Security’s Once and Future King: Smart Cards for Web 2.0. Kapil Sachdeva, Software Technologist, Technology & Innovation, Gemalto, Austin

Upload: ksachdeva

Post on 22-Apr-2015


DESCRIPTION

Slides of the Google TechTalk. See the talk here: http://youtube.com/watch?v=0L5tydvxNM0

TRANSCRIPT

Page 1: Security's Once and Future King

Security’s Once and Future King

Smart Cards for Web 2.0

Kapil Sachdeva, Software Technologist, Technology & Innovation, Gemalto, Austin

Page 2: Security's Once and Future King

Smart Card : The Hardware

• Integrated Circuit Card (ICC)
• Microprocessor (8-, 16- or 32-bit)
• Non-volatile memory (EEPROM, Flash)
• Volatile memory (RAM)
• Read-only memory (ROM, Flash)

[Figure: card cross-section (plastic card, contact pad, gold wiring, epoxy fill, secure chip) and chip layout: crypto CPU, RAM, ROM holding the operating system, NVM/EEPROM holding application memory]

Page 3: Security's Once and Future King

Smart Card : The Security Device

• Tamper resistant
• Cryptography – RSA, AES, 3DES, ECC, SHA-1, MD5 etc. (as listed on the 2008 slide; MD5 and SHA-1 are no longer acceptable where collision resistance matters)
• Security evaluation – FIPS 140, Common Criteria

Domain-specific knowledge and an attack-aware design approach keep smart card technology up to date with respect to security.

Page 4: Security's Once and Future King

Smart Card : The Comm. Protocol

• ISO 7816-3 (the transmission protocol, T=0/T=1) carries ISO 7816-4 APDUs: Application Protocol Data Units
• Master/slave: the terminal always initiates, the card only responds
• Synchronous communication: each command blocks until its response (data plus status word) comes back
• Transport protocol overloaded as the application protocol: application logic is expressed directly as APDU byte layouts (CLA, INS, P1, P2, Lc, data, Le)

Page 5: Security's Once and Future King

Smart Card : The Form Factors

• SIM

• Credit Card

• USB tokens

• Electronic Documents

Page 6: Security's Once and Future King

Smart Card : The Business Verticals

[Chart: 2007 shipment estimates by business vertical (source: EUROSMART): 2600 million, 500 million, 300 million, 20 million; the vertical labels are not recoverable from the transcript]

Page 7: Security's Once and Future King

Smart Card : The Infrastructure

[Figure: the PC/SC client stack, top to bottom]
Smart card aware (ICC-aware) applications
  | PC/SC RM interface
Resource Manager
  | PC/SC IFD handler interface
IFD Handler / reader driver (USB CCID class)
Smart card readers (IFD)
Smart cards (SC)

Page 8: Security's Once and Future King

Smart Card : The History

• 1983: Commercial chip card for pay phones
• 1991: SIM card
• 1992: Commercial debit card
• 1997: Java Card
• 2002: .NET Smart Card

Page 9: Security's Once and Future King

JavaCard : A Revolution

Page 10: Security's Once and Future King

JavaCard: The revolutionary Smart Card

• Programmable Smart Card

• ‘Write once, run anywhere’ mantra with pragmatism

• Platform openness rocks

Anecdote: The first Java Card prototype used an 8-bit processor, 26K of ROM, 400 bytes of RAM & 1KB of EEPROM.

Today smart cards have 32-bit chips, 16KB of RAM, 512KB of ROM/Flash

Page 11: Security's Once and Future King

JavaCard Virtual Machine & Runtime

• Pragmatic subset of functionality (data types, features)

• Some specialized bytecodes

• Special treatment of static fields

• JC Virtual machine never terminates

• Persistent memory model – objects live in EEPROM

• Transaction management

• Firewall between applications

Page 12: Security's Once and Future King

package com.gemalto.wallet;

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.Util;

public class MyWallet extends Applet {
    // CLA||INS pairs the toy applet dispatches on (values are placeholders, not given on the slide)
    private static final short INS_WALLET_DEBIT  = (short) 0x0001;
    private static final short INS_WALLET_CREDIT = (short) 0x0002;

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new MyWallet().register();
    }

    public boolean select() { return true; }

    private void debit(byte[] buff)  { /* ... */ }
    private void credit(byte[] buff) { /* ... */ }

    public void process(APDU apdu) {
        if (selectingApplet()) return;          // the SELECT that reached us needs no handling
        byte[] buff = apdu.getBuffer();
        // dispatch on CLA||INS read as one short from offset 0, as on the slide
        switch (Util.getShort(buff, (short) 0)) {
            case INS_WALLET_DEBIT:  debit(buff);  break;
            case INS_WALLET_CREDIT: credit(buff); break;
            default: ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }
}

A JavaCard toy Application

Page 13: Security's Once and Future King

JavaCard : Some misses

• Provides a shim over the operating system's communication layer but still mixes the transport and application protocol (the applet dispatches on raw APDU bytes)
• Object-based data store without any of the capabilities of persistent stores – application update is problematic

Page 14: Security's Once and Future King

.NET Card : An Innovation

Page 15: Security's Once and Future King

.NET Card: The evolutionary Smart Card

• Remoting as the communication paradigm from the get-go
  – Does not expose the communication protocol
• User-programmable access to the file system
  – Separation of application and data
• Metadata used to address domain-specific requirements
  – Transactions, security, legacy support
• Geek bonus points
  – Visual Studio .NET integration
  – Richer type support (primitives, strings, etc.)
  – Exact GC
  – XML parsing
  – Serialization
  – Strong-name signing

Page 16: Security's Once and Future King

using System;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
// APDUServerChannel and [Transaction] come from the .NET Card SDK; the slide omits their namespace

namespace MyCompany {
    public class MyWallet : MarshalByRefObject {
        [Transaction] public void Debit(int amount)  { /* ... */ }
        [Transaction] public void Credit(int amount) { /* ... */ }

        public static void Main(string[] args) {
            // expose the object over the card's APDU channel under a well-known URI
            ChannelServices.RegisterChannel(new APDUServerChannel());
            RemotingServices.Marshal(new MyWallet(), "Wallet.uri");
        }
    }
}

A .NET Card toy Application

Page 17: Security's Once and Future King

Smart Card : The Applications

• Authentication

• Digital signature & encryption

• Secure storage

• All of the above (manage/enforce a policy)

• Sophisticated ice scratching device

Page 18: Security's Once and Future King

Fitting in the client crypto architecture

• CAPI : Windows (native)

• CDSA : Mac OS X (native)

• PKCS#11 : Windows, Linux, Mac OS X

Consumers: Outlook, Thunderbird, Adobe Writer, PGP clients, VPN clients, browsers

Page 19: Security's Once and Future King

A Quick Recap

Page 20: Security's Once and Future King

Smart Card : The Client Infrastructure

[Figure: the PC/SC client stack with the middleware layer added, top to bottom]
Smart card aware (ICC-aware) applications
  | service provider interfaces
Service providers (middleware)
  | PC/SC RM interface
Resource Manager
  | PC/SC IFD handler interface
IFD Handler / reader driver
Smart card readers (IFD)
Smart cards (SC)

Page 21: Security's Once and Future King

The Web

Page 22: Security's Once and Future King

Ubiquity is key for Web applications

Page 23: Security's Once and Future King

Smart Cards and the Web: Classical

To access Smart Card capabilities

• On the user's computer
  – Internet Explorer: card-specific CSP implementation
  – Firefox: card-specific PKCS#11 implementation
  – Safari: card-specific tokend
• On the server
  – Different server/client scripts to handle browser and crypto stack differences (Herculean!)

Page 24: Security's Once and Future King

In other words,

Break the ubiquity of web

&

Lose the mobility of Smart Cards

Page 25: Security's Once and Future King

A security mechanism should not make accessing a resource, or taking some action, more difficult than it would be if the security mechanism were not present.

Principle of Psychological Acceptability (Saltzer and Schroeder, 1975)

Page 26: Security's Once and Future King

DEMO: Let me show you what I mean

Page 27: Security's Once and Future King

Web 2.0

Page 28: Security's Once and Future King

[Word cloud: Blogs, AJAX, Phishing, E-gov, Theft, Web Services, XML, SOAP, RSS, Flickr, Google Maps, REST, Social Networking]

Page 29: Security's Once and Future King

A platform- and application-agnostic connectivity bridge to help JavaScript in a web page communicate with a server.

XMLHttpRequest

Page 30: Security's Once and Future King

If I have seen further it is by standing on the shoulders of Giants

- Isaac Newton

Page 31: Security's Once and Future King

A platform- and application-agnostic connectivity bridge to help JavaScript in a web page communicate with a smart card.

SConnect

Page 32: Security's Once and Future King

[Figure: supported operating systems and browsers; download figure "15" (seconds, per the bullet below)]

• Connectivity plumbing that works with classical smart cards
• Digitally signed browser extension enabling scripts embedded in a web page to access the PC/SC channel on the client machine (which web origins may reach the card is the central trust decision here; the slide does not say how SConnect gates it)
• A toolkit for developing Smart card Aware Web Applications (SAWA)
• Ubiquitous – all relevant OS/browser combinations
• Lightweight – 15 second download and install

SConnect

Page 33: Security's Once and Future King

<html>
  <head>
    <script src="http://www.sconnect.com/scripts/sconnect.js" type="text/javascript"></script>
    <script type="text/javascript">
      var _otp;
      function getOtp() {
        var scom = new SConnect.PCSC();
        var readersWithCards = scom.listReaders(true);
        // if more than one reader, employ some discovery mechanism; here take the first
        var idx = 0;
        scom.connect(readersWithCards[idx]);
        // SELECT by AID; continue only on status word 9000
        var response = scom.exchange("00A4040007A0000000020302");
        if (response == "9000") {
          _otp = scom.exchange("002100000106");
        }
        scom.dispose();
        // put the _otp value in the text box, then submit the form that holds it
      }
    </script>
  </head>
  <body>
    <label>Press the button to get the OTP</label>
    <input type="button" value="click me" onclick="getOtp();"/>
  </body>
</html>

A few lines of JavaScript… (note that the slide loads sconnect.js over plain http; a script that brokers access to the PC/SC channel should only be loaded over https from an origin the page trusts)

Page 34: Security's Once and Future King

<html>
  <head>
    <script src="http://www.sconnect.com/scripts/sconnect.js" type="text/javascript"></script>
    <script src="http://www.sconnect.com/scripts/marshaller.js" type="text/javascript"></script>
    <script src="oath_stub.js" type="text/javascript"></script>
    <script type="text/javascript">
      var _otp;
      function getOtp() {
        // the generated stub hides reader discovery and the APDU exchange behind a remoting call
        var oathApp = new Samples.OATHApp("selfdiscover", 0, "OATHService.uri");
        _otp = oathApp.get_OTP();
        // put the value of _otp in the text box, then submit the form that holds it
      }
    </script>
  </head>
  <body>
    <label>Press the button to get the OTP</label>
    <input type="button" value="click me" onclick="getOtp();"/>
  </body>
</html>

Fewer lines of JavaScript…

Page 35: Security's Once and Future King

DEMO: Device Administration Service

• Lightweight device management

• Routine security tasks performed in a cross browser, cross-platform setting

Page 36: Security's Once and Future King

DEMO: Two-factor auth. for Web Apps

• MeHuNa: a fictional identity- and security-savvy company using cloud computing

• MeHuNa uses Google Apps(!) as its office back-end

• Employees must use strong authentication for audit and security compliance purposes

• Employees get an OpenID for their personal use

Page 37: Security's Once and Future King

Begin at the beginning and go on till you come to the end: then stop.

Thank You