Secure Information Technology Center – Austria

Browser Addon for Certificate Validation using EU Trust Lists

Category: Electronic signatures, IT-Security

For demonstration purposes, A-SIT has developed an add-on for Mozilla Firefox that verifies and displays the trust status of a website certificate according to the EU Trust List (TL). The extension adds a symbol to the browser's address bar indicating whether the certificate of an HTTPS-protected website is trustworthy under the eIDAS regulation, as determined via the TL. Inspired by the common use of a coloured lock icon to signal trust status in browsers, the add-on displays a blue EU flag for trustworthy domains and a crossed-out flag for untrustworthy ones, once the browser's own handshake validation has completed. The user can also learn more about the validation results by clicking on the icon, which then shows certificate characteristics as well as TL-specific attributes.

Read more…

Flexible Two-Factor Authentication with FIDO

Category: Electronic signatures, IT-Security

FIDO Universal Second Factor (U2F) is an industry standard for generally applicable two-factor authentication. Using a USB security token, users can authenticate to a variety of web services. A key feature of the U2F concept is that the hardware element is physically connected to the computer during the registration process, so that the web browser can interact with it directly via a suitable interface. The wide applicability of FIDO U2F presupposes that a certified hardware element is available. This hinders, for example, the use of U2F applications on smartphones, since it is often not feasible to connect USB tokens to these devices. Due to lack of support, NFC is often not a viable alternative either.

Read more…

Certificate Status Application

Category: Electronic signatures

The Certificate Status Tool is designed to provide certificate status information based on manually defined trust anchors as well as the EU Trusted Lists of Certification Service Providers (TSL). This status information includes OCSP- and CRL-based revocation information. The tool also directly supports querying LDAP services for certificates. Some services are configured by default (in particular those used by the Austrian Citizen Card). Users can update the list of configured services using the provided Online Update functionality, and the configuration can also be extended locally. Version 3.2.0 introduces an interactive TSL explorer.

Read more…

Cloud-based signature solutions: a survey

Category: Electronic signatures

Cloud-based signing solutions are on the rise and attempt to revolutionize business processes while integrating well into cloud storage infrastructures. The combination promises faster process flows for signing a contract than the classic paper-based approach. In this survey we reviewed seven representative cloud-based signature services and assessed them with respect to the cryptographic features they provide, the interfaces they offer, the authentication methods they support and the key storage implementations they use. We found that multi-factor authentication and hardware security module back-ends are common features. Interfaces range from APIs and web user interfaces to proprietary applications. Yet there are shortcomings in flexibility and security.

Read more…

Signature verification in the cloud

Category: Electronic signatures

E-Government services can benefit from being hosted as cloud services, which allow for better scaling and a significant reduction of cost. When deploying existing web services, however, administrators often face various restrictions and challenges. This project analyses the suitability of some of the basic building blocks of the Austrian e-Government services for cloud deployment. In particular, we tried to deploy the Signature Verification Service, and therefore services such as MOA-SPSS, in cloud environments. The project analyses only the technical restrictions regarding cloud deployment and does not take any legal implications into account.

Read more…