Mobile Security and Payment Nour El Kadri University Of Ottawa.


1 Mobile Security and Payment Nour El Kadri University Of Ottawa

2 Security Keep in mind: Security requires an overall approach A system is as secure as its weakest component –Securing network transmission is only part of the equation The sad part is that people often prove to be the weakest link in the chain –Employee who hacks company’s billing database –Careless user who writes his/her PIN on the back of their handset and forgets it on the bus

3 The Role of Cryptography SIM Module and Authentication centers in GSM Architecture WAP Gateway security gaps and their solution in the new WAP protocol stack for built-in IP How does cryptography complement such solutions? What are the business implications?

4 Network Transmission Security Requirements Authentication Confidentiality Integrity Non-repudiation Cryptography plays a central role in satisfying these requirements Other techniques include: Packet acknowledgements Checksums

5 Cryptography Sender: plaintext → cipher text … using encryption algorithms Receiver: cipher text → plaintext … using a matching decryption algorithm

6 Secret-Key or Symmetric Cryptography Alice and Bob agree on an encryption method and a shared key. Alice uses the key and the encryption method to encrypt (or encipher) a message and sends it to Bob. Bob uses the same key and the related decryption method to decrypt (or decipher) the message.

7 Advantages of Symmetric Cryptography There are some very fast classical encryption (and decryption) algorithms Since the speed of a method varies with the length of the key, faster algorithms allow one to use longer key values. Larger key values make it harder to guess the key value -- and break the code -- by brute force.

8 Disadvantages of Symmetric Cryptography Requires secure transmission of key value Requires a separate key for each group of people that wishes to exchange encrypted messages (readable by any group member) –For example, to have a separate key for each pair of people, 100 people would need about 5000 different keys.

9 Public-Key Cryptography AKA Asymmetric Cryptography Alice generates a key value (usually a number or pair of related numbers) which she makes public. Alice uses her public key (and some additional information) to determine a second key (her private key). Alice keeps her private key (and the additional information she used to construct it) secret.

10 PK Cryptography – cont’d Bob (or Carol, or anyone else) can use Alice’s public key to encrypt a message for Alice. Alice can use her private key to decrypt this message. No-one without access to Alice’s private key (or the information used to construct it) can easily decrypt the message.

11 Public Key Cryptography Source: N. Sadeh

12 Man-in-the-Middle Attack Solution: Certificate Authorities Keys are certified, that means a third person/institution confirms (with its digital signature) the affiliation of the public key to a person

13 Certificate Authorities Three types of organizations for certification systems (PKIs?): Central certification authority (CA) –A single CA, keys often integrated in checking software –Example: older versions of Netscape (CA = Verisign) Hierarchical certification system –CAs which in turn are certified by “higher” CA –Examples: PEM, Teletrust, infrastructure according to Signature Law Web of Trust –Each owner of a key may serve as a CA –Users have to assess certificates on their own –Example: PGP (but with hierarchical overlay system)

14 Hybrid Encryption Systems All known public key encryption algorithms are much slower than the fastest secret-key algorithms. In a hybrid system, Alice uses Bob’s public key to send him a secret shared session key. Alice and Bob use the session key to exchange information.

15

16 Digital Signatures A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document

17 Digital Signatures Source: N. Sadeh

18 Elliptic Curve Cryptography ECC was introduced by Victor Miller and Neal Koblitz in 1985. DSA and RSA need larger key lengths; ECC requires a significantly smaller key size for the same level of security. Benefits of smaller key sizes: faster computations, less storage space. ECC is ideal for constrained environments: Pagers; PDAs; Cellular Phones; Smart Cards

19 Key player Certicom is a key player. Acquired by Research in Motion (two days ago). Verisign was bidding on the company too. This will set new research ahead in the wireless security arena

20 Smart Cards Smart card: –A card that contains a processor, memory, and an interface to the outside world. –Vary based on the capabilities of the processor and size of the memory –A smart card needs a reader –Not very common in North America, but it is widespread in other places. –Problems: Lack of standard interfaces

21 GSM’s SIM-Based Authentication

22 Message Authentication Codes Checksums –used mostly to verify the integrity of messages Use a hybrid approach Recipient can verify both the authenticity and the integrity of the message MACs are also referred to as “Message Integrity Codes”
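An added example (not from the original slides) contrasting the unkeyed checksum with the keyed MAC described on the slide above. CRC-32 and HMAC-SHA256 are choices made here, since the slides name no algorithm; the messages and the shared key are constructed.

```python
import hashlib
import hmac
import zlib

# Constructed sample messages (not from the slides): a payment instruction
# and the same instruction with the amount changed in transit.
ORIGINAL = b"PAY merchant=1234 amount=10.00 CAD"
TAMPERED = b"PAY merchant=1234 amount=99.00 CAD"
# Assumption: sender and recipient already share this secret key.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def checksum_tag(message: bytes) -> bytes:
    """Unkeyed CRC-32: detects accidental corruption; anyone can compute it."""
    return zlib.crc32(message).to_bytes(4, "big")


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Keyed tag (HMAC-SHA256): computing it requires the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_checksum(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(checksum_tag(message), tag)


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest is used so the comparison does not leak, through
    # timing, how many leading bytes of the tag matched.
    return hmac.compare_digest(mac_tag(key, message), tag)


def compare_protections() -> dict:
    """What the recipient concludes in each case."""
    other_key = b"\x00" * 16  # a party on the path does not hold SHARED_KEY
    sent_mac = mac_tag(SHARED_KEY, ORIGINAL)
    return {
        "checksum_ok_original": verify_checksum(ORIGINAL, checksum_tag(ORIGINAL)),
        # The checksum is unkeyed, so it can be recomputed for altered text.
        "checksum_ok_altered": verify_checksum(TAMPERED, checksum_tag(TAMPERED)),
        "mac_ok_original": verify_mac(SHARED_KEY, ORIGINAL, sent_mac),
        # Altered text with the old tag, or a tag made under another key, fails.
        "mac_ok_altered_old_tag": verify_mac(SHARED_KEY, TAMPERED, sent_mac),
        "mac_ok_altered_other_key": verify_mac(
            SHARED_KEY, TAMPERED, mac_tag(other_key, TAMPERED)),
    }


if __name__ == "__main__":
    for case, accepted in compare_protections().items():
        print(f"{case}: {accepted}")
```

The checksum passes for the altered message because it carries no secret, which is why it gives integrity against transmission errors only; the MAC check ties acceptance to possession of the shared key.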

23 Security: The Combinations are Many IPSec protocol has been adopted by GPRS –Negotiation of security parameters between sender and recipient –Negotiation carried out using Internet Key Exchange Flexibility in adapting security parameters to mobile environments is very important –Keys might be stored on SIM or WIM modules –Limited memory and processing power –Low bandwidth and high latency

24 Wired Equivalent Privacy Aka “WEP” Represents Wi-Fi's first attempt at security Works at data link layer (Layer 2) Uses static 40 or 104 bit keys for authentication and encryption. Based on RC4 symmetric stream cipher. Key stream generated from initial key, used to encrypt and decrypt data

25 WAP Security: WTLS Keys generally placed in normal phone storage. New standards emerging (WAP Identity Module [WIM]) for usage of tamper-resistant devices. Aside from crypto problems: –User interface attacks likely (remember SSL problems) –WTLS terminates at WAP gateway; MITM attacks possible.

26 WAP Transaction layer WTP Three classes of transactions: –Class 0: unreliable –Class 1: reliable without result –Class 2: reliable with result Does the minimum a protocol must do to create reliability. No security elements at this layer. Protocol not resistant to malicious attacks.

27 WAP Session Layer WSP Meant to mimic the HTTP protocol. No mention of security in spec except for WTLS. Distinguishes a connected and connectionless mode. Connected mode is based on a SessionID given by the server.

28 Wireless Identity Module Can be used to hold private and secret keys required by WTLS, TLS and non-WAP applications Computes crypto operations –“unwrapping master secret” –client signature in WTLS Handshake –key exchange (ECC WTLS Handshake) It can also store certificates and generate keys WIM does not necessarily need to be issued by the mobile operator It can be implemented on the SIM card

29 WMLScript SignText Allows developers to write applications where users are prompted with a text that they reject or accept Acceptance requires the user to punch his/her WIM PIN code and that results in the generation of a digital signature DS is transmitted back to the content server

30 WAP Security Models Operator Hosts Gateway –Without PKI –With PKI Content Provider Hosts Gateway –Static Gateway Connection –Dynamic Gateway Connection

31 Operator Hosts Gateway

32 Without PKI: –Advantages No extra work for Content Provider No extra work for user System only requires one logical gateway –Disadvantages Content Provider must trust Operator (NDA) Operator can control home deck Operator can introduce advertising

33 Operator Hosts Gateway With PKI: –Advantages Content providers do not need to trust Operator. –Disadvantages PKI Infrastructure must be in place.

34 Content Provider Hosts Gateway Static Gateway Connection –Advantages Content Provider does not need to trust Operator Content Provider can control home deck OTA can be used to configure mobile terminal –Disadvantages Mobile terminal may have limited number of gateway config sets (i.e., Nokia 7110 has 10) Mobile Terminal needs to be configured. –OTA via WAP Push / SMS may not work with gateway / mobile terminal combination –Content Provider may have to pre-configure mobile terminals

35 Content Provider Hosts Gateway [Diagram; labels: Internet, WAP Gateway, WTLS Class 2, SSL, Operator, Web Server, Content Provider]

36 Content Provider Hosts Gateway Dynamic Gateway Connection –Advantages Content Provider does not need to trust Operator. Content Provider does not need to worry about mobile terminal configuration –Disadvantages Operator needs to trust Content Provider. Deployment very slow.

