Secure Information Technology Center – Austria

Analysis of Car-Applications

Category: IT-Security

Thanks to the sustained popularity of mobile communication technologies in recent years, they are now heavily deployed in the automotive sector. One example of this is mobile applications that allow drivers to interact with their vehicles. Locking and unlocking the car, or remotely starting the climate control and the pre-heating, are just a few of the possible use cases for such applications.

However, several incidents in the past have shown that the applications provided by manufacturers are not resilient to attacks and thus compromise the security of the overall system. Mobile applications are therefore a field that can benefit from the correct use of secure information and communication technologies.

Read more…

Contextual Data Exchange

Category: Cloud Computing, eGovernment, IT-Security

In this project we present a reusable data structure that addresses the issues of static, inflexible and practically non-interoperable authorization definitions. We first establish the structure, which introduces enhanced expressivity, context-sensitivity and adaptability in descriptions of authorization constraints. We then develop the supporting software component and the web-based interface for defining and inspecting access authorizations established using the proposed structure. Based on that, we present a demonstration prototype and describe the application of the proposed structure both in terms of emerging solutions and existing authorization frameworks.


Flexible Two-Factor Authentication with FIDO

Category: Electronic signatures, IT-Security

FIDO Universal Second Factor (U2F) is an industry standard for generally applicable two-factor authentication. Using a USB security token, users can authenticate against a variety of web services. A key feature of the U2F concept is that the corresponding hardware element is physically connected to the computer during the registration process, so that the web browser can interact with it directly via a suitable interface. The wide applicability of FIDO U2F presupposes that a certified hardware element is available. This impedes, for example, the use of U2F on smartphones, since it is often not feasible to connect USB tokens to these devices. Due to lack of support, NFC is often no viable alternative either.
Read more…

13 July 2016

Server-side Solutions for Cloud-based Mobile Augmentation

Category: Cloud Computing, IT-Security

Although mobile end-user devices are becoming more and more powerful, they still suffer from limited processing capabilities and battery capacity. To address this problem, augmenting mobile devices with resources from surrounding devices or with cloud-based resources has gained popularity in recent years. Existing solutions that follow this approach and offload computationally intensive tasks already yield good results for specific use cases. Unfortunately, most of these solutions are tailored to specific operating systems or programming languages and do not support the flexible use of resources. To overcome these limitations, we introduce a secure and flexible resource discovery solution for mobile augmentation systems.
Read more…

14 June 2016

Dynamic Key Usage Policies

Category: Cloud Computing, IT-Security

More and more data and resources are being moved to the cloud. Even cryptographic primitives benefit from the advantages of the cloud. However, state-of-the-art authentication methodologies and defense strategies mostly cannot cope with attacks while simultaneously allowing the legitimate user to continue using the service. The legitimate user is often required to perform manual steps to regain access to the service. Denial-of-service attacks against a user therefore persist.
Read more…

12 May 2016

Managing Security of API-based Integration Workflows

Category: Cloud Computing, IT-Security

Security requirements, particularly those concerning confidentiality, require IT processes to comply with the least-privilege principle. OAuth 2.0, a currently widely adopted authorization protocol, meets these requirements only partially. For example, because access scopes are defined unilaterally and represented in a service-provider-specific way, the possibility of structuring access restrictions and authorizations granularly and interoperably is virtually eliminated. This problem particularly affects cross-domain data exchanges, since the security measures of different organizations can be applied only to a limited extent.

The architecture and relevant first results of this ongoing work were presented at the DISSECT Workshop at the IEEE/IFIP NOMS conference. The proposed approach addresses the security management of API-based interactions. The perspectives of service providers, clients and data owners are taken into consideration to enable contextual dependence in API-based data exchanges, as well as to support granularity and interoperability in security management.

19 April 2016

Secure Integration in the Cloud

Category: IT-Security

A novel product category related to cloud integration platforms (iPaaS) provides additional value to customers by integrating a diverse range of cloud services offered by third parties. In this way, iPaaS service providers deliver a cloud service that composes, integrates and reuses a range of different products and services offered by other providers or organisations. This concept assumes that the interactions, data flows and service consumption take place in a complex environment that spans several domains. The resulting complexity, however, extends the attack surface and increases the security risk of these interactions. This is especially important to consider for cross-domain interactions, where the service provider may have access to a broader range of the user’s services than necessary to accomplish the task.

The paper on secure integration in the cloud was presented on 7 April in the scope of the ACM SAC 2016 conference. In this work we particularly considered the aspects of protocols, integration platforms, and security requirements for the relevant building blocks of a typical integration platform.

  • Securing Integration of Cloud Services in Cross-Domain Distributed Environments
    [Presentation]  [Paper]

17 March 2016

Security Implications of Emerging Web-Technologies

Category: IT-Security

In this report, existing web-tracking technologies are analyzed. Building on this knowledge, two new web technologies, WebSockets and WebRTC, are analyzed with a focus on their implications for user privacy.
Four scenarios were developed that, on the one hand, tamper with user privacy and, on the other hand, enable a vast improvement in unperceived user identification.
Read more…

Security Recommendations for the Public Sector

Category: eGovernment, IT-Security

Cryptography is a powerful tool, which—if applied correctly—provides confidentiality, integrity, and authenticity of electronically stored, processed, and transmitted data. Electronic Internet-based services in security-critical fields such as e-government or e-banking would be infeasible without cryptography. Hence, the correct application of cryptographic methods is of special relevance for public administrations as well.
Read more…

SSL Check for Clients/Server

Category: IT-Security

The A-SIT SSL tool consists of two parts. The “Browser test” reviews and evaluates the SSL/TLS capabilities of web browsers, while the “Server test” performs investigative actions on web servers. The tested components are classified to indicate whether they are qualified for use in security-critical environments.
Read more…