Page 1

Cryptography and Information Security: Bridging Theory with Practice

Personal secure devices, payments and financial transactions

George Sharkov, European Software Institute - Center Bulgaria

ASTEL “Digital Democracy” Conference, Sofia, May 2008

For internal educational use only! All data copyrighted by ESI, SEI, ESI Center BG, or respective sources as indicated

Page 2

Submitted by Security Renegades on Wed, 2007-08-15 23:14.

I was just interviewed by a local news station about a story they were doing on daring hackers that have started advertising their abilities to destroy a person’s life for as little as $20 per month. Apparently the deal goes something like this: you make a deal with a hacker to destroy somebody’s life by signing them up online and the hacker will ensure the target can’t get a good job, can’t apply for credit cards, will be denied for loans, etc.

hacker must return to the scene monthly to determine if the target’s life is still truly ruined

Innovative “business”: subscription model

The price of our personality

Page 3

Protected personality =

eID Aspects

Identifier

• Uniqueness
• Structured according to some context: Name & address, EGN (Social security number), Bank account number, IMSI (International Mobile Subscriber Identity), MSISDN (Mobile Subscriber Integrated Services Digital Network Number), IP-address, URL, MAC

eID token (ID-bearer): Smart Card, SSCD (Secure Signature Creation Device), etc.

The eID Management (infrastructure): Life cycle, Registration, Security, PKI, interoperability, etc.

Service layer: From physical Identification through eAuthentication, eSignature, time stamping, long term storage, third party validation, to all applications.

Page 4

The sad truth

Usability

Convenience

“Unbreakable”

Security

Page 5

You can make a secure system either by making it so simple you know it's secure, or so complex that no one can find an exploit.

allegedly Dan Geer

Page 6

Do we make it right?

V-model diagram: VERIFICATION (Did we build it right?) covers Engineering QA, test plan(s), software, design documents and technical requirements; VALIDATION (Did we build the right thing?) covers user requirements, acceptance tests, the user/customer, the user manual, the software system and standards.

Page 7

Things we usually don’t think about

Accessibility - disabled people

ICT & security awareness

Information security is not ONLY an IT issue

Cost of security

Page 8

Cost of Security?

Cost of Security = Cost of Nonconformance + Cost of Conformance

Cost of Nonconformance: Fraud, Privacy, Internal + External Failures

Cost of Conformance: Prevention + Assessment (standards)

Page 9

Worldwide Damage from Digital Attacks

This chart shows estimates of the average annual worldwide damage from hacking, malware, and spam since 1999. These data are based on figures from mi2G and the authors.

Page 10

Examples

Integrated Security Management, Standards

E-administration, document management

E-health

E-procurement, e-bidding, e-signatures

All possible B, C, G combinations

Page 11

EU Reports

PKI in EU (2006):

http://www.ecom.jp/report/Study_on_PKI_2006_in_EUROPE-FINAL.pdf

Commission eSignature Workshop: December 2007

Study on the standardisation aspects of eSignature (Sealed, 2007)

http://www.esstandardisation.eu/e_signatures_standardisation.pdf

Page 12

Implementation of EU-DIR 93/99

SSCD: Secure Signature Creation Device

EESSI: Specifies signature device

Specifies Qualified Certificates,Signature formats and their Framework

Specifies: Smart Cards, Biometrics and Digital Signature and SSCD

All financed by EU

Page 13

Legend: White: basic certificate (QC/NQC) services; red stripes: additional services; solid red: creation and verification of electronic signatures.

From Study on the standardisation aspects of eSignature (Sealed, 2007)

Page 14

EU i2010 eID infrastructure

Page 15

Pioneers: Banks & integrated eID

Austria: January 2005, the first country in the world to offer citizens the possibility to integrate a citizen card in bank cards (agreement between the Ministry of Finance and bank card issuer Europay, a ‘citizen card’ function can be included in all Maestro bank cards issued in Austria).

Cost: Until 31 August 2004, Maestro cardholders were able to exchange their current cards against new ones containing a digital signature at no cost. After that date, this ‘premium’ function costs EUR 12 per year.

Page 16

Examples: The mobile approach

managed IDs for routing and billing purposes.

functions on the handset or in the SIM card.

SIM = recognized as ’Security Element’

A SIM card in a phone = a Smart Card fully integrated with reader and display, in combination with networking functions (GSM, IP/Internet, WLAN, Bluetooth, IR and NFC)

Price for a SIM: ranging from 0.8 USD to a few euros

3 billion mobile subscribers world-wide today

SIM cards available with PKI key generation and signature functions since 2001

In use: Finland, Sweden, Turkey, Estonia and Norway

SIM card is a SMART CARD

Page 17

PKI-based Services for mCommerce Services: Transaction signing in combination with payment

Architecture diagram: the user browses some application through a WAP/SMS/Web interface module in front of the back-end system; the back-end talks to the RA/CA and to a SIM PKI wireless interface that handles SMS signing (challenge formatting and validation); the SIM holds the keys and PKCS#1 and signs the SMS (transaction signing etc.).

Page 18

PKI-based Services for BankID Services: Login/Authentication + transaction signing

Architecture diagram: the user logs in and browses the NetBank application through a WAP/SMS/Web interface module in front of the back-end system; the back-end talks to the RA/CA and to a SIM PKI wireless interface that handles SMS signing (challenge formatting and validation); the SIM holds the keys and PKCS#1 and signs the SMS (login request, transaction signing etc.).

Now handled by the banks
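The challenge/response flow of the two diagrams above (challenge formatting in the back-end, "Sign SMS" on the SIM with its PKCS#1 keys, validation against the key obtained via the RA/CA), as an added Go simulation that is not part of the original presentation or of any BankID product. The SHA-256 digest, the 128-bit nonce, the newline framing of nonce and transaction text, and the sample transaction text are assumptions made for this example; the SMS/WAP transport is left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
)

// Challenge: a one-time nonce bound to the transaction text shown to the user (the back-end pushes it to the SIM over SMS in the slide).
type Challenge struct{ Nonce, Text string }
func (c Challenge) digest() []byte {
	h := sha256.Sum256([]byte(c.Nonce + "\n" + c.Text)) // framing is an assumption of this example
	return h[:]
}

// SIM keeps the private key on the card; SignSMS is the slide's "Sign SMS"
// step, a PKCS#1 v1.5 signature over SHA-256 of the challenge.
type SIM struct{ Key *rsa.PrivateKey }
func (s *SIM) SignSMS(c Challenge) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, s.Key, crypto.SHA256, c.digest())
}

// BackEnd is the validation module: it issues challenges and checks responses
// against the subscriber's public key (obtained via the RA/CA in the slide).
type BackEnd struct {
	Pub     *rsa.PublicKey
	pending map[string]Challenge // nonces issued but not yet consumed
}
func NewBackEnd(pub *rsa.PublicKey) *BackEnd {
	return &BackEnd{Pub: pub, pending: map[string]Challenge{}}
}
func (b *BackEnd) Issue(text string) (Challenge, error) {
	n := make([]byte, 16) // 128-bit random nonce; a guessable one would allow pre-signing
	if _, err := rand.Read(n); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Nonce: hex.EncodeToString(n), Text: text}
	b.pending[c.Nonce] = c
	return c, nil
}

// Validate accepts each nonce once and only over the text the back-end issued,
// so a replayed SMS or an altered amount fails even with a valid signature.
func (b *BackEnd) Validate(c Challenge, sig []byte) bool {
	issued, ok := b.pending[c.Nonce]
	if !ok || issued.Text != c.Text || rsa.VerifyPKCS1v15(b.Pub, crypto.SHA256, c.digest(), sig) != nil {
		return false
	}
	delete(b.pending, c.Nonce) // consumed: a second submission is a replay
	return true
}
```

Validate compares the issued text before verifying and consumes the nonce on success, so a resubmitted signed SMS and a signature over an altered amount are both rejected.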

Page 19

eHealth

UICC – elements (diagram): UICC ID = ICCID; interfaces: 12 Mb/s USB full-speed IF, NFC (or other) IF (1 connector), GSM-allocated (2G/3G) IFs (5 connectors).

New UICC Architecture / SIM advances, to carry a number of new functions: SIM Application Toolkit; PKI / eID; Payment (EMV); Multimedia (DRM?); Ticketing (DRM!); Electronic Purse; Common Storage; USIM (ID = IMSI & MSISDN); SIM (ID = IMSI & MSISDN); Phonebook.

Page 20

E-cash versus paper cash

Micropayment and anonymous e-cash

Electronic purse

Mobile payments: end of the debit and credit card

End of privacy

New frauds

Page 21

Warnings: PKI obstacles

OASIS TC PKI Survey on PKI Obstacles (Source: [OASIS-PKI])

http://www.ecom.jp/report/Study_on_PKI_2006_in_EUROPE-FINAL.pdf

Page 22

The reality

• 90% of the people in the audience have at least 1 smart card with them
• most have NOT used a smart card for anything other than
  o to make a call/message
  o withdraw money
  o pay for goods/service
• When it comes to securing the computer or the network, the card is NOT there. Why?

Page 23

Net security

Confidentiality, Integrity, and Authenticity (CIA) of content?

Smart cards, biometrics, tokens – for identification and coding

Pairing-based security – a compromise between complexity and usability/reliability

Elliptic curves over finite fields

Page 24

Gartner forecast

Page 25

ESI Assessment of SMEs maturity: Information as an Asset

Diagram: Business (10 Sq.); typical customer: Micro & Small, SME, Large-E. Assessment effort shown: 3 days, 1 assessor; 7-8 days, 2 assessors; 2-3 weeks, 2 assessors. Appraisal levels/classes shown: Level 2 Class C, Level 2 Class B, Level 3 Class B. Methods: Interview, Doc. Review. Scopes: SPI (CMMI), Inf. Security (ISO 27001), InfoSec Snapshot. Perspectives: Processes, Finances, Customers, Learning.

Page 26

And Beyond: Quantum cryptography, Quantum Digital Signature (QDS)

In 1994, Dr. Shor invented an algorithm that would allow a quantum computer to do the calculations simultaneously, factoring numbers hundreds of digits long in perhaps minutes. It can break RSA.

The RSA algorithm was publicly described in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT

In 2001, Shor's algorithm was demonstrated by a group at IBM, who factored 15 into 3 x 5, using a quantum computer with 7 qubits.

Page 27

And further…

Page 28

Thank you

George Sharkov

[email protected]

Credits:

Presentations Financial Cryptography (Mexico, 2008)

Presentations Recent Developments in Cryptography and Information Security (Bulgaria, 2007)

EU/EC reports