Secure Information Technology Center – Austria

Secure Peer-to-Peer communication

Kategorie: IT-Security

This project proposes a flexible and modular approach for existing peer-to-peer frameworks to enable a secure communication using well-established and proven protocols and algorithms. It introduces an interoperability layer where existing peer-to-peer frameworks and transport security protocols can be plugged in seamlessly and analyses the components of end-to-end security protocols. Finally a proof-of-concept application using the proposed framework is introduced which enables peers to establish secure connections with different types of identities. It can be found in the download area Weiter lesen…

Analyzing HTTPS services offered by GV.AT domains

Kategorie: eGovernment, IT-Security

In this project several properties of the services offered by gv.at domains have been analyzed. The main emphasis of the analysis was placed on services that were offered via HTTPS (SSL, TLS protocols). The results of this analysis are presented in a technical report. In addition to the analysis, a basic framework for the automated analysis has been implemented.
The main results of the analysis are summarized as follows:

  • 1285 services have been analyzed, 763 of those services do not support HTTPS
  • For the 552 services which offer HTTPS the following details were observed:
    • 59 services were configured for HTTPS. The other 463 services offered default HTTPS services (e.g. provider-specific default HTTPS certificates, or non-valid test certificates)
    • The services have then been analyzed for their supported cipher-suites, which have a strong influence on the security of the TLS protocol.
    • cipher

All details are available in the following report (in German):

Use of SHA-1 in certificates

Multiple vendors of web browsers are intending to retire the popular hash algorithm SHA-1 in favour of more recent alternatives. Therefore, guidelines have been elaborated that plan to take a leave of SHA-1 in multiple steps.

The subsequent table illustrates the support for SHA-1 in a chronological manner and highlights the handling according to the browser. The gradual sunset of SHA-1 is shown separated into steps whereas each is assigned an individual color: Notice (green), Warning (yellow) and escalation (red).

SHA-1

During the HTTPS analysis, a list of signature algorithms used on servers of public institutions, has been composed. Based on that, the following key figures can be derived:

  • 41 servers use a certificate which is no longer valid after 1/1/2016.
  • 21 out of 91 certificates are still valid in 2016. Major browsers will consider the affected servers secure, with minor errors.
  • 27 remaining certificates will be still valid after 1/1/2017. As a consequence, they will appear indifferent to unprotected HTTP connections, starting with the release of Google Chrome in version 40.

A detailed description of all deprecation policies and the list of investigated certificates are explained in the following report (in German):

Alternative Two-Factor Authentication

Kategorie: IT-Security

Two-factor authentication (2FA) is an essential mechanism that enables secure access to remote services. The Austrian Citizen Card is only on example of many solutions that rely on the concept of 2FA. Most 2FA methods have been designed and developed for classical end-user devices such as desktop PCs and laptops. Examples are smart card based solutions or the SMS-TAN approach. During the past years, mobile end-user devices have significantly gained importance. As these devices differ from classical end-user devices in terms of handling, security features, and functionality, established 2FA methods can often not be applied on these devices.

As a first step towards a solution to this issue, A-SIT has systematically analyzed and assessed different approaches to securely implement 2FA methods on current mobile end-user devices. Results of these analyses and assessments have been collected in a survey. This survey basically covers the following aspects:

  • The survey provides a brief overview of underlying concepts of 2FA.
  • It identifies requirements of 2FA methods for mobile end-user devices by means of an abstract model.
  • Existing 2FA approaches are assessed against the identified requirements.
  • Obtained assessment results are used to develop an appropriate solution.
  • The applicability of the developed solution is evaluated by applying it to the concrete use case of server-based signature solutions.
  • The feasibility of the developed solution is assessed by means of a prototype implmentation.

In summary, the survey shows that mobile end-user devices offer various opportunities to implement alternative 2FA methods. Furthermore, the survey shows that these methods can be integrated into existing applications, in order to ensure their security and to prepare them for access by mobile end-user devices.

The survey (available in german only) can be downloaded from the following link:

Alternative Zweifaktorauthentifizierung (DE, PDF)

6

May

2014

Security Analysis of Current Smartphone Platforms

Kategorie: IT-Security

A-SIT has published a survey paper regarding the security of current smartphone platforms. Currently the survey is available in German only.

However for detailled information about encryption systems on mobile platforms, you can consult the following publications of A-SIT:

iOS Encryption Systems – Deploying iOS Devices in Security-Critical Environments, SECRYPT 2013 (EN, PDF)
Peter Teufl, Thomas Zefferer, Christof Stromberger, Christoph Hechenblaikner

Android Encryption Systems, PRISMS 2014 (EN, PDF)
Peter Teufl, Andreas Gregor Fitzek, Daniel Hein, Alexander Marsalek, Alexander Oprisnik, Thomas Zefferer

28

April

2014

CA-Toolkit

Kategorie: IT-Security

This project consists of tools, that help to create:

  • E-Mail encryption certificates (CRYPT)
  • Encrypting File System (EFS) – certificates
  • Certificates for foreign bPKs  encryption.

All created certificates have the same root certificate. It does not matter which tool is used for initialization, every tool uses the existing root certificate if it already exists.

Weiter lesen…

Mail Test

Kategorie: IT-Security

Standard email clients usually behave differently with encrypted or signed emails.

This service creates a quantity of different test email and sends them to one particular receiver. You can test if your email client shows discrepancy in handling the different types and forms of emails. The authentication of the user is necessary in order to prevent misuse by sending massive amounts of emails.

Weiter lesen…

DKIM Proxy

Kategorie: IT-Security

DKIM Proxy is a reference implementation of the RFC 4871 (DomainKeys Identified Mail – DKIM) standard. This implementation can be deployed as a proxy in front of a SMTP or POP3/IMAP4 server.

The DKIM standard and the provided implementation facilitate the integration of appropriate means to reliably authenticate sender domains in e-mail transmissions. DKIM Proxy enables an SMTP server to sign sent e-mails according to the DKIM standard, and POP3 or IMAP4 servers to verify DKIM signatures of received e-mails.

Received e-mails are extended with an additional header field to indicate the result of the signature-verification process. This way, local e-mail clients can be configures to automatically classify incoming e-mails and to identify e-mails originating from invalid sender domains.
Weiter lesen…