In this project, we developed a configurable software encryption module. This module was used to encrypt data on a mobile device via a bandwidth-constrained medium, making efficiency in terms of data format and power consumption critical requirements. We implemented a software component that enabled the segmentation into secured and public areas, as well as the protection of data in the public area.

The solution utilized a certified cryptographic library for the implementation of low-level encryption algorithms, as well as a smart card with PIN for key generation and management. Additionally, we prepared the necessary documentation for successful certification, which was comparable to Common Criteria EAL4.

This project focused on defining communication protocols for vehicle services in the context of car-to-infrastructure communication.

To gain customer trust in these connected services and meet regulatory requirements, confidential and authenticated service usage as well as data protection play an essential role. Authentication and authorization were designed using the OAuth2 and OIDC protocols.

Together with the client, we developed a secure, multi-user connected system consisting of server components and client nodes. A publicly available operating system was hardened and further modified to utilize smart cards for security.

Cryptography was used for both data at rest protection and communication security. Firewalls were employed for network segmentation. The trust base was established through a Public Key Infrastructure (PKI), with keys secured by a Hardware Security Module (HSM). Additionally, dynamic security policies for client nodes could be configured.

For an embedded device in a critical infrastructure (KRITIS) environment, we secured an existing Linux security architecture.

Only a few components were modified, and an SELinux policy was created to isolate different areas of the operating system. 

A customer employee was trained to perform maintenance and adjustments of the SELinux policy internally. 

We also supported the documentation for certification according to Common Criteria EAL4.

We provided consulting services to a government organization regarding organizational processes for the use of PKI services for trustworthy authentication and encryption.

Furthermore, the infrastructure and its processes were upgraded to a security level that complies with post-2022 security standards, ensuring suitability for governmental communication.

We evaluated the requirements for encryption and signature algorithms, the capabilities of HSMs, as well as the policies and processes of the Certificate Authority (CA).

We developed software for full disk encryption to protect data at rest.

Originally developed for Windows and Linux, this software is now the leading standard in its category. Unlocking the encrypted disk is performed via a smart card. Regular updates have been carried out to meet increasing security requirements.

A PKI enabled multi-user access. The software was certified for the German security level "VS – Nur für den Dienstgebrauch" (comparable to NATO RESTRICTED).