Security's Once and Future King
Transcript of Security's Once and Future King
![Page 1: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/1.jpg)
Security’s Once and Future King
Smart Cards for Web 2.0
Kapil Sachdeva, Software Technologist, Technology & Innovation, Gemalto, Austin
![Page 2: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/2.jpg)
Smart Card : The Hardware
• Integrated Circuit Card (ICC)
• Micro processor (8, 16, 32-bit)
• Non-volatile memory (EEPROM, Flash)
• Volatile memory (RAM)
• Read only memory (ROM, Flash)
Figure: cross-section of the card (plastic card, contact pad, gold wiring, epoxy fill, secure chip) and the chip's block diagram: CPU, crypto coprocessor, ROM (operating system), RAM, NVM/EEPROM (application memory).
![Page 3: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/3.jpg)
Smart Card : The Security Device
• Tamper resistant
• Cryptography
  – RSA, AES, 3DES, ECC, SHA1, MD5 etc.
• Security Evaluation
  – FIPS, Common Criteria
Domain-specific knowledge and an attack-aware design approach enable smart card technology to stay up to date vis-à-vis security.
![Page 4: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/4.jpg)
Smart Card : The Comm. Protocol
• ISO 7816-3
  – APDU: Application Protocol Data Unit
• Master/slave
• Synchronous communication
• Transport protocol overloaded as the application protocol
![Page 5: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/5.jpg)
Smart Card : The Form Factors
• SIM
• Credit Card
• USB tokens
• Electronic Documents
![Page 6: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/6.jpg)
Smart Card : The Business Verticals
Chart: 2007 shipment estimates by business vertical (source: EUROSMART): 2600 million, 500 million, 300 million and 20 million units.
![Page 7: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/7.jpg)
Smart Card : The Infrastructure
Figure: the PC/SC stack. Smart card aware (ICC-aware) applications talk to the Resource Manager over the PC/SC RM Interface; the Resource Manager talks to IFD Handlers over the PC/SC IFD Handler Interface; each IFD Handler drives a reader through its Reader Driver (USB CCID class), and each smart card reader (IFD) holds a smart card (SC).
![Page 8: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/8.jpg)
Smart Card : The History
• 1983 : Commercial chip card for Pay Phones
• 1991 : SIM card
• 1992 : Commercial debit card
• 1997 : Java Card
• 2002 : .NET Smart Card
![Page 9: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/9.jpg)
JavaCard : A Revolution
![Page 10: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/10.jpg)
JavaCard: The revolutionary Smart Card
• Programmable Smart Card
• ‘Write once, run anywhere’ mantra with pragmatism
• Platform openness rocks
Anecdote: The first Java Card prototype used an 8-bit processor, 26K of ROM, 400 bytes of RAM & 1KB of EEPROM.
Today smart cards have 32-bit chips, 16KB of RAM, 512KB of ROM/Flash
![Page 11: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/11.jpg)
JavaCard Virtual Machine & Runtime
• Pragmatic subset of functionality (data types, features)
• Some specialized bytecodes
• Special treatment of static fields
• JC Virtual machine never terminates
• Persistent memory model – objects live in EEPROM
• Transaction management
• Firewall between applications
![Page 12: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/12.jpg)
```java
package com.gemalto.wallet;

import javacard.framework.*;

public class MyWallet extends Applet {
    // CLA||INS pairs for the two commands; the values are assumed for this toy applet
    static final short INS_WALLET_DEBIT = (short) 0x8030, INS_WALLET_CREDIT = (short) 0x8040;
    public static void install(byte[] bArray, short bOffset, byte bLength) { new MyWallet().register(); }
    public boolean select() { return true; }
    public void debit(byte[] buff) { }
    public void credit(byte[] buff) { }
    public void process(APDU apdu) {
        byte[] buff = apdu.getBuffer();
        switch (Util.getShort(buff, (short) 0)) {   // CLA and INS bytes read as one short
            case INS_WALLET_DEBIT:  debit(buff);  break;
            case INS_WALLET_CREDIT: credit(buff); break;
            default: ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }
}
```
A JavaCard toy Application
![Page 13: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/13.jpg)
JavaCard : Some misses
• Provided a shim on the operating system communication layer, but still mixes the transport and application protocols.
• Object-based data store without any of the capabilities of persistent stores
  – Application update problematic
![Page 14: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/14.jpg)
.NET Card : An Innovation
![Page 15: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/15.jpg)
.NET Card: The evolutionary Smart Card
• Remoting as the communication paradigm from the get-go
  – Do not expose the communication protocol
• User-programmable access to the file system
  – Separation of application and data
• Use metadata to address domain-specific requirements
  – Transactions, Security, Legacy support
• Geek bonus points
  – Visual Studio.NET integration
  – Richer type support (primitives, strings, etc.)
  – Exact GC
  – XML parsing
  – Serialization
  – Strong-name signing
![Page 16: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/16.jpg)
```csharp
using System;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
// APDUServerChannel and [Transaction] come from the .NET Card SDK, not the standard framework

namespace MyCompany {
    public class MyWallet : MarshalByRefObject {
        [Transaction] public void Debit(int amount) { }
        [Transaction] public void Credit(int amount) { }

        public static void Main(string[] args) {
            // Expose the wallet object over the card's APDU channel; the caller never sees raw APDUs
            ChannelServices.RegisterChannel(new APDUServerChannel());
            RemotingServices.Marshal(new MyWallet(), "Wallet.uri");
        }
    }
}
```
A .NET Card toy Application
![Page 17: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/17.jpg)
Smart Card : The Applications
• Authentication
• Digital signature & encryption
• Secure storage
• All of the above (manage/enforce a policy)
• Sophisticated ice scratching device
![Page 18: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/18.jpg)
Fitting in the client crypto architecture
• CAPI : Windows (native)
• CDSA : Mac OS X (native)
• PKCS#11 : Windows, Linux, Mac OS X
Outlook, Thunderbird, Adobe Writer, PGP Clients, VPN Clients, Browsers
![Page 19: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/19.jpg)
A Quick Recap
![Page 20: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/20.jpg)
Smart Card : The Client Infrastructure
Figure: the client infrastructure, the PC/SC stack of the earlier slide with the middleware layer added. Smart card aware (ICC-aware) applications call Service Providers (middleware) through Service Provider Interfaces; the Service Providers talk to the Resource Manager over the PC/SC RM Interface; the Resource Manager talks to IFD Handlers over the PC/SC IFD Handler Interface; each IFD Handler drives a reader through its Reader Driver, and each smart card reader (IFD) holds a smart card (SC).
![Page 21: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/21.jpg)
The Web
![Page 22: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/22.jpg)
Ubiquity is key for Web applications
![Page 23: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/23.jpg)
Smart Cards and the Web: Classical
To access Smart Card capabilities
• On the User's computer
  – Internet Explorer: card-specific CSP implementation
  – Firefox: card-specific PKCS#11 implementation
  – Safari: card-specific tokend
• On the Server
  – Different server/client scripts to handle browser & crypto stack differences (Herculean!)
![Page 24: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/24.jpg)
In other words,
Break the ubiquity of web
&
Lose the mobility of Smart Cards
![Page 25: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/25.jpg)
A security mechanism should not make accessing a resource, or taking some action, more difficult than it would be if the security mechanism were not present.
Principle of Psychological Acceptability
![Page 26: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/26.jpg)
DEMO: Let me show you what I mean
![Page 27: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/27.jpg)
Web 2.0
![Page 28: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/28.jpg)
Word cloud: Blogs, AJAX, Phishing, E-gov, Theft, Web Services, XML, SOAP, RSS, Flickr, Google Maps, REST, Social Networking
![Page 29: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/29.jpg)
A platform and application agnostic connectivity bridge to help JavaScript in a web page communicate with a server.
XMLHttpRequest
![Page 30: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/30.jpg)
If I have seen further it is by standing on the shoulders of Giants
- Isaac Newton
![Page 31: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/31.jpg)
A platform and application agnostic connectivity bridge to help JavaScript in a web page to communicate with Smart Card
SConnect
![Page 32: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/32.jpg)
Figure: icons for the supported operating systems and browsers, and a "15"-second download.
• Connectivity plumbing that works with classical smart cards
• Digitally signed browser extension enabling scripts embedded in a web page to access the PC/SC channel on the client machine
• A toolkit for developing Smart card Aware Web Applications (SCWA)
• Ubiquitous – all relevant OS/browser combinations
• Lightweight – 15 second download and install
SConnect
![Page 33: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/33.jpg)
```html
<html><head>
<script src="http://www.sconnect.com/scripts/sconnect.js" type="text/javascript"></script>
<script type="text/javascript">
var _otp;
function getOtp() {
  var scom = new SConnect.PCSC();
  var readersWithCards = scom.listReaders(true);
  var idx = 0; // if more than one reader, employ some discovery mechanism to choose one
  scom.connect(readersWithCards[idx]);
  // SELECT the OATH applet by AID; "9000" is the ISO 7816 success status word
  var response = scom.exchange("00A4040007A0000000020302");
  if (response == "9000") { _otp = scom.exchange("002100000106"); }
  scom.dispose();
  // put the _otp value in a text box
}
</script></head>
<body><label>Press the button to get the OTP</label>
<input type="button" value="click me" onclick="getOtp(); submit();"/></body></html>
```
A few lines of JavaScript…
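The two APDUs the sample above hard-codes as hex strings, worked through as an added example that is not part of the original deck or of the SConnect toolkit: it builds ISO 7816-4 command APDUs from their fields, splits each response into data and status word instead of assuming `9000`, and takes the card I/O function as a parameter (`scom.exchange` in SConnect, a constructed stub in the test). The status-word table, the `getOtpFrom` name and the stub's OTP value are assumptions.

```javascript
// Hex helper: one byte as two upper-case hex digits, the form SConnect.PCSC.exchange() expects.
function hex2(b) { return (b & 0xff).toString(16).toUpperCase().padStart(2, "0"); }

// Short-form command APDU: CLA INS P1 P2 [Lc data] [Le].
function buildApdu(cla, ins, p1, p2, dataHex, le) {
  var data = (dataHex || "").toUpperCase();
  if (data.length % 2 !== 0 || !/^[0-9A-F]*$/.test(data)) throw new Error("data must be hex bytes");
  var lc = data.length / 2;
  if (lc > 255) throw new Error("short-form APDU: Lc must be <= 255");
  var apdu = hex2(cla) + hex2(ins) + hex2(p1) + hex2(p2);
  if (lc > 0) apdu += hex2(lc) + data;
  if (le !== undefined) apdu += hex2(le);        // Le = 0x00 means "up to 256 bytes"
  return apdu;
}

// Response APDU = [data] || SW1 SW2; the status word is always the last two bytes.
function parseResponse(respHex) {
  var r = (respHex || "").toUpperCase();
  if (r.length < 4 || r.length % 2 !== 0) throw new Error("malformed response: " + r);
  return { data: r.slice(0, -4), sw: r.slice(-4), ok: r.slice(-4) === "9000" };
}

// Meaning of the status words a web OTP client is most likely to see (assumed subset of ISO 7816-4).
function describeSw(sw) {
  var table = { "9000": "success", "6A82": "file or applet not found",
                "6982": "security status not satisfied (PIN not verified)",
                "6D00": "instruction not supported", "6E00": "class not supported" };
  if (/^63C[0-9A-F]$/.test(sw)) return "verification failed, " + parseInt(sw[3], 16) + " tries remaining";
  return table[sw] || "unknown status " + sw;
}

// Same flow as the slide's getOtp(): SELECT the OATH applet (AID A0000000020302), then ask for
// an OTP, but with the APDUs built from fields and every status word checked.
function getOtpFrom(exchange) {
  var sel = parseResponse(exchange(buildApdu(0x00, 0xA4, 0x04, 0x00, "A0000000020302")));
  if (!sel.ok) throw new Error("SELECT failed: " + describeSw(sel.sw));
  var otp = parseResponse(exchange(buildApdu(0x00, 0x21, 0x00, 0x00, "06")));
  if (!otp.ok) throw new Error("GET OTP failed: " + describeSw(otp.sw));
  return otp.data;   // OTP bytes as the applet returned them, status word stripped
}
```

In a page, `getOtpFrom(function (apdu) { return scom.exchange(apdu); })` replaces the hand-written hex strings of the sample.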
![Page 34: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/34.jpg)
```html
<html><head>
<script src="http://www.sconnect.com/scripts/sconnect.js" type="text/javascript"></script>
<script src="http://www.sconnect.com/scripts/marshaller.js" type="text/javascript"></script>
<script src="oath_stub.js" type="text/javascript"></script>
<script type="text/javascript">
var _otp;
function getOtp() {
  // the generated stub hides reader discovery and APDU framing behind a remoting proxy
  var oathApp = new Samples.OATHApp("selfdiscover", 0, "OATHService.uri");
  _otp = oathApp.get_OTP();
  // put the value of _otp in a text box
}
</script></head>
<body><label>Press the button to get the OTP</label>
<input type="button" value="click me" onclick="getOtp(); submit();"/></body></html>
```
Fewer lines of JavaScript…
![Page 35: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/35.jpg)
DEMO: Device Administration Service
• Lightweight device management
• Routine security tasks performed in a cross browser, cross-platform setting
![Page 36: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/36.jpg)
DEMO: Two-factor auth. for Web Apps
• MeHuNa: A fictional identity & security savvy company using cloud computing
• MeHuNa uses Google Apps(!) as its Office back-end
• Employees must use strong authentication for audit & security compliance purposes
• Employees get an OpenID for their personal use
![Page 37: Security's Once and Future King](https://reader030.fdocuments.us/reader030/viewer/2022020217/5538f84c4a795971788b4875/html5/thumbnails/37.jpg)
Begin at the beginning and go on till you come to the end: then stop.
Thank You