NEWSLETTER 06 | 2008

 

Dear Readers:

“One-Time Password Replacement” is already a hot topic in the USA – and justifiably so. One-time passwords are expensive to purchase and administer, and they serve only a single purpose. In contrast, certificates offer more than just authentication. If you are looking for a cost-effective alternative for your token-based Remote Access, we recommend that you read this newsletter.

There was some disturbing news in May: A security gap was detected in the Debian software. We responded immediately and contacted our customers whose SSL certificates were affected. Every affected user received a new free certificate from us. More on this subject can be found under “Debian security gap – TC TrustCenter provides solution package”.

By the way, we have a new homepage that is designed to guide you faster wherever you want to go on the TC TrustCenter websites. As a new service for our English-speaking customers and partners, we will now also send out an English version of our Newsletter.

Yours sincerely,
TC TrustCenter Team

 


Remote Access: Digital certificates replace one-time passwords

Tokens have been used since the mid-80s as a proven means of identity and access control. One-time passwords (OTP) in particular, which give users mobility independent of their location, have become predominant.

This independence, however, comes at a price. High initial investments and high overhead for the physical management of the tokens are combined with a high effort for managing the one-time passwords.

Most importantly, however, the mobile usage scenario is different today, 20 years after the introduction of OTP tokens. If you think of mobility today, you also think of small notebooks or smartphones: The clients have become mobile. The increasing miniaturisation and convergence of mobile clients accelerates this development considerably: The notebook becomes a token.

This new mobility also demands more than strong authentication. E-mails should be encrypted and data secured, especially on notebooks, and valid signatures on documents offer considerable savings potential.

The alternative is digital certificates. They are cost-effective and have many uses. After all, the notebook becomes the token, and a digital certificate becomes a secure authentication factor. And best of all, certificates offer you more than “just” access control. They enable secure e-mail, digital signatures and encryption – all at a lower total cost of ownership.


 

Debian security gap – TC TrustCenter provides solution package

Following a faulty patch in 2006, the OpenSSL library of the Debian Linux distribution has been generating weak crypto keys. This report has caused a great deal of uncertainty among users. After the security gap in Debian OpenSSH keys became known, TC TrustCenter was the first trustcenter to respond: We checked our entire inventory of certificates for this weakness and immediately informed the affected certificate owners. We offer all currently affected customers secure replacement certificates free of charge and will continue to screen all new certificate requests for this detected Debian key problem.

The weak point, which was detected by the security specialist Luciano Bello, is especially critical because the random numbers on which the Debian OpenSSH keys for the certificates are based can easily be calculated by programming a simple “run-through” of numbers, which makes them predictable. As a result, these keys lose their ability to provide strong protection against hacker attacks, such as brute-force attacks or other unauthorized espionage intrusions (source: http://www.heise.de/security/ – here you will also find additional updates on this topic).
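
The screening of certificate requests described above can be pictured as follows. This Python example is added here and is not TC TrustCenter's code or part of the original newsletter; toy_weak_keygen, the seed space of 32768 and the SHA-256 fingerprint are assumptions chosen for illustration, and the toy modulus stands in for a real RSA key.

```python
import hashlib
import random
import secrets

# Assumption: the flawed generator's only entropy is one small integer
# (for example a process ID), so every possible key can be enumerated.
SEED_SPACE = 32768
HALF_BITS = 64

def _odd_with_top_bit(value: int) -> int:
    """Force the top and bottom bits so the factor has full length and is odd."""
    return value | (1 << (HALF_BITS - 1)) | 1

def toy_weak_keygen(seed: int) -> int:
    """Constructed stand-in for a key generator that depends only on `seed`.
    Returns a toy modulus (product of two odd numbers), not a real RSA key."""
    rng = random.Random(seed)
    return (_odd_with_top_bit(rng.getrandbits(HALF_BITS))
            * _odd_with_top_bit(rng.getrandbits(HALF_BITS)))

def toy_strong_keygen() -> int:
    """Same toy construction, but drawing from the operating system's CSPRNG."""
    return (_odd_with_top_bit(secrets.randbits(HALF_BITS))
            * _odd_with_top_bit(secrets.randbits(HALF_BITS)))

def fingerprint(modulus: int) -> str:
    """Fingerprint of the public modulus; only this hash is stored, never the key."""
    return hashlib.sha256(f"{modulus:X}".encode("ascii")).hexdigest()

def build_blocklist(seed_space: int = SEED_SPACE) -> frozenset:
    """The "run-through": one fingerprint per possible seed."""
    return frozenset(fingerprint(toy_weak_keygen(s)) for s in range(seed_space))

def screen_request(modulus: int, blocklist: frozenset) -> str:
    """CA-side check applied to the public key in a certificate request."""
    return "REJECT" if fingerprint(modulus) in blocklist else "ACCEPT"

if __name__ == "__main__":
    blocklist = build_blocklist()
    print(len(blocklist), "predictable keys enumerated")
    print("weak key:  ", screen_request(toy_weak_keygen(4242), blocklist))
    print("strong key:", screen_request(toy_strong_keygen(), blocklist))
```

Because the blocklist holds only fingerprints of public values, the same check can be run both over an existing certificate inventory and over each new request.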


 

Customer News

TC TrustCenter wins two new customers from the financial sector for certificate gateway solutions

An increasing number of financial institutions rely on the use of e-mail gateways with certificates. A perfect solution is the combination of an e-mail gateway and the TC TrustCenter on-demand certificate platform. E-mail gateway solutions enable the centrally controlled and therefore very convenient use of certificates for secure e-mail, providing an especially fast Return on Investment due to the fast commissioning. Last month, we won two new customers from the financial sector for this solution.

 

Our Professional Tip: Sending secure e-mails with Outlook

Sending and receiving secure e-mails with Outlook is easy. Outlook supports the use of certificates practically at the click of a mouse. Since the TC TrustCenter root certificates are already pre-installed in Outlook, all you need is your own certificate to digitally sign outgoing e-mails, and the certificate of your communication partner to encrypt e-mails.

Digital signing of outgoing e-mails

To configure Outlook so that you can send your own e-mails with a digital signature, please make the following settings:

1. Under “Extras > Options”, tab “Security > Settings...”, select your own certificate.

2. In the “Security” tab, select whether messages shall be “Encrypted” and/or “Signed” by default.

By selecting the option “Add digital signature to messages”, outgoing e-mails will be digitally signed from now on.

Using the certificate of a communication partner to encrypt e-mails

To encrypt e-mails to a communication partner, you need the certificate of that partner.
The easiest way to obtain it is from a digitally signed e-mail sent by the communication partner. In this case, only the following settings need to be made:

1. Open the receiver’s signed e-mail by double-clicking on it.

2. Use the right mouse button to click on the sender’s address and select the option “Add to Outlook contacts…”.

3. Your Contacts will open. These can be edited, and the certificate (Digital ID) of the contact is shown in the “Certificates” tab.

4. If the contact data are correct, confirm this by clicking on “Save and close”.

From now on, you can send encrypted e-mails to this communication partner. You enable the encryption by clicking on the icon with the blue padlock on the letter.
Each communication partner to whom you write a digitally signed mail will have your certificate and can thus also send you encrypted e-mails.

 

TC TrustCenter outlook

TC TrustCenter will launch the TC ID Store in July. It greatly facilitates the ordering of client certificates and their management using a user-friendly interface. The use of a TC ID Store is also an economical solution for customers that require only a small number of individual certificates.

TC TrustCenter will organise a roadshow on “Using E-mail Gateways and Certificates” in September. If you are interested in visiting this roadshow, you should note the following dates: September 2 in Düsseldorf, September 3 in Frankfurt and September 17 in Munich.

See our next Newsletter to learn more about these topics.