Presentation is loading. Please wait.

Presentation is loading. Please wait.

Account Authority Digital Signature AADS Lynn Wheeler First Data Corporation

Published byDeirdre Grant Modified over 8 years ago

Similar presentations

Presentation on theme: "Account Authority Digital Signature AADS Lynn Wheeler First Data Corporation"— Presentation transcript:

1 Account Authority Digital Signature AADS Lynn Wheeler First Data Corporation lynn@garlic.com http://www.garlic.com/~lynn

2 AADS Infrastructure l Adaptable, long life (tens of years) infrastructure l Adaptable payment infrastructure l Adaptable authentication infrastructure l Adaptable authorization infrastructure l Adaptable risk management

3 AADS Infrastructure l Small granularity of pieces that are parameterized l Support wide range of cost/value applications l Allow coexistence of different cost/value implementations l Allow, incremental upgrades of individual pieces of infrastructure

4 AADS Infrastructure l Parameterized assurance levels –cryptography –hardware l Incrementally reflect assurance level changes l Incrementally upgrade individual components

5 AADS Infrastructure l Parameterized Risk Management –certified audit trail establishing component assurance levels l adaptable, parameterized –assurance levels –authentication levels –authorization levels –cost –value

6 AADS Infrastructure l Establish best-of-breed components l Establish optimal implementations at multiple cost points l Establish business process for component assurance level certified audit trail

7 AADS Infrastructure l Adapt card personalization process l On chip public/private key generation l Certified audit trail binding public key to hardware and cryptography assurance levels l Certified assurance level binding made available to parameterized risk management business processes l Assurance levels change over time

8 AADS Infrastructure CFI consumer account public key registration consumer Personalization certified audit trail hardware token

9 AADS Infrastructure l Card personalization infrastructure optimal business process for enabling consumer AADS l Certified Audit Trail Binding –public key –hardware token assurance –cryptography assurance –consumer delivery –activation process l Trusted Infrastructure for delivery of certified information

10 Account Authority Digital Signature AADS l Business-centric strong authentication l Integrated into existing business processes l Leverages existing investment in high-integrity, account based operations l Basic building block for all electronic business operations l Fast, efficient, compact ECC

11 Compared to Certificate Authority model l leverages existing infrastructure investment l maintains existing business and customer relationships l does not disintermediate with additional business operations l introduces no new liability problems l introduces no new privacy problems l introduces no systemic risks

12 X9.59 Payment CFIMFI Merchant Consumer account X9.59 X9.15 ISO8583 public key registration

13 AADS Strong Authentication –single ECC digital signature card –single function, secure card –multiple online applications supported AADS chip financial applications ISPs Web servers

14 Certificate Authority Model l Creates new expensive infrastructure l Requires new trust and risk models l Changes existing business relationships l Creates privacy concerns l Disintermediates existing account holders l Designed for electronic but offline operation l No real time information

15 AADS l Businesses have long used accounts for identity and attribute binding. l Current financial infrastructure use information binding in accounts to authenticate non-face-to- face transactions –mother's maiden name –PIN - Personal Identification Number –SSN - social security number l ECC short key lengths represent low impact on account records

16 AADS l Current financial infrastructure can extend existing business processes to support higher integrity electronic commerce by adding public key binding and digital signature verification to existing account infrastructures

17 AADS Based Authentication l compute secure hash of document or transaction l use private key to encrypt the hash (forming digital signature) l push document/transaction and digital signature to recipient

18 AADS Based Authentication l recipient (account authority) –uses public key in account to authenticate digital signature –used identity/attribute information in the account to validate/authorize document or transaction

19 AADS Cost Sharing –majority of Certificate Authority operation is account management –digital signature capability can be added to financial accounts for 1%-5% –existing non-digital signature applications cover 95%-99% of account costs –financial digital signature applications cover 90%- 95% of digital signature costs –non-financial digital signature applications need to cover 1/200th to 1/2000th of account infrastructure

20 AADS Cost Sharing Existing Financial applications continue to fund majority of infrastructure Account Infrastructure Costs AADS fraction

21 AADS l leverages existing account infrastructures l operates within existing business processes l adds public key registration to existing process l doesn't spray identity certificates all over the world raising privacy concerns l doesn't rely on third parties and/or create additional liability problems –no new identity databases –privacy neutral

22 AADS l digital signature (only) appended on transactions –easily fits into existing legacy financial networks –doesn't create new business dependencies –doesn't create systemic risks –no new failure modes »especially critical to triple redundant, high integrity financial infrastructure

23 AADS - Account Operation l debit-card account: | accnt# | balance | name | addr | MM name | pin | ssn | –Mother's maiden name, PIN, and SSN have drawback that they can be used to both originate a non-face-to-face transaction as well as verify a transaction (can generate fraudulent transaction by knowing value)

24 AADS | account# | balance | limit | name | address | public key| –existing business process can be used for public key registration –in existing PKI terms, the account record represents the binding of attributes to the public key; however the actual orientation is core business operation (not an external operation) –can’t originate fraudulent transaction by knowing the public key

25 X9.59 l Finance Industry standard for all account-based payment methods l based on AADS l public key is registered in account record l all transactions are digital signed l privacy neutral –no identity information needed, even at POS

26 X9.59 l consumer's financial institution both authenticates and authorizes the transactions –doesn't separate authentication & authorization... security 101 l merchant not involved in authentication or identification l no certificates spewing identity information all over the world

27 X9.59 Payment CFIMFI Merchant Consumer account X9.59 X9.15 ISO8583 public key registration

28 AADS Chip-card l Business Centric –no “cryptography is the answer, now what is the question” –no “smartcard is the answer, now what is the question” l Strong Authentication is the business requirement –create fundamental business building block –optimal cost/benefit

29 AADS Strawman l Tempested l Immune to all known smartcard attacks l Simple function in support of AADS –generate public/private key –export public key –private key never known –EC-DSS signing l Less than $1.50

30 AADS Strawman l Additional Chip Functions –support for on-card biometrics sensor –contactless l Compelling business case for strong authentication only –EC-DSS digital signature only –additional functions as business requirements are justified –strong authentication is fundamental business building block

Download ppt "Account Authority Digital Signature AADS Lynn Wheeler First Data Corporation"

Similar presentations

What is. Digital Certificate It is an identity.

What is. Digital Certificate It is an identity.
Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.
Public Key Infrastructure and Applications

Public Key Infrastructure and Applications
CONFIDENTIAL 1 Preparing for & Maintaining PCI Compliance.

CONFIDENTIAL 1 Preparing for & Maintaining PCI Compliance.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
3SKey 3SKey.

3SKey 3SKey.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.

© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.
Cryptography and Network Security

Cryptography and Network Security
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
ESign-Online Digital Signature Service February 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry.

ESign-Online Digital Signature Service February 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC513-01 Instructor:Professor Anvari Student ID:106845 Name:Xin Wen Date:11/25/00.

6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC Instructor:Professor Anvari Student ID: Name:Xin Wen Date:11/25/00.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
E-Procurement: Digital Signatures and Role of Certifying Authorities Jagdeep S. Kochar CEO, (n)Code Solutions.

E-Procurement: Digital Signatures and Role of Certifying Authorities Jagdeep S. Kochar CEO, (n)Code Solutions.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

Similar presentations

Ads by Google