaÂtion authoÂriÂties. It can be used to perform public operaÂtions, i.e., to encrypt messages or verify digital signaÂtures. It is important that a public key can be clearly assiÂgned to a user or company. If this is not the case, for example, if a message is encrypted with the public key of another user, that user can read the message even though it was not intended for him. To be able to name keys easily, one uses a fingerÂprint, a short hash value that uniquely idenÂtiÂfies a key.
To decrypt a cipherÂtext or to sign a message, the private key is needed. In contrast to symmeÂtric proceÂdures, in which several users share a secret key, in the asymÂmeÂtric proceÂdure only one user/company has the private (secret) key. This circumÂsÂtance is what makes it possible in the first place to assign a signaÂture uniquely to a user/company. It is therÂeÂfore fundaÂmental that the private key cannot be derived from the public key.
For more examples and explÂanaÂtions, take a look at our documentation.