E-transaction Security The PKI Tunis, January 2010 H. Kaffel-Ben Ayed 1 Security of Mobile...

e-transaction Security The PKI Tunis, January 2010 H. 1 Security of Mobile Transactions Over Wireless Pervasive Networks Hella KAFFEL-BEN AYED Esma HAMED Anis ZOUAOUI CRISTAL Lab ENSI


Security of Mobile Transactions Over Wireless Pervasive Networks

Hella KAFFEL-BEN AYED, Esma HAMED, Anis ZOUAOUI

CRISTAL Lab ENSI


OUTLINE

- Wireless systems
- The m-transactions over hotspots
- New pervasive systems
- The security requirements
- Conclusion


WIFI Hotspots presentation

HotSpot (or Hotzone):
- Limited public zone covered by a wireless network
- Allows connection to the Internet
- Deployed in high-traffic sites: airports, hotels, squares, conference sites, …

Customer types:
- Mobile professionals needing to connect to their enterprise network through the Internet
- Mobile customers needing to access Internet services:
  - Reservation
  - Tourist information
  - E-mail
  - E-Gov + E-commerce…


WIFI Hotspots characteristics

- 802.11b standard
- Ubiquitous: anywhere, anytime
- High transmission rate: 54Mb/s
- Ease of use
- Rapid access
- Low costs
- Diversity of mobile communication devices

Attractive environment for conducting m-commerce, m-Gov, …m-transactions


M-Commerce over hotspots

[Figure: message flow between a wireless device, an Access Point (AP), the Internet and a server.
Information Phase: Catalogs / Service Navigation.
Payment Phase: Order Request, Authorization/Settlement Request, Authorization/Settlement Response, Order Response.]


M-Government / M-Administration

“…the use of mobile technologies in the provision of the services in the public area”

- Strong penetration of mobiles (mobile phones, PDA, etc.)
- Benefit from innovative wireless and mobile technologies.


M-Gov System Architecture


The wireless context vulnerabilities

- Wireless medium of transmission: interferences, mobility, …
- Exposed wireless communications
- Multiple attacks:
  - Spoofing
  - Sniffing
  - DoS
- Possible duplication of payment systems (SIM cards, pre-paid cards, …)


Security requirement services for m-Gov

- Authentication
- Confidentiality
- Integrity
- Non-repudiation
- Protection against replay attacks
- …


Available security solutions

- Mutual authentication
  - EAP (Extensible Authentication Protocol): Extension of the RADIUS protocol (Remote Access Dial-In User Service)
  - 802.1X: Network standard used in switches
- Encryption key distribution method with 802.1X protocol
- AES encryption algorithm
- Tunneling
  - Ex: Encryption of IP traffic with IPsec protocol


EAP and 802.1X

- Authentication traffic: The AP encapsulates 802.1X traffic into RADIUS traffic, and vice versa
- Data traffic: The AP blocks everything but 802.1X-to-RADIUS authentication traffic

[Figure: wireless device, Access Point, wired network and RADIUS server. EAP over Wireless (802.1X traffic) runs between the wireless device and the Access Point; EAP over RADIUS (RADIUS traffic) runs between the Access Point and the RADIUS server.]
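The encapsulation step on this slide, as an added example that is not part of the original presentation: the AP strips the EAPOL header from an 802.1X frame, carries the EAP packet in RADIUS EAP-Message attributes, and protects the request with a Message-Authenticator that the server verifies. It assumes the RFC 3579 attribute layout; the function names, the identity and the shared secret are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80  # RADIUS attribute types (RFC 3579)
# Constructed sample: EAPOL frame carrying EAP-Response/Identity for a made-up user.
_EAP = struct.pack("!BBHB", 2, 1, 22, 1) + b"alice@example.org"
SAMPLE_EAPOL = struct.pack("!BBH", 1, 0, len(_EAP)) + _EAP

def eap_from_eapol(frame: bytes) -> bytes:
    """AP, wireless side: strip the 4-byte EAPOL header and return the EAP packet."""
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    # Type 0 is EAP-Packet; the EAP length field must match the EAPOL body length.
    if ptype != 0 or len(body) != length or body[2:4] != frame[2:4]:
        raise ValueError("not a complete, consistent EAPOL EAP-Packet frame")
    return body

def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def radius_access_request(eap: bytes, secret: bytes, ident: int) -> bytes:
    """AP, wired side: carry the EAP packet in an Access-Request (code 1)."""
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]  # 253 value bytes max
    attrs = b"".join(_attr(EAP_MESSAGE, c) for c in chunks)
    attrs += _attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zero-filled while the MAC is computed
    pkt = bytearray(struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16) + attrs)
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()  # keyed with shared secret
    return bytes(pkt)

def verify_and_extract_eap(pkt: bytes, secret: bytes) -> bytes:
    """RADIUS server: check Message-Authenticator, then reassemble the EAP packet."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad RADIUS length")
    eap, mac, zeroed, pos = b"", None, bytearray(pkt), 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute")
        if atype == EAP_MESSAGE:
            eap += pkt[pos + 2:pos + alen]
        elif atype == MESSAGE_AUTHENTICATOR and alen == 18:
            mac = pkt[pos + 2:pos + alen]
            zeroed[pos + 2:pos + alen] = bytes(16)
        pos += alen
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if mac is None or not hmac.compare_digest(mac, expected):
        raise ValueError("missing or invalid Message-Authenticator")
    return eap
```

A request forged or altered on the wired segment without the shared secret fails the check, which is why the AP-to-server leg depends on that secret staying confidential.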


802.11i security features

- Mutual authentication
- Dynamic session keys
- Message Integrity Check (MIC)
- TKIP: Temporal Key Integrity Protocol
- PPK (Per-Packet Key) for encryption
- Initialization vector sequencing
- Rapid re-keying
- Unicast and Broadcast key rotation
- AES Encryption
- Authentication and security for control and management frames


New Mobile Environment

- Embedded and pervasive systems: restricted resources
  - Memory
  - Processor
  - Power supply
- Wireless networks: bandwidth, frequent disconnections
- Relatively cheap and cost sensitive because they often involve high-volume products
- The extremely diverse nature of embedded applications: a wide range of damage that can be done through abuse in a pervasive world


Embedded Pervasive Systems

A wide variety of applications:
- Hand-held devices
- Household appliances
- RFID tags
- Washing machines, refrigerators or microwave ovens
- Safety-critical applications
  - e.g., in ITS (intelligent transport systems such as automotive, railroad or airplane), military, control systems


Potential Threats (1/3)

From privacy violation to financial loss or even bodily harm…

- Risk potential: the close coupling with the physical environment
  - Threats against our real physical environment
- Financials: an increasing number of pervasive applications that involve financial aspects
  - Digital entertainment content in home and mobile devices
  - Location-based services for hand-held devices
  - Smart cards with e-wallet functions


Potential Threats (2/3)

- New business models: sophisticated security solutions
  - New pervasive applications where the business model relies on strong security functionality
  - Manipulation may lead to a loss of revenue
  - Pay-TV, time-limited feature activation in fielded products
- Privacy
  - Pervasive computing: intimate link between human user and “computing” device = disclosure of a user’s location or of his/her behavior


Potential Threats (3/3)

- Reliability: manipulations harm the reliability of a product
  - E.g. remote software updates of pervasive devices
  - E.g. “chip tuning” in the automotive context
- Legislation: legislative requirements will force certain pervasive applications to provide strong security, e.g., road toll systems, e-voting systems, or mobile banking applications.


Conclusion

- Pervasive security: an emerging discipline
- There is an active academic and industrial community working on strong security solutions.


Thank you for attending this presentation