BU Now is an independent college blog/newsite that celebrates its 2nd year in April 2010. This presentation at College Media Advisors 2010 Convention in New York City in March 2010 summarizes BU Now's progress while addressing challenges from academic department, communication faculty and campus media.
Smart Cards & Devices Forum 2013 - Mobile financial servicesOKsystem
This document discusses mobile financial services and payments. It begins by outlining different types of mobile payments like in-shop, online, P2P, loyalty programs, and ticketing. It then discusses three emerging models for point of sale mobile payments: in the device, in the cloud, and hybrid approaches. Several companies adopting each model are described like PayPal, Google Wallet, and Square. The document also discusses new related services like offers, discounts, and social aspects. Finally, it provides an overview of Bitcoin, how the blockchain works, mining incentives, and challenges.
BU Now is an independent college blog/newsite that celebrates its 2nd year in April 2010. This presentation at College Media Advisors 2010 Convention in New York City in March 2010 summarizes BU Now's progress while addressing challenges from academic department, communication faculty and campus media.
Smart Cards & Devices Forum 2013 - Mobile financial servicesOKsystem
This document discusses mobile financial services and payments. It begins by outlining different types of mobile payments like in-shop, online, P2P, loyalty programs, and ticketing. It then discusses three emerging models for point of sale mobile payments: in the device, in the cloud, and hybrid approaches. Several companies adopting each model are described like PayPal, Google Wallet, and Square. The document also discusses new related services like offers, discounts, and social aspects. Finally, it provides an overview of Bitcoin, how the blockchain works, mining incentives, and challenges.
Smart Cards & Devices Forum 2013 - Cards going mobileOKsystem
Mobile payments are evolving in three key ways: 1) the role of mobile is expanding as phones and devices replace plastic cards; 2) implementation requires educating cardholders and merchants on new contactless and digital payment options; 3) convergence is occurring as payments integrate with other services in virtual wallets across devices. MasterCard is leading this change by enabling mobile wallets and partnerships to increase adoption through convenience and choice for consumers.
This document introduces Gemalto and their solution called Armored Office. It discusses how static passwords are no longer enough for security and compliance with regulations. Armored Office provides a solution for strong authentication and encryption to securely access networks and data from any device. It offers a single credential to log in to endpoints, access networks remotely, and encrypt files/emails. The target market is security-sensitive organizations for executives and users with access to sensitive information. It aims to protect data and enable secure access from any device while meeting compliance requirements.
Smart Cards & Devices Forum 2013 - Security on mobileOKsystem
The document discusses how mobile devices can be leveraged for strong identity authentication in a more convenient, secure, and cost-effective way than traditional authentication methods. It analyzes traditional authenticators like passwords, hardware and paper tokens, biometrics, smart cards, and PKI certificates. It then outlines how mobile devices, which are always with users and connected, can be provisioned with additional authenticators and used for multi-factor authentication for a variety of identity use cases including physical and logical access, VPN access, and cloud applications. The conclusion is that mobile represents the next generation of identity and authentication should leverage its capabilities.
Smart Cards & Devices Forum 2013 - Wi-fi protected setupOKsystem
The document summarizes Wi-Fi Protected Setup (WPS) and discusses vulnerabilities in its use of a static PIN for device authentication. It describes how WPS and similar Bluetooth protocols use bit commitment and splitting the PIN to enable mutual authentication, but how this opens them to online and offline brute force attacks. It then proposes a "Swamp Walk" approach for the access point to transition to after initial connection attempts to restore security by reintroducing exponential complexity to the PIN cracking problem.
Smart Cards & Devices Forum 2013 - [NFC@Telefonica CZ] Near Future CasesOKsystem
Telefónica Czech Republic has been a leader in NFC adoption, being the first to launch NFC-enabled transport payments in 2009 and merchant payments in 2013. They see the NFC SIM card as uniquely positioned to serve as a "one card to rule them all" for various use cases like payments, transportation, loyalty programs, IDs and access control due to its online and multi-application capabilities. Telefónica is developing a "SIM.me" identity service that stores personal information and credentials on the SIM, enabling it to securely authenticate users for remote services and authorize transactions like document signing through a mobile device.
Smart Card and Strong Cryptography for instant securityOKsystem
- OKsystem is a Prague-based software company with over 200 employees that provides cryptography and smart card solutions.
- They offer products like BABEL for encrypted messaging, OKsmart for smart card usage, and OKbase for key management, certificate management, and card management.
- Their solutions provide strong encryption using proven algorithms like AES and Diffie-Hellman to securely transmit and store encrypted messages and keys.
Smart Cards & Devices Forum 2013 - Cards going mobileOKsystem
Mobile payments are evolving in three key ways: 1) the role of mobile is expanding as phones and devices replace plastic cards; 2) implementation requires educating cardholders and merchants on new contactless and digital payment options; 3) convergence is occurring as payments integrate with other services in virtual wallets across devices. MasterCard is leading this change by enabling mobile wallets and partnerships to increase adoption through convenience and choice for consumers.
This document introduces Gemalto and their solution called Armored Office. It discusses how static passwords are no longer enough for security and compliance with regulations. Armored Office provides a solution for strong authentication and encryption to securely access networks and data from any device. It offers a single credential to log in to endpoints, access networks remotely, and encrypt files/emails. The target market is security-sensitive organizations for executives and users with access to sensitive information. It aims to protect data and enable secure access from any device while meeting compliance requirements.
Smart Cards & Devices Forum 2013 - Security on mobileOKsystem
The document discusses how mobile devices can be leveraged for strong identity authentication in a more convenient, secure, and cost-effective way than traditional authentication methods. It analyzes traditional authenticators like passwords, hardware and paper tokens, biometrics, smart cards, and PKI certificates. It then outlines how mobile devices, which are always with users and connected, can be provisioned with additional authenticators and used for multi-factor authentication for a variety of identity use cases including physical and logical access, VPN access, and cloud applications. The conclusion is that mobile represents the next generation of identity and authentication should leverage its capabilities.
Smart Cards & Devices Forum 2013 - Wi-fi protected setupOKsystem
The document summarizes Wi-Fi Protected Setup (WPS) and discusses vulnerabilities in its use of a static PIN for device authentication. It describes how WPS and similar Bluetooth protocols use bit commitment and splitting the PIN to enable mutual authentication, but how this opens them to online and offline brute force attacks. It then proposes a "Swamp Walk" approach for the access point to transition to after initial connection attempts to restore security by reintroducing exponential complexity to the PIN cracking problem.
Smart Cards & Devices Forum 2013 - [NFC@Telefonica CZ] Near Future CasesOKsystem
Telefónica Czech Republic has been a leader in NFC adoption, being the first to launch NFC-enabled transport payments in 2009 and merchant payments in 2013. They see the NFC SIM card as uniquely positioned to serve as a "one card to rule them all" for various use cases like payments, transportation, loyalty programs, IDs and access control due to its online and multi-application capabilities. Telefónica is developing a "SIM.me" identity service that stores personal information and credentials on the SIM, enabling it to securely authenticate users for remote services and authorize transactions like document signing through a mobile device.
Smart Card and Strong Cryptography for instant securityOKsystem
- OKsystem is a Prague-based software company with over 200 employees that provides cryptography and smart card solutions.
- They offer products like BABEL for encrypted messaging, OKsmart for smart card usage, and OKbase for key management, certificate management, and card management.
- Their solutions provide strong encryption using proven algorithms like AES and Diffie-Hellman to securely transmit and store encrypted messages and keys.
BI Forum 2012 - Oracle Exalytics zrychluje českou veřejnou správu
SmartCard Forum 2011 - Důkazy s nulovou znalostí
1. Důkazy s nulovou znalostí
aneb jak prokázat svou identitu a nic při tom nevyzradit
Martin Primas
manažer informační bezpečnosti
Praha, 19.5.2011
Spojujeme software, technologie a služby
4. Co je to autentizace
Autentizace je proces ověření identity mezi Dokazovatelem – P
(Prover - nejčastěji uživatel) a Ověřovatelem – V (Verifier - například
informační systém)
Spočívá v důkazu, že Dokazovatel je držitelem
předmětu (např.: občanský průkaz, kryptografický token),
informace (např.: heslo, klíč),
biometrické vlastnosti (např.: otisk prstu, obraz sítnice) nebo
o které Ověřovatel ví, že je bezpečně spojena s dokazovanou identitou.
Velmi starý proces, podle biometriky rozeznávají identitu i zvířata.
Omezíme se na případ, kdy je P držitelem tajné informace -
tajemství.
4
5. Vlastnosti a použití autentizace
Proces autentizace musí mít následující vlastnosti:
úplnost – pravděpodobnost odmítnutí pravé identity P je zanedbatelná
spolehlivost – pravděpodobnost přijetí falešné identity P je zanedbatelná
(Jak moc musí být daná metoda úplná a spolehlivá závisí na konkrétním použití.)
Dokazovatel musí držet tajemství v utajení.
Tajemství je v autentizačním protokolu to jediné, co odděluje
dokazovatele od ostatních. V případě, že se tajná informace vyzradí,
může se za dokazovatele vydávat někdo jiný.
V některých případech nastává problém, pokud o tajemství uniká
informace již během procesu autentizace.
Problém autentizačních mechanismů: tajemství se musí při
autentizaci použít, nesmí se ale vyzradit.
5
6. Nulová znalost?
Klasické příklady autentizace:
Jméno a heslo. Heslo je chráněno šifrováním.
Využití asymetrické kryptografie, například RSA.
Ani v jednom případě není během autentizace pod kontrolou unikající znalost o tajemství.
Abychom měli pod kontrolou množství informace, které o tajemství během
autentizačního protokolu uniká, byly navrženy důkazy s nulovou znalostí, které
zaručují, že v rámci protokolu o tajemství neuniká informace žádná.
Při důkazu s nulovou znalostí se o tajemství nedozví žádnou informaci ani
ověřovatel a to ani po libovolném opakování protokolu.
Zjednodušeně má autentizace vlastnost nulové znalosti, pokud vše co může být
spočteno po autentizaci z komunikace s P, může být spočteno také bez této
komunikace.
6
8. Ali Baba v jeskyni – popis
P přesvědčuje V, že zná tajemství jak projít jeskyní. Budeme opakovat t-krát následující:
1. 2. 3.
Nastane jedna z možností:
V - čeká před jeskyní P – dojde ke dveřím uvnitř jeskyně P – vyjde stejnou cestou
P - vybere náhodně cestu V – poté vybere náhodně cestu návratu P P – cesty se liší, použije tajemství
k otevření dveří
Pokud P vždy splní požadavek V, V uvěří identitě P.
8
14. Ohta-Okamoto - Běh protokolu
t-krát opakuj:
P - Dokazovatel V – Ověřovatel
1.
Obdrží X
2.
3.
Obdrží Y
4.
V uvěří P jeho identitu, pokud přijme Y ve všech t iteracích
14
17. ZK-SSH implementace pro OpenSSH
Využívá pro autentizaci výše popsaný algoritmus Ohta-
Okamoto, který je důkazem s nulovou znalostí. Ohta-
Okamoto je použit s paramtery: L=4, k=10, t=4. Délka
modulu N je doporučováná 2048 bitů.
Používání ZK-SSH se uživateli jeví stejně jako používání
SSH se standardní autentizací založenou na RSA.
Kódy ke stažení na http://zk-ssh.cms.ac
17
18. Závěr
Důkazy s nulovou znalostí jsou stále přednášeny hlavně na
teoretické úrovni, ačkoliv je možné je již dnes využívat v praxi.
Existují technické návrhy pro používání důkazů s nulovou znalostí
například na čipových kartách.
Důkazy s nulovou znalostí jsou dlouhodobě zakotveny také ve
standardech, například v ISO/IEC 9798-5.
Proč tedy nejsou v praxi více používány?
Domnívám se, že je to způsobeno především setrvačností a tím, že nás
nic nenutí na tyto techniky přecházet.
Měli bychom, podle mého názoru, uvažovat o důkazech s nulovou
znalostí alespoň při implementaci nových systémů .
18
19. Mgr. Martin Primas
manažer informační bezpečnosti
OKsystem s.r.o.
Na Pankráci 125, 140 21 Praha 4
www.oksystem.cz
primas@oksystem.cz
Otázky?
Děkuji za pozornost
19
20. Zdroje
M. Burmester, Y. Desmedt, T. Beth; Efficient Zero-Knowledge Identification Schemes for Smart Cards;
THE COMPUTER JOURNAL, VOL. 35, NO. 1, 1992
Andreas Gaupmann, Christian Schausberger, Ulrich Zehl; Documentation of the zk-ssh Project, 2005
Goldreich O.: Foundations of Cryptography Volume I Basic Tools, Cambridge University Press,
Cambridge, 2003.
Jean-Jacques Quisquater, Myriam Quisquater, Muriel Quisquater, Michaël Quisquater and Louis Guillou,
et al.; How to Explain Zero-Knowledge Protocols to Your Children; Advances in Cryptology - CRYPT0
‘89, LNCS 435, pp. 628-631, 1990.
Kazuo Ohta and Tatsuaki Okamoto, A modification of the Fiat-Shamir scheme, Advances in Cryptology –
Crypto 1988 (Shafi Goldwasser, ed.), Lecture Notes in Computer Science, vol. 403, Springer, 1988, pp.
232–243.
ISO/IEC 9798-5:1999
ZK-SSH; A Zero Knowledge Implementation for OpenSSH; http://zk-ssh.cms.ac, 2005.
20