Cryptography and Information Security
Bridging Theory with Practice

Personal secure devices, payments and financial transactions


George Sharkov
European Software Institute - Center Bulgaria



ASTEL “Digital Democracy” Conference, Sofia, May 2008

For internal educational use only! All data copyrighted by ESI, SEI, ESI Center BG, or respective sources as indicated
The price of our personality

Submitted by Security Renegades on Wed, 2007-08-15 23:14.

I was just interviewed by a local news station about a story they were doing on daring hackers that have started advertising their abilities to destroy a person’s life for as little as $20 per month. Apparently the deal goes something like this: you make a deal with a hacker to destroy somebody’s life by signing them up online and the hacker will ensure the target can’t get a good job, can’t apply for credit cards, will be denied for loans, etc.

Innovative “business”, a subscription model: the hacker must return to the scene monthly to determine if the target’s life is still truly ruined.
Protected personality = eID Aspects

Identifier
    • Uniqueness
    • Structured according to some context: Name & address, EGN (Social security number), Bank account number, IMSI (International Mobile Subscriber Identity), MSISDN (Mobile Subscriber Integrated Services Digital Network Number), IP address, URL, MAC

eID token (ID-bearer): Smart Card, SSCD (Secure Signature Creation Device), etc.

The eID Management (infrastructure): Life cycle, Registration, Security, PKI, interoperability, etc.

Service layer: From physical Identification through eAuthentication, eSignature, time stamping, long term storage, third party validation, all applications.
The sad truth

Usability vs. “Unbreakable”
Convenience vs. Security

You can make a secure system either by making it so simple you know it's secure, or so complex that no one can find an exploit.

allegedly Dan Geer
Do we make it right?

VERIFICATION: Did we build it right?
    Technical requirements, Design documents, Standards, Test plan(s), Software
    Engineering, QA

VALIDATION: Did we build the right thing?
    User requirements, Software System, Acceptance tests, User manual
    Customer, User
Things we usually don’t think about

Accessibility - disabled people

ICT & security awareness

Information security is not an IT issue ONLY

Cost of security
Cost of Security?

Cost of Nonconformance: Fraud, Privacy, Internal + External Failures
            +
Cost of Conformance: Prevention + Assessment (standards)
Worldwide Damage from Digital Attacks

This chart shows estimates of the average annual worldwide damage from hacking, malware, and spam since 1999. These data are based on figures from mi2G and the authors.
Examples


Integrated Security Management, Standards

E-administration, document management

E-health

E-procurement, e-bidding, e-signatures

All possible B, C, G combinations
EU Reports

PKI in EU (2006):
http://www.ecom.jp/report/Study_on_PKI_2006_in_EUROPE-FINAL.pdf

Commission eSignature Workshop: December 2007
Study on the standardisation aspects of eSignature (Sealed, 2007)
http://www.esstandardisation.eu/e_signatures_standardisation.pdf
Implementation of EU-DIR 93/99

EESSI: specifies the signature device. All financed by EU.

Specifies: Smart Cards, Biometrics and Digital Signature and SSCD
Specifies Qualified Certificates, Signature formats and their Framework

SSCD: Secure Signature Creation Device

Legends: White: Basic Certificate (QC/NQC) services, Red stripes: Additional services, Solid red: on creation and verification of el.sign.
From Study on the standardisation aspects of eSignature (Sealed, 2007)
EU i2010 eID infrastructure

Pioneers: Banks & integrated eID

Austria: January 2005, the first country in the world to offer citizens the possibility to integrate a citizen card in bank cards (agreement between the Ministry of Finance and bank card issuer Europay, a ‘citizen card’ function can be included in all Maestro bank cards issued in Austria).

Cost: Until 31 August 2004, Maestro cardholders were able to exchange their current cards against new ones containing a digital signature at no cost. After that date, this ‘premium’ function costs EUR 12 per year.
Examples: The mobile approach

SIM card is a SMART CARD

managed IDs for routing and billing purposes.
functions on the handset or in the SIM card.
SIM = recognized as ’Security Element’

A SIM card in a phone = a Smart Card fully integrated with reader and display, in combination with networking functions (GSM, IP/Internet, WLAN, BlueTooth, IR and NFC)
Price for a SIM: ranging from 0,8 USD to a few Euros
3 billion mobile subscribers world-wide today
SIM cards available with PKI key generation and signature functions since 2001
In use: Finland, Sweden, Turkey, Estonia and Norway
PKI-based Services for mCommerce
Services: Transaction signing in combination with payment

Diagram: SIM (Keys & PKCS#1) with SIM PKI wireless interface (Sign SMS; SMS signature challenge formatting) -> WAP / SMS / Web -> some application (transaction signing etc.) -> interface module -> back-end system -> validation (CA, RA)
PKI-based Services for BankID
Services: Login/Authentication + transaction signing

Diagram: SIM (Keys & PKCS#1) with SIM PKI wireless interface (Sign SMS; SMS signature challenge formatting) -> WAP / SMS / Web -> NetBank application (login request, transaction signing etc.) -> interface module -> back-end system -> validation (CA, RA), now handled by the banks
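Added example, not part of the deck and not the code of any mCommerce or BankID deployment: a Go sketch of the signed-SMS challenge flow in the two diagrams above, seen from the bank back end. The SIM's PKCS#1 signing is stood in for by Go's crypto/rsa; the names SignSMS and BackEnd, the challenge text format and the single-use nonce are assumptions. The security point is that the back end must bind the transaction details to a fresh challenge, accept each signed reply only once, and verify under the key enrolled for that subscriber.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)
// SignSMS stands in for the SIM's PKCS#1 v1.5 signing function (hypothetical
// name): it signs SHA-256 of the SMS challenge text exactly as displayed.
func SignSMS(key *rsa.PrivateKey, text string) ([]byte, error) {
	h := sha256.Sum256([]byte(text))
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
}
// BackEnd is the bank side of the diagram: it formats challenges and validates
// signed replies against the public key enrolled for each MSISDN via RA/CA.
type BackEnd struct {
	Keys    map[string]*rsa.PublicKey // MSISDN -> registered public key
	Pending map[string]string         // nonce -> exact challenge text issued
}
// Challenge binds the transaction details to a fresh nonce, so a signature
// cannot be detached from this payment and replayed for another one.
func (b *BackEnd) Challenge(msisdn, amount, payee string) (string, error) {
	n := make([]byte, 8)
	if _, err := rand.Read(n); err != nil {
		return "", err
	}
	nonce := fmt.Sprintf("%x", n)
	text := msisdn + " pay " + amount + " EUR to " + payee + " ref " + nonce
	b.Pending[nonce] = text
	return text, nil
}
// Validate accepts a signed reply once: the nonce is consumed on first use, the
// text must be what was issued to this MSISDN, and the signature must verify.
func (b *BackEnd) Validate(msisdn, text string, sig []byte) error {
	_, nonce, _ := strings.Cut(text, " ref ") // "" when missing: never a stored key
	issued, ok := b.Pending[nonce]
	delete(b.Pending, nonce) // single use, whether or not the signature verifies
	if !ok || issued != text || !strings.HasPrefix(text, msisdn+" pay ") {
		return fmt.Errorf("unknown, altered or replayed challenge")
	}
	pub, ok := b.Keys[msisdn]
	if !ok {
		return fmt.Errorf("no registered key for %s", msisdn)
	}
	h := sha256.Sum256([]byte(text))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}
```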
UICC – elements
New UICC Architecture / SIM advances

UICC (ID = ICCID) to carry a number of new functions:
    • USIM (ID = IMSI & MSISDN) and SIM (ID = IMSI & MSISDN)
    • PKI / eID
    • eHealth
    • Payment (EMV), Electronic Purse
    • Ticketing (DRM !)
    • Multimedia (DRM ?)
    • Phonebook, Common Storage
    • SIM Application Toolkit

Interfaces: 12 Mb/s USB Full speed IF (1 connector), NFC (or other) IF, GSM Allocated (2G/3G) IFs (5 connectors)
E-cash versus paper cash

Micropayment and anonymous e-cash

Electronic purse

Mobile payments: end of the debit and credit card

End of the privacy

New frauds
Warnings: PKI obstacles

OASIS TC PKI Survey on PKI Obstacles (Source: [OASIS-PKI])

http://www.ecom.jp/report/Study_on_PKI_2006_in_EUROPE-FINAL.pdf
The reality

• 90% of the people in the audience have at least 1 smart card with them

• most of them have NOT used a smart card for anything other than
       o to make a call/message
       o withdraw money
       o pay for goods/service

• When it comes to securing the computer or the network, the card is NOT there. Why?
Net security

Confidentiality, Integrity, and Authenticity (CIA) of content?

Smart cards, biometrics, tokens – for identification and coding

Pairing based security – compromise: complexity <> usability/reliability

Elliptic curves over finite fields

Gartner forecast
ESI Assessment of SMEs maturity
Information as an Asset

Assessment levels (effort, result, typical customer):
    • Level 3, Class B: 2-3 weeks, 2 assessors; typical customer: Large-E
    • Level 2 (L2), Class B: 7-8 days, 2 assessors; 102 Doc. Review; typical customer: SME
    • InfoSec Snapshot, Level 2, Class C: 3 days, 1 assessor; 102 Interview; typical customer: Micro & Small

Domains: Inf. Security (ISO 27001), SPI (CMMI), Business (10 Sq.): Finances, Customers, Processes, Learning
And Beyond
Quantum cryptography, Quantum Digital Signature (QDS)

In 1994, Dr. Shor invented an algorithm that would allow a quantum
computer to do the calculations simultaneously, factoring numbers
hundreds of digits long in perhaps minutes. It can break RSA.

The RSA algorithm was publicly described in 1977 by Ron Rivest,
Adi Shamir, and Leonard Adleman at MIT

In 2001, Shor's algorithm was demonstrated by a group at IBM, who
factored 15 into 3 x 5, using a quantum computer with 7 qubits.
And further…

CryptoBG’08
www.cryptobg.org

Second International Symposium
Recent Developments in Cryptography and Information Security
September 11-13, 2008
National Institute of Education, Oriahovitza, Bulgaria

Organized by Minu Balkanski Foundation

• Cryptography for Personal Secure Devices
• E-signature and Secure Encryption – Modern Trends
• Finances, Banking and Payments – Trust & Security
• Cryptography - Bridging Theory with Practice
Thank you

George Sharkov

gesha@esicenter.bg




Credits:

Presentations Financial Cryptography (Mexico, 2008)

Presentations Recent Developments in Cryptography and Information Security
 (Bulgaria, 2007)

EU/EC reports

				