Cryptography and Information
Bridging Theory with Practice

Personal secure devices, payments and financial

George Sharkov
European Software Institute - Center Bulgaria

ASTEL “Digital Democracy” Conference, Sofia, May 2008

For internal educational use only! All data copyrighted by ESI, SEI, ESI Center BG, or respective sources as indicated
The price of our personality

Submitted by Security Renegades on Wed, 2007-08-15 23:14.

I was just interviewed by a local news station about a story they were doing on daring hackers that have started advertising their abilities to destroy a person’s life for as little as $20 per month. Apparently the deal goes something like this: you make a deal with a hacker to destroy somebody’s life by signing them up online and the hacker will ensure the target can’t get a good job, can’t apply for credit cards, will be denied for loans, etc.

The hacker must return to the scene monthly to determine if the target’s life is still truly ruined.

Innovative “business”: subscription model
Protected personality

eID Aspects
• Uniqueness
• Structured according to some context: Name & address, EGN (Social security number), Bank account number, IMSI (International Mobile Subscriber Identity), MSISDN (Mobile Subscriber Integrated Services Digital Network Number), IP address, URL, MAC

eID token (ID-bearer): Smart Card, SSCD (Secure Signature Creation Device), etc.

The eID Management (infrastructure): Life cycle, Registration, Security, PKI, interoperability, etc.

Service layer: From physical Identification through eAuthentication, eSignature, time stamping, long term storage, third party validation, all applications.
The sad truth

Usability and Convenience versus “Unbreakable” Security

You can make a secure system either by making it so simple you know it's secure, or so complex that no one can find an exploit.

allegedly Dan Geer
Do we make it right?

Technical requirements, design documents, test plan(s): VERIFICATION (Engineering, QA). Did we build it right?

Software system, acceptance tests, user manual: VALIDATION (Customer, User). Did we build the right thing?
Things we usually don’t think about

Accessibility - disabled people

ICT & security awareness

Information security is not an IT issue ONLY

Cost of security
Cost of Security?

Cost of Nonconformance: Fraud, Privacy, Internal + External
Cost of Conformance: + Assessment

Worldwide Damage from Digital Attacks

This chart shows estimates of the average annual worldwide damage from hacking, malware, and spam since 1999. These data are based on figures from mi2G and the authors.

Integrated Security Management, Standards

E-administration, document management


E-procurement, e-bidding, e-signatures

All possible B, C, G combinations
EU Reports

PKI in EU (2006):

Commission eSignature Workshop: December 2007
Study on the standardisation aspects of eSignature (Sealed, 2007)

Implementation of EU-DIR 93/99 (all financed by EU):
• Specifies signature device (SSCD: Secure Signature Creation Device)
• Specifies: Smart Cards, Biometrics and Digital Signature and SSCD
• Specifies Qualified Certificates, Signature formats and their Framework

Legend: White: Basic Certificate (QC/NQC) services; Red stripes: Additional services; Solid red: on creation and verification of el.sign.
From Study on the standardisation aspects of eSignature (Sealed, 2007)

EU i2010 eID infrastructure
           Pioneers: Banks & integrated eID

Austria: January 2005, the first country in the world to
offer citizens the possibility to integrate a citizen card in
bank cards (agreement between the Ministry of Finance
and bank card issuer Europay, a ‘citizen card’ function can
be included in all Maestro bank cards issued in Austria).

Cost: Until 31 August 2004, Maestro cardholders were
able to exchange their current cards against new ones
containing a digital signature at no cost. After that date,
this ‘premium’ function costs EUR 12 per year.
Examples: The mobile

• managed IDs for routing and billing purposes
• functions on the handset or in the SIM card
• SIM = recognized as ’Security Element’
• A SIM card in a phone = a Smart Card fully integrated with reader and display, in combination with networking functions (GSM, IP/Internet, WLAN, BlueTooth, IR and NFC)
• Price for a SIM: ranging from 0.8 USD to a few
• 3 billion mobile subscribers world-wide today
• SIM cards available with PKI key generation and signature functions since 2001
• In use: Finland, Sweden, Turkey, Estonia and Norway

SIM card is a SMART CARD
PKI-based Services for mCommerce
Services: Transaction signing in combination with payment

Architecture (figure, components only): SIM holding the keys and PKCS#1 signing (Sign SMS / SMS Sign.); SIM PKI wireless interface; Transaction signing etc.; Application; Interface module; Back-end system; CA and RA.

PKI-based Services for BankID
Services: Login/Authentication + transaction signing

Architecture (figure, components only): SIM holding the keys and PKCS#1 signing (Sign SMS / SMS Sign.); WAP and SMS bearers; SIM PKI wireless interface; Login request, Transaction signing etc.; Application; Interface module; Back-end system; CA and RA.

Now handled by the banks
UICC – elements
New UICC Architecture / SIM advances

Existing elements: USIM (ID = IMSI & MSISDN), SIM (ID = IMSI & MSISDN), Phonebook, SIM Application Toolkit; card ID = ICCID.

To carry a number of new functions: eHealth, PKI / eID, Payment (EMV), Ticketing (DRM !), Electronic Purse, Multimedia (DRM ?), Storage.

Interfaces: 12 Mb/s USB Full speed IF (1 connector), NFC (or other) IF, GSM Allocated (2G/3G) IFs (5 connectors).

E-cash versus paper cash

• Micropayment and anonymous e-cash
• Electronic purse
• Mobile payments: end of the debit and credit card
• End of privacy
• New frauds
Warnings: PKI obstacles

OASIS TC PKI Survey on PKI Obstacles (Source: [OASIS-PKI])
The reality

• 90% of the people in the audience have at least 1 smart card with them

• most of them have NOT used a smart card for anything other than
  o to make a call/message
  o withdraw money
  o pay for goods/service

• When it comes to securing the computer or the network, the card is NOT there. Why?
Net security

Confidentiality, Integrity, and Authenticity (CIA) of content?

Smart cards, biometrics, tokens – for identification and coding

Pairing-based security – compromise

Elliptic curves over finite fields

Gartner forecast
ESI Assessment of SMEs maturity
Information as an Asset

Assessment tiers (figure, top to bottom):
• 2-3 weeks, 2 assessors: Level 3 / Class B; target: Large-E
• 7-8 days, 2 assessors (L2): Level 2 / Class B; Doc. Review; target: SME
• 3 days, 1 assessor (InfoSec Snapshot): Level 2 / Class C; Interview; target: Micro & Small

Columns: Inf. Security (ISO 27001), SPI (CMMI), Business (10 Sq.)
And Beyond

Quantum cryptography, Quantum Digital Signature (QDS)

In 1994, Dr. Shor invented an algorithm that would allow a quantum computer to do the calculations simultaneously, factoring numbers hundreds of digits long in perhaps minutes. It can break RSA.

The RSA algorithm was publicly described in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT.

In 2001, Shor's algorithm was demonstrated by a group at IBM, who factored 15 into 3 x 5, using a quantum computer with 7 qubits.
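An added example, not from the presentation, of why an efficient factoring algorithm breaks RSA: given only the public key (n, e), recovering p and q yields φ(n) and therefore the private exponent d. Classical trial division stands in for Shor's algorithm on the n = 15 = 3 x 5 of the IBM demonstration and on a constructed 4-digit key; the exponents and messages are assumed values for illustration.

```python
# Added example, not from the presentation: why factoring n breaks textbook RSA.
# Trial division stands in for Shor's algorithm; it only works on toy-sized n,
# which is exactly the point: RSA rests on factoring being infeasible for
# 2048-bit n classically, and Shor removes that assumption on a quantum computer.
from __future__ import annotations
from math import gcd, isqrt


def trial_division(n: int) -> tuple[int, int]:
    """Return (p, q) with p * q == n for a semiprime n. Feasible only for tiny n."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError(f"{n} has no non-trivial factor")


def recover_private_exponent(n: int, e: int) -> int:
    """Given only the public key (n, e): factor n, compute phi(n), invert e."""
    p, q = trial_division(n)
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n); not a valid RSA key")
    return pow(e, -1, phi)  # modular inverse (Python 3.8+)


def rsa_encrypt(m: int, e: int, n: int) -> int:
    return pow(m, e, n)


def rsa_decrypt(c: int, d: int, n: int) -> int:
    return pow(c, d, n)


def break_toy_rsa(n: int, e: int, m: int) -> dict:
    """Encrypt m under the public key, then decrypt it using only n and e."""
    c = rsa_encrypt(m, e, n)
    d = recover_private_exponent(n, e)
    return {"factors": trial_division(n), "d": d, "c": c,
            "m_recovered": rsa_decrypt(c, d, n)}


if __name__ == "__main__":
    # n = 15 = 3 x 5 (the IBM 7-qubit demonstration) with assumed e = 7, m = 8
    print(break_toy_rsa(15, 7, 8))
    # constructed textbook-sized key: p = 53, q = 61, e = 17, message 65
    print(break_toy_rsa(3233, 17, 65))
```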
And further…

Second International Symposium
Recent Developments in Cryptography and Information Security
September 11-13, 2008
National Institute of Education, Oriahovitza, Bulgaria

Organized by Minu Balkanski Foundation

• Cryptography for Personal Secure Devices
• E-signature and Secure Encryption – Modern Trends
• Finances, Banking and Payments – Trust & Security
• Cryptography - Bridging Theory with Practice
Thank you

George Sharkov


Presentations Financial Cryptography (Mexico, 2008)

Presentations Recent Developments in Cryptography and Information Security (Bulgaria, 2007)

EU/EC reports
