Secure Information Technology Center – Austria

13 July 2017

Rich End-to-End Encryption

Category: eGovernment

The recent “Skytrust” project, which moved cryptographic key data from the application to an external service, succeeded in relieving the key data itself from unwanted attention. However, the authentication data used to authorise key usage now takes its place as the weak point. This data is collected by the application and forwarded as required; hence, the application has access to the now very sensitive authentication data. A better approach would be to collect the authentication data outside the application as well. This requires an intermediate authentication data collector service between the application and the key service. An intermediary, however, calls for end-to-end encryption. The challenge is to collect and route the authentication data, and to be able to add it to the communication, without breaking the end-to-end encryption.

Read more…

LOD and LOV for Authorization Concepts

Category: eGovernment

Linked Open Data (LOD) and Linked Open Vocabularies (LOV) deal with the definition of reusable concepts, models, and architectures that facilitate the integration of data and services on a web scale. With the ever-growing heterogeneity of available standards and implementation approaches, such integration faces various barriers that make this process costly and less effective in practice. Open and reusable vocabularies aim to lower these barriers by providing the foundations for conceptual annotations that allow the abstraction and bridging of concepts among different entities and domains in a reusable, scalable and machine-readable manner. LOV, as one of the initiatives supporting the underlying paradigm, has emerged from the DataLift project and is supported by the Open Knowledge Foundation. LOV today represents the largest dataset that systematically gathers, analyzes and presents data about semantic vocabularies from different domains.

Read more…

24 April 2017

Automated Reasoning over Security Policies

Category: Cloud Computing, eGovernment, IT-Security, Web Technologies

Applied approaches to authorization management often focus on a single system or environment, neglecting the need to address the security of data sharing processes that span various entities and organizations.
In the course of this work, we address the shortcomings of existing frameworks by separating authorization management from particular organizations and their business or resource models. We establish a framework that defines abstract means to manage the security of resources distributed across diverse services using unified service and policy description models. Read more…

15 March 2017

Security Aspects of Web-APIs

Category: Cloud Computing, eGovernment, IT-Security, Web Technologies

Web-APIs represent a significant building block of the modern Web. They enable efficient and technology-neutral data and process integration between diverse entities and platforms. As an innovation driver, they facilitate the creation of new business models and products. The broad variety of APIs, as well as the need to efficiently manage their lifecycles, motivated the inception of specifications and tools to ease and accelerate their development and integration in programmatic environments. Read more…

Contextual Data Exchange

Category: Cloud Computing, eGovernment, IT-Security

In this project we present a reusable data structure that addresses the issues of static, inflexible and practically non-interoperable authorization definitions. We first establish the structure, which introduces enhanced expressivity, context-sensitivity and adaptability in descriptions of authorization constraints. We then develop the supporting software component and the web-based interface for definition and inspection of access authorizations established using the proposed structure. Based on that, we present a demonstration prototype and describe the application of the proposed structure both in terms of emerging solutions and existing authorization frameworks.

30 April 2016

Ontologies in the e-Government Domain

Category: eGovernment

In recent years, ontology-based concepts have gained importance, especially in the context of applications related to the Semantic Web. In addition, these concepts are currently the focus of various research activities. The capability to augment stored and processed data with a semantic dimension enables numerous use cases and fields of application.
Read more…

Security Recommendations for the Public Sector

Category: eGovernment, IT-Security

Cryptography is a powerful tool, which—if applied correctly—provides confidentiality, integrity, and authenticity of electronically stored, processed, and transmitted data. Electronic Internet-based services from security-critical fields such as e-government or e-banking would be infeasible without cryptography. Hence, the correct application of cryptographic methods is also of special relevance for public administrations.
Read more…

Analysis of Modern Cross-platform Development Frameworks for Mobile Applications

Category: eGovernment

This study analyzes which security mechanisms are available in popular cross-platform frameworks. It covers the two most popular frameworks, Apache Cordova and Xamarin, and additionally Alpha Anywhere. Alpha Anywhere was selected because of its advertised security features. The selected frameworks cover both development approaches, hybrid and interpreted applications. Apache Cordova and Alpha Anywhere create interpreted applications, while Xamarin creates hybrid applications.

Read more…

21 July 2015

Apache Cordova Cryptography Plugin

Category: eGovernment

This project implements a cryptography plugin for the cross-platform framework Apache Cordova. The plugin is currently available for Android only. It implements the Web Crypto API, so cryptographic methods can be invoked using the interface that API provides. The cryptographic methods are implemented natively, and cryptographic keys are stored using the on-device key storage facilities. As many Android devices use a KeyStore backed by a Secure Element, this cryptography plugin provides protection against software attacks on the key material.

Read more…