Online Services Computer Interface

from Wikipedia, the free encyclopedia

Online Services Computer Interface (OSCI) is a collection of network protocols for the German public administration whose common feature is their particular suitability for e-government:

  • OSCI Transport, for the secure, confidential and legally binding transmission of digital data over the Internet, as well as
  • a number of different protocols (the OSCI-XÖV standards) for the XML-based exchange of domain-specific content data between clients and authorities, or between authorities themselves.

OSCI transport protocol

OSCI Transport is a protocol standard for the confidential and secure transmission of messages in a security environment tailored to the German Signature Act. Its development began as part of the Media@Komm city competition. OSCI is primarily tailored to the communication requirements of e-government.

OSCI Transport messages have a two-stage "security container". This makes it possible to strictly separate content data from usage data and to treat the two cryptographically differently. The content data is encrypted by the author of an OSCI Transport message in such a way that only the authorized reader can decrypt it. The usage data is needed by the intermediary to relay messages and to provide value-added services; it is therefore encrypted for the intermediary. The intermediary, however, cannot access the content data. This is often referred to as the "double envelope principle": the encrypted content data is in turn embedded in an encrypted container. Because of this encryption, a man-in-the-middle can read neither the usage data nor the content data.

Each security container (one for usage data, one for content data) allows its respective contents to be digitally signed and encrypted. This ensures the confidentiality, integrity and authenticity of the messages.
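The two-stage container described above, modelled as an added example that is not code from the OSCI specification or from any OSCI library: the author seals the content data for the reader, wraps that sealed container together with the usage data in a second container sealed for the intermediary, and the intermediary can open only the outer one. The cipher suite (AES-GCM for the payload, RSA-OAEP to wrap the content key, RSA-PSS for the author's signature), the Go data structures and the sample message are this example's own assumptions; OSCI Transport defines its own message format and algorithm profile, which this model does not reproduce.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Envelope models one security container: payload encrypted with AES-GCM under a
// fresh key, that key wrapped (RSA-OAEP) for exactly one reader, and the ciphertext
// signed (RSA-PSS) by the author. These algorithm choices are this example's, not OSCI's.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext, Signature []byte
}

// UsageData is what the intermediary needs for relaying; Content is wrapped for the reader only.
type UsageData struct {
	Sender, Recipient, Service string
	Content                    *Envelope
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // CSPRNG, key generation or cipher setup failure is fatal in this demo
	}
	return v
}

// seal encrypts plaintext for readerPub's owner and signs the ciphertext with authorPriv.
func seal(plaintext []byte, readerPub *rsa.PublicKey, authorPriv *rsa.PrivateKey) *Envelope {
	buf := make([]byte, 44) // 32-byte AES-256 key followed by a 12-byte GCM nonce
	must(rand.Read(buf))
	key, nonce := buf[:32], buf[32:]
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	digest := sha256.Sum256(ct)
	return &Envelope{
		WrappedKey: must(rsa.EncryptOAEP(sha256.New(), rand.Reader, readerPub, key, nil)),
		Nonce:      nonce,
		Ciphertext: ct,
		Signature:  must(rsa.SignPSS(rand.Reader, authorPriv, crypto.SHA256, digest[:], nil)),
	}
}

// open verifies the author's signature, then unwraps and decrypts; any other private key fails at the unwrap.
func open(env *Envelope, readerPriv *rsa.PrivateKey, authorPub *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(authorPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, readerPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("not the intended reader: %w", err)
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// BuildMessage applies the double envelope: content sealed for the reader, then usage data plus that inner container sealed for the intermediary.
func BuildMessage(content []byte, usage UsageData, readerPub, intermediaryPub *rsa.PublicKey, author *rsa.PrivateKey) *Envelope {
	usage.Content = seal(content, readerPub, author)
	return seal(must(json.Marshal(usage)), intermediaryPub, author)
}

// Relay is the intermediary's step: open the outer container and read the usage data; the inner container is passed on as received.
func Relay(outer *Envelope, intermediary *rsa.PrivateKey, authorPub *rsa.PublicKey) (usage UsageData, err error) {
	payload, err := open(outer, intermediary, authorPub)
	if err == nil {
		err = json.Unmarshal(payload, &usage)
	}
	return
}

// Demo runs the exchange with constructed keys and a constructed message; it returns what the
// intermediary saw, whether the intermediary could read the content, and what the reader recovered.
func Demo() (UsageData, bool, string, error) {
	newKey := func() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
	author, intermediary, reader := newKey(), newKey(), newKey()
	outer := BuildMessage([]byte("Antrag: Wohnsitz anmelden"), // constructed sample, not real traffic
		UsageData{Sender: "buerger@example.invalid", Recipient: "Meldebehoerde Musterstadt", Service: "Anmeldung"},
		&reader.PublicKey, &intermediary.PublicKey, author)
	usage, err := Relay(outer, intermediary, &author.PublicKey)
	if err != nil {
		return usage, false, "", err
	}
	_, innerErr := open(usage.Content, intermediary, &author.PublicKey) // the intermediary's attempt: must fail
	plain, err := open(usage.Content, reader, &author.PublicKey)        // the authorized reader: succeeds
	return usage, innerErr == nil, string(plain), err
}

func main() {
	usage, leaked, content, err := Demo()
	fmt.Println(usage.Recipient, leaked, content, err)
}
```

Running `Demo` shows the property the text describes: the intermediary recovers the routing information it needs and fails on the inner container, while the reader recovers the content. Because every container also carries the author's signature, a relay or on-path party that modifies either layer is detected at the signature check before any decryption is attempted.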

The public key infrastructure (PKI) shared by OSCI communication partners is, at least for natural persons, usually defined by the German Signature Act; there is therefore no closed user group. Possession of a signature card with a qualified signature certificate under the Signature Act, together with an encryption certificate, is sufficient for OSCI communication. Depending on the security requirements, advanced electronic signatures (without a chip card) can also be useful; these are supported by OSCI Transport as well.

In 2017, security researchers found several serious vulnerabilities in the OSCI Transport 1.2 library (CVE-2017-10668, CVE-2017-10669, CVE-2017-10670). The BSI recorded them in advisory CB-K17/1100. However, according to Governikus there is currently no exploitable threat scenario for OSCI.

OSCI-XÖV standards

Historically, the transport protocols and data formats were developed by the so-called OSCI Control Centre, which has called itself the Coordination Office for IT Standards (KoSIT) since 2011. The OSCI Control Centre also took over the operational project "XML in Public Administration", from which today's XÖV framework arose. Before the OSCI Control Centre was renamed KoSIT, the XÖV data formats were also published under the label "OSCI-XÖV standards".

Literature

  • Christian Welzel: Model-driven software development in e-government. 1st edition. VDM Verlag Dr. Müller, 2008, ISBN 978-3-639-01026-8.

References

  1. Pierluigi Paganini: Severe flaws found in German e-Government OSCI 1.2 Communication Library. In: Security Affairs, July 3, 2017.
  2. BSI - CERT Bund - Reports - CB-K17/1100. Retrieved July 4, 2017.
  3. Governikus KG: No exploitable threat scenario for OSCI. Retrieved July 4, 2017.