
Unit 8

Uploaded by

devangtyagi69

Other Security Issues
- Dr. G.S. Rawat
Smart Cards

• A smart card contains an integrated circuit chip that can hold information, which
then can be used as part of the authentication process.
Smart cards
• Contact Cards: allowing electronic access to the contents of the chip
• Contactless: do not require physical contact with the card itself

[Figures: Canadian penny vs. chip; Near Field Communication (NFC)]

Smart Card Technology and Security

• Technology and security are strongly related
• Crackers find sophisticated ways to get at supposedly secure data on cards
• Manufacturers have to come up with more sophisticated locks and keys on cards
• Crackers come up with better techniques to bypass these
• forming an infinite improvement loop
Smart Card security

• Communication
• Hardware
• Operating System (OS)
• Software
Smart Card: Communication

• A Smart Card and a Card Accepting Device (CAD) communicate by means
of small data packets called APDUs (Application Protocol Data Units)
• harder for third parties to attack the system successfully
• Small bit rate (9600 bits per second) using a serial bi-directional transmission line
(ISO standard 7816/3),
• half duplex mode for sending the information (data only travels in one direction
at a time)
• most common encryption methods are symmetric DES (Data Encryption
Standard), 3DES (triple DES) and public key RSA
Smart Card: Hardware Security
• All data and passwords on a card are stored in the EEPROM
• can be erased or modified by an unusual voltage supply
• heating the controller to a high temperature or focusing the UV light on the EEPROM
• removing the security lock
• Invasive physical attacks
• card is cut and processor removed
• layout of the chip can be reverse engineered
• Differential Power Analysis (DPA)
• statistical attack on a cryptographic algorithm
• measuring the precise time and electric current required for certain encryption or decryption
operations
• Simple Power Analysis (SPA)
• direct analysis of the recorded power data
Smart Card: Hardware Security Solutions

• Technology barrier. Advanced 0.6 micron technology greatly reduces the size and
power consumption of cards as well as the relative variations in their operating
parameters. This makes it very hard for external SPA/DPA methods to distinguish
between normal card fluctuations and data-related fluctuations.
• Clock fluctuation. A special Clock Software Management facility, when properly used,
results in highly variable software timing when the embedded application program is
executing.
• Unpredictable behavior. A built-in timer with Interrupt capability and an
Unpredictable Number Generator is used to impose unpredictable variations on
software execution behavior, with consequent changes in the pattern of power
consumption.
Smart Card: Hardware Security Solutions
• Robust design. A modular design allows new hardware variations, including custom
variations, to be produced quickly and efficiently, thereby allowing fast response to
new attack scenarios.
• Memory control for multi-applications. An enhanced Memory Access Control
system provides secure operating system support for multi-application cards.
• Security mechanisms and firmware functions. An enhanced set of security
mechanisms and firmware functions allow the application to detect and respond
appropriately to the occurrence of conditions that might indicate an attack. These
conditions include invalid operating conditions, bad opcodes, bad addresses and
violations of chip integrity; the possible responses include interrupts, program
reset, immediate erasure of all RAM data and flash programming of the entire
EEPROM array.
Smart Cards: OS security
• Data on Smart Cards is organized into a tree hierarchy
Smart Cards: OS Security
Five basic levels of access rights to a file (both DF and EF)
• Always (ALW): Access of the file can be performed without any
restriction.
• Card holder verification 1 (CHV1): Access is possible only when a
valid CHV1 value is presented.
• Card holder verification 2 (CHV2): Access is possible only when a
valid CHV2 value is presented.
• Administrative (ADM): Allocation of these levels and the respective
requirements for their fulfilment are the responsibility of the
appropriate administrative authority.
• Never (NEV): Access of the file is forbidden.
Smart Cards: OS Security
• The PINs are stored in separate elementary files
• OS blocks the card after a wrong PIN is entered several consecutive
times
• Once blocked, the card can only be unblocked with a specific
unblocking PIN stored in the card
• the unblocking PIN can become blocked in the same way
• the result is an irreversible blockage, and the card may have to be scrapped for security
reasons
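The access conditions and PIN-blocking behaviour from the two OS Security slides above, as an added Python sketch that is not part of the original slides. The retry limit of 3, the file names and the PIN values are assumptions; CHV2 and ADM verification are not modelled, so files guarded by them are always denied.

```python
import hmac
from enum import Enum

Access = Enum("Access", "ALW CHV1 CHV2 ADM NEV")
MAX_TRIES = 3  # assumed limit; the slides only say "several"

class Secret:  # a PIN or unblocking PIN with its own retry counter
    def __init__(self, value):
        self.value, self.tries_left = value, MAX_TRIES
    def check(self, candidate):
        if self.tries_left == 0:            # blocked: even the right value fails
            return False
        if hmac.compare_digest(self.value, candidate):
            self.tries_left = MAX_TRIES     # success resets the counter
            return True
        self.tries_left -= 1
        return False

class Card:
    def __init__(self, pin, unblock_pin, files):
        self.chv1, self.unblock = Secret(pin), Secret(unblock_pin)
        self.files = files                  # name -> (read condition, content)
        self.granted = {Access.ALW}         # conditions met in this session

    def verify_chv1(self, candidate):
        ok = self.chv1.check(candidate)
        (self.granted.add if ok else self.granted.discard)(Access.CHV1)
        return ok

    def unblock_chv1(self, candidate, new_pin):
        if not self.unblock.check(candidate):
            return False
        self.chv1 = Secret(new_pin)         # new PIN with a fresh counter
        return True

    def status(self):
        if self.chv1.tries_left > 0:
            return "usable"
        return "blocked" if self.unblock.tries_left > 0 else "irreversibly blocked"

    def read(self, name):
        condition, content = self.files[name]
        if condition not in self.granted:   # NEV, CHV2 and ADM are never granted here
            raise PermissionError(f"{name}: requires {condition.name}")
        return content

def demo_card():  # constructed sample: file names and PIN values are made up
    files = {"EF_ID": (Access.ALW, b"id"), "EF_ADN": (Access.CHV1, b"contacts"),
             "EF_KEY": (Access.NEV, b"key")}
    return Card("1234", "87654321", files)
```

Note that a blocked PIN refuses even the correct value, and that the unblocking PIN is protected by the same counter, which is what makes the final state irreversible.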
Zero Knowledge Protocol

• Zero Knowledge Proof (ZKP) is an encryption scheme originally
proposed by MIT researchers Shafi Goldwasser, Silvio Micali and Charles
Rackoff in the 1980s
• A zero knowledge proof or protocol is a method by which a party A can
prove to party B that a given statement X is certainly true without
revealing any additional information
Zero Knowledge Protocol
• A zero knowledge protocol must have three properties.
• Completeness: If the statement is true, an honest verifier will be
convinced by an honest prover.
• Soundness: If the statement is false, the prover cannot convince the verifier
that it is true, except with some small probability.
• Zero-knowledge: If the statement is true, no cheating verifier learns
anything other than this fact.
Zero Knowledge Protocol

• Interactive Zero Knowledge Proof –
It requires the verifier to repeatedly ask a series of questions about the “knowledge”
the prover possesses. The prover performs a series of actions to prove the
soundness of that knowledge to the verifier.
• Non-Interactive Zero Knowledge Proof –
For an “interactive” solution to work, both the verifier and the prover need to be online
at the same time, which makes it difficult to scale up to real-world applications.
• Non-interactive zero-knowledge proofs do not require an interactive process,
avoiding the possibility of collusion. They require picking a hash function to generate
the challenge that the verifier would otherwise pick at random.
• In 1986, Fiat and Shamir invented the Fiat-Shamir heuristic and successfully changed
the interactive zero-knowledge proof into a non-interactive zero-knowledge proof.
Zero-knowledge: Pros and Cons

Pros:
• Secured – Not requiring the revelation of one’s secret.
• Simple – Does not involve complex encryption methods.
Cons:
• Limited – Secret must be numerical, otherwise a translation is needed.
• Lengthy – There are 2k computations, each computation requires a
certain amount of running time.
• Imperfect – A malicious party can still intercept the transmission (i.e.
messages to the verifier or the prover might be modified or destroyed)
Enterprise Application Security
• the protection of enterprise applications from external attacks, privilege
abuse and data theft
• implementing security across all applications, enterprises
• greater data security and protect applications from vulnerabilities
Enterprise Application Security Threats
• Device specific threats
• personal devices, insecure applications, outdated OS
• Network-specific threats
• Unsecured Wi-Fi
• App-specific threats
• Injection flaws, Broken authentication, Security misconfiguration
• User-specific threats
• Malicious employees, negligent ones
Enterprise Application Security

• Educate
• dos and don’ts of technology.
• Implement strict access control policy
• Force strong user authentication
• Encrypt all data
• Updating firmware, software and applications
• Identify all points of vulnerability
• Monitor, track, and attack
• Make security a part of the business process
Biometrics
• analysis of unique biological and physiological characteristics with the
aim of confirming a person's identity
• common biometric identifiers:
• Fingerprints
• Facial
• Voice
• Iris
• palm or finger vein patterns
Biometric Authentication

• Security measure that matches the biometric features of a user looking to access a
device or a system
• Access to the system is granted only when the parameters match those stored in the
database for that particular user
• Biometric characteristics are the physical and biological features unique to every
individual
• These are saved in a database and can be easily compared to the user attempting
to access the data or device
• biometric authentication can be placed in various physical environments such as
doors, gates, server rooms, military bases, airports, and ports
Biometric Authentication: Types
Multi-Factor Authentication

• Security that necessitates two or more credentials to authenticate an
individual’s identity
• passwords, hardware tokens, numerical codes, biometrics, specific
times, or even locations
• if one factor is compromised, the overall authentication process remains
secure
• most common MFA factors are one-time passwords (OTPs) which are 4
to 8 digit codes received through email, SMS, or even through mobile
apps
Multi-Factor Authentication
• three main types of MFA authentication methods:
• Possession: A badge with a code or a smartphone to receive OTPs.
• Knowledge: For example, a password or a pin.
• Inherence: Biometric recognition methods of fingerprints, voice, or eye
scanners.
Biometric Authentication: Enterprise Security
Biometric Authentication: Features
Biometric Authentication: The Good
Biometric Authentication: The Bad
Biometric Authentication: The Ugly
Database Access Control
• Method of allowing access to sensitive information only to
user groups allowed to access such data
• restricting access to unauthorized persons to prevent data
breaches in database systems.
• Database Access Control in DBMS includes two main
components:
• authentication
• authorization
Database Access Control

• Discretionary Access Control (DAC)
• In DAC models, the data owner grants access.
• DAC is a method for assigning access rights based on rules defined by the user.
• Mandatory Access Control (MAC)
• permitted access based on an information clearance, designed using a
nondiscretionary paradigm
• refers to a policy that assigns access permissions based on central authority
regulations
Database Access Control

• Role-Based Access Control (RBAC)
• uses fundamental security principles like “least privilege” and “separation of
privilege” to give access depending on a user’s role
• only access the data required for their function
• Attribute-Based Access Control (ABAC)
• Each resource and user in ABAC receives a set of attributes
• dynamic approach makes a judgment on resource access based on comparing
the user’s features
• such as time of day, position, and location
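How an RBAC check and an ABAC check combine on a single database request, as an added example that is not part of the original slides. The role names, table names, office hours and the `senior_clerk` position are all constructed for illustration.

```python
from datetime import time

# Constructed roles: each lists only the (table, action) pairs its function needs
# (least privilege).
ROLES = {
    "payroll_clerk": {("salaries", "SELECT"), ("salaries", "UPDATE")},
    "support_agent": {("customers", "SELECT")},
}

def salaries_rule(user, request):
    # ABAC: compare attributes of the user and the request, not just the role.
    in_hours = time(8, 0) <= request["time_of_day"] <= time(18, 0)
    on_site = request["location"] == "office"
    may_write = request["action"] != "UPDATE" or user["position"] == "senior_clerk"
    return in_hours and on_site and may_write

ABAC_RULES = {"salaries": salaries_rule}   # tables without a rule rely on RBAC only
AUDIT_LOG = []                             # every decision is kept for auditing

def rbac_allows(user, table, action):
    return any((table, action) in ROLES.get(role, set()) for role in user["roles"])

def decide(user, table, action, time_of_day, location):
    request = {"action": action, "time_of_day": time_of_day, "location": location}
    if not rbac_allows(user, table, action):
        verdict = "deny: no role grants this action"
    elif table in ABAC_RULES and not ABAC_RULES[table](user, request):
        verdict = "deny: attribute rule not satisfied"
    else:
        verdict = "allow"
    AUDIT_LOG.append((user["name"], table, action, verdict))
    return verdict
```

Two users with the same role can get different answers here, and the same user can be allowed at 10:30 in the office and denied at 23:00 or from a remote location.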
Database Access Control

Works on three sides:


• The User: When an employee wishes to enter a restricted area, they must provide
their credentials. An unlock request gets made at a card reader, which sends the
information to an Access Control Unit, subsequently authorizing the user and
opening the door.
• The Administrator: An access control system has a management dashboard or portal
on the administrative side. Office administrators, IT managers, and security chiefs
can use the control portal to specify who has access to the premises and under what
conditions.
• The System Infrastructure: An access control system’s infrastructure includes
electric locks, card readers, door status for traffic monitoring, and requests to exit
devices, all of which report to the control panel and the server.
Database Access Control: Best Practices
• Focus on Access to Sensitive Data
• Data Encryption
• Education to all Data Stakeholders
• Apply the Doctrine of Least Privilege
• Auditing and Monitoring
Radio Frequency Identification (RFID)
• RFID was created back in 1948 by Harry Stockman and was initially
utilized for military applications
• RFID tags are a type of tracking system that use radio frequency to
search, identify, track, and communicate with items or individuals.
• RFID tags, like barcodes, are smart labels that can store a range of
information from serial numbers to a short description, and even pages
of data
Radio Frequency Identification (RFID)
• RFID is a wireless technology made up of two main parts: tags and
readers
• The reader is a device which has one or more antennas that send and
receive electromagnetic signals back from RFID tags
• These tags, which store a serial number or cluster of information, use
radio waves to send their data to nearby readers.
• RFID belongs to a group of technologies called Automatic Identification
and Data Capture (AIDC)
• AIDC tools identify items, collect data about them, and send that data
to a computer system with little to no human interaction
RFID TAG
RFID Attacks
RFID: Privacy Concerns
• unique identifiers within RFID tags can be used for profiling and identifying consumer
and individual patterns.
• stealth readers can track people with RFID tags on them
• tracking is possible even if a fixed tag serial number is random and carries no intrinsic
data
• threat to privacy grows when a tag serial number is combined with personal
information
• susceptible to attacks or viruses from hackers and fraudsters
• RFID tag data can be read by anyone with a compatible reader
