1 Using EMV cards for Single Sign-On. 26th June 2004, 1st European PKI Workshop. Andreas Pashalidis and Chris J. Mitchell.

2 Outline of Talk Introduction & Motivation. Introduction to EMV cards. How to use them for SSO. Conclusions.

4 Why do we need SSO? Current situation: network users interact with multiple service providers.

5 Why do we need SSO? Problems: usability, security, privacy…

6 What is SSO? A mechanism that allows users to authenticate themselves only once and then log into multiple service providers without necessarily having to re-authenticate.

7 SSO – How? Introduce a component called the Authentication Service Provider (ASP).

8 SSO – How? 1) Initially the user authenticates to the ASP. 2) The ASP takes care of subsequent user-to-SP authentications.

9 SSO – Different Approaches
1. Service providers are aware of the ASP: SPs and the ASP have to establish explicit trust relations, policies, contracts and a supporting security infrastructure (e.g. a PKI). The ASP is either a trusted third party or part of the user system (which requires tamper-resistant hardware, e.g. a smartcard or TPM).
2. Service providers are NOT aware of the ASP: the ASP is transparent to SPs, so no trust relations are needed. It is either local software or proxy-based.

11 General SSO Protocol: typical information flow (diagram; a bracketed group of messages is marked “repeated as necessary”).

12 SSO – some examples. Microsoft Passport: ASP = …; assertion = (symmetrically) encrypted cookie. Liberty Alliance: ASP = “Identity Provider”; assertion = digitally signed XML document. Kerberos: ASP = Kerberos server; assertion = ticket (+ proof of knowledge of the session key).

13 Motivation. Fact 1: SPs need to establish a (typically costly) security infrastructure with the ASP. Fact 2: the ASP has to be available online. Question 1: can we construct an SSO scheme based on credit/debit smartcards? Question 2: can we construct the scheme such that it uses the PKI already established for payment cards, does not require an online external party, and provides proof of possession of the card?

14 Outline of Talk Introduction & Motivation. Introduction to EMV cards. How to use them for SSO. Conclusions.

15 EMV payments (diagram): Cardholder, Merchant, Acquiring Bank, Issuing Bank and the EMV network.

16 Card/Terminal Interaction: SELECT (application selection; the session begins). GET PROCESSING OPTIONS, READ RECORD (the card sends the necessary data files to the terminal). INTERNAL AUTHENTICATE (the terminal verifies the card’s validity). CARDHOLDER VERIFICATION (the cardholder enters his/her PIN). …remainder of transaction…

18 INTERNAL AUTHENTICATE: Static or Dynamic Data Authentication (SDA/DDA). Each DDA-capable card contains: the issuer public key certificate (signed by the scheme); a unique key pair (installed by the issuer); a certificate for its public key (signed by the issuer). The terminal contains the scheme’s root public key. 1) The terminal reads and verifies the certificates. 2) A challenge/response protocol is executed: the card signs a terminal-supplied challenge with its private key, and the terminal checks the signature with the certified card public key.

19 CARDHOLDER VERIFICATION: the cardholder enters the PIN into the keypad. The PIN is verified either online by the issuer or offline by the card (VERIFY command); the card blocks further attempts after a set number of failures. CARDHOLDER VERIFICATION is optional.

20 Outline of Talk Introduction & Motivation. Introduction to EMV cards. How to use them for SSO. Conclusions.

21 System Entities: the Card; the Cardholder System (CS); the Service Provider (SP). The CS and the card together act as the ASP. Online presence of the issuer is not required.

22 Card Requirements: the card needs an additional EMV application, the Authentication Application (AA). In the AA: the PAN and all other PII have to be replaced with non-identifying information; the certificate for the card public key must not contain any PII (hence a new certificate); a “PIN Verification Data Element” (PVDE) has to maintain state within the current session.

23 CS Requirements: a network access device, wired or wireless; a smartcard reader; special software, the “SSO Agent”, that communicates with the card and with Service Providers for login.

24 Service Provider Requirements: acts analogously to a merchant terminal; needs a copy of the scheme’s public key; needs a human-readable, unique identifier (SPID), e.g. a DNS name; needs special software to support the SSO scheme.
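The card/terminal interaction on slides 16–19 and the service-provider role on slides 21–24 can be modelled end to end. The following Python is an added example written for this page; it is not code from the original slides or from the authors’ paper, and it uses textbook RSA over hard-coded Mersenne primes purely to show the structure (a scheme root key, an issuer certificate, a card certificate, a signed challenge, and an offline PIN try counter that blocks the card). Two points go beyond what the slides state and are assumptions of this example: the SP binds its SPID into the challenge, and the card binds its PVDE (PIN-verified) state into the signed response so that the SP learns it from the card rather than from the CS. The SPID “sp.example.org”, the PIN “1234” and the try limit of 3 are constructed values.

```python
"""Toy model of the card/terminal steps on slides 16-19 and of an SP acting as a terminal
(slides 21-24). Textbook RSA over Mersenne primes: message flow only, NOT secure or EMV-conformant."""
import hashlib
import os

E = 65537
PIN_TRY_LIMIT = 3          # constructed limit; real cards carry an issuer-set PIN try counter

def M(k):
    return (1 << k) - 1    # 2**k - 1 is prime for k in {31, 61, 89, 107, 127, 521}: toy key material

def rsa_keypair(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))   # (public, private)

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest()[:20], "big")   # 160 bits < every toy modulus

def sign(priv, data):
    return pow(digest(data), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data)

def make_cert(subject_pub, signer_priv):
    # certificate = subject public key plus the signer's signature over its encoding
    return subject_pub, sign(signer_priv, repr(subject_pub).encode())

def verify_cert(cert, signer_pub):
    return verify(signer_pub, repr(cert[0]).encode(), cert[1])

class Card:
    """Authentication Application: certificates, key pair, PIN try counter and PVDE."""
    def __init__(self, issuer_cert, card_cert, card_priv, pin):
        self.issuer_cert, self.card_cert, self.card_priv, self.pin = issuer_cert, card_cert, card_priv, pin
        self.pin_tries_left = PIN_TRY_LIMIT
        self.pin_verified = False          # PVDE: per-session state

    def select(self):                      # SELECT: new session, PVDE cleared
        self.pin_verified = False

    def verify_pin(self, pin):             # VERIFY: offline PIN check with a try counter
        if self.pin_tries_left == 0:
            return "blocked"
        if pin == self.pin:
            self.pin_tries_left, self.pin_verified = PIN_TRY_LIMIT, True
            return "ok"
        self.pin_tries_left -= 1
        return "blocked" if self.pin_tries_left == 0 else "wrong"

    def internal_authenticate(self, challenge):
        # INTERNAL AUTHENTICATE (DDA): sign the terminal's challenge with the card key.
        # Assumption: the PVDE value is bound into the signed data, so the SP learns the
        # PIN status from the card's signature and not from a possibly rogue CS.
        return self.pin_verified, sign(self.card_priv, challenge + bytes([self.pin_verified]))

class Terminal:
    """Merchant terminal or service provider: holds the scheme root key and an SPID."""
    def __init__(self, scheme_pub, spid="pos-terminal"):
        self.scheme_pub, self.spid = scheme_pub, spid

    def authenticate(self, card, pin=None):
        # returns (card_authentic, pin_verified); pin is whatever the cardholder typed, if anything
        card.select()
        issuer_cert, card_cert = card.issuer_cert, card.card_cert      # READ RECORD
        if not (verify_cert(issuer_cert, self.scheme_pub) and verify_cert(card_cert, issuer_cert[0])):
            return False, False            # chain does not lead to the scheme root key
        if pin is not None:
            card.verify_pin(pin)
        challenge = self.spid.encode() + os.urandom(8)   # assumption: SPID bound into the challenge
        pin_ok, sig = card.internal_authenticate(challenge)
        authentic = verify(card_cert[0], challenge + bytes([pin_ok]), sig)
        return authentic, authentic and pin_ok

def build_scheme():
    scheme_pub, scheme_priv = rsa_keypair(M(61), M(127))
    issuer_pub, issuer_priv = rsa_keypair(M(89), M(107))
    return scheme_pub, make_cert(issuer_pub, scheme_priv), issuer_priv

def issue_card(issuer_cert, issuer_priv, pin):
    card_pub, card_priv = rsa_keypair(M(31), M(521))
    return Card(issuer_cert, make_cert(card_pub, issuer_priv), card_priv, pin)

def forged_card(pin="0000"):
    # certificate chain ends at a self-signed key the scheme never certified
    fake_pub, fake_priv = rsa_keypair(M(89), M(127))
    return issue_card(make_cert(fake_pub, fake_priv), fake_priv, pin)

def run_demo():
    scheme_pub, issuer_cert, issuer_priv = build_scheme()
    sp = Terminal(scheme_pub, spid="sp.example.org")   # constructed SPID
    card = issue_card(issuer_cert, issuer_priv, pin="1234")
    results = {
        "possession_only": sp.authenticate(card),
        "possession_and_pin": sp.authenticate(card, pin="1234"),
        "wrong_pin": sp.authenticate(card, pin="9999"),
        "forged_card": sp.authenticate(forged_card()),
    }
    # two more wrong PINs exhaust the counter; the right PIN then no longer unblocks the card
    results["pin_status"] = [card.verify_pin("0000"), card.verify_pin("0000"), card.verify_pin("1234")]
    return results

if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows the outcomes an SP can distinguish: card present but no PIN, card and PIN, card with a wrong PIN, and a card whose chain does not end at the scheme root; the final list shows the try counter blocking the card. Because the PIN state travels inside the card’s signature, a rogue CS that merely relays the challenge cannot claim a PIN was verified when it was not, which is the property slide 34 relies on; the example does nothing about slide 35’s caveat that the card cannot authenticate the reader it is talking to.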

25–33 SSO Protocol (diagram built up over several slides; the only text is the final label “Authentication Assertion”).

34 Advantages: the SP chooses the strength of user authentication: proof of possession of the card and/or proof of knowledge of the PIN. A rogue CS cannot compromise either. Manual interaction is minimal. The initial goals are met: the scheme uses the already established PKI and does not require an online party.

35 Disadvantages: works only for EMV cardholders. Requires a card reader in the CS. The card cannot authenticate the reader/terminal. No trust management at the issuer level.

36 Outline of Talk Introduction & Motivation. Introduction to EMV cards. How to use them for SSO. Conclusions.

37 Conclusions: SSO using EMV cards is technically possible. It reuses the existing PKI. It optionally gives two-factor user authentication. “Business” questions: who pays for the card readers? the additional application on the card? the software?

38 Thanks! Questions? website: