Security's Once and Future King
Slides of the Google TechTalk. See the talk here: http://youtube.com/watch?v=0L5tydvxNM0

Presentation Transcript

  • Security’s Once and Future King: Smart Cards for Web 2.0
    Kapil Sachdeva, Software Technologist, Technology & Innovation, Gemalto, Austin
  • Smart Card : The Hardware
    • Integrated Circuit Card (ICC)
    • Micro processor (8,16,32-bit)
    • Non-volatile memory (EEPROM, Flash)
    • Volatile memory (RAM)
    • Read only memory (ROM, FLASH)
    (Figure: card cross-section showing plastic card, contact pad, gold wiring, epoxy fill and the secure chip with CPU, crypto coprocessor, RAM and NVM; ROM holds the operating system, EEPROM holds application memory)
  • Smart Card : The Security Device
    • Tamper resistant
    • Cryptography
      • RSA, AES, 3DES, ECC, SHA-1, MD5, etc.
    • Security Evaluation – FIPS, Common Criteria
    • Domain-specific knowledge and an attack-aware design approach keep smart card technology current with respect to security
  • Smart Card : The Comm. Protocol
    • ISO 7816-3
      • APDU : Application Protocol Data Unit
    • Master/slave: the host sends a command APDU, the card only ever answers with a response APDU
    • Synchronous communication
    • Transport protocol overloaded as the application protocol
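The APDU structure behind the bullets above, as an added example that is not part of the talk: a builder and parser for ISO 7816-4 command and response APDUs plus a status-word decoder. It is fed the two command strings the talk's SConnect demo sends later (the SELECT by AID and the OTP request). Short APDUs only (one-byte Lc/Le), which is all the talk's samples use; the status-word table is a small hand-picked subset.

```javascript
// Added example (not from the talk): build and parse ISO 7816-4 APDUs and
// decode the status word, using the two command strings from the SConnect
// demo later in the talk. Short APDUs only (one-byte Lc/Le).

function hexToBytes(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) throw new Error("bad hex: " + hex);
  const out = [];
  for (let i = 0; i < hex.length; i += 2) out.push(parseInt(hex.slice(i, i + 2), 16));
  return out;
}

function bytesToHex(bytes) {
  return bytes.map((b) => b.toString(16).toUpperCase().padStart(2, "0")).join("");
}

// Command APDU: CLA INS P1 P2 [Lc Data] [Le]
function buildCommand({ cla, ins, p1, p2, data = [], le = null }) {
  if (data.length > 255) throw new Error("short APDU: Lc must be <= 255");
  const apdu = [cla, ins, p1, p2];
  if (data.length > 0) apdu.push(data.length, ...data);
  if (le !== null) apdu.push(le & 0xff); // Le = 0x00 means "up to 256 bytes"
  return bytesToHex(apdu);
}

// The four ISO 7816-4 command cases are told apart purely by body length.
function parseCommand(hex) {
  const b = hexToBytes(hex);
  if (b.length < 4) throw new Error("command APDU needs at least CLA INS P1 P2");
  const cmd = { cla: b[0], ins: b[1], p1: b[2], p2: b[3], data: [], le: null };
  const body = b.slice(4);
  if (body.length === 0) return cmd;                        // case 1: no data, no Le
  if (body.length === 1) { cmd.le = body[0]; return cmd; }  // case 2: Le only
  const lc = body[0];
  if (body.length === 1 + lc) {                             // case 3: Lc + data
    cmd.data = body.slice(1);
    return cmd;
  }
  if (body.length === 2 + lc) {                             // case 4: Lc + data + Le
    cmd.data = body.slice(1, 1 + lc);
    cmd.le = body[1 + lc];
    return cmd;
  }
  throw new Error("Lc does not match body length");         // malformed: reject, never guess
}

// Response APDU: [Data] SW1 SW2
const SW_TEXT = {
  "9000": "OK",
  "6A82": "file or application not found",
  "6A86": "incorrect P1/P2",
  "6D00": "INS not supported",
  "6E00": "CLA not supported",
  "6982": "security status not satisfied",
  "6983": "authentication method blocked",
};

function parseResponse(hex) {
  const b = hexToBytes(hex);
  if (b.length < 2) throw new Error("response APDU needs SW1 SW2");
  const sw1 = b[b.length - 2];
  const sw2 = b[b.length - 1];
  const sw = bytesToHex([sw1, sw2]);
  let text = SW_TEXT[sw];
  if (!text && sw1 === 0x61) text = sw2 + " more response bytes available (GET RESPONSE)";
  if (!text && sw1 === 0x6c) text = "wrong Le, retry with Le=" + sw2;
  if (!text && sw1 === 0x63 && (sw2 & 0xf0) === 0xc0) text = (sw2 & 0x0f) + " retries left";
  return { data: b.slice(0, -2), sw, ok: sw === "9000", text: text || "unknown" };
}

// The talk's SELECT by AID (00 A4 04 00) and its OTP request, decoded.
function decodeTalkSamples() {
  return {
    select: parseCommand("00A4040007A0000000020302"),
    getOtp: parseCommand("002100000106"),
  };
}
```

Because the transport protocol doubles as the application protocol (the last bullet above), every host-side check lives in this layer: a script that does not look at SW1 SW2 cannot tell "no such applet" from a successful call.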
  • Smart Card : The Form Factors
    • SIM
    • Credit Card
    • USB tokens
    • Electronic Documents
  • Smart Card : The Business Verticals
    (Chart: 2007 shipment estimates by vertical, 300 million, 20 million, 2600 million and 500 million units; source: EUROSMART)
  • Smart Card : The Infrastructure
    (Diagram: ICC-aware and smart-card-aware applications sit on the PC/SC Resource Manager via the PC/SC RM interface; the Resource Manager drives one IFD Handler per reader via the PC/SC IFD Handler interface; each IFD Handler uses a reader driver (USB CCID class) to talk to the smart card reader (IFD) and the smart card in it)
  • Smart Card : The History
    • 1983 : Commercial chip card for Pay Phones
    • 1991 : SIM card
    • 1992 : Commercial debit card
    • 1997 : Java Card
    • 2002 : .NET Smart Card
  • JavaCard : A Revolution
  • JavaCard: The revolutionary Smart Card
    • Programmable Smart Card
    • ‘Write once, run anywhere’ mantra with pragmatism
    • Platform openness rocks
    Anecdote: The first Java Card prototype used an 8-bit processor, 26K of ROM, 400 bytes of RAM & 1KB of EEPROM. Today smart cards have 32-bit chips, 16KB of RAM, 512KB of ROM/Flash
  • JavaCard Virtual Machine & Runtime
    • Pragmatic subset of functionality (data types, features)
    • Some specialized bytecodes
    • Special treatment of static fields
    • The JC virtual machine never terminates: it runs for the life of the card
    • Persistent memory model – objects live in EEPROM
    • Transaction management
    • Firewall between applications
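Why the persistent memory model and transaction management above go together, as an added example that is not the talk's or Java Card's own code: a simulated persistent store with Java Card-style begin/commit/abort, and a wallet debit that updates two persistent fields. A card can lose power ("tearing") between the two writes; the scenario runner shows the state the card is left in with and without a transaction. The store, the Tear error and the scenario are constructed here; on a real card the calls are JCSystem.beginTransaction(), commitTransaction() and abortTransaction(), and the rollback on the next reset is done by the runtime.

```javascript
// Added example (not from the talk): Java Card-style transactions over a
// simulated persistent store, showing why a two-field update must be atomic.

class PersistentStore {
  constructor() { this.nvm = new Map(); this.journal = null; }
  read(k) { return this.nvm.get(k); }
  write(k, v) {
    // Inside a transaction, remember the old value once so it can be restored.
    if (this.journal && !this.journal.has(k)) this.journal.set(k, this.nvm.get(k));
    this.nvm.set(k, v);
  }
  beginTransaction() {
    if (this.journal) throw new Error("nested transaction");
    this.journal = new Map();
  }
  commitTransaction() { this.journal = null; }
  abortTransaction() {
    for (const [k, v] of this.journal) this.nvm.set(k, v);
    this.journal = null;
  }
  // Card reset after a power loss: an uncommitted transaction is rolled back,
  // which is what the Java Card runtime does for the applet.
  reset() { if (this.journal) this.abortTransaction(); }
}

class Tear extends Error {}

// debit touches two persistent fields. A tear between the writes leaves a
// decremented balance with no matching debit recorded, unless it is atomic.
function debit(store, amount, { atomic, tearAfterFirstWrite = false }) {
  const balance = store.read("balance");
  if (amount <= 0 || amount > balance) throw new Error("invalid amount");
  if (atomic) store.beginTransaction();
  try {
    store.write("balance", balance - amount);
    if (tearAfterFirstWrite) throw new Tear("power lost");     // simulated tear
    store.write("debitCount", store.read("debitCount") + 1);
    if (atomic) store.commitTransaction();
  } catch (e) {
    if (e instanceof Tear) { store.reset(); return "torn"; }   // what the next power-up sees
    if (atomic) store.abortTransaction();
    throw e;
  }
  return "ok";
}

function makeCard() {
  const s = new PersistentStore();
  s.write("balance", 100);   // constructed starting state
  s.write("debitCount", 0);
  return s;
}

// One clean debit, then one torn debit; report what persisted.
function runScenario(atomic) {
  const card = makeCard();
  debit(card, 30, { atomic });
  const result = debit(card, 30, { atomic, tearAfterFirstWrite: true });
  return { result, balance: card.read("balance"), debitCount: card.read("debitCount") };
}
```

Without the transaction the torn card ends with balance 40 and one recorded debit; with it the second debit is undone as a unit, leaving balance 70 and the same single record. The applet firewall (last bullet above) is separate: it stops another applet from reaching these objects at all.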
  • A JavaCard toy Application
    package com.gemalto.wallet;

    import javacard.framework.*;

    public class MyWallet extends Applet {
      // Called once by the runtime when the applet is loaded onto the card
      public static void install(byte[] bArray, short bOffset, byte bLength) {
        new MyWallet().register();
      }
      public boolean select() { return true; }
      public void debit(byte[] buff) { ... }
      public void credit(byte[] buff) { ... }
      // Called for every command APDU addressed to the selected applet
      public void process(APDU apdu) {
        byte[] buff = apdu.getBuffer();
        // CLA and INS are read together as one short and dispatched on
        switch (Util.getShort(buff, (short) 0)) {
          case INS_WALLET_DEBIT:  debit(buff);  break;
          case INS_WALLET_CREDIT: credit(buff); break;
          default: ISOException.throwIt(INVALID_INS);
        }
      }
    }
  • JavaCard : Some misses
    • Provides a shim over the operating system's communication layer, but still mixes the transport and application protocol
    • Object based data store without any of the capabilities of Persistent Stores
      • Application update problematic
  • .NET Card : An Innovation
  • .NET Card: The evolutionary Smart Card
    • Remoting as the communication paradigm from get go
      • Do not expose the communication protocol
    • User programmable access to File System
      • Separation of application and data
    • Use metadata to address domain specific requirements
      • Transactions, Security, Legacy-support
    • Geek bonus points –
      • Visual Studio.NET integration
      • Richer type Support (primitives, strings, etc)
      • Exact GC
      • XML Parsing
      • Serialization
      • Strong-name signing
  • A .NET Card toy Application
    namespace MyCompany {
      public class MyWallet : MarshalByRefObject {
        [Transaction]
        public void Debit(int amount) { }
        [Transaction]
        public void Credit(int amount) { }

        public static void Main(string[] args) {
          // Expose the wallet object over the APDU channel via remoting
          ChannelServices.RegisterChannel(new APDUServerChannel());
          RemotingServices.Marshal(new MyWallet(), "Wallet.uri");
        }
      }
    }
  • Smart Card : The Applications
    • Authentication
    • Digital signature & encryption
    • Secure storage
    • All of the above (manage/enforce a policy)
    • Sophisticated ice scratching device
  • Fitting in the client crypto architecture
    • CAPI : Windows (native)
    • CDSA : Mac OS X (native)
    • PKCS#11 : Windows, Linux, Mac OS X
    • Outlook, Thunderbird, Adobe Writer, PGP Clients, VPN Clients, Browsers
  • A Quick Recap
  • Smart Card : The Client Infrastructure
    (Diagram: the infrastructure stack from the earlier slide, applications over the PC/SC Resource Manager, IFD Handlers, reader drivers, readers and cards, with a middleware layer of Service Providers between the applications and the Resource Manager, reached through Service Provider Interfaces)
  • The Web
  • Ubiquity is key for Web applications
  • Smart Cards and the Web: Classical
    • To access Smart Card capabilities
    • On the User’s computer
      • Internet Explorer : card-specific CSP impl.
      • Firefox : card specific PKCS#11 impl.
      • Safari : card-specific tokend
    • On the Server
      • Different server/client scripts to handle browser & crypto stack differences (Herculean!)
  • In other words: break the ubiquity of the web and lose the mobility of smart cards
  • Principle of Psychological Acceptability (Saltzer and Schroeder): "A security mechanism should not make accessing a resource, or taking some action, more difficult than it would be if the security mechanism were not present."
  • DEMO: Let me show you what I mean
  • Web 2.0
  • (Word cloud: Blogs, AJAX, Phishing, E-gov, Theft, Web Services, XML, SOAP, RSS, Flickr, Google Maps, REST, Social Networking)
  • XMLHttpRequest: a platform and application agnostic connectivity bridge that lets JavaScript in a web page communicate with the server
  • If I have seen further it is by standing on the shoulders of Giants - Isaac Newton
  • SConnect: a platform and application agnostic connectivity bridge that lets JavaScript in a web page communicate with a smart card
    • Connectivity plumbing that works with classical smart cards
    • Digitally signed browser extension enabling scripts embedded in a web page to access the PC/SC channel on client machine
    • A toolkit for developing Smart card Aware Web Applications (SAWA)
    • Ubiquitous – all relevant OS/browser combinations
    • Lightweight – 15 second download and install
  • A few lines of JavaScript…
    <html>
    <head>
    <script src="http://www.sconnect.com/scripts/sconnect.js" language="javascript"></script>
    <script language="javascript">
    var _otp;
    function getOtp() {
      var scom = new SConnect.PCSC();
      var readersWithCards = scom.listReaders(true);
      // if more than one reader, employ some discovery mechanism; here the first one is taken
      var idx = 0;
      scom.connect(readersWithCards[idx]);
      // SELECT the OTP applet by AID, then ask it for an OTP
      var response = scom.exchange("00A4040007A0000000020302");
      if (response == "9000") {
        _otp = scom.exchange("002100000106");
      }
      scom.dispose();
      // put the _otp value in text box
    }
    </script>
    </head>
    <body>
    <label>Press the button to get the OTP</label>
    <input type="button" value="click me" onclick="getOtp(); submit();"/>
    </body>
    </html>
  • Fewer lines of JavaScript…
    <html>
    <head>
    <script src="http://www.sconnect.com/scripts/sconnect.js" language="javascript"></script>
    <script src="http://www.sconnect.com/scripts/marshaller.js" language="javascript"></script>
    <script src="oath_stub.js" language="javascript"></script>
    <script language="javascript">
    var _otp;
    function getOtp() {
      // remoting stub for the card-side OATH service; the APDU exchange is hidden inside it
      var oathApp = new Samples.OATHApp("selfdiscover", 0, "OATHService.uri");
      _otp = oathApp.get_OTP();
      // put the value of _otp in text box
    }
    </script>
    </head>
    <body>
    <label>Press the button to get the OTP</label>
    <input type="button" value="click me" onclick="getOtp(); submit();"/>
    </body>
    </html>
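The SELECT-then-GET-OTP exchange from the two snippets above, as an added example that is not the talk's or SConnect's code, run against a simulated card so that both sides of the exchange can be followed offline. Two checks a practitioner would want that the slide's raw-APDU version skips are included on the host side: the status word of the OTP response is checked and stripped before the data is used as the OTP (the slide stores the whole response, status word included, in _otp), and a non-9000 SELECT is reported rather than silently leaving _otp unset. A third point is outside the code: the slide loads sconnect.js over plain http://, so any on-path attacker can replace the bridge script that talks to the card. The applet AID A0000000020302 and INS 0x21 are taken from the slide's APDU strings; the card's behaviour, the treatment of the data byte 0x06 as an OTP digit count and the OTP values are all constructed for this example.

```javascript
// Added example (not from the talk or SConnect): the slide's OTP exchange
// against a simulated card, with status words checked on the host side.

function hex(bytes) { return bytes.map((b) => b.toString(16).toUpperCase().padStart(2, "0")).join(""); }
function unhex(s) { return (s.match(/../g) || []).map((h) => parseInt(h, 16)); }

// Card side: one applet behind AID A0000000020302 that hands out OTPs.
function makeSimulatedCard() {
  const AID = "A0000000020302";
  // Constructed sample OTPs; a real OATH token derives them from a key and counter.
  const otps = ["482917", "119034", "775201"];
  let selected = false;
  let next = 0;
  return {
    exchange(cmdHex) {
      const b = unhex(cmdHex);
      const [cla, ins, p1] = b;
      const lc = b.length > 4 ? b[4] : 0;
      const data = hex(b.slice(5, 5 + lc));
      if (cla !== 0x00) return "6E00";              // CLA not supported
      if (ins === 0xa4) {                           // SELECT
        if (p1 !== 0x04) return "6A86";             // only "select by AID" is implemented
        selected = data === AID;
        return selected ? "9000" : "6A82";          // 6A82: application not found
      }
      if (!selected) return "6985";                 // conditions of use not satisfied
      if (ins === 0x21) {                           // GET OTP (INS from the slide)
        if (data !== "06") return "6A80";           // assumption: data byte = digit count
        if (next >= otps.length) return "6983";     // nothing left to hand out: report blocked
        const otp = otps[next++];                   // each OTP is handed out exactly once
        return hex([...otp].map((c) => c.charCodeAt(0))) + "9000";
      }
      return "6D00";                                // INS not supported
    },
  };
}

// Host side, in the shape of the slide's getOtp() but with every status word
// checked and the SW stripped off before the data is treated as the OTP.
function getOtp(channel) {
  const sel = channel.exchange("00A4040007A0000000020302");
  if (sel.slice(-4) !== "9000") throw new Error("SELECT failed, SW=" + sel.slice(-4));
  const resp = channel.exchange("002100000106");
  const sw = resp.slice(-4);
  if (sw !== "9000") throw new Error("GET OTP failed, SW=" + sw);
  return String.fromCharCode(...unhex(resp.slice(0, -4)));
}
```

With SConnect the `channel` argument would be the `SConnect.PCSC` object from the slide, since its exchange() takes and returns the same hex strings; the simulated card exists only so the failure paths (no applet, OTP requested before SELECT, card exhausted) can be exercised without hardware.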
  • DEMO: Device Administration Service
    • Lightweight device management
    • Routine security tasks performed in a cross browser, cross-platform setting
  • DEMO: Two-factor auth. for Web Apps
    • MeHuNa: A fictional identity & security savvy company using cloud computing
    • MeHuNa uses Google Apps(!) as its office back-end
    • Employees must use strong authentication for audit & security compliance purposes
    • Employees get an OpenID for their personal use
  • Begin at the beginning and go on till you come to the end: then stop. Thank You