Thomas Zefferer
Graz University of Technology
Publication
Featured researches published by Thomas Zefferer.
2014 International Conference on Privacy and Security in Mobile Systems (PRISMS) | 2014
Peter Teufl; Andreas Fitzek; Daniel M. Hein; Alexander Marsalek; Alexander Oprisnik; Thomas Zefferer
The high usability of smartphones and tablets is embraced by consumers as well as the corporate and public sector. However, especially in the non-consumer area, security plays a decisive role in the platform-selection process. All of the current companies within the mobile device sector added a wide range of security features to the initially consumer-oriented devices (Apple, Google, Microsoft), or have dealt with security as a core feature from the beginning (RIM, now BlackBerry). One of the key security features for protecting data on the device or in device backups is encryption, which is available in the majority of current devices. However, even under the assumption that the systems are implemented correctly, there is a wide range of parameters, specific use cases, and weaknesses that need to be considered when deploying mobile devices in security-critical environments. As the second part in a series of papers (the first part was on iOS), this work analyzes the deployment of the Android platform and the usage of its encryption systems within a security-critical context. For this purpose, Android's different encryption systems are assessed and their susceptibility to different attacks is analyzed in detail. Based on these results a workflow is presented, which supports deployment of the Android platform and usage of its encryption systems within security-critical application scenarios.
electronic government | 2010
Arne Tauber; Bernd Zwattendorfer; Thomas Zefferer; Yasmin Mazhari; Eleftherios Chamakiotis
In the last years several EU Member States have rolled out smartcard-based electronic ID (eID) solutions to their citizens. Not all of these solutions are directly compatible with each other. However, with respect to the i2010 e-Government initiative and the upcoming EU Services Directive, cross-border identification and authentication is now on the agenda of all EU Member States. In this paper we present a smartcard-based eID identification and authentication solution, which supports smartcards from different Member States. The proposed solution can be easily integrated into existing authentication and identity management solutions and does not necessarily require any additional client software to be installed by citizens.
Rainbow of computer science | 2011
Karl C. Posch; Reinhard Posch; Arne Tauber; Thomas Zefferer; Bernd Zwattendorfer
In the past, contact with public authorities often appeared as a winding way for citizens. Enabled by the tremendous success of the Internet, public authorities aimed to react to that shortcoming by providing various governmental services online. Due to these services, citizens are not forced to visit public authorities during office hours only but now have the possibility to manage their concerns everywhere and anytime. Additionally, this user-friendly approach also decreases costs for public authorities. Austria was one of the first countries that seized this trend by setting up a nation-wide eGovernment infrastructure. The infrastructure builds upon a solid legal framework supported by various technical concepts preserving security and privacy for citizens. These efforts have already been awarded in several international benchmarks that have reported a 100% online availability of eGovernment services in Austria. In this paper we present best practices that have been followed by the Austrian eGovernment and that have paved the way for its success. By virtually following a traditional governmental procedure and mapping its key stages to corresponding online processes, we provide an insight into Austria's comprehensive eGovernment infrastructure and its key concepts and implementations. This paper introduces the most important elements of the Austrian eGovernment and shows how these components act in concert in order to realize secure and reliable eGovernment solutions for Austrian citizens.
acm symposium on applied computing | 2010
Thomas Zefferer; Thomas Knall
Secure and efficient decision making processes are of particular importance especially for small and medium-sized enterprises. In this context, delocalization of responsible decision makers often leads to decision making processes relying on circular resolutions. Although circular resolutions based on written consent are usually efficiently manageable for a limited number of decision makers, involving a potentially large number of persons inevitably complicates these processes in practice. In this paper, a circular resolution database system that addresses this problem is introduced. Our solution, which is based on the Austrian citizen card concept, makes use of qualified electronic signatures that provide means for secure authentication of users as well as for electronic signing of digital documents. By enhancing decision making processes in terms of security, usability, and effectiveness while assuring auditing acceptability, the presented circular resolution database system especially contributes to the future competitiveness of small and medium-sized enterprises.
mobile cloud computing & services | 2015
Andreas Reiter; Thomas Zefferer
Despite their steadily increasing capabilities, mobile end-user devices such as smart phones often suffer from reduced processing and storage resources. Cloud-based mobile augmentation (CMA) has recently emerged as a potential solution to this problem. CMA combines concepts of cloud computing and surrogate computing in order to offload resource-intensive tasks to external resources. During the past years, different CMA frameworks have been introduced that enable the development and usage of CMA-based applications. Unfortunately, these frameworks have usually not been designed with security in mind but instead mainly focus on efficient offloading and reintegration mechanisms. Hence, reliance on CMA concepts in security-critical fields of application is currently not advisable. To address this problem, this paper surveys currently available CMA frameworks and assesses their suitability and applicability in security-critical fields of application. For this purpose, relevant security requirements are identified and mapped to the surveyed CMA frameworks. Results obtained from this assessment show that none of the surveyed CMA frameworks is currently able to meet all relevant security requirements. By identifying security limitations of currently available CMA frameworks, this paper represents a first important step towards development of a secure CMA framework and hence paves the way for a use of CMA-based applications in security-critical fields of application.
international conference on web information systems and technologies | 2015
Florian Reimair; Peter Teufl; Thomas Zefferer
Today’s applications need to work with a heterogeneous collection of platforms. Servers, desktops, mobile devices, and web browsers share data and workload. Many of these applications handle sensitive data or even have security as their core feature. Secure messaging, password storage, encrypted cloud storage applications and the like make use of cryptographic algorithms and protocols. These algorithms and protocols require keys. The keys in turn have to be provisioned, securely stored, and shared between various devices. Unfortunately, handling the keys and the availability of cryptographic APIs evokes non-trivial challenges in current heterogeneous platform environments. Also, the implementation of APIs supporting cryptographic protocols on arbitrary platforms requires significant effort, which is a major challenge when new cryptographic protocols become available. Our approach, the Crypto Service Interoperability Layer (CrySIL), enables applications to securely store/use/share key material and supports a wide range of cryptographic protocols and algorithms on heterogeneous platforms. CrySIL complements existing solutions that mitigate the aforementioned problems through central services by allowing for more flexible deployment scenarios. In this work, we explain the motivation of CrySIL, describe its architecture, highlight its deployment in a typical heterogeneous application use case and reflect on achievements and shortcomings.
information security conference | 2013
Peter Teufl; Thomas Zefferer; Christof Stromberger
The initially consumer-oriented iOS and Android platforms, and the newly available Windows Phone 8 platform, start to play an important role within business-related areas. Within the business context, the devices are typically deployed via mobile device management (MDM) solutions, or within the bring-your-own-device (BYOD) context. In both scenarios, the security depends on many platform security functions, such as permission systems, management capabilities, screen locks, low-level malware protection systems, and access and data protection systems. Especially the latter play a crucial role for the security of stored data. While the access protection part is related to the typically used passcodes that protect the smartphone from unauthorized tampering, the data protection facility is used to encrypt the core assets – the application data and credentials. The applied encryption protects the data when access to the smartphone is gained either through theft or malicious software. While all of the current platforms support these systems and market these features extensively within the business context, there are huge differences in the implemented systems that need to be considered for deployment scenarios that require high security levels. Even under the assumption that the underlying encryption systems are implemented correctly, the heterogeneity of the systems allows for a wide range of attacks that exploit various issues related to deployment, development and configuration of the different systems.
electronic government | 2011
Thomas Knall; Arne Tauber; Thomas Zefferer; Bernd Zwattendorfer; Arnaldur Axfjord; Haraldur Bjarnason
Secure user authentication, provision of identity attributes, privacy preservation, and cross-border applicability are key requirements of security and privacy sensitive ICT based services. The EU large scale pilot STORK provides a European cross-border authentication framework that satisfies these requirements by establishing interoperability between existing national eID infrastructures. To allow for privacy preservation, the developed framework supports the provision of partial identity information and pseudonymization. In this paper we present the pilot application SaferChat that has been developed to evaluate and demonstrate the functionality of the STORK authentication framework. SaferChat makes use of age claim based authentication mechanisms that allow for an online environment where kids and teenagers are able to communicate with their peers in a safe way. We first identify relevant prerequisites for the SaferChat pilot application and then give an introduction to the basic architecture of the STORK authentication framework. We finally show how this framework has been integrated into the SaferChat pilot application to meet the identified requirements and to implement a secure and privacy preserving cross-border user authentication mechanism.
mobile cloud computing & services | 2016
Andreas Reiter; Thomas Zefferer
Although mobile end-user devices are getting more and more powerful, they still suffer from limited processing capabilities and battery capacities. To address this problem, the augmentation of mobile devices with resources from surrounding devices or with cloud-based resources has gained popularity in recent years. Existing solutions that follow this approach and offload computationally intensive tasks already yield great results for specific use cases. Unfortunately, most of these solutions are tailored to specific operating systems or programming languages, and do not support the flexible usage of resources. Furthermore, existing solutions implicitly assume external resources to be trustworthy, which is usually not the case in practice. To overcome these limitations, we introduce a secure and flexible resource-discovery solution for mobile augmentation systems especially targeting the pervasive-computing paradigm. This solution enables a dynamic use of external resources and assures that security-critical computations are offloaded to trusted resources only. We demonstrate the feasibility and applicability of our proposed solution by means of a proof-of-concept implementation. The potential of this implementation to improve performance and save energy at the same time is evaluated by means of two resource-intensive applications. Obtained evaluation results show that the proposed solution significantly speeds up applications on mobile devices and reduces their power consumption by 50%. Thus, the proposed solution enables fast, secure, and energy-saving execution of complex mobile applications.
ieee acm international symposium cluster cloud and grid computing | 2017
Andreas Reiter; Bernd Prünster; Thomas Zefferer
Many different technologies fostering and supporting distributed and decentralized computing scenarios emerged recently. Edge computing provides the necessary on-demand computing power for Internet-of-Things (IoT) devices where it is needed. Computing power is moved closer to the consumer, with the effect of reducing latency and increasing fail-safety due to absent centralized structures. This is an enabler for applications requiring high-bandwidth uplinks and low latencies to computing units. In this paper, a new use case for edge computing is identified. Mobile devices can overcome their battery limitations and performance constraints by dynamically using the edge-computing-provided computational power. We call this new technology Hybrid Mobile Edge Computing. We present a general architecture and framework, which targets the mobile device use case of hybrid mobile edge computing, not only considering the improvement of performance and energy consumption, but also providing means to protect user privacy, sensitive data and computations. The achieved results are backed by the results of our analysis, targeting the energy saving potentials and possible performance improvements.