Secure Information Technology Center – Austria

Analyzing HTTPS services offered by GV.AT domains

Kategorie: eGovernment, IT-Security

In this project several properties of the services offered by gv.at domains have been analyzed. The main emphasis of the analysis was placed on services that were offered via HTTPS (SSL, TLS protocols). The results of this analysis are presented in a technical report. In addition to the analysis, a basic framework for the automated analysis has been implemented.
The main results of the analysis are summarized as follows:

  • 1285 services have been analyzed, 763 of those services do not support HTTPS
  • For the 552 services which offer HTTPS the following details were observed:
    • 59 services were configured for HTTPS. The other 463 services offered default HTTPS services (e.g. provider-specific default HTTPS certificates, or non-valid test certificates)
    • The services have then been analyzed for their supported cipher-suites, which have a strong influence on the security of the TLS protocol.
    • cipher

All details are available in the following report (in German):

Use of SHA-1 in certificates

Multiple vendors of web browsers are intending to retire the popular hash algorithm SHA-1 in favour of more recent alternatives. Therefore, guidelines have been elaborated that plan to take a leave of SHA-1 in multiple steps.

The subsequent table illustrates the support for SHA-1 in a chronological manner and highlights the handling according to the browser. The gradual sunset of SHA-1 is shown separated into steps whereas each is assigned an individual color: Notice (green), Warning (yellow) and escalation (red).

SHA-1

During the HTTPS analysis, a list of signature algorithms used on servers of public institutions, has been composed. Based on that, the following key figures can be derived:

  • 41 servers use a certificate which is no longer valid after 1/1/2016.
  • 21 out of 91 certificates are still valid in 2016. Major browsers will consider the affected servers secure, with minor errors.
  • 27 remaining certificates will be still valid after 1/1/2017. As a consequence, they will appear indifferent to unprotected HTTP connections, starting with the release of Google Chrome in version 40.

A detailed description of all deprecation policies and the list of investigated certificates are explained in the following report (in German):

Create and decode CMS in Javascript

Kategorie: eGovernment

In order to process sensitive data in a browser-based application, several cryptographic functions have to be implemented by developers. Currently basic functions as RSA or AES encryption are covered by publicly available Javascript libraries, but they lack the support for advanced mechanisms as Cryptographic Message Syntax or XML signatures. This project implements a demo that provides encryption and decryption using CMS. As the report of this project is available in German only, this article covers the most relevant results.
Weiter lesen…

Signature-Verification Tool

Kategorie: eGovernment

The Signature-Verification Tool is a server-based solution for the verification of electronic signatures. The tool supports the verification of different document and signature formats.

To implement this functionality, a format-detection process is started first. According to the determined document format, an appropriate verification process is triggered. Additionally, the tool supports the definition of message filters for certain groups of document formats. This yields inclusion of additional information in the created verification report. This way, appropriate verification reports can be obtained also for documents such as PDF or XML that potentially contain different signature types and formats.

More information on this tool can be found at joinup.ec.europa.eu …

Circular-Resolution Database

Kategorie: eGovernment

Electronic documents in general and in particular resolution proposals usually need to be created, signed, and made accessible to a predefined group of people. This web application provides opportunities to facilitate these processing steps with the help of the Austrian Citizen Card.

Authenticated users of this web application can be dynamically assigned different roles and rights. This enables authorized users to upload PDF files or to create such files according to data previously entered by the user. Created or uploaded documents are subsequently automatically submitted to a predefined user group for electronic signature. Completely signed documents are finally made accessible for review and download to authorized users.

Additionally, the web application provides opportunities to maintain and backup created and signed documents. A configurable email-based notification system is also integrated into this web application to improve the overall efficiency of document creation and signing processes.
Weiter lesen…