Post on 30-Mar-2015
e-transaction Security The PKI Tunis, January 2010
H. Kaffel-Ben Ayed
Security of Mobile Transactions Over Wireless Pervasive Networks
Hella KAFFEL-BEN AYED
Esma HAMED
Anis ZOUAOUI
CRISTAL Lab
ENSI
OUTLINE
  Wireless systems
  The m-transactions over hotspots
  New pervasive systems
  The security requirements
  Conclusion
WIFI Hotspots presentation
HotSpot (or Hotzone):
  Limited public zone covered by a wireless network
  Allows connection to the Internet
  Deployed in high-traffic sites: airports, hotels, squares, conference sites, …
Customer types:
  Mobile professionals needing to connect to their enterprise network through the Internet
  Mobile customers needing to access Internet services:
    Reservation
    Tourist information
    E-mail
    E-Gov + E-commerce…
WIFI Hotspots characteristics
  802.11b standard
  Ubiquitous: anywhere, anytime
  High transmission rate: 54Mb/s
  Ease of use
  Rapid access
  Low costs
  Diversity of mobile communication devices
Attractive environment for conducting m-commerce, m-Gov, … m-transactions
M-Commerce over hotspots
[Figure: Wireless device, Access Point (AP), Internet, Server. Information Phase: Catalogs/Service Navigation. Payment Phase: Order Request, Authorization/Settlement Request, Authorization/Settlement Response, Order Response.]
M-Government / M-Administration
“…the use of mobile technologies in the provision of the services in the public area”
  Strong penetration of mobiles (mobile phones, PDA, etc.)
  + Benefit from innovative wireless and mobile technologies.
M-Gov System Architecture
The wireless context vulnerabilities
Wireless medium of transmission
  Interferences, mobility, …
Exposed wireless communications
Multiple attacks:
  Spoofing
  Sniffing
  DoS
  Possible duplication of payment systems (SIM cards, pre-paid cards, …)
Security requirement services for m-Gov
  Authentication
  Confidentiality
  Integrity
  Non-repudiation
  Protection against replay attacks
  …
Available security solutions
Mutual authentication
  EAP (Extensible Authentication Protocol): Extension of the RADIUS protocol (Remote Access Dial-In User Service)
  802.1X: Network standard used in switches
Encryption key distribution method with 802.1X protocol
AES encryption algorithm
Tunneling
  Ex: Encryption of IP traffic with IPsec protocol
EAP and 802.1X
Authentication traffic: The AP encapsulates 802.1X traffic into RADIUS traffic, and vice versa
Data traffic: The AP blocks everything but 802.1X-to-RADIUS authentication traffic
[Figure: Wireless device, Access Point, Wired Network, RADIUS server. Between the wireless device and the Access Point: EAP over Wireless (802.1X traffic). Between the Access Point and the RADIUS server: EAP over RADIUS (RADIUS traffic).]
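Added example (not part of the original slides): a simplified Python model of the access point behaviour described above, dropping data frames from unauthenticated stations and re-encapsulating EAPOL frames as RADIUS Access-Requests with EAP-Message and Message-Authenticator attributes (RFC 3579 layout). The AccessPoint class, its method names, the shared secret and the sample frame are assumptions constructed for illustration; other Access-Request attributes (such as User-Name) and verification of the RADIUS reply are omitted.

```python
import hashlib, hmac, os, struct

EAPOL_ETHERTYPE = 0x888E                  # EtherType of 802.1X (EAPOL) frames
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2      # RADIUS packet codes
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80   # RADIUS attribute types

def eap_from_eapol(frame: bytes) -> bytes:
    """Strip the 4-byte EAPOL header (version, type, body length)."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL frame")
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != 0 or length != len(frame) - 4:    # type 0 = EAP-Packet
        raise ValueError("not a well-formed EAPOL EAP-Packet")
    return frame[4:]

def radius_access_request(eap: bytes, secret: bytes, ident: int) -> bytes:
    """Carry one EAP packet inside a RADIUS Access-Request."""
    attrs = b""
    for i in range(0, len(eap), 253):             # one attribute holds <= 253 bytes
        chunk = eap[i:i + 253]
        attrs += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)   # zeroed for the HMAC
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16)
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

class AccessPoint:
    """Hypothetical authenticator: one controlled port per station MAC."""
    def __init__(self, secret: bytes):
        self.secret, self.authorized, self.ident = secret, set(), 0

    def on_wireless_frame(self, mac: str, ethertype: int, payload: bytes):
        if ethertype == EAPOL_ETHERTYPE:          # authentication traffic: relay
            self.ident = (self.ident + 1) % 256
            eap = eap_from_eapol(payload)
            return "to_radius", radius_access_request(eap, self.secret, self.ident)
        if mac in self.authorized:                # data traffic after success
            return "forward", payload
        return "drop", b""                        # data traffic before success

    def on_radius_reply(self, mac: str, code: int):
        if code == ACCESS_ACCEPT:                 # anything else keeps the port closed
            self.authorized.add(mac)

if __name__ == "__main__":
    ap = AccessPoint(b"constructed-shared-secret")
    eap = struct.pack("!BBH", 2, 1, 10) + b"\x01alice"    # constructed EAP-Response/Identity
    print(ap.on_wireless_frame("02:00:00:00:00:01", 0x0800, b"ip"))       # dropped
    print(ap.on_wireless_frame("02:00:00:00:00:01", EAPOL_ETHERTYPE,
                               struct.pack("!BBH", 1, 0, len(eap)) + eap)[0])
```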
802.11i security features
  Mutual authentication
  Dynamic session keys
  Message Integrity Check (MIC)
  TKIP: Temporal Key Integrity Protocol
  PPK (Per-Packet Key) for encryption
  Initialization vector sequencing
  Rapid re-keying
  Unicast and Broadcast key rotation
  AES Encryption
  Authentication and security for control and management frames
New Mobile Environment
Embedded and pervasive systems:
  Restricted resources: memory, processor, power supply
  Wireless networks: bandwidth, frequent disconnections
  Relatively cheap and cost sensitive because they often involve high-volume products
The extremely diverse nature of embedded applications
A wide range of damage that can be done through abuse in a pervasive world
Embedded Pervasive Systems
A wide variety of applications:
  hand-held devices
  household appliances
  RFID tags
  washing machines, refrigerators or microwave ovens
  safety-critical applications, e.g., in ITS (intelligent transport systems such as automotive, railroad or airplane), military, control systems
  …
Potential Threats (1/3)
From privacy violation to financial loss or even bodily harm…
Risk potential: the close coupling with the physical environment
  threats against our real physical environment
Financials: an increasing number of pervasive applications that involve financial aspects:
  digital entertainment content in home and mobile devices
  location-based services for hand-held devices
  smart cards with e-wallet functions
Potential Threats (2/3)
New business models: sophisticated security solutions
  New pervasive applications where the business model relies on strong security functionality
  Manipulation may lead to a loss of revenue
  Pay-TV, time-limited feature activation in fielded products,
Privacy
  Pervasive computing: intimate link between human user and “computing” device = disclosure of a user’s location or of his/her behavior,
Potential Threats (3/3)
Reliability
  Manipulations harm the reliability of a product
  E.g., remote software updates of pervasive devices
  E.g., “chip tuning” in the automotive context
Legislation
  Legislative requirements will force certain pervasive applications to provide strong security, e.g., road toll systems, e-voting systems, or mobile banking applications.
Conclusion
Pervasive security: an emerging discipline
There is an active academic and industrial community working on strong security solutions.
Thank you for attending this presentation