Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication Beyond Authentication - an e-banking and e-government perspective - Sean Michael Wykes CTO - Nascent Technology Consultants

Published byAlexandra Kristina Welch Modified over 9 years ago

Similar presentations

Presentation on theme: "Authentication Beyond Authentication - an e-banking and e-government perspective - Sean Michael Wykes CTO - Nascent Technology Consultants"— Presentation transcript:

1 Authentication Beyond Authentication - an e-banking and e-government perspective - Sean Michael Wykes CTO - Nascent Technology Consultants sean.wykes@nascent.com.br and representing Banrisul S.A. Banco do Estado do Rio Grande do Sul

2 Trusted EnvironmentBrowserServer Base Architecture: Web-Crypto with HW Token Web-Crypto API Cryptographic Primitives Protected Key Storage Cryptographic Services Cryptographic Token (hard/soft) Authentication Token Driver Web Services Web-App (HTML,JS,CSS) DO WE NEED MORE THAN THIS ?

3 Trusted EnvironmentBrowserServer Base Architecture : Web-Crypto with HW Token Web Services Web-App (HTML,JS,CSS) Web-Crypto API Cryptographic Primitives Protected Key Storage Cryptographic Services Cryptographic Token (hard/soft) Authentication Crypto Driver 1. Existing or new Standard? PKCS#11 ? MS-CryptoAPI ? APDU ? USB ? FIDO ? JCA ? CCA? W3C? ???? 2.Is Low Level Access Secure? 3. No Trusted UI?

4 Authentication can mean different things PIN / Password / Biometrics (human->computer) Strong Authentication (computer->computer) Static / Offline Dynamic / Online No Context (or very little…) Contextual Information Cryptographically– bound Data or Semantics Document-based Digital Signatures (sign this) Transaction-based Digital Signatures (sign to …) - Security + - Context + 2F or MatchOnCard WYSIWYS

5 Brazil: Digital Signature Use Cases e-Governmente-Corporatione-Banking Federal and Local Gov. Services “ICP-Brasil” Offline or Browser-based LoginDoc Signatures TLS client-auth Tax and Invoice Systems, Legal System, Central Bank, President and Congress, Student Cards Legally Binding Contracts Smart Employee Identity Cards Banrisul S.A. Browser-based (java-applets) LoginDoc Signatures TLS or Kerberos client-auth PC & Network Access, Intranet Portal Login, Restricted and Supervisory Functions Agree, Accept, Understand Smart Internet + Payment Cards Banrisul S.A. Browser-based (java-applet) MITM/MITB Countermeasures Transaction Signatures E-Banking Portal Access, Confirmation of Monetary Transactions Funds Transfers, Bill Payments, Foreign Currency Approx. 15,000 Employees ZERO ONLINE FRAUD Approx. 5M Cards Average 5.6B USD / month ZERO ONLINE FRAUD Employee Identity Smart-Cards Banrisul S.A. 9M Certificates in 2014 Est. growth to 12-15M in 2015 Legally Binding Contracts Agree, Accept, Understand Funds Transfers, Bill Payments, Foreign Currency Legally Binding Contracts Agree, Accept, Understand Funds Transfers, Bill Payments, Foreign Currency Agree, Accept, Understand Legally Binding Contracts Funds Transfers, Bill Payments, Foreign Currency Agree, Accept, Understand Legally Binding Contracts Agree, Accept, Understand Funds Transfers, Bill Payments, Foreign Currency Legally Binding Contracts Agree, Accept, Understand Funds Transfers, Bill Payments, Foreign Currency Exchanges Agree, Accept, Understand

6 Banks have always been ‘easy’ targets, even more so since the advent of the Internet Problem: e-Banking Systems are Frequently Attacked PhishingTrojans and MalwareBanking Specific Phishing emails False links and sites False domain names … Key-loggers RATs (Remote Access Trojans) … DNS Poisoning (routers), BHO 2F (SMS/OTP/TAN) Interception MITM – Man In The Middle MITB – Man In The Browser Variants: ZEUS/SpyEye,… MITB : Man In The Browser Attack : example 1. Computer is compromised (Browser/DNS/net) 2. User accesses targetted url (bank) 3. MITM/MITB activated 4. Browser receives modified Javascript (+html) 5. User Authenticates => Credentials Captured 6. Transaction => 2F Captured (incl. m-TAN) 7. Attacker performs fraudulent transaction 8. Browser shows adjusted balance/statement

7 Banrisul’s Secure e-Banking Architecture TRUSTED UI Cryptographic Token Token Middleware Signer and Countermeasures Web-App (HTML,JS,CSS) Java AppletBrowserServer Web-Services Signature Verification and Countermeasures Secret Sauce Secret Sauce PC/SC Driver

8 Secure e-Banking – Going Forward 2014: Reduced browser support for Java Applets and NPAPI JAVA Applets Browser plug-in sandbox technology restricts access to native APIs such as PC/SC for Smart-card access X Cross-Platform functionality is MANDATORY >> Too many different platforms << Window, Linux, Mac x 32/64 Android, iOS, Windows Chrome, IE, Firefox, Safari, Webview A FLEXIBLE WEB-STANDARD for security-related functionality with a TRUSTED UI and “brokered” native access. Can we adapt WEB-TECHNOLOGIES such as HTML, CSS and Javascript ? WE NEED

9 Trusted EnvironmentBrowserServer TRUSTED UI Cryptographic Security Services Native Auth Web-Crypto API Cryptographic Primitives Protected Key Storage Cryptographic Services Cryptographic Token (hard/soft) Authentication Crypto Driver New Architecture: Web-Crypto with Secure Services Web Services Web-App (HTML,JS,CSS)

10 Trusted EnvironmentBrowserServer TRUSTED UI Cryptographic Security Services Native Auth Web-Crypto API Cryptographic Primitives Protected Key Storage Cryptographic Services Cryptographic Token (hard/soft) Authentication Crypto Driver New Architecture: Web-Crypto with Secure Services Web Services Web-App (HTML,JS,CSS) Programmable security-related functions such as FIDO client, document and transaction signatures. Security-fence, isolated from normal browser execution

11 Combine best ideas from: How? Initial implementation idea … WebWorker Isolated execution context with Message Passing Isolated visual context and separate DOM Signed JAR Signed Manifest contains hash of all HTML/CSS/JS used for “Trusted Execution” MIX AND SHAKE ++ New Tag

12 THANK YOU Sean Michael Wykes sean.wykes@nascent.com.br

Download ppt "Authentication Beyond Authentication - an e-banking and e-government perspective - Sean Michael Wykes CTO - Nascent Technology Consultants"

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
HQ in Israel Threat research, security operations center 24/7. In-depth understanding and insight into how cyber crime works. Over 10 million online identities.

HQ in Israel Threat research, security operations center 24/7. In-depth understanding and insight into how cyber crime works. Over 10 million online identities.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.

© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.
Extending ForeFront beyond the limit www.AGATSolutions.com TMGUAG ISAIAG AG Security Suite.

Extending ForeFront beyond the limit TMGUAG ISAIAG AG Security Suite.
1 Cypak core technology A new, cool and convenient way to identify your customers Combat fraud and keep your customer happy.

1 Cypak core technology A new, cool and convenient way to identify your customers Combat fraud and keep your customer happy.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Authentication & Kerberos

Authentication & Kerberos
Cryptography and Network Security Chapter 15 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 15 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.

Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
2003 1 Increased Security, while protecting Privacy ? True or False ? Christer Bergman, President and CEO, Precise Biometrics.

Increased Security, while protecting Privacy ? True or False ? Christer Bergman, President and CEO, Precise Biometrics.
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
SKS – Secure Key Store KeyGen2 –Token Provisioning Protocol Executive Level Presentation.

SKS – Secure Key Store KeyGen2 –Token Provisioning Protocol Executive Level Presentation.
E-Procurement: Digital Signatures and Role of Certifying Authorities Jagdeep S. Kochar CEO, (n)Code Solutions.

E-Procurement: Digital Signatures and Role of Certifying Authorities Jagdeep S. Kochar CEO, (n)Code Solutions.
User Managed Privacy Using Distributed Trust Privacy and Security Research Workshop Carnegie Mellon University May 29-30, 2002 Lark M. Allen / Wave Systems.

User Managed Privacy Using Distributed Trust Privacy and Security Research Workshop Carnegie Mellon University May 29-30, 2002 Lark M. Allen / Wave Systems.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.

Similar presentations

Ads by Google