Secure Information Technology Center – Austria

Flexible Communication using cross platform and web technologies

Category: Web Technologies

Web technologies, as used in web applications and cross-platform applications, offer all the capabilities required to build full-fledged applications.
One identified drawback is the lack of direct communication between different instances of these applications. In this project, different approaches were analyzed to solve this issue and to provide a ready-to-use framework for various kinds of applications.
One of the analyzed approaches was examined in depth, implemented, and can be downloaded here.


Static Analysis of iOS Applications

Category: IT-Security

The behavioral analysis of mobile applications for Apple iOS is still a very challenging procedure, both in terms of the time and the resources required. In the end, it is usually not clear which measures an application takes to protect sensitive data. Similarly, it is difficult to determine whether apps violate established security principles, for example in the way cryptographic functions are used, and thus facilitate attacks on critical data.

CA-less Authentication of Cloud Services

Category: IT-Security

Recent advances in web technology, such as WebRTC, have paved the road for providing short-lived services on end-user devices. Like legacy services (static and stationary), short-lived services need to be authenticated as well. This project evaluates and compares different authentication methods that might be suitable for short-lived services without relying on traditional certification authority (CA) structures.


Orchestration of distributed cloud applications

Category: IT-Security

Today, many web services offer a separate interface in the form of a Web API that enables data exchange and the consumption of remote services. However, the management of the security aspects of these interfaces is often complex and opaque. Considering the role of Web APIs as a cornerstone and driver of the modern Internet and of cross-domain transactions, it is necessary to reconsider the modeling of the underlying security features and data models applied in cross-domain communication.


Analysis of Car-Applications

Category: IT-Security

Due to the sustained popularity of mobile communication technologies in recent years, they are now heavily deployed in the automotive sector. One example of this is mobile applications that allow drivers to interact with their vehicles. Locking and unlocking the car, or remotely starting the climate control and the pre-heating, are only some of the possible use cases for such applications.

However, several incidents in the past have shown that the applications provided by manufacturers are not resilient to attacks and thus compromise the security of the overall system. Mobile automotive applications are therefore a field that can benefit from the correct use of secure information and communication technologies.


Contextual Data Exchange

Category: Cloud Computing, eGovernment, IT-Security

In this project we present a reusable data structure that addresses the issues of static, inflexible and practically non-interoperable authorization definitions. We first establish a structure that introduces enhanced expressivity, context-sensitivity and adaptability in descriptions of authorization constraints. We then develop the supporting software component and a web-based interface for the definition and inspection of access authorizations established using the proposed structure. Based on that, we present a demonstration prototype and describe the application of the proposed structure both to emerging solutions and to existing authorization frameworks.


Flexible Two-Factor Authentication with FIDO

Category: Electronic signatures, IT-Security

FIDO Universal Second Factor (U2F) is an industry standard for generally applicable two-factor authentication. Using a USB security token, users can authenticate against a variety of web services. A key feature of the U2F concept is that the corresponding hardware element is physically connected to the computer during the registration process, so that the web browser can interact with it directly via a suitable interface. The wide applicability of FIDO U2F presupposes that a certified hardware element is available. This impedes, for example, the use of U2F on smartphones, since it is often not feasible to connect USB tokens to these devices. Due to lack of support, NFC is often not a viable alternative either.

13 July 2016

Server-side Solutions for Cloud-based Mobile Augmentation

Category: Cloud Computing, IT-Security

Although mobile end-user devices are getting more and more powerful, they still suffer from limited processing capabilities and battery capacity. To address this problem, the augmentation of mobile devices with resources from surrounding devices or with cloud-based resources has gained popularity in recent years. Existing solutions that follow this approach and offload computationally intensive tasks already yield good results for specific use cases. Unfortunately, most of these solutions are tailored to specific operating systems or programming languages and do not support the flexible usage of resources. To overcome these limitations, we introduce a secure and flexible resource discovery solution for mobile augmentation systems.

14 June 2016

Dynamic Key Usage Policies

Category: Cloud Computing, IT-Security

More and more data and resources are being moved to the cloud. Even cryptographic primitives benefit from the advantages of the cloud. However, state-of-the-art authentication methodologies and defense strategies mostly cannot fend off attacks while simultaneously allowing the legitimate user to keep using the service. The legitimate user is often required to perform manual steps to regain access to the service. Denial-of-service attacks against a user therefore remain effective.

Certificate Status Application

Category: Electronic signatures

The Certificate Status Tool is designed to provide certificate status information based on manually defined trust anchors as well as on the EU Trusted Lists of Certification Service Providers (TSL). This status information includes OCSP- and CRL-based revocation information. The tool also directly supports querying LDAP services for certificates. Some services are configured by default (in particular those used by the Austrian Citizen Card). Users can update the list of configured services using the provided Online Update functionality; in addition, the configuration can be extended locally. Version 3.2.0 introduces an interactive TSL explorer.
