Intro to Smart Cards & Multi-Factor Authentication
Hon1nbo
Security Consultant
Hon1nbo - Smart Cards & MFA 1

Authentication Factors
- Three types:
  - Something you Know
    - Passwords, PIN, security questions
  - Something you Have
    - Hardware token, mobile phone, key file
  - Something you Are
    - Fingerprints, Iris, Retina, Voice, Facial Structure, Typing Analysis

Which is best?
- Depends on the application
  - A logged-in web forum account is not as valuable as a bank account
  - Resources available on the server and client side
- Can we combine multiple factors?

Multi-factor Authentication (MFA)
- Two or more authentication factors used together
- Very secure
- Allows loss of one factor without loss of security
- Can be any combination of the three factors
- What uses MFA?
  - ATM cards (PIN + physical card), Chip and PIN (outside USA)
  - Twitter, Google, Facebook, and others allow MFA (mobile phones and hardware tokens)

Implementations
- Most common two-factor auth (2FA) is a password/PIN plus a token given to the user
  - User enters both a password and a One Time Password (OTP) generated by the token into the system
  - User enters a PIN into the token, which then generates an OTP or performs a key signing operation
  - User enters a password; the server "pushes" an auth request to the token for approval by the user (mobile phone push)
  - Token is attached to the system, and the user enters a password or PIN (ATMs, hardware keys for software licensing)
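The first pattern on this slide (password plus a one-time password from a token) is easy to get subtly wrong on the server side, so here is an added example, not from the slides, that implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library and a verifier that checks both factors, tolerates one step of clock drift, and refuses to accept the same code twice. The user name, password, drift window and the enrolment record layout are assumptions of the example; the seed is the RFC test-vector seed so the outputs can be checked against the RFC tables.

```python
"""Password + token OTP as two factors (added example, not from the slides)."""
import hashlib
import hmac
import secrets
import struct
import time

# Constructed secret: the RFC 4226/6238 test-vector seed (ASCII "12345678901234567890").
TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Server side of password + token.

    Each user record holds a salted password hash (factor 1), the token seed
    (factor 2) and the last time-step counter that was accepted, so a code
    captured in transit cannot be replayed inside the drift window.
    """

    def __init__(self, step: int = 30, digits: int = 6, drift_steps: int = 1):
        self.step, self.digits, self.drift = step, digits, drift_steps
        self.users = {}

    def enroll(self, username: str, password: str, seed: bytes) -> None:
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = {"salt": salt, "pw": pw_hash, "seed": seed, "last": -1}

    def login(self, username: str, password: str, code: str, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        rec = self.users.get(username)
        if rec is None:
            return False
        # Factor 1: something you know (constant-time compare of the hashes).
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        if not hmac.compare_digest(candidate, rec["pw"]):
            return False
        # Factor 2: something you have. Accept the current step and +/- drift steps,
        # but never a step at or below the last one already consumed.
        current = now // self.step
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= rec["last"]:
                continue
            if hmac.compare_digest(hotp(rec["seed"], counter, self.digits), code):
                rec["last"] = counter
                return True
        return False
```

Checking the password before the OTP and returning plain `False` for every failure keeps the two factors from leaking which one was wrong; storing the last accepted counter is what makes a phished or shoulder-surfed code useless once the legitimate user has logged in with it.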

Other Implementations
- Password/token and biometric
  - Not common due to the expense and complexity of biometrics
  - A biometric "token" cannot be replaced if it is stolen
- Increasing use of 3FA (PIN + token + biometric)

Hardware Security Modules
- Implement cryptographic processors in a secure assembly
- Used by CAs, banks, SSL/TLS endpoints
- Larger, bulky, expensive to design and implement
- Very powerful

Smart Cards
- Powerful hardware tokens
  - Onboard cryptographic processor
  - Secure key storage
- Extremely difficult to attack without advanced tools, knowledge, and ample time
- Easy to reprogram if compromised
- Cost decreasing in recent years
  - Partly due to common use in government and the payment industry

Smart Cards
- Simpler cryptographic token implementation than HSMs
  - Some "HSM" devices are really just smart cards with a permanently attached reader
- Key storage often contains multiple keys
  - A master key has subkeys and their "stubs"
    - Encryption key
    - Signing key
    - Authentication key
  - Each used for a different application
  - Allows for enhanced security through key isolation

Smart Cards
- Authentication flow
  - User inserts card
  - Card presents the user's public key, which must match the public key stored on the server
  - Server sends a message to the card; once the user enters a valid PIN on the card, the card signs the message together with the current time using the authentication private key
  - Server verifies the signature with the stored public key
  - Session is authenticated
- Similar process for non-repudiation and encryption
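The flow on this slide, and the key isolation point from the previous one, as an added example that is not from the slides: a simulated card holds separate authentication and signing private keys that never leave the object and are only usable after the correct PIN, while the server keeps the user's authentication public key, issues a random single-use challenge, and verifies the signature over challenge || time within a freshness window. The PIN retry limit of 3, the 30-second window, the user name and the key slot names are assumptions. The RSA keys are generated in pure Python from a fixed seed so the example runs offline; this unpadded, small-modulus textbook RSA stands in for the card's cryptoprocessor and is not suitable for real use.

```python
"""Smart card challenge-response authentication (added example, not from the slides)."""
import hashlib
import hmac
import math
import random
import secrets
import struct
import time

_rng = random.Random(2024)  # seeded so the toy keys are reproducible offline


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test; adequate for generating toy keys."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def _toy_rsa_keypair(bits: int = 192):
    """Textbook RSA (no padding): returns ((n, e), (n, d)); n > 2^383 so a SHA-256 digest fits."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


class SmartCard:
    """Simulated card: one key per purpose, private halves never leave the object,
    use requires the PIN, and three wrong PINs lock the card (assumed retry limit)."""

    MAX_TRIES = 3

    def __init__(self, pin: str):
        self._pin, self._tries_left = pin, self.MAX_TRIES
        self._priv, self.public = {}, {}
        for slot in ("auth", "sign"):  # key isolation: separate auth and signing keys
            self.public[slot], self._priv[slot] = _toy_rsa_keypair()

    def sign(self, slot: str, message: bytes, pin: str) -> int:
        if self._tries_left == 0:
            raise PermissionError("card locked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            raise PermissionError("wrong PIN")
        self._tries_left = self.MAX_TRIES
        n, d = self._priv[slot]
        return pow(_digest_int(message), d, n)


class AuthServer:
    """Stores each user's auth public key; challenges are random, single-use and
    must be answered with a time stamp within CHALLENGE_TTL seconds (assumed window)."""

    CHALLENGE_TTL = 30

    def __init__(self):
        self.registered, self._pending = {}, {}

    def register(self, user: str, auth_public) -> None:
        self.registered[user] = auth_public

    def challenge(self, user: str, presented_public) -> bytes:
        # Step 2 of the slide: the key the card presents must match the one on file.
        if self.registered.get(user) != presented_public:
            raise PermissionError("presented key does not match stored key")
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = user
        return nonce

    @staticmethod
    def message(nonce: bytes, unix_time: int) -> bytes:
        """What the card signs: challenge || 64-bit time stamp."""
        return nonce + struct.pack(">Q", unix_time)

    def verify(self, user: str, nonce: bytes, unix_time: int, signature: int, now=None) -> bool:
        now = time.time() if now is None else now
        if self._pending.pop(nonce, None) != user:  # unknown challenge, or already consumed
            return False
        if abs(now - unix_time) > self.CHALLENGE_TTL:  # stale time stamp
            return False
        n, e = self.registered[user]
        return pow(signature, e, n) == _digest_int(self.message(nonce, unix_time))


def authenticate(card: SmartCard, server: AuthServer, user: str, pin: str,
                 slot: str = "auth", now=None) -> bool:
    """The slide's flow end to end; True when the session is authenticated."""
    now = int(time.time()) if now is None else now
    nonce = server.challenge(user, card.public["auth"])
    signature = card.sign(slot, AuthServer.message(nonce, now), pin)
    return server.verify(user, nonce, now, signature, now=now)
```

Signing with the card's signing key in place of its authentication key fails verification, which is the practical payoff of key isolation: a signature obtained from the user for a document can never double as a login. Popping the nonce before checking anything else makes every challenge single-use, and the time stamp inside the signed message bounds how long a captured response stays useful.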

File System Encryption
- Smart cards can be used for local encryption
  - Can store large AES, RSA, and other key types
  - Programs such as TrueCrypt, BitLocker, and others support this
- Advantages
  - Key not stored on the target device
  - Key difficult to extract from a static system
- Disadvantages
  - Key usually in memory while the system is operational, for speed

Types of Smart Cards
- Most are the size of a standard plastic credit card
  - Electrical contacts on the surface
- Others are the size of a fingernail (cellular SIM cards)
- May contain a USB or similar interface
- Varying support for encryption and key types
  - Limiting factor: ensuring cards and systems are compatible
  - New systems may not work with previous cards; can't reformat like passwords

PKCS
- Public Key Cryptography Standards
- Smart cards and HSMs do not have a standard implementation, but we need a standard application interface
  - PKCS allows for a common API for application development
  - Communication with the smart card is done through a middleware driver
- PKCS#11 is the most common

OpenPGP Smart Card
- Smart card designed for PGP support
- Cross-platform support with various applications

PIV
- Personal Identity Verification
- Federal Information Processing Standard (FIPS) 201
- Government employee ID, universal ID in some countries
- Card can contain:
  - Public/private keys
  - Symmetric keys
  - Biometric data
  - CA data
  - Advanced cryptographic processors
- Implemented with PKCS#15

EMV
- Europay, Mastercard, Visa
- Replacement for the magnetic stripe
- Implements smart cards as the payment token
- Standard outside of the USA

Smart Card Attacks
- Simple (practical)
  - PIN scraping
    - RAM scrapers
    - Keyloggers
    - Fixed with a hardware secure PIN entry device
  - Static key export
    - FDE needs the volume key in memory for efficiency
    - A hardware HSM may fix this, but it is much slower
- Advanced (nation state, extended physical access)
  - Simple/Differential Power Analysis

Contactless
- Smart cards using wireless communication to the host
  - Usually NFC (not RFID)
  - Challenge-response
- Systems using this:
  - Contactless credit cards outside of the US (part of EMV)
  - Enterprise access cards (including the SMU Student and Faculty ID)
- May or may not require a PIN to access the secret
- The target service performing authentication provides the response to the card's challenge
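The last two points on this slide describe the opposite direction from the contact-card login flow: the card issues the challenge and releases its secret only after the service answers it, optionally gated by a PIN. Here is an added example, not from the slides and not modelled on any specific card product, using symmetric HMAC challenge-response with a per-card key diversified from a site master key; the diversification scheme, the card UID, the secret, the PIN and the service names are all constructed for the example.

```python
"""Contactless card challenging the reader/service (added example, not from the slides)."""
import hashlib
import hmac
import secrets


def diversify(master_key: bytes, card_uid: bytes) -> bytes:
    """Per-card key derived from the site master key and the card's UID (assumed scheme)."""
    return hmac.new(master_key, b"card-key" + card_uid, hashlib.sha256).digest()


def _response(card_key: bytes, nonce: bytes) -> bytes:
    return hmac.new(card_key, b"reader-response" + nonce, hashlib.sha256).digest()


class ContactlessCard:
    """Card side: holds its diversified key and secret; the secret is released only
    to a service that answers the card's fresh challenge (and supplies the PIN, if set)."""

    def __init__(self, uid: bytes, card_key: bytes, secret: bytes, pin: str = None):
        self.uid, self._key, self._secret, self._pin = uid, card_key, secret, pin
        self._nonce = None

    def challenge(self):
        """Card -> reader: UID plus a fresh random nonce."""
        self._nonce = secrets.token_bytes(16)
        return self.uid, self._nonce

    def read_secret(self, response: bytes, pin: str = None) -> bytes:
        """Reader -> card: the response, optionally with the PIN entered at the reader."""
        if self._nonce is None:
            raise PermissionError("no challenge outstanding")
        nonce, self._nonce = self._nonce, None  # every challenge is single-use
        if not hmac.compare_digest(_response(self._key, nonce), response):
            raise PermissionError("service failed the card's challenge")
        if self._pin is not None and (pin is None or not hmac.compare_digest(pin.encode(), self._pin.encode())):
            raise PermissionError("PIN required")
        return self._secret


class AccessService:
    """Service side: knows the master key, so it can answer any enrolled card's challenge."""

    def __init__(self, master_key: bytes):
        self._master = master_key

    def respond(self, uid: bytes, nonce: bytes) -> bytes:
        return _response(diversify(self._master, uid), nonce)


def tap(card: ContactlessCard, service: AccessService, pin: str = None) -> bytes:
    """One tap: card challenges, service responds, card releases its secret."""
    uid, nonce = card.challenge()
    return card.read_secret(service.respond(uid, nonce), pin)
```

A reader that does not hold the master key cannot produce the response, so a rogue reader brought near the card learns only the UID; and because the card discards its nonce after one use, a response recorded from a legitimate tap does not satisfy the next challenge.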

Questions?

Multi-factor Authentication
@hon1nbo
Security Consultant @ Cigital, Inc.
hon1nbo@hackingand.coffee
If you're in SSIG and interested in experimenting with Smart Cards or other tokens, contact me so we can get a group order.
