Data security and trustworthiness in online public services: An assessment of Portuguese institutions

Providing public services through the internet is an effective approach towards an encompassing number of citizens being covered by them and for cost reduction. However, the fast development of this area has fostered discussion and legislation regarding information security and trustworthiness. In addition to security mechanisms for data processed and stored internally, service providers must ensure that data exchanged between their servers and citizens are not intercepted or modified when traversing heterogeneous and uncontrolled networks. Moreover, such institutions should provide means enabling the citizen to verify the authenticity of the services offered. In this way, the present work provides a comprehensive overview regarding the security posture of Portuguese public institutions in their online services. It consists of non-invasive robustness evaluation of the deployed solutions for end-to-end data encryption and the correct use of digital certificates. As a result, we provide some recommendations aiming to enhance the current panorama in the majority of the 111 online services considered in this study.This paper is a result of the project SmartEGOV: Harnessing EGOV for Smart Governance (Foundations, Methods, Tools) NORTE-01-0145-FEDER-000037, supported by Norte Portugal Regional Operational Programme (NORTE 2020), under the PORTUGAL 2020 Partnership Agreement, through the European Regional Development Fund (EFDR)

The main stages of development of the cryptographic protocols SSL/TLS and IPsec

Рассматриваются основные этапы развития криптографических протоколов от SSL 2.0 (Secure Socket Layer) до TLS 1.3 (Transport Layer Security), обеспечивающих защиту данных транспортного уровня модели OSI. Приводится краткое описание модификации протокола RuTLS, построенного на базе TLS 1.3, и их основные отличия. Развитие IPsec, предоставляющего криптографическую защиту коммуникаций на сетевом уровне модели OSI, рассмотрено на примерах развития трёх наиболее часто применяемых протоколов, на основе которых он строится. В их число входят IKE (Internet Key Exchange), AH (Authentication Header), ESP (Encapsulation Security Payload)

The SAVE System: Secure Architecture for Voting Electronically: Existing Technology, with Built-in Redundancy, Enables Reliability

Existing technology is capable of yielding secure, reliable, and auditable voting systems. This system outlines an architecture based on redundancy at each stage of the ballot submission process that is resistant to external hacking and internal insertion of malicious code. The proposed architecture addresses all layers of the system beyond the point when a voter commits the ballot. These steps include the verification of eligibility to vote, authentication, and aggregation of the vote. A redundant electronic audit trail keeps track of all of the votes and messages received, rendering a physical paper trail unnecessary. There is no single point of failure in the system, as none of the components at a particular layer relies on any of the others; nor is there a single component that decides what tally is correct. Each system arrives at the result on its own. Programming time for implementation is minimal. The proposed architecture was written in Java in a short time. A second programmer was able to write a module in less than a week. Performance and reliability are incrementally improvable by separate programmers writing new redundant modules

A security analysis of email communications

The objective of this report is to analyse the security and privacy risks of email communications and identify technical countermeasures capable of mitigating them effectively. In order to do so, the report analyses from a technical point of view the core set of communication protocols and standards that support email communications in order to identify and understand the existing security and privacy vulnerabilities. On the basis of this analysis, the report identifies and analyses technical countermeasures, in the form of newer standards, protocols and tools, aimed at ensuring a better protection of the security and privacy of email communications. The practical implementation of each countermeasure is evaluated in order to understand its limitations and identify potential technical and organisational constrains that could limit its effectiveness in practice. The outcome of the above mentioned analysis is a set of recommendations regarding technical and organisational measures that when combined properly have the potential of more effectively mitigating the privacy and security risks of today's email communications.JRC.G.6-Digital Citizen Securit

DTKI: a new formalized PKI with no trusted parties

The security of public key validation protocols for web-based applications has recently attracted attention because of weaknesses in the certificate authority model, and consequent attacks. Recent proposals using public logs have succeeded in making certificate management more transparent and verifiable. However, those proposals involve a fixed set of authorities. This means an oligopoly is created. Another problem with current log-based system is their heavy reliance on trusted parties that monitor the logs. We propose a distributed transparent key infrastructure (DTKI), which greatly reduces the oligopoly of service providers and allows verification of the behaviour of trusted parties. In addition, this paper formalises the public log data structure and provides a formal analysis of the security that DTKI guarantees.Comment: 19 page

Security for constrained IoT devices

Tese de mestrado, Segurança Informática, Universidade de Lisboa, Faculdade de Ciências, 2020In the recent past the Internet of Things has been the target of a great evolution, both in terms of applicability and of use. Society increasingly wants to use and massify the IoT to obtain information and act in the environment, for example, to remotely control an irrigation system. The reduction in the cost of devices and the constant evolution of personal mobile devices has largely contributed to their spread. However, its implementation is carried out in adverse environments and outside the typical information systems. The devices are, as a rule, limited in terms of resources, both computation and memory. The applicability to the IoT of the security techniques already known to conventional systems has therefore to be adapted, because it does not take into account the characteristics of the resources of the devices and require additional load when exchanging messages between these system elements. In addition, the development of applications is difficult because there is not yet developed tools and standards as there are for the traditional HTTPS or TLS when considering conventional systems. In this work, we intend to present a prototype of a low-cost solution (compared to existing equivalent solutions) that uses a secure communication channel based on standard protocols. An application is also developed based on technologies more familiar to programmers, similar to traditional Web development. We took into account the ”Green By Web” project as a case study. We have concluded that it is possible to have a secure communication, using UDP/DTLS over the CoAP protocol. With this approach we optimized the number of exchanged messages between the client and the server to be up to 8 times less and their size to be up to 10%, comparing against applications that use TCP/TLS connections, such as web applications that use HTTPS. This allows the energy spent by the low-cost components to be lower and increases their battery lifetime