No exploitable threat scenario for OSCI

On 30th June 2017, Austrian-based SEC Consult published an advisory regarding possible weak points in the OSCI library version 1.6.1 and referred to it on social media sites. Corresponding actions – an update of the published OSCI library by KoSIT as well as a patch for the intermediary – were already taken in March and February of this year, respectively, and all operators of the intermediary have been informed accordingly.

We emphasise in particular that, according to SEC Consult, the tests were carried out without an intermediary and with a modified library, in a test infrastructure that is not recommended for use. The test scenario does not correspond to any operational scenario known to us within the German eGovernment.

In our opinion, there is no reason to infer a threat to the German eGovernment infrastructure from the possible weak points that were identified and have since been corrected. The principle of the double envelope is a proven method within XÖV scenarios. It means that the encryption of the content data takes place first, followed by the encryption of the transport level. The test was carried out as a proof-of-concept attack on the encryption of the transport level without considering the additional encryption of the content data. This is not a realistic scenario practised in the German OSCI infrastructure.