Account Authority Digital Signature AADS Lynn Wheeler First Data Corporation


AADS Infrastructure
• Adaptable, long life (tens of years) infrastructure
• Adaptable payment infrastructure
• Adaptable authentication infrastructure
• Adaptable authorization infrastructure
• Adaptable risk management

AADS Infrastructure
• Small granularity of pieces that are parameterized
• Support wide range of cost/value applications
• Allow coexistence of different cost/value implementations
• Allow incremental upgrades of individual pieces of infrastructure

AADS Infrastructure
• Parameterized assurance levels
  – cryptography
  – hardware
• Incrementally reflect assurance level changes
• Incrementally upgrade individual components

AADS Infrastructure
• Parameterized Risk Management
  – certified audit trail establishing component assurance levels
• adaptable, parameterized
  – assurance levels
  – authentication levels
  – authorization levels
  – cost
  – value

AADS Infrastructure
• Establish best-of-breed components
• Establish optimal implementations at multiple cost points
• Establish business process for component assurance level certified audit trail

AADS Infrastructure
• Adapt card personalization process
• On chip public/private key generation
• Certified audit trail binding public key to hardware and cryptography assurance levels
• Certified assurance level binding made available to parameterized risk management business processes
• Assurance levels change over time

AADS Infrastructure
[Diagram: CFI, consumer account, public key registration, consumer, personalization, certified audit trail, hardware token]

AADS Infrastructure
• Card personalization infrastructure optimal business process for enabling consumer AADS
• Certified Audit Trail Binding
  – public key
  – hardware token assurance
  – cryptography assurance
  – consumer delivery
  – activation process
• Trusted Infrastructure for delivery of certified information

Account Authority Digital Signature AADS
• Business-centric strong authentication
• Integrated into existing business processes
• Leverages existing investment in high-integrity, account based operations
• Basic building block for all electronic business operations
• Fast, efficient, compact ECC

Compared to Certificate Authority model
• leverages existing infrastructure investment
• maintains existing business and customer relationships
• does not disintermediate with additional business operations
• introduces no new liability problems
• introduces no new privacy problems
• introduces no systemic risks

X9.59 Payment
[Diagram: CFI, MFI, merchant, consumer, account, X9.59, X9.15, ISO8583, public key registration]

AADS Strong Authentication
  – single ECC digital signature card
  – single function, secure card
  – multiple online applications supported
[Diagram: AADS chip; financial applications, ISPs, Web servers]

Certificate Authority Model
• Creates new expensive infrastructure
• Requires new trust and risk models
• Changes existing business relationships
• Creates privacy concerns
• Disintermediates existing account holders
• Designed for electronic but offline operation
• No real time information

AADS
• Businesses have long used accounts for identity and attribute binding.
• Current financial infrastructure uses information binding in accounts to authenticate non-face-to-face transactions
  – mother's maiden name
  – PIN - Personal Identification Number
  – SSN - social security number
• ECC short key lengths represent low impact on account records

AADS
• Current financial infrastructure can extend existing business processes to support higher integrity electronic commerce by adding public key binding and digital signature verification to existing account infrastructures

AADS Based Authentication
• compute secure hash of document or transaction
• use private key to encrypt the hash (forming digital signature)
• push document/transaction and digital signature to recipient

AADS Based Authentication
• recipient (account authority)
  – uses public key in account to authenticate digital signature
  – uses identity/attribute information in the account to validate/authorize document or transaction

AADS Cost Sharing
  – majority of Certificate Authority operation is account management
  – digital signature capability can be added to financial accounts for 1%-5%
  – existing non-digital signature applications cover 95%-99% of account costs
  – financial digital signature applications cover 90%-95% of digital signature costs
  – non-financial digital signature applications need to cover 1/200th to 1/2000th of account infrastructure

AADS Cost Sharing
Existing Financial applications continue to fund majority of infrastructure
[Chart: Account Infrastructure Costs, AADS fraction]

AADS
• leverages existing account infrastructures
• operates within existing business processes
• adds public key registration to existing process
• doesn't spray identity certificates all over the world raising privacy concerns
• doesn't rely on third parties and/or create additional liability problems
  – no new identity databases
  – privacy neutral

AADS
• digital signature (only) appended on transactions
  – easily fits into existing legacy financial networks
  – doesn't create new business dependencies
  – doesn't create systemic risks
  – no new failure modes
    » especially critical to triple redundant, high integrity financial infrastructure

AADS - Account Operation
• debit-card account:
  | accnt# | balance | name | addr | MM name | pin | ssn |
  – Mother's maiden name, PIN, and SSN have drawback that they can be used to both originate a non-face-to-face transaction as well as verify a transaction (can generate fraudulent transaction by knowing value)

AADS
  | account# | balance | limit | name | address | public key |
  – existing business process can be used for public key registration
  – in existing PKI terms, the account record represents the binding of attributes to the public key; however the actual orientation is core business operation (not an external operation)
  – can’t originate fraudulent transaction by knowing the public key
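
The signing and verification steps on the two "AADS Based Authentication" slides, combined with the public-key account record above, as an added Go example that is not part of the original presentation. It assumes ECDSA over P-256 with SHA-256 in place of the deck's EC-DSS; the message format, the account values and the names Account, Process and Demo are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

type Account struct {
	Balance, Limit int64            // cents
	PublicKey      *ecdsa.PublicKey // registered in the existing account record
}

var ErrAuthentication = errors.New("signature does not verify against the account's key")
var ErrAuthorization = errors.New("amount not permitted by the account")

// digest hashes a hypothetical message format; a real one also needs replay protection.
func digest(acct string, cents int64) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("acct=%s;cents=%d", acct, cents)))
	return h[:]
}

// Process authenticates with the key in the account, then authorizes from the same record.
func Process(db map[string]*Account, acct string, cents int64, sig []byte) error {
	rec, ok := db[acct]
	if !ok || !ecdsa.VerifyASN1(rec.PublicKey, digest(acct, cents), sig) {
		return ErrAuthentication
	}
	if cents <= 0 || cents > rec.Balance || cents > rec.Limit {
		return ErrAuthorization
	}
	return nil
}

// Demo uses a constructed account "1001"; other knows everything in it except the private key.
func Demo() (genuine, forged, overLimit error) {
	owner, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	db := map[string]*Account{"1001": {Balance: 50000, Limit: 20000, PublicKey: &owner.PublicKey}}
	pay := func(key *ecdsa.PrivateKey, cents int64) error {
		sig, _ := ecdsa.SignASN1(rand.Reader, key, digest("1001", cents)) // consumer side
		return Process(db, "1001", cents, sig)
	}
	return pay(owner, 12500), pay(other, 12500), pay(owner, 25000)
}

func main() { fmt.Println(Demo()) }
```

The account authority consults no certificate: the only key material it needs is the public key already stored in the account, and a party holding every other field of the record still fails authentication.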

X9.59
• Finance Industry standard for all account-based payment methods
• based on AADS
• public key is registered in account record
• all transactions are digitally signed
• privacy neutral
  – no identity information needed, even at POS

X9.59
• consumer's financial institution both authenticates and authorizes the transactions
  – doesn't separate authentication & authorization... security 101
• merchant not involved in authentication or identification
• no certificates spewing identity information all over the world

X9.59 Payment
[Diagram: CFI, MFI, merchant, consumer, account, X9.59, X9.15, ISO8583, public key registration]

AADS Chip-card
• Business Centric
  – no “cryptography is the answer, now what is the question”
  – no “smartcard is the answer, now what is the question”
• Strong Authentication is the business requirement
  – create fundamental business building block
  – optimal cost/benefit

AADS Strawman
• Tempested
• Immune to all known smartcard attacks
• Simple function in support of AADS
  – generate public/private key
  – export public key
  – private key never known
  – EC-DSS signing
• Less than $1.50

AADS Strawman
• Additional Chip Functions
  – support for on-card biometrics sensor
  – contactless
• Compelling business case for strong authentication only
  – EC-DSS digital signature only
  – additional functions as business requirements are justified
  – strong authentication is fundamental business building block