Studies & Reports
CRA: Risk Management

The EU Cyber Resilience Act (CRA) entered into force on December 10, 2024. Following an implementation period of 21 or 36 months, standardized cross-sector and cross-area requirements for the cybersecurity of connected hardware and software products will apply Europe-wide. The comprehensive regulatory approach created by the CRA will, for the first time, apply cybersecurity rules to many companies that were not covered by existing product-specific, consumer-specific, or sector-specific regulations. This white paper provides an analysis of cybersecurity risk management within the framework of the CRA, offering both conceptual insights and practical implementation guidance for manufacturers of products with digital elements.
China Electric Vehicle and Connected Vehicle Security and Privacy

The world's largest automotive market, China, is experiencing high growth rates for electric cars. In order to successfully compete in China, international automakers must comply with Chinese cybersecurity, cryptography and data security regulations. Fraunhofer SIT and Fraunhofer Singapore have summarized these in a joint study: It contains an overview of laws and regulations, including the responsible institutions in China, from 2015 until 2021. The study also addresses research and development facilities as well as standardization authorities.
Eberbacher Gespräch: Next Generation Cryptography
R. Niederhagen, M. Waidner, O. Küch

From online banking to the blockchain – most IT security mechanisms for protecting data and digital communication are based on cryptography. Quantum computers and new forms of attacks are threatening many of these IT security mechanisms. How businesses and society can protect the cyber-world from such devastating threats in the future was discussed by experts from business, research, and politics at the “Eberbacher Gespräch” on “Next Generation Cryptography”. The experts’ opinion: Cryptography must become more flexible in order to be able to react quickly to technical changes.
Practical Post-Quantum Cryptography
R. Niederhagen, M. Waidner

Quantum computers are hanging over the security of our information like a sword of Damocles: We do not know when or even if quantum computers will become a reality — but once they arrive, they will break confidentiality, privacy, and authenticity of our modern communication. It will no longer be possible to trust digital certificates and signatures and it will no longer be possible to exchange secret keys for data encryption using current cryptographic primitives like RSA, ECC, DH, DSA, and so on. However, there is hope: The cryptographic community is working on post-quantum cryptography in order to provide alternatives using hard mathematical problems that cannot be broken by quantum computers. There is a zoo of alternative cryptographic primitives and protocols that are under investigation and standardization bodies like NIST and ETSI are starting processes to standardize post-quantum algorithms.
Eberbach Talk on »Security for Industrie 4.0«
M. Waidner, M. Kasper, Th. Henkel, C. Rudolph, O. Küch
07/2015

Information technology (IT) is one of the most important drivers of innovation in production and automation. In Germany, the term Industrie 4.0 summarizes various activities and developments involved in the evolution of industrial processes in production, logistics, automation, etc. Many research and development projects work on different aspects of these developments. In the view of politics, industry, and IT enterprises, sufficient IT security is considered an essential prerequisite for the future of production. However, although many current IT security solutions can be applied in an Industrie 4.0 context, they do not satisfy all requirements of Industrie 4.0 processes. Work needs to be done on underlying security mechanisms as well as on security architectures. The Fraunhofer Institute for Secure Information Technology hosted the Eberbach Workshop »Security in Industrie 4.0« to formulate guidelines and recommendations for a secure Industrie 4.0. Representatives from industry, research, and politics identified the most important practical challenges in the realm of IT security.
Emerging Trends in Software Development & Implications for IT Security: An Explorative Study
Carsten Ochs
SIT-TR-2014-2

There have been numerous transformations in the interrelated realms of software development (SD) and IT security. To form a clear picture of the SD trends and account for their implications, we conducted an explorative study comprising 23 interviews with SD and IT security experts from industry, academia and regulating institutions. The analysis reveals six major trends.
Development of Secure Software with Security by Design
M. Waidner, M. Backes, J. Müller-Quade
SIT-TR-2013-01
This trends and strategy report argues that the development and integration of secure software has to follow the Security by Design principle and defines the corresponding challenges for a practice-oriented research agenda. Software is the most important driver of innovation in many industries today and will remain so in the future. Many vulnerabilities and attacks are due to security weaknesses in application software. During application software development or integration, security issues are either taken into account insufficiently or not at all, which constantly leads to new openings for attacks.
Keywords: Security by Design, Secure Engineering, Software Engineering, Security Development Lifecycle, Application Security, Supply Chain, Software Development
On the Security of Cloud Storage Services
M. Borgmann, T. Hahn, M. Herfert, T. Kunz, M. Richter, U. Viebeg, S. Vowé
SIT-TR-001

The ever-increasing amount of valuable digital data both at home and in business needs to be protected, since its irrevocable loss is unacceptable. Cloud storage services promise to be a solution for this problem. They offer user-friendly, easily accessible and cost-saving ways to store and automatically back up arbitrary data, as well as data sharing between users and synchronization of multiple devices.
However, recent successful attacks on cloud storage providers have shown that the security of cloud storage services is often poor. That is also the result of the study "On the Security of Cloud Storage Services" by the Fraunhofer Institute for Secure Information Technology, which tested different cloud storage providers. None of the providers tested was able to fully meet all the security requirements. The study was updated recently; the alterations are summarized in an addendum.
Keywords: Cloud Computing, Cloud Storage, Security, Privacy, Encryption, Confidentiality, Outsourcing
More studies (available in German only)
- Chancen durch Big Data und die Frage des Privatsphärenschutzes
 Opportunities through Big Data and the Question of Privacy Protection (PDF, 2.07 MB)
- Vertraulichkeitsschutz durch Verschlüsselung
 Privacy by means of encryption (PDF, 2.95 MB)
- Eberbacher Gespräch zu »Sicherheit in der Industrie 4.0«
 Security in Industrie 4.0
- Eberbacher Gespräch »Sichere Softwareentwicklung«
 Secure Software Development (PDF, 3.10 MB)
- Web-Tracking-Report 2014
 (PDF, 4.79 MB)
- Herausforderungen für die IT-Sicherheitsforschung
 Challenges for IT security research (PDF, 408 KB)
- Sicherheitstechnik im IT-Bereich
 Security Technology in the IT Sector (PDF, 1.18 MB)
- Privatsphärenschutz und Vertraulichkeit im Internet
 Privacy Protection and Confidentiality in the Internet (PDF, 661 KB)
- Soziale Netzwerke bewusst nutzen
 Awareness in the use of social networks (PDF, 3.62 MB)
- Eberbacher Gespräch zu »Cloud Computing«
 Cloud Computing
- Untersuchung von reputationsbasierten Schutzmechanismen gegen Malware-Angriffe in Browsern
 Analysis of protection mechanisms against malware attacks in browsers (PDF, 2.53 MB)