Secure Information Technology Center – Austria




Security Aspects of Web-APIs

Kategorie: eGovernment

Web-APIs represent a significant building block of the modern Web. They enable efficient and technology neutral data and process integration between diverse entities and platforms. As an innovation driver, they facilitate the creation of new business models and products. The broad variety of APIs, as well as the need to efficiently manage their lifecycles, motivated the inception of specifications and tools to ease and accelerate their development and integration in programmatic environments. Weiter lesen…

Browser Addon for Certificate Validation using EU Trust Lists

Kategorie: Electronic signatures, IT-Security

Intended for demonstration purposes, A-SIT realised an addon for Mozilla Firefox capable of verifying and displaying the trust status of a website certificate according to the EU Trust List (TL). The extension adds a symbol to the browser’s address bar, indicating the trustworthiness of certificates on HTTPS-protected websites according to the eIDAS regulation via TL. Inspired by common usage of a coloured lock icon in order to signalize the trust status in browsers, the addon displays a blue EU flag for trustworthy, a crossed out flag for untrustworthy domains after completion of the browser-specific handshake validation. Besides, the user has the ability to learn more about the validation results by clicking onto the icon. As a result, certificate characteristics as well as TL-specific attributes are denoted. Weiter lesen…

Decentralisation of Centralised Services

Kategorie: Cloud Computing, IT-Security

In recent years, the way users utilise their personal devices changed drastically due to the increasing popularity of smartphones and other mobile devices. A modern-day user typically owns multiple devices running a wide variety of different services which (ideally) should be available anywhere at all times. Service operators cater to these needs. From a software-architectural point of view, this is oftentimes achieved by relying on traditional client-server architectures. Central instances still play a major role when it comes to delivering internet-based services to end users. In essence, existing systems have often been extended and adapted to meet today’s user requirements. Their underlying structure, however, remained unchanged in many cases. Weiter lesen…

Flexible Communication using cross platform and web technologies

Kategorie: Web Technologies

Web technologies as used in web applications and cross platform applications, offer all the capabilities required to built full-fledged applications.
One identified drawback is the direct communication between different instances of these applications. In this project, different approaches were analyzed to solve this issue and to provide a ready to use framework for various different kinds of applications.
One of the analyzed approaches was scrutinized and was finally realized and can be downloaded here.

Weiter lesen…

Static Analysis of iOS Applications

Kategorie: IT-Security

The behavioral analysis of mobile applications for Apple iOS is still a very challenging procedure, both in terms of time and resources required. In the end, it is usually not clear which measures an application provides to protect sensitive data. Similarly, it is difficult to determine whether apps violate established security principles, such as when cryptographic functions are used, and thus facilitate attacks on critical data.
Weiter lesen…

CA-less Authentication of Cloud Services

Kategorie: IT-Security

Recent advances in web technology, such as WebRTC, paved the road for providing short-lived services on end-user devices. Similar to legacy services (static and stationary), short-lived services need to be authenticated as well. This project evaluates and compares different authentication methods which might be suitable for use with for short-lived services without relying on traditional certification authority (CA) structures.

Weiter lesen…

Orchestration of distributed cloud applications

Kategorie: IT-Security

Today, many web services offer a separate interface in the form of a Web-API that enables the data exchange and consumption of remote services. However, the management of secuirity aspects of these interfaces is often complex and opaque. Considering the role of Web-APIs as a corner stone and driver of modern Internet and cross-domain transactions, it is necessary to reconsider the modeling of underlying security features and data models applied in the cross-domain communication.

Weiter lesen…

Analysis of Car-Applications

Kategorie: IT-Security

It is due to the sustained popularity of mobile communication technologies in the last years, that they are now heavily deployed in the automotive sector. One example for this are mobile applications, which allow drivers to interact with their vehicles. Locking and unlocking or the remote starting of the climate control and the pre-heating are only one example for possible use cases of mobile applications.

However, several incidents in the past have shown, that the applications provided by manufacturers are not resilient to attacks and thus compromise the security of the overall system. As a result, mobile applications pose a potential field of application, which can benefit from the correct usage of secure information and communication technologies.

Weiter lesen…

Contextual Data Exchange

Kategorie: Cloud Computing, eGovernment, IT-Security

In this project we present the reusable data structure that addresses the issues of static, inflexible and practically non-interoperable authorization definitions. We first establish the structure that introduces enhanced expressivity, context-sensitivity and adaptability in descriptions of authorization constraints. We then develop the supporting software component and the web-based interface for definition and inspection of access authorizations established using the proposed structure. Based on that, we present a demonstration prototype and describe the application of the proposed structure both in terms of emerging solutions and existing authorization frameworks