Upload
calvin-cummings
View
235
Download
0
Tags:
Embed Size (px)
Citation preview
Cryptography and Information Cryptography and Information Security Security Bridging Theory with Practice Bridging Theory with Practice
Personal secure devices, payments and financial transactions
George SharkovEuropean Software Institute - Center Bulgaria
ASTEL “Digital Democracy” Conference, Sofia, May 2008
For internal educational use only! All data copyrighted by ESI, SEI, ESI Center BG, or respective sources as indicated
Submitted by Security Renegades on Wed, 2007-08-15 23:14.
I was just interviewed by a local news station about a story they were doing on daring hackers that have started advertising their abilities to destroy a person’s life for as little as $20 per month. Apparently the deal goes something like this: you make a deal with a hacker to destroy somebody’s life by signing them up online and the hacker will ensure the target can’t get a good job, can’t apply for credit cards, will be denied for loans, etc.
hacker must return to the scene monthly to determine if the target’s life is still truly ruined
Innovative “business”: subscription model
The price of our personalityThe price of our personality
Protected personality Protected personality = =
eID AspectseID AspectsIdentifier
• Uniqueness• Structured according to some context: Name & address, EGN (Social security number), Bank account number, IMSI (International Mobile Subscriber Identity), MSISDN (Mobile Subscriber Integrated Services Digital Network Number), IP-address, URL, MAC
eID token (ID-bearer): Smart Card, SSCD (Secure Signature Creation Device), etc.,
The eID Management (infrastructure): Life cycle, Registration, Security, PKI, interoperability, etc
Service layer: From physical Identification through eAuthentication,eSignature, time stamping, long term storage, third party validation, all applications.
The sad truthThe sad truth
Usability
Convenience
“Unbreakable”
Security
You can make a secure system either by making it so simple you know it's secure, or so complex that no one can find an exploit.
allegedly Dan Geer
Do we make it right?Do we make it right?
VERIFICATION Did we build it right?
Engineering QA
Test plan(s)
Software
Designdocuments
Technicalrequirements
VALIDATION Did we build the right thing?
Userrequirements
Acceptance tests
UserCustomer
User manual
Software System
Standards
Things we usually don’t think Things we usually don’t think aboutabout
Accessibility - disabled people
ICT & security awareness
Information security is not IT issue ONLY
Cost of security
Cost of Cost of Security?Security?
Cost of Nonconformance+
Cost of Conformance
Fraud, Privacy, Internal + External Failures
Prevention+ Assessment (standards)
Worldwide Damage from Digital AttacksWorldwide Damage from Digital Attacks
This chart shows estimates of the average annual worldwide damage from hacking, malware, and spam since 1999. These data are based on figures from mi2G and the authors. 9
ExamplesExamples
Integrated Security Management, Standards
E-administration, document management
E-health
E-procurement, e-bidding, e-signatures
All possible B, C, G combinations
EU ReportsEU Reports
PKI in EU (2006):
http://www.ecom.jp/report/Study_on_PKI_2006_in_EUROPE-FINAL.pdf
Commission eSignature Workshop : December 2007Study on the standardisation aspects of eSignature (Sealed, 2007)http://www.esstandardisation.eu/e_signatures_standardisation.pdf
Implementation of EU-DIR Implementation of EU-DIR 93/9993/99
12
SSCD: Secure Signature Creation Device
EESSIEESSISpesifiserer SignaturdeviceSpesifiserer Signaturdevice
Specifies Qualified Certificates,Signature formats and their Framework
Specifies: Smart Cards, Biometrics and Digital Signature and SSCD
All financed by EU
Legends: White: Basic Certificate (QC/NQC) services, Red stripes: Additional services Solid red: on creation and verification of el.sign.
From Study on the standardisation aspects of eSignature (Sealed, 2007)
EU i2010 eID infrastuctureEU i2010 eID infrastucture
Pioneers: Banks & integrated eIDPioneers: Banks & integrated eID
Austria: January 2005, the first country in the world to offer citizens the possibility to integrate a citizen card in bank cards (agreement between the Ministry of Finance and bank card issuer Europay, a ‘citizen card’ function can be included in all Maestro bank cards issued in Austria).
Cost: Until 31 August 2004, Maestro cardholders were able to exchange their current cards against new ones containing a digital signature at no cost. After that date, this ‘premium’ function costs EUR 12 per year.
Examples: The mobile Examples: The mobile approachapproach
managed IDs for routing and billing purposes.
functions on the handset or in the SIM card.
SIM = recognized as ’Security Element’
A SIM card in a phone = a Smart Card fully integrated with reader and display in combination with networking functions :GSM, IP/Internet, WLAN, BlueTooth, IR and NFC)
Price for a SIM: ranging from 0,8 USD and to a few Euros
3 billion mobile subscribers world-wide today
SIM cards available with PKI key generation and signature functions since 2001
In use: Finland, Sweden, Turkey, Estonia and Norway
SIM card is a SMART CARD
17
BrowseBrowse
Back-Back-endend
SystemSystem
SomeSomeAppli-Appli-cation.cation.
WAPWAPSMSSMSWebWeb
Inter-Inter-FaceFace
modulemodule
SIM PKISIM PKIwirelesswirelessinterfaceinterface
RARACACA
SMS Sign.SMS Sign.ChallengeChallengeFormattingFormatting
ValidationValidation
SIM: KeysSIM: Keys& PKCS#1& PKCS#1
Sign Sign SMSSMS
Transaction Transaction signing etc. signing etc.
PKI-based Services for mCommerce Services: Transaction signing in combination with payment
!
18
PKI-based Services for BankID Services: Login/Authentication + transaction signing
Login & Browse
Login & Browse
Back-Back-endend
SystemSystem
NetBankNetBankAppli-Appli-cationcation
WAPWAPSMSSMSWebWeb
Inter-Inter-FaceFace
modulemodule
SIM PKISIM PKIwirelesswirelessinterfaceinterface
RARACACA
SMS Sign.SMS Sign.ChallengeChallengeFormattingFormatting
ValidationValidation
SIM: KeysSIM: Keys& PKCS#1& PKCS#1
Sign Sign SMSSMS
Login requestLogin requestTransaction Transaction signing etc. signing etc.
Now handled by the banks
19
eHealtheHealth
UICC – elements
UICC UICC ID = ICCIDID = ICCID
12 Mb/s USBFull speed IF
NFC (or other) IF(1 connector)
GSM Allocated(2G/3G) IFs
(5 connectors)
New UICC Architecture / SIM advances
SIM Application ToolkitSIM Application Toolkit
PKI / eIDPKI / eID
PaymentPaymentEMVEMV
MultimediaMultimediaDRM ?DRM ?
TicketingTicketing (DRM !)(DRM !)
ElectronicElectronic Purse Purse
Common Common StorageStorage
USIMUSIMID= IMSIID= IMSI
& MSISDN & MSISDN
SIMSIMID= IMSIID= IMSI
& MSISDN & MSISDN
PhonebookPhonebook
To carrya number of new functions
E-cash versus paper cashE-cash versus paper cash
Micropayment and anonymous e-cash
Electronic purse
Mobile payments: end of the debit andcredit card
End of the privacy
New frauds
WarningsWarnings: PKI obstacles: PKI obstacles
OASIS TC PKI Survey on PKI Obstacles (Source: [OASIS-PKI])
http://www.ecom.jp/report/Study_on_PKI_2006_in_EUROPE-FINAL.pdf
The realityThe reality
•90% of the people in the audience have at least 1 smart card with them
•most of have NOT used a smart card for anything other than
oto make a call/message owithdraw moneyopay for goods/service
•When it comes to securing the computer or the network, the card is NOT there. Why?
Net securityNet security
Confidentiality, Integrity, and Authenticity (CIA) of content?
Smart cards, biometrics, tokens – for identification and coding
Pairing based security – compromise complexity<>usability/reliability
Elliptic curves over a finite fields
Gartner forecastGartner forecast
Business (10 Sq.)
Typical custom
er
Micro & Small
SME
Large-E2-3 weeks, 2 assessors
7-8 days, 2 assessors (L2)
3 days, 1 assessor Level 2
Class C
102
Interview
Level 2Class B
102
Doc. Review
SPI (CMMI)
Inf. Security(ISO 27001)
InfoSec Snapshot
Level 3Class B
Processes
Finances
Customers
Learning
ESI Assessment of SMEs maturityESI Assessment of SMEs maturityInformation as an AssetInformation as an Asset
And BeyondAnd BeyondQuantum cryptography, Quantum Digital Quantum cryptography, Quantum Digital
Signature (QDS)Signature (QDS)
In 1994, Dr. Shor invented an algorithm that would allow a quantum computer to do the calculations simultaneously, factoring numbers hundreds of digits long in perhaps minutes. It can break RSA.
The RSA algorithm was publicly described in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT
In 2001, Shor's algorithm was demonstrated by a group at IBM, who factored 15 into 3 x 5, using a quantum computer with 7 qubits.
And further…And further…
Thank youThank you
George SharkovGeorge Sharkov
[email protected] [email protected]
Credits:Credits:
Presentations Financial Cryptography (Mexico, 2008)Presentations Financial Cryptography (Mexico, 2008)
Presentations Presentations Recent Developments in Cryptography and Information SecurityRecent Developments in Cryptography and Information Security (Bulgaria, 2007) (Bulgaria, 2007)
EU/EC reportsEU/EC reports