Transcript Slide 1

Cryptography and Information Security: Bridging Theory with Practice
Personal secure devices, payments and financial transactions
George Sharkov, European Software Institute - Center Bulgaria
ASTEL "Digital Democracy" Conference, Sofia, May 2008
For internal educational use only! All data copyrighted by ESI, SEI, ESI Center BG, or respective sources as indicated.

The price of our personality
Quoted from a post submitted by Security Renegades on Wed, 2007-08-15 23:14:
"I was just interviewed by a local news station about a story they were doing on daring hackers that have started advertising their abilities to destroy a person's life for as little as $20 per month. Apparently the deal goes something like this: you make a deal with a hacker to destroy somebody's life by signing them up online, and the hacker will ensure the target can't get a good job, can't apply for credit cards, will be denied for loans, etc."
Innovative "business": a subscription model. The hacker must return to the scene monthly to determine whether the target's life is still truly ruined.

Protected personality = eID
Aspects:
• Identifier: must be unique and is structured according to some context: name & address, EGN (the Bulgarian national identification number, the equivalent of a social security number), bank account number, IMSI (International Mobile Subscriber Identity), MSISDN (Mobile Subscriber Integrated Services Digital Network Number), IP address, URL, MAC address.
• eID token (ID bearer): smart card, SSCD (Secure Signature Creation Device), etc.
• eID management (infrastructure): life cycle, registration, security, PKI, interoperability, etc.
• Service layer: from physical identification through eAuthentication, eSignature, time stamping, long-term storage and third-party validation, up to all applications.

The sad truth
Usability, convenience and "unbreakable" security pull against each other.
"You can make a secure system either by making it so simple you know it's secure, or so complex that no one can find an exploit." (allegedly Dan Geer)

Do we make it right?
The V-model, read left to right: each specification artefact on the left is checked by a test activity on the right.
• User requirements ↔ acceptance tests and user manual. This is VALIDATION, the customer's and user's question: "Did we build the right thing?"
• Standards and requirements documents, technical design ↔ test plan(s). Software ↔ software system tests. This is VERIFICATION, the engineering and QA question: "Did we build it right?"

Things we usually don't think about
• Accessibility: disabled people
• ICT & security awareness
• Information security is not an IT issue ONLY
• Cost of security

Cost of security?
Cost of security = cost of nonconformance (fraud, privacy breaches, internal + external failures) + cost of conformance (prevention + assessment against standards).

Worldwide damage from digital attacks
[Chart: estimates of the average annual worldwide damage from hacking, malware and spam since 1999. Data based on figures from mi2g and the authors.]

Examples
• Integrated security management, standards
• e-Administration, document management
• e-Health
• e-Procurement, e-bidding, e-signatures
• All possible B, C, G (business, citizen, government) combinations

EU reports
• PKI in EU (2006): http://www.ecom.jp/report/Study_on_PKI_2006_in_EUROPE-FINAL.pdf
• Commission eSignature Workshop, December 2007
• Study on the standardisation aspects of eSignature (Sealed, 2007): http://www.esstandardisation.eu/e_signatures_standardisation.pdf

Implementation of the EU eSignature Directive 1999/93/EC: EESSI (European Electronic Signature Standardisation Initiative), all financed by the EU. Two workstreams:
• CEN specifies the signature device: smart cards, biometrics, digital signature and the SSCD (Secure Signature Creation Device).
• ETSI specifies qualified certificates, signature formats and their framework.
[Figure legend: white = basic certificate (QC/NQC) services; red stripes = additional services; solid red = creation and verification of electronic signatures.]
Figure source: Study on the standardisation aspects of eSignature (Sealed, 2007).

EU i2010 eID infrastructure

Pioneers: banks & integrated eID
Austria: in January 2005 it became the first country in the world to offer citizens the possibility to integrate a citizen card into bank cards (by agreement between the Ministry of Finance and the bank card issuer Europay, a "citizen card" function can be included in all Maestro bank cards issued in Austria). Cost: until 31 August 2004, Maestro cardholders were able to exchange their current cards for new ones containing a digital signature at no cost. After that date, this "premium" function costs EUR 12 per year.

Examples: the mobile approach
• Managed IDs for routing and billing purposes; functions on the handset or in the SIM card.
• The SIM is recognised as a "security element".
• A SIM card in a phone = a smart card fully integrated with reader and display, in combination with networking functions (GSM, IP/Internet, WLAN, Bluetooth, IR and NFC).
• Price for a SIM: from 0.8 USD to a few euros.
• 3 billion mobile subscribers worldwide today.
• The SIM card is a SMART CARD: SIM cards with PKI key generation and signature functions have been available since 2001. In use: Finland, Sweden, Turkey, Estonia and Norway.

PKI-based services for mCommerce
Services: transaction signing in combination with payment.
Flow (diagram): some application → application interface module (formats the signature challenge) → challenge delivered as an SMS over the wireless interface → SIM (holds the keys, signs with PKCS#1) → signed SMS returned → backend system validation → RA/CA. Channels: WAP, SMS, Web.

PKI-based services for BankID
Services: login/authentication + transaction signing. Same flow, with the NetBank application as the requesting application: login request or transaction signing → interface module formats the challenge → SMS to the SIM (keys & PKCS#1) → signed SMS back → backend validation → RA/CA. Now handled by the banks.

UICC/SIM elements and the new UICC architecture
• On the UICC (ID = ICCID): USIM and SIM (ID = IMSI & MSISDN), phonebook, electronic purse, common storage, SIM Application Toolkit.
• New functions to carry: eHealth, payment (EMV), multimedia DRM (?), ticketing, PKI/eID (DRM!).
• Interfaces: 12 Mb/s USB full-speed IF; NFC (or other) IF (1 connector); GSM-allocated (2G/3G) IFs (5 connectors).

E-cash versus paper cash
• Micropayment and anonymous e-cash
• Electronic purse
• Mobile payments: the end of the debit and credit card?
• The end of privacy
• New frauds

Warnings: PKI obstacles
OASIS PKI TC survey on PKI obstacles (source: [OASIS-PKI]), as reported in http://www.ecom.jp/report/Study_on_PKI_2006_in_EUROPE-FINAL.pdf

The reality
• 90% of the people in the audience have at least 1 smart card with them.
• Most have NOT used a smart card for anything other than: making a call or sending a message; withdrawing money; paying for goods or services.
• When it comes to securing the computer or the network, the card is NOT there. Why?

Net security
• Confidentiality, integrity and authenticity (CIA) of content?
• Smart cards, biometrics, tokens: for identification and encryption
• Pairing-based security: a compromise between complexity and usability/reliability
• Elliptic curves over finite fields
• Gartner forecast

ESI assessment of SME maturity
Information as an asset. Assessment options by typical customer:
• Large enterprise: SPI (CMMI) appraisal, Level 3 Class B, 2-3 weeks, 2 assessors.
• SME: Level 2 Class B, 7-8 days, 2 assessors (L2); information security (ISO 27001).
• Micro & small: Level 2 Class C, 3 days, 1 assessor; InfoSec snapshot.
Methods: document review, interview. Business view (10 squares): finances, customers, processes, learning.

And beyond
Quantum cryptography, quantum digital signature (QDS). In 1994 Peter Shor devised an algorithm that would let a quantum computer carry out the calculations simultaneously, factoring numbers hundreds of digits long in perhaps minutes. It can break RSA. The RSA algorithm was publicly described in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman at MIT. In 2001 Shor's algorithm was demonstrated by a group at IBM, who factored 15 into 3 x 5 using a quantum computer with 7 qubits.
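The two PKI-services diagrams (challenge formatted by the interface module, signed on the SIM with PKCS#1, validated by the backend) and the remark that Shor's algorithm breaks RSA rest on the same machinery, so one added example covers both. This is my illustration, not code from the slides, from any SIM vendor or from BankID: textbook RSA with EMSA-PKCS1-v1_5 padding (RFC 8017) in pure Python. The 512-bit key size, the `PAY|account|amount|nonce` challenge format, the placeholder account string and the hypothetical function names are all assumptions made for the demo; the 512-bit key is for speed only and is not secure.

```python
"""Toy model of SIM-based transaction signing and of why factoring n breaks it.
Added example, not from the slides. Textbook RSA + EMSA-PKCS1-v1_5 (RFC 8017).
The 512-bit key, challenge format and account string are constructed for
illustration only; do not reuse in production."""
import hashlib
import secrets

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; enough for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512, e=65537):
    """Return (n, e, d, p, q). p and q are kept only to model the attacker."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    return p * q, e, pow(e, -1, (p - 1) * (q - 1)), p, q


def emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5: 0x00 0x01 || 0xFF.. || 0x00 || DigestInfo(SHA-256(m))."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("key too short for this digest")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def format_challenge(account, amount_cents, nonce):
    """Formatting module: bind what the user sees on the handset to the bytes signed."""
    return f"PAY|{account}|{amount_cents}|{nonce}".encode()


def sim_sign(challenge, n, d):
    """SIM side: RSASP1 over the encoded challenge (the signed SMS)."""
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(challenge, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def backend_verify(challenge, signature, n, e):
    """Backend validation: re-encode the challenge and compare in constant time."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, emsa_pkcs1_v15(challenge, k))


def recover_private_exponent(n, e, p, q):
    """Attacker holding the factors of n (Shor's output) rebuilds d directly."""
    if p * q != n:
        raise ValueError("p*q != n")
    return pow(e, -1, (p - 1) * (q - 1))


def demo():
    """Returns (genuine verifies, tampered amount rejected, forgery after factoring)."""
    n, e, d, p, q = rsa_keygen()
    nonce = secrets.token_hex(8)  # backend-chosen; stops replay of an old signature
    genuine = format_challenge("BG00XXXX00000000000000", 12500, nonce)  # constructed
    sig = sim_sign(genuine, n, d)
    tampered = format_challenge("BG00XXXX00000000000000", 1250000, nonce)
    forged = sim_sign(tampered, n, recover_private_exponent(n, e, p, q))
    return (backend_verify(genuine, sig, n, e),
            backend_verify(tampered, sig, n, e),
            backend_verify(tampered, forged, n, e))


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing: the backend, not the handset, chooses the nonce and the formatted text, so a signature covers exactly the amount the user saw and cannot be replayed; and once p and q are known, the private exponent falls out of one modular inverse, which is all that stands between Shor's factoring and a forged "Sign SMS".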
And further... CryptoBG'08, www.cryptobg.org
Second International Symposium "Recent Developments in Cryptography and Information Security", September 11-13, 2008, National Institute of Education, Oriahovitza, Bulgaria. Organized by the Minu Balkanski Foundation.
• Cryptography for personal secure devices
• E-signature and secure encryption: modern trends
• Finances, banking and payments: trust & security
• Cryptography: bridging theory with practice

Thank you
George Sharkov, [email protected]

Credits:
• Presentations, Financial Cryptography (Mexico, 2008)
• Presentations, Recent Developments in Cryptography and Information Security (Bulgaria, 2007)
• EU/EC reports