Wireless Public Key Infrastructure Security and Mobile Voting

Aamir Hirani
Mustafa Zaidi
Wajeeh ul Hassan
Paper’s Highlights

• This paper highlights various risks and
implications of Wireless PKI security
using ID Card Based PKI as benchmark for
Mobile voting.
Overview - Wireless PKI
• Wireless Public Key Infrastructure (WPKI) is a two-factor
authentication scheme using mainly the mobile phone and a laptop. It
is mainly promoted by banks, mobile operators, and mobile network
manufacturers.

• Public Key Infrastructure (PKI) enables users to authenticate
themselves to web services, sign documents electronically and
encrypt text.

• PKI binds user identities to their public keys by means of certificate
authorities (CA).
• PKI supports security-critical functionality such as
– Bank Transactions
– Digital Signing and
– E-voting.
CASE – Mobile Voting
• Estonia, a country of 1.4 million people, has
more than 1 million ID-PKI cards issued.
• Electronic signatures are used for contracts
and other legal documents. Banks recognize
the security of ID Card based PKI.
• The nation’s local elections and Parliament elections
have used electronic voting over the Internet
based on ID-PKI.
• Problem – an ID card reader is not always available, so it is
convenient to rely on portable devices: MOBILE PHONES
Mobile Phones – “Handy” Solution
• Security critical applications utilize
– Computer and
– Universal Subscriber Identity Module (USIM) for
authentication and electronic signatures.
• Ideally a mobile phone has 3 main components
integrated
– The Card – comprising the user’s certificate
– The Card Reader &
– Computer
Mobile Phones – “Handy” Solution (Contd..)

• Mobiil-ID is a technology that enables
personal identification and authentication
with a mobile phone.
• The Mobiil-ID USIM card provides the usual SIM
card functionality and also incorporates the
private keys for authentication, obviating the
need for a physical ID card reader.
Stakeholders and Components
• USIM cards can be personalized allowing the
following to be loaded onto the card
– Public and private keys for authentication and
digital signatures
– 2 PINs and 1 PUK for authentication and digital
signatures and
– PIN and PUK codes for protecting and unblocking
the USIM card.
Stakeholders and Components
[Diagram: stakeholders shown are the USIM card developer, USIM card personalization provider, USIM card logistics service provider, Mobile Operator, Registration Authority (RA), User, Application Provider, Trust Service Provider and Certificate Authority. Labels: Procure; Store & Distribute card in RA offices; Card Bound to user’s identities.]
Stakeholders and Components
• USIM card logistics service provider: procures, stores and
distributes cards in Registration Authority (RA) offices.
• WPKI Management: in charge of user registration, certificate
handling and the main services.
• Registration Authority: registers users, issues USIM cards and
provides customer care on behalf of the Certificate Authority (CA).
Stakeholders and Components
• Certificate Authority (CA): manages certificate activation,
suspension, revocation, and storage.
• Trust Service Provider (TSP): handles authentication and signing
requests from Application Providers, communicating with Mobile
Operators (MO) and with the CA for certificate and validity checks.
• Mobile Operators: communicate with users and the TSP by
means of subsystems such as the over-the-air (OTA) server and
SMS center.
WPKI Security Study
• In Estonia Mobiil-ID technology is new and people
are concerned about its security.
• The security study began with High Level Risk
Assessment examining WPKI stakeholders,
processes, systems, major assets, threats and risks.
• Main types of threats focused on
– General Threats related to Legal issues
– Cryptography
– Software Development, technical threats and
– M-Voting Threats
WPKI Security Study (Contd..)
• Risks with WPKI
– Risks associated with WPKI are of
• Information security
• Integrity
• Confidentiality
• Authenticity
• Non repudiation &
• Availability
WPKI Security Study (Contd..)
• As many as 50 risks were identified which were
compared to similar risks in ID-PKI.
• E.g. the study ignored risks, such as the insufficiency of
124-bit RSA keys, that are of the same magnitude for
WPKI and ID-PKI (these are not WPKI-specific
problems).
• Risk related to WPKI – the risk resulting from users’
technical equipment being out of the application
provider’s control is more probable in the case of WPKI.
Manageable WPKI Specific Risks
• The Mobile Operator’s subsystems, i.e. the
over-the-air (OTA) server and SMS center,
can be subject to a man-in-the-middle
attack.
• The Mobile Operator must impose security
measures, including encrypting
communication over a VPN and securing the LAN
with firewalls.
WPKI Specific Risks Requiring Attention

• WPKI is sensitive to attacks on mobile phones
in the case of ID-PKI.
• Mobile Operators are stakeholders for WPKI;
their infrastructure, operational procedures
and organization must be compatible with
WPKI applications’ security requirements.
• Also, man-in-the-middle attacks between APs
and users are easier in WPKI than in ID-PKI.
WPKI Specific Risks Requiring Attention

• Compared with other authentication methods,
such as one-time passwords, WPKI-enabled measures
help prevent many kinds of attacks.
• ID-PKI authenticates the user based on both
her certificate and the server public key
certificate during the SSL session handshake.
This makes an MITM attack unrealistic.
Implications for M-Voting
• Electronic voting has additional,
demanding security requirements.
– Satisfy conflicting requirements of confidentiality.
– Auditability, preserving integrity of voting results.
Implications for M-Voting (Contd..)
• Electronic Voting Systems differ from one
another.
– The Swiss e-voting system lets voters use the Internet
or mobile phones to cast votes. This system
applies two-step encryption, and citizens use a
special password mailed to them.
– The I-Voting used in Estonia and several other
settings utilizes the “digital envelope”.
• Inner envelope has the encrypted vote.
• Outer envelope has digital signature.
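
The double envelope above, sketched with Go's standard library as an added example (not code from the paper or from any deployed voting system). RSA-OAEP, RSA-PSS, SHA-256, the throwaway 2048-bit keys standing in for the card and election keys, and the names Seal, CheckOuter and OpenInner are all assumptions made here.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Envelope struct{ Inner, Outer []byte } // Inner: encrypted vote; Outer: signature over Inner

// NewKey makes a throwaway 2048-bit RSA key (stand-in for card or election key).
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Seal encrypts the vote to the election key, then signs the ciphertext.
func Seal(vote string, election *rsa.PublicKey, voter *rsa.PrivateKey) (Envelope, error) {
	inner, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, election, []byte(vote), nil)
	if err != nil {
		return Envelope{}, err
	}
	digest := sha256.Sum256(inner)
	outer, err := rsa.SignPSS(rand.Reader, voter, crypto.SHA256, digest[:], nil)
	return Envelope{Inner: inner, Outer: outer}, err
}

// CheckOuter verifies who sealed the envelope without decrypting the vote.
func CheckOuter(e Envelope, voter *rsa.PublicKey) bool {
	digest := sha256.Sum256(e.Inner)
	return rsa.VerifyPSS(voter, crypto.SHA256, digest[:], e.Outer, nil) == nil
}

// OpenInner decrypts an inner envelope; it never sees the signature.
func OpenInner(inner []byte, election *rsa.PrivateKey) (string, error) {
	vote, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, election, inner, nil)
	return string(vote), err
}

func main() {
	election, voter := NewKey(), NewKey()
	env, _ := Seal("candidate-17", &election.PublicKey, voter) // constructed sample vote
	vote, _ := OpenInner(env.Inner, election)
	fmt.Println(CheckOuter(env, &voter.PublicKey), vote)
}
```

Because the signature covers only the ciphertext, the outer envelope can be checked and set aside before the holder of the election private key opens the inner one.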
Implications for M-Voting (Contd..)
• Various factors have to be considered to
determine if a particular voting system is
suitable, e.g.
– 1. The type and criticality of election
– 2. Information and Communication technology
infrastructure etc…
• This should precede the political decision to
accept I-voting. There is no universal solution
but I-Voting and M-Voting can be considered
practicable.
WPKI Requirements and Recommendations