Secure Information Technology Center – Austria




Automated Reasoning over Security Policies

Kategorie: Cloud Computing, eGovernment, IT-Security, Web Technologies

Applied approaches on authorization management often focus on a single system or environment, neglecting the need to address the security of data sharing processes that span various entities and organizations.
In the course of this work, we address the shortcomings of existing frameworks by separating authorization management from particular organizations, their business or resource models. We establish a framework that defines abstract means to manage the security of resources distributed across diverse services using a unified service and policy description models. Weiter lesen…




Security Aspects of Web-APIs

Kategorie: Cloud Computing, eGovernment, IT-Security, Web Technologies

Web-APIs represent a significant building block of the modern Web. They enable efficient and technology neutral data and process integration between diverse entities and platforms. As an innovation driver, they facilitate the creation of new business models and products. The broad variety of APIs, as well as the need to efficiently manage their lifecycles, motivated the inception of specifications and tools to ease and accelerate their development and integration in programmatic environments. Weiter lesen…

Contextual Data Exchange

Kategorie: Cloud Computing, eGovernment, IT-Security

In this project we present the reusable data structure that addresses the issues of static, inflexible and practically non-interoperable authorization definitions. We first establish the structure that introduces enhanced expressivity, context-sensitivity and adaptability in descriptions of authorization constraints. We then develop the supporting software component and the web-based interface for definition and inspection of access authorizations established using the proposed structure. Based on that, we present a demonstration prototype and describe the application of the proposed structure both in terms of emerging solutions and existing authorization frameworks





Ontologies in the e-Government Domain

Kategorie: eGovernment

During the past years, ontology-based concepts have gained importance especially in the context of applications related to the Semantic Web. In addition, these concepts are currently in the focus of various research activities. The capability to amend stored and processed data by a semantic dimension enables numerous use cases and fields of application.
Weiter lesen…

Security Recommendations for the Public Sector

Kategorie: eGovernment, IT-Security

Cryptography is a powerful tool, which—if applied correctly—provides confidentiality, integrity, and authenticity of electronically stored, processed, and transmitted data. Electronic Internet-based services from security-critical fields such as e-government or e-banking would be infeasible without cryptography. Hence, the correct application of cryptographic methods is also for public administrations of special relevance.
Weiter lesen…

Analysis of Modern Cross-platform Development Frameworks for Mobile Applications

Kategorie: eGovernment

This study analyzes which security mechanisms are available in popular cross-platform frameworks. This study covers the two most popular frameworks, Apache Cordova and Xamarin, and additionally Alpha Anywhere. Alpha Anywhere was selected because of the advertised security features. The selected frameworks cover both development approaches, hybrid and interpreded applications. Apache Cordova and Alpha Anywhere create interpreted applications, while Xamarin creates hybrid applications.

Weiter lesen…




Apache Cordova Cryptography Plugin

Kategorie: eGovernment

This project implements a cryptography plugin for the Cross-Platform Framework Apache Cordova. The plugin is currently available for Android only. The plugin implements the Web Crypto API. Therefore, cryptographic methods can be invoked using the interface provided by the Web Crypto API. The cryptographic methods are implemented natively and cryptographic keys are stored using the on-device key storage facilities. As many Android devices use a KeyStore backed by a Secure Element, this cryptography plugin provides protection against software attacks on the key material.

Weiter lesen…

Analyzing HTTPS services offered by GV.AT domains

Kategorie: eGovernment, IT-Security

In this project several properties of the services offered by domains have been analyzed. The main emphasis of the analysis was placed on services that were offered via HTTPS (SSL, TLS protocols). The results of this analysis are presented in a technical report. In addition to the analysis, a basic framework for the automated analysis has been implemented.
The main results of the analysis are summarized as follows:

  • 1285 services have been analyzed, 763 of those services do not support HTTPS
  • For the 552 services which offer HTTPS the following details were observed:
    • 59 services were configured for HTTPS. The other 463 services offered default HTTPS services (e.g. provider-specific default HTTPS certificates, or non-valid test certificates)
    • The services have then been analyzed for their supported cipher-suites, which have a strong influence on the security of the TLS protocol.
    • cipher

All details are available in the following report (in German):

Use of SHA-1 in certificates

Multiple vendors of web browsers are intending to retire the popular hash algorithm SHA-1 in favour of more recent alternatives. Therefore, guidelines have been elaborated that plan to take a leave of SHA-1 in multiple steps.

The subsequent table illustrates the support for SHA-1 in a chronological manner and highlights the handling according to the browser. The gradual sunset of SHA-1 is shown separated into steps whereas each is assigned an individual color: Notice (green), Warning (yellow) and escalation (red).


During the HTTPS analysis, a list of signature algorithms used on servers of public institutions, has been composed. Based on that, the following key figures can be derived:

  • 41 servers use a certificate which is no longer valid after 1/1/2016.
  • 21 out of 91 certificates are still valid in 2016. Major browsers will consider the affected servers secure, with minor errors.
  • 27 remaining certificates will be still valid after 1/1/2017. As a consequence, they will appear indifferent to unprotected HTTP connections, starting with the release of Google Chrome in version 40.

A detailed description of all deprecation policies and the list of investigated certificates are explained in the following report (in German):

Create and decode CMS in Javascript

Kategorie: eGovernment

In order to process sensitive data in a browser-based application, several cryptographic functions have to be implemented by developers. Currently basic functions as RSA or AES encryption are covered by publicly available Javascript libraries, but they lack the support for advanced mechanisms as Cryptographic Message Syntax or XML signatures. This project implements a demo that provides encryption and decryption using CMS. As the report of this project is available in German only, this article covers the most relevant results.
Weiter lesen…