Secure Information Technology Center – Austria

Threats posed by malicious USB devices

Kategorie: IT-Security

The flexibility of USB supports the integration of a variety of devices via a common interface without authentication. Since a computer cannot recognize a USB device until it is connected, it identifies a device by using the information it provides about itself. A user, in turn, expects from USB devices, the functionality they are designed for. In the recent past, manipulated USB devices have appeared that can not be detected as a threat to current protection measures.

Within the scope of a short study, known methods have been summarized that enable the manipulation of USB devices in order to attack a computer. After a brief introduction to the USB standard, known attack vectors have been subsumed. Particular attention has been paid to the manipulation of the firmware of USB flash drives (“BadUSB” attack). Practical case studies have been used to highlight the problem and to illustrate the possible consequences of an attack. Finally, the use of possible protective mechanisms has been discussed.
Weiter lesen…

Secure Peer-to-Peer communication

Kategorie: IT-Security

This project proposes a flexible and modular approach for existing peer-to-peer frameworks to enable a secure communication using well-established and proven protocols and algorithms. It introduces an interoperability layer where existing peer-to-peer frameworks and transport security protocols can be plugged in seamlessly and analyses the components of end-to-end security protocols. Finally a proof-of-concept application using the proposed framework is introduced which enables peers to establish secure connections with different types of identities. It can be found in the download area Weiter lesen…

Analyzing HTTPS services offered by GV.AT domains

Kategorie: eGovernment, IT-Security

In this project several properties of the services offered by domains have been analyzed. The main emphasis of the analysis was placed on services that were offered via HTTPS (SSL, TLS protocols). The results of this analysis are presented in a technical report. In addition to the analysis, a basic framework for the automated analysis has been implemented.
The main results of the analysis are summarized as follows:

  • 1285 services have been analyzed, 763 of those services do not support HTTPS
  • For the 552 services which offer HTTPS the following details were observed:
    • 59 services were configured for HTTPS. The other 463 services offered default HTTPS services (e.g. provider-specific default HTTPS certificates, or non-valid test certificates)
    • The services have then been analyzed for their supported cipher-suites, which have a strong influence on the security of the TLS protocol.
    • cipher

All details are available in the following report (in German):

Use of SHA-1 in certificates

Multiple vendors of web browsers are intending to retire the popular hash algorithm SHA-1 in favour of more recent alternatives. Therefore, guidelines have been elaborated that plan to take a leave of SHA-1 in multiple steps.

The subsequent table illustrates the support for SHA-1 in a chronological manner and highlights the handling according to the browser. The gradual sunset of SHA-1 is shown separated into steps whereas each is assigned an individual color: Notice (green), Warning (yellow) and escalation (red).


During the HTTPS analysis, a list of signature algorithms used on servers of public institutions, has been composed. Based on that, the following key figures can be derived:

  • 41 servers use a certificate which is no longer valid after 1/1/2016.
  • 21 out of 91 certificates are still valid in 2016. Major browsers will consider the affected servers secure, with minor errors.
  • 27 remaining certificates will be still valid after 1/1/2017. As a consequence, they will appear indifferent to unprotected HTTP connections, starting with the release of Google Chrome in version 40.

A detailed description of all deprecation policies and the list of investigated certificates are explained in the following report (in German):

Cloud-based signature solutions: a survey

Kategorie: Electronic signatures

Cloud-based signing solutions are on the rise and attempt to revolutionize business processes while integrating themselves well into cloud storage infrastructures. The combination promises faster process flows for signing a contract than the classic paper-based approach. In this survey we reviewed seven representative examples of cloud-based signature services and assessed them at the provided cryptographic features, the interfaces they offer, the authentication methods they provide and the key storage implementations used. We found that multi-factor authentication and hardware security module back-ends are common features. Interfaces range from APIs over web user interfaces to proprietary applications. Yet, there are shortcomings in flexibility and security.

Weiter lesen…

Create and decode CMS in Javascript

Kategorie: eGovernment

In order to process sensitive data in a browser-based application, several cryptographic functions have to be implemented by developers. Currently basic functions as RSA or AES encryption are covered by publicly available Javascript libraries, but they lack the support for advanced mechanisms as Cryptographic Message Syntax or XML signatures. This project implements a demo that provides encryption and decryption using CMS. As the report of this project is available in German only, this article covers the most relevant results.
Weiter lesen…

Alternative Two-Factor Authentication

Kategorie: IT-Security

Two-factor authentication (2FA) is an essential mechanism that enables secure access to remote services. The Austrian Citizen Card is only on example of many solutions that rely on the concept of 2FA. Most 2FA methods have been designed and developed for classical end-user devices such as desktop PCs and laptops. Examples are smart card based solutions or the SMS-TAN approach. During the past years, mobile end-user devices have significantly gained importance. As these devices differ from classical end-user devices in terms of handling, security features, and functionality, established 2FA methods can often not be applied on these devices.

As a first step towards a solution to this issue, A-SIT has systematically analyzed and assessed different approaches to securely implement 2FA methods on current mobile end-user devices. Results of these analyses and assessments have been collected in a survey. This survey basically covers the following aspects:

  • The survey provides a brief overview of underlying concepts of 2FA.
  • It identifies requirements of 2FA methods for mobile end-user devices by means of an abstract model.
  • Existing 2FA approaches are assessed against the identified requirements.
  • Obtained assessment results are used to develop an appropriate solution.
  • The applicability of the developed solution is evaluated by applying it to the concrete use case of server-based signature solutions.
  • The feasibility of the developed solution is assessed by means of a prototype implmentation.

In summary, the survey shows that mobile end-user devices offer various opportunities to implement alternative 2FA methods. Furthermore, the survey shows that these methods can be integrated into existing applications, in order to ensure their security and to prepare them for access by mobile end-user devices.

The survey (available in german only) can be downloaded from the following link:

Alternative Zweifaktorauthentifizierung (DE, PDF)




Security Analysis of Current Smartphone Platforms

Kategorie: IT-Security

A-SIT has published a survey paper regarding the security of current smartphone platforms. Currently the survey is available in German only.

However for detailled information about encryption systems on mobile platforms, you can consult the following publications of A-SIT:

iOS Encryption Systems – Deploying iOS Devices in Security-Critical Environments, SECRYPT 2013 (EN, PDF)
Peter Teufl, Thomas Zefferer, Christof Stromberger, Christoph Hechenblaikner

Android Encryption Systems, PRISMS 2014 (EN, PDF)
Peter Teufl, Andreas Gregor Fitzek, Daniel Hein, Alexander Marsalek, Alexander Oprisnik, Thomas Zefferer





Kategorie: IT-Security

This project consists of tools, that help to create:

  • E-Mail encryption certificates (CRYPT)
  • Encrypting File System (EFS) – certificates
  • Certificates for foreign bPKs  encryption.

All created certificates have the same root certificate. It does not matter which tool is used for initialization, every tool uses the existing root certificate if it already exists.

Weiter lesen…