Download presentation
Presentation is loading. Please wait.
1
FIT3105 Smart card based authentication and identity management Lecture 4
2
FIT3105 - Security and Identity Management2 Outline The importance of smart cards in authentication and identity management The importance of smart cards in authentication and identity management How smart cards work? How smart cards work? How cryptography is applied in smart card technology. How cryptography is applied in smart card technology. Authentication and identity systems with smart cards Authentication and identity systems with smart cards Smart cards: challenges, benefits, and vulnerabilities. Smart cards: challenges, benefits, and vulnerabilities.
3
FIT3105 - Security and Identity Management3 Recommended readings Smart card tutorial : http://www.smartcard.co.uk/tutorials/sct- itsc.pdf Smart card tutorial : http://www.smartcard.co.uk/tutorials/sct- itsc.pdf http://www.smartcard.co.uk/tutorials/sct- itsc.pdf http://www.smartcard.co.uk/tutorials/sct- itsc.pdf Smart card information from federal gov: http://www.smart.gov/ Smart card information from federal gov: http://www.smart.gov/ http://www.smart.gov/ Smart card from Gemplus: http://www.gemplus.com/northamerica/in dex.htm Smart card from Gemplus: http://www.gemplus.com/northamerica/in dex.htm http://www.gemplus.com/northamerica/in dex.htm http://www.gemplus.com/northamerica/in dex.htm
4
FIT3105 - Security and Identity Management4 The importance of smart cards Secure access to a building Secure access to a building Secure access to a computer system Secure access to a computer system Secure access to health and services Secure access to health and services Contain a smaller amount of money for payment without exposing card numbers as credit cards Contain a smaller amount of money for payment without exposing card numbers as credit cards Can be used as another authentication level for access control or id verification Can be used as another authentication level for access control or id verification
5
FIT3105 - Security and Identity Management5 Generic smart card structure Smart Card Reader Host computer Application programs with Smart cards Smart Card Applications Network Host Computer OS Card “OS” Reader Driver Borrowed from another author
6
FIT3105 - Security and Identity Management6 Smart cards: architecture and design Smart cards are special computers with predefined functions and limitations. Smart cards are special computers with predefined functions and limitations. –Architecture specification –smart card OS –API (so we can program the card) –Applications
7
FIT3105 - Security and Identity Management7 Smart card OS Most smart cards use their own OS for underlying communications and functions Most smart cards use their own OS for underlying communications and functions Smart card OS can be built to allow programmers to write applications independent of the architecture of the card. E.g; JavaCard Smart card OS can be built to allow programmers to write applications independent of the architecture of the card. E.g; JavaCard –JavaCard was developed by Sun. –applications based on JavaCard OS can be used on other smart cards that support JavaCard OS.
8
FIT3105 - Security and Identity Management8 Smart card application development Find our what type of smart card you will work on: Find our what type of smart card you will work on: –Study the architecture of the selected smart card –Find out smart card OS –Find out the smart card API –Find out the encryption/decryption algorithms implemented on the smart card. –Design your application accordingly
9
FIT3105 - Security and Identity Management9 Smart cards: benefits and security challenges Smart cards can provide stronger authentication. Smart cards can provide stronger authentication. It can carry important information with certain degree of security (e.g: medical information for patients with heart conditions, diabetic patients, and emergency treatment requirement people). It can carry important information with certain degree of security (e.g: medical information for patients with heart conditions, diabetic patients, and emergency treatment requirement people). It is an important hardware for access control to a number of services. It is an important hardware for access control to a number of services. It also can carry certain information that is essential for many services (crime prevention, services for special law enforcers, and government or military emergency services). It also can carry certain information that is essential for many services (crime prevention, services for special law enforcers, and government or military emergency services). Used to pay bills without revealing much personal information such as card number. Used to pay bills without revealing much personal information such as card number. E-business E-business
10
FIT3105 - Security and Identity Management10 Smart cards: benefits and security challenges ECC (lighter cipher than RSA) can be built on smart cards to improve security. ECC (lighter cipher than RSA) can be built on smart cards to improve security. –The development of new ciphers makes smart cards more secure and hence more important for authentication. Smart cards can be made as another level of authentication for computer system access. Smart cards can be made as another level of authentication for computer system access. –Authentication to servers should be enhanced with smart cards. Smart cards can also be used as the second degree of identification. Smart cards can also be used as the second degree of identification. –Biometrics and access control means will be part of the smart cards for this application. We can integrate smart card technology into ID systems. We can integrate smart card technology into ID systems. –It is likely that biometric technologies will be implemented on smart cards for many applications with strong authentication. Software written for smart cards can be portable if we have standard smart card OS. Software written for smart cards can be portable if we have standard smart card OS. –So choose your smart cards carefully before you develop applications on it.
11
FIT3105 - Security and Identity Management11 Smart cards and authentication Authentication enhanced by smart cards without public key cryptography Authentication enhanced by smart cards without public key cryptography –Smart cards without public key system are widely used because they are less expensive (smart cards with public key cryptography such as RSA or ECC are more expensive and they need to have better hardware and API to support heavier cryptographic algorithms. These cards often have built-in cryptographic coprocessor) The client with the smart card shares a secrete key with the server before hand. The client with the smart card shares a secrete key with the server before hand. The server sends a random challenge to the client and request a message authentication code (MAC) which is generated over the card ID and the challenge. The server sends a random challenge to the client and request a message authentication code (MAC) which is generated over the card ID and the challenge. The client enters a password to use the card to generate the MAC using the shared key, card ID and the challenge. The client enters a password to use the card to generate the MAC using the shared key, card ID and the challenge. The client sends the card ID and MAC to the server. The client sends the card ID and MAC to the server. The server uses the client’s smart card ID to derive the shared key and verify the MAC. The server uses the client’s smart card ID to derive the shared key and verify the MAC.
12
FIT3105 - Security and Identity Management12 Smart cards and Authentication Authentication enhanced by smart cards with public key cryptography Authentication enhanced by smart cards with public key cryptography –Smart cards with public key system such as RSA or ECC can be used to provide stronger authentication. The server sends a random challenge to the client (smart card), the client uses his/her private key (on his/her smart card) to generate a digital signature of the challenge, The server sends a random challenge to the client (smart card), the client uses his/her private key (on his/her smart card) to generate a digital signature of the challenge, The client sends the digital signature and his/her digital certificate from the smart card which contains his/her public key to the server, The client sends the digital signature and his/her digital certificate from the smart card which contains his/her public key to the server, The server verifies the client’s certificate and uses the public key contained in the client’s certificate to verify the signature of the challenge. The server verifies the client’s certificate and uses the public key contained in the client’s certificate to verify the signature of the challenge.
13
FIT3105 - Security and Identity Management13 Smart card benefits as personal cryptographic token (e.g) Smart cards can be used as mobile personal cryptographic token. Smart cards can be used as mobile personal cryptographic token. –Mobile user access, especially for accessing home network from anywhere (user name and password are not good enough, they can be stolen). The smart cards can carry many one time passwords and other information for authentication such as unique secret key or digital signature.
14
FIT3105 - Security and Identity Management14 Smart cards: E-business benefits (e.g) Smart cards can be used as mobile personal cryptographic token. Smart cards can be used as mobile personal cryptographic token. –For e-business: to secure individual transactions smart cards can be used to enhance the security. Non-repudiation can be achieved using the signature of the user. The digital signature is generated on the user’s smart card, and users’ smart cards are protected by passwords or biometrics.
15
FIT3105 - Security and Identity Management15 Smart cards and identification Smart cards can be used to store unique personal information for identifying an individual Smart cards can be used to store unique personal information for identifying an individual –Dental record or DNA information (more memory is needed though) –Personal details such as name, address, photo, etc. –Digital signature and cryptographic keys (already prototyped and used in some organisations) –Biometric data (finger print has been integrated with smart cards) –Universal information based on the card information and personal details (being developed for international e-business).
16
FIT3105 - Security and Identity Management16 Smart cards: security challenges Smart cards are vulnerable to serious attacks to cryptosystem on the cards. This is because limitations of the hardware, OS of smart cards, and the light weight cryptographic algorithms. Smart cards are vulnerable to serious attacks to cryptosystem on the cards. This is because limitations of the hardware, OS of smart cards, and the light weight cryptographic algorithms. –It is not efficient with strong crypto algorithms because of the hardware and software limitation. Wireless smart cards are as vulnerable as wireless communications. Wireless smart cards are as vulnerable as wireless communications. Software applications written for smart cards have limitations and therefore vulnerable to attacks (mini versions of programming languages and libraries are used in developing applications and therefore more security problems are introduced). Software applications written for smart cards have limitations and therefore vulnerable to attacks (mini versions of programming languages and libraries are used in developing applications and therefore more security problems are introduced).
17
FIT3105 - Security and Identity Management17 Smart cards: security challenges It is more difficult to securely software applications for smart cards. It is more difficult to securely software applications for smart cards. –How can developers create secure software when they have much smaller libraries? There is no standard for smart cards and therefore most applications for smart cards are not portable. There is no standard for smart cards and therefore most applications for smart cards are not portable. –Smart cards OS is not like Unix OS and there has been no free smart card OS available for several different smart cards. Using PIN number to access the card is not secure enough. Using PIN number to access the card is not secure enough. –Many cheaper smart cards still rely of this for accessing smart cards.
18
FIT3105 - Security and Identity Management18 Conclusion Smart cards and their applications are becoming popular for authentication and identification. Smart cards and their applications are becoming popular for authentication and identification. Cryptographic algorithms on smart cards can be improved by lighter and more secure ciphers such as ECC. Cryptographic algorithms on smart cards can be improved by lighter and more secure ciphers such as ECC. Smart cards can be used together with the other authentication methods to enhance the security. Smart cards can be used together with the other authentication methods to enhance the security. Smart cards can also be implemented with biotechnologies to provide strong authentication. Smart cards can also be implemented with biotechnologies to provide strong authentication.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.