FIT3105 Smart card based authentication and identity management Lecture 4.

Slide 2: Outline
– The importance of smart cards in authentication and identity management
– How smart cards work
– How cryptography is applied in smart card technology
– Authentication and identity systems with smart cards
– Smart cards: challenges, benefits, and vulnerabilities

Slide 3: Recommended readings
– Smart card tutorial: itsc.pdf
– Smart card information from federal gov
– Smart card from Gemplus: dex.htm

Slide 4: The importance of smart cards
– Secure access to a building
– Secure access to a computer system
– Secure access to health and other services
– Hold a small amount of money for payment without exposing a card number the way credit cards do
– Can be used as another authentication level for access control or ID verification

Slide 5: Generic smart card structure
[Diagram, borrowed from another author. Components shown: smart card, reader, host computer, network. Layers shown: smart card applications (application programs using smart cards), host computer OS, reader driver, card "OS".]

Slide 6: Smart cards: architecture and design
– Smart cards are special-purpose computers with predefined functions and limitations:
  – Architecture specification
  – Smart card OS
  – API (so we can program the card)
  – Applications

Slide 7: Smart card OS
– Most smart cards use their own OS for underlying communications and functions.
– A smart card OS can be built to let programmers write applications independent of the card's architecture, e.g. JavaCard.
  – JavaCard was developed by Sun.
  – Applications written for the JavaCard OS can be used on other smart cards that support the JavaCard OS.

Slide 8: Smart card application development
– Find out what type of smart card you will work on:
  – Study the architecture of the selected smart card
  – Find out the smart card OS
  – Find out the smart card API
  – Find out the encryption/decryption algorithms implemented on the smart card
  – Design your application accordingly

Slide 9: Smart cards: benefits and security challenges
– Smart cards can provide stronger authentication.
– A card can carry important information with a certain degree of security (e.g. medical information for patients with heart conditions, diabetic patients, and people with emergency treatment requirements).
– It is an important piece of hardware for access control to a number of services.
– It can also carry information that is essential for many services (crime prevention, services for special law enforcers, and government or military emergency services).
– Used to pay bills without revealing much personal information, such as a card number.
– E-business

Slide 10: Smart cards: benefits and security challenges
– ECC (a lighter cipher than RSA) can be built into smart cards to improve security.
  – The development of new ciphers makes smart cards more secure and hence more important for authentication.
– Smart cards can serve as another level of authentication for computer system access.
  – Authentication to servers should be enhanced with smart cards.
– Smart cards can also be used as a second degree of identification.
  – Biometrics and access control means will be part of the smart cards for this application.
– We can integrate smart card technology into ID systems.
  – It is likely that biometric technologies will be implemented on smart cards for many applications requiring strong authentication.
– Software written for smart cards can be portable if there is a standard smart card OS.
  – So choose your smart cards carefully before developing applications on them.

Slide 11: Smart cards and authentication
– Authentication enhanced by smart cards without public key cryptography
  – Smart cards without a public key system are widely used because they are less expensive. (Smart cards with public key cryptography such as RSA or ECC are more expensive: they need better hardware and an API to support the heavier cryptographic algorithms, and they often have a built-in cryptographic coprocessor.)
– The client with the smart card shares a secret key with the server beforehand.
– The server sends a random challenge to the client and requests a message authentication code (MAC) generated over the card ID and the challenge.
– The client enters a password to use the card, which generates the MAC using the shared key, the card ID and the challenge.
– The client sends the card ID and the MAC to the server.
– The server uses the client's smart card ID to derive the shared key and verifies the MAC.
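The symmetric challenge-response above, worked through in Go as an added example (not from the lecture): the issuer personalises a card with a key derived from its card ID, the PIN-unlocked card answers the server's challenge with an HMAC over card ID and challenge, and the server re-derives the key from the presented card ID and checks the MAC. HMAC-based key diversification from a server master key, the PIN retry limit, and all IDs, keys and PINs are assumptions constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// maxTries: wrong PINs tolerated before the simulated card blocks itself (an assumption
// of this example; real cards bound PIN guessing with a retry counter of their own).
const maxTries = 3

// hmacSHA256 computes HMAC-SHA256 over the concatenation of parts.
func hmacSHA256(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// deriveCardKey is how the server turns a card ID into that card's shared key. Diversifying
// a server master key with HMAC is an assumption here; the slide only says the key is "derived".
func deriveCardKey(masterKey []byte, cardID string) []byte {
	return hmacSHA256(masterKey, []byte(cardID))
}

// Card is the simulated card: its ID, its own diversified key, and the PIN that unlocks it.
type Card struct {
	ID, pin string
	key     []byte
	tries   int
}

// personalise is the issuer's step: load the card with its ID, derived key and PIN.
func personalise(masterKey []byte, cardID, pin string) *Card {
	return &Card{ID: cardID, key: deriveCardKey(masterKey, cardID), pin: pin}
}

// Authenticate is the card's step: once the holder unlocks it with the PIN it returns
// MAC = HMAC-SHA256(key, cardID || challenge). The key never leaves the card.
func (c *Card) Authenticate(pin string, challenge []byte) ([]byte, error) {
	if c.tries >= maxTries {
		return nil, errors.New("card blocked: too many wrong PINs")
	}
	if pin != c.pin {
		c.tries++
		return nil, errors.New("wrong PIN")
	}
	c.tries = 0
	return hmacSHA256(c.key, []byte(c.ID), challenge), nil
}

// serverVerifyMAC is the server's step: re-derive the key from the presented card ID, recompute
// the MAC and compare in constant time. The challenge must be fresh random bytes per attempt
// (crypto/rand) so that a MAC captured earlier cannot be replayed.
func serverVerifyMAC(masterKey []byte, cardID string, challenge, mac []byte) bool {
	expected := hmacSHA256(deriveCardKey(masterKey, cardID), []byte(cardID), challenge)
	return hmac.Equal(expected, mac)
}
```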

Slide 12: Smart cards and authentication
– Authentication enhanced by smart cards with public key cryptography
  – Smart cards with a public key system such as RSA or ECC can be used to provide stronger authentication.
– The server sends a random challenge to the client (smart card); the client uses the private key on his/her smart card to generate a digital signature over the challenge.
– The client sends the digital signature, together with his/her digital certificate from the smart card (which contains his/her public key), to the server.
– The server verifies the client's certificate and uses the public key contained in it to verify the signature on the challenge.
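The public-key variant above, as an added Go example that is not part of the lecture: a constructed issuer CA certifies the card's key, the card signs the server's challenge, and the server validates the certificate chain before checking the signature with the key taken from that certificate. The issuer CA, the names, and the choice of ECDSA over P-256 with SHA-256 are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newIdentity generates a P-256 key pair and an X.509 certificate for it. With a nil parent
// it is a self-signed CA (the constructed issuer); otherwise parentKey signs it, as the issuer does for a card.
func newIdentity(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root: mark it as a CA that may sign certificates
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &priv.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return priv, cert, err
}

// cardSign is the card's step: sign SHA-256(challenge) with the private key held on the card.
func cardSign(cardKey *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, cardKey, h[:])
}

// serverVerifySignature is the server's step: check that the presented certificate chains to a
// trusted issuer and is in its validity period, then verify the challenge signature with its key.
func serverVerifySignature(roots *x509.CertPool, cardCert *x509.Certificate, challenge, sig []byte) error {
	if _, err := cardCert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	pub, ok := cardCert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("challenge signature does not verify")
	}
	return nil
}
```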

Slide 13: Smart card benefits as a personal cryptographic token (e.g.)
– Smart cards can be used as a mobile personal cryptographic token.
  – Mobile user access, especially for accessing a home network from anywhere (a user name and password are not good enough; they can be stolen). The smart card can carry many one-time passwords and other information for authentication, such as a unique secret key or digital signature.

Slide 14: Smart cards: e-business benefits (e.g.)
– Smart cards can be used as a mobile personal cryptographic token.
  – For e-business, smart cards can be used to enhance the security of individual transactions. Non-repudiation can be achieved using the user's signature: the digital signature is generated on the user's smart card, and users' smart cards are protected by passwords or biometrics.

Slide 15: Smart cards and identification
– Smart cards can be used to store unique personal information for identifying an individual:
  – Dental record or DNA information (more memory is needed, though)
  – Personal details such as name, address, photo, etc.
  – Digital signature and cryptographic keys (already prototyped and used in some organisations)
  – Biometric data (fingerprints have been integrated with smart cards)
  – Universal information based on the card information and personal details (being developed for international e-business)

Slide 16: Smart cards: security challenges
– Smart cards are vulnerable to serious attacks on the cryptosystem on the card, because of the limitations of the hardware, the smart card OS, and the lightweight cryptographic algorithms.
  – Strong crypto algorithms run inefficiently on the card because of the hardware and software limitations.
– Wireless smart cards are as vulnerable as wireless communications.
– Software applications written for smart cards have limitations and are therefore vulnerable to attacks (mini versions of programming languages and libraries are used in developing the applications, and therefore more security problems are introduced).

Slide 17: Smart cards: security challenges
– It is more difficult to write secure software applications for smart cards.
  – How can developers create secure software when they have much smaller libraries?
– There is no standard for smart cards, and therefore most smart card applications are not portable.
  – A smart card OS is not like Unix, and there has been no free smart card OS available across several different smart cards.
– Using a PIN number to access the card is not secure enough.
  – Many cheaper smart cards still rely on this for accessing the card.

Slide 18: Conclusion
– Smart cards and their applications are becoming popular for authentication and identification.
– Cryptographic algorithms on smart cards can be improved by lighter and more secure ciphers such as ECC.
– Smart cards can be used together with other authentication methods to enhance security.
– Smart cards can also be combined with biometric technologies to provide strong authentication.