Rajat Moona j CSE, IIT Kanpur October 11, Reach IIT K

Transcription

1 Rajat Moona j CSE, IIT Kanpur October 11, 2010 Reach IIT K

2 Identity Establishment Problem Smart Card Technology IIT Kanpur Contribution ID related applications DL/RC, MNIC, e Passport Protection against Phishing ATM Enabler for Micro financing

3 The issue of giving right information to right person. Problem: Am I talking to the right person/equipment? On a telephone line: the party on the other side is right person or not? For ATM transactions: is it a genuine ATM? Simple schemes: Voice recognition? Face recognition? Secret sharing? Shared trust? Simple schemes are not robust. Not secure.

4 Real world is however build over simple things. Password based login The passwords are easy to guess. Web logins (bank account/credit cards etc.) Identity loss (lost passwords from sites) Fingerprint based identifications. Detective movies are full of ideas on how to crack them. Credit cards based frauds. 3 digit CVV protection? Try only 900 times to crack a card. Is it worthwhile to use such mechanisms?

5 Mechanism Password or PIN ( What you know ) Secret information shared between two parties Cryptographic challenge Response ( What you carry ) Entity authentication Biometric i information ( What is part of you ) Person s identification A combination of one or more

6 Device asks the user (person or a device) to provide a password. Password is matched hdfor verification with a reference one. For example: ATM

7 Enter PIN 2344 Withdraw Rs Rs given Bank Rs given. Bank Server informed for keeping transaction record.

8 Enter PIN 2344 No Authentication with Bank!!! Withdraw Rs User Given the amount or told ATM out of money.

9 Secret Key Cryptography Two communicating sides share the same secret Public Key Cryptography Public key is used for encryption while private key is used for decryption. Private key is secret. Authentication is based on proving the possession of secret key by its use. Challenge Response Authentication

10 Cryptanalyst/ Attacker p K p Encryption c c Decryption Algorithm Algorithm p Sender K Secure Channel Receiver Key Source

11 Cryptanalyst/ Attacker p Pr p Encryption c c Decryption Algorithm Algorithm p Sender Pu Pr Receiver Known to the world Pu Key Gen

12 Password based Identification Where to store passwords securely? Password Guessability Prone to Identity theft Address based Identification Assumes that atthe identity ty of a person can be inferred ed across the network. Prone to identity attacks. Symmetric key cryptography ybased Identification Challenge Response based Identification (authentication) Public key cryptography based identification Cryptographic techniques are immune to identity theft provided keys are not leaked.

13 Visual identity application Plain plastic card is enough Magnetic strip (e.g. credit cards) Visual data also available in machine readable form No security of data Electronic memory cards Machine readable data Some security (vendor specific) Processor cards (and therefore memory too) Cards have an operating system that provides A standard way of interchanging information An interpretation t ti of the commands and data

14 VCC Reset Clock Reserved GND VPP I/O

15 Contact Card Contactless (RF) Card RFU CLK RST Vcc RF Antenna GND RFU I/O Vpp

16 256 bytes to 4KB RAM. 8KB to 0.5MB ROM. 1KB to 1MB EEPROM. Crypto coprocessors (implementing AES, 3DES, RSA etc., in hardware) are optional. 8 bit to 16 bit CPU based designs are common. The price of a mid level chip when produced in bulk is about US$0.50.

17 Computer based readers Connect through USB or COM (Serial) ports Dedicated terminals Usually with a small screen, keypad, printer, often also have biometric devices such as thumb print scanner.

18 Electronics Technology Memory Memory Contact Cards Memory Contact-less Cards (aka RFID) Processor Processor Contact Cards Processor Contact-less Cards ) Cont tact Radio (RF Commun nication n Techno ology

19 Smart cards can store and control access to data in most flexible manner. To specific users who know the passwords To a specific devices who know the secret Cryptography based operations Data stored can include Personal information and Biometric i reference data (e.g. fingerprint i template) Keys and passwords Capabilities include Data storage (persistent) Cryptography (encryption/decryption/digital signatures etc.) Auxiliary mechanisms (hash computations, random number generation)

20 Smart Card group had developed the Indian National Standard for the OS SCOSTA and SCOSTA CL Certification process and mechanisms Key management system design for the Indian Driving License and Vehicle Registration, National ID Card data layout and processes for DL/RC, National ID (MNIC), Indian epassport Defined the standard for the Indian epassport (a step over the ICAO standards) Card Readers and programming interfaces for application development.

21 ID Applications i National ID, Driving License, Electronic Passports, Health Care Electronic Cash Payment, e Purse Purse, Toll Tax, Credit cards, purse to purse transactions Loyalty Banking Cards, Membership cards Authenticity Security Tokens, Resource Access

22 Can store information such as Personal Information Name, Name in local language, Sex, Names of parents, spouse, marital status, Date and place of birth, aliases, National ID, Issuer s Name/designation, Issue date, address Validity checks Valid up to information, validity keys, Digital signature mechanisms Biometric information Photograph, finger print (machine verifiable) Possible applications Electronic tax filing, electronic authenticated voting, irrefutable proof of citizenship, social security Access Control (read write control based on the entity) Certain information is record once once (national ID number, Sex...) Certain information is modifiable (such as address )

23 Electronic Passport is passport with smart card chip in the binding (e.g. cover page) Chip stores the personal information. Additionally the data is digitally it signed by the document signer (such as a passport issuing officer). Non repudiation is possible. Passport data can be verified at immigration control world wide. Provided the country specific public keys are exchanged between the countries through h bi lateral l exchange mechanism Personal information may include the biometric which can be verified at the home immigration counters for entry/exit. Authentic photograph of the owner is stored on chip.

24 Security Issue Fake outlet attack Shoulder attack Fake padoverlay attack Network Issue Dedicated network is required Network is unreliable Cost Issue Display / Input device required Cost for Network Connectivity Cooling costs

25 Several scenarios are possible. Case I: Use of Mobile and Card. Ultimate protection Case II: Use of card only. Protection against keyboard overlay or shoulder attack not possible. Case III: Protection against lost mobile possible.

26 Smart cards are the devices for the future Can be used for several applications. Document signing (for example tax returns) Identification and authentication Such as Driving License, National ID (MNIC), Voter Card, e Passports etc. Bank Transactions E cash and e purse application. Ticketing and Toll Metro Ticketing and Toll gate operations. Access Control Access to rooms/facilities, Club memberships, vending applications. Secure, robust and dependable storage of data, keys and Passwords. Data can be protected against tampering and can be made reliable and dependable. Innovations are possible in the use of the technology and the technology itself.

27 _(India)/ Nitin Munjal and Rajat Moona, Secure and Cost Effective Transaction Model for Financial Services, ICUMT 2009, St. Petersburg. Nitin Munjal, Ashish Paliwal, Rajat Moona, Low Cost Secure Transaction Model for Financial Services, Security and Identity Management (SIM), Ahmedabad, Abhishek Gaurav, Ankit Sharma, Vikas Gelara, Rajat Moona, Using Personal Electronic Device for Authentication based Service Access, IEEE International Conference on Communications (ICC2008), Beijing, May 2008.

28 BTech Students Abhishek Gaurav, Ankit Sharma, Vikas Gelara MTech Students S Ravinder, Aditi Gupta, Deepak Nagawade, Anshul Data, Nitin Munjal, N Karthik, Nikhil Khande Faculty Members Deepak Gupta, Manindra Agrawal Funding Agencies and collaborators MCIT, NIC, RGI, MoRST, MEA