Wireless PKI Security and Mobile Voting - PowerPoint PPT Presentation

1 / 17
About This Presentation
Title:

Wireless PKI Security and Mobile Voting

Description:

Wireless PKI Security and Mobile Voting Jaak Tepandi and Stanislav Vassiljev, Tallinn University of Technology Ilja T ahhirov, InVision Software AG – PowerPoint PPT presentation

Number of Views:110
Avg rating:3.0/5.0
Slides: 18
Provided by: eWo49
Category:

less

Transcript and Presenter's Notes

Title: Wireless PKI Security and Mobile Voting


1
Wireless PKI Security and Mobile Voting
  • Jaak Tepandi and Stanislav Vassiljev, Tallinn
    University of Technology
  • Ilja Tšahhirov, InVision Software AG

Source IEEE Computer Society / August 2010 Date
March 2, 2012 Presenter ???
2
Outline
  • Introduction
  • Mobile phones a handy solution
  • WPKI authentication and digital signing
  • WPKI security study
  • Manageable WPKI-specific risk
  • WPKI-specific risk requiring attention
  • Implications for m-voting
  • WPKI requirements
  • Conclusion

3
Introduction
  • Wireless public-key infrastructure technology is
    used in many security-critical applications
    including banking and digital signing.
  • An analysis of WPKI security using ID-card-based
    PKI (ID-PKI) as a benchmark highlights various
    risks and their implications for mobile voting.

4
Mobile phones a handy solution(1/2)
  • Security-critical applications can utilize a
    computer and a mobile phone with a Universal
    Subscriber Identity Module (USIM) card for
    authentication and electronic signatures.
  • In Estonia, Mobiil-ID technology enables personal
    identification and authentication with a mobile
    phone.
  • a Mobiil-ID USIM card provides the usual SIM
    card functionality and also incorporates the
    private keys for authentication and digital
    signatures, obviating the need for a physical ID
    card reader.

5
Mobile phones a handy solution(2/2)
  • Mobiil-ID is based on emerging wireless PKI
    specifications. WPKI can be used to obtain client
    authentication and nonrepudiation .

6
WPKI authentication and digital signing
registration
5.
V H request PIN
user
Registration Authority(RA)
Mobile operator
6.
Cards bound to users identities
8.
5.
6.
4.
authentication or reject
1.
V H
 
Verification code (V)
Identifier
7.
TSP verifies the users signature and send
result to the AP
3.
validates IDs certificate
Trust service provider
Application provider
4.
Verification code (V)
Certificate Authority(CA)
2.
Request identity service for ID
7
WPKI security study(1/2)
  • Main types of threats focused on
  • -General Threats related to Legal issues
  • -Cryptography
  • -Software Development, technical threats
  • -M-Voting Threats

8
WPKI security study(2/2)
  • Risks with WPKI
  • -Risks associated with WPKI are of 
    Information security.
  • ?Integrity
  • ?Confidentiality
  • ?Authenticity
  • ?Non repudiation
  • ?Availability

9
Manageable WPKI-specific risk(1/3)
  • The risk within the Mobile Operators Subsystem
  • --the Over the Air (OTA) Server and SMS
    Center can be subject to Man in the
    Middle Attack.
  • Mobile Operator must impose security measures
    including the encryption communication over VPN
    and securing LAN with firewall. Detailed
    analysis demonstrates that the risk of MITM
    attacks is low.

10
Manageable WPKI-specific risk(2/3)
Sent to wrong mobile phone !
5.
H(V) request PIN
user
Mobile operator
6.
5.
The risk of MITM attack is low.
4.
6.
H(V)
Verification code (V)
 
1.
Identifier
3.
validates IDs certificate
Trust service provider
Application provider
4.
Verification code (V)
attack
Certificate Authority(CA)
2.
Request identity service for ID
? Example 1
11
Manageable WPKI-specific risk(3/3)
??VU1? VA2,?user????,??????????!(VA1VA2)
?Note I1I2 , VA1VA2 ? ??
???
user
Attacker
Mobile operator
??MITM attack,???????user??,?????user??server?????
,?????????????
Trust service provider
Application provider
Certificate Authority(CA)
? Example 2 - An attacker grasping a users
session
12
WPKI-specific risk requiring attention
  • Man in the middle attack between APs and users
    are easier in WPKI than in ID-PKI.(attacker may
    fake server between client and server connecting)
  • Compared with other authentication
    methods.(ex.one time passwords). WPKI enabled
    measures help prevent many kind of attacks.
  • ID-PKI authenticates the user based on both
    users certificate and the server public key
    certificate during the SSL session handshake.
    This makes an MITM attack unrealistic.

13
Implications for m-voting
  • Electronic voting asks for additional demanding
    security.
  • -votes must remain anonymous.
  • -the system must record every action.
  • The I-Voting(over the internet) used in Estonia
    and several other settings utilizes
    the digital envelope.
  • -Inner envelope has the encrypted vote.
  • -outer envelope has digital signature.

14
WPKI requirements(1/2)
  • RA maintain , document,and periodically audit
    strict procedures for persons identity and
    citizenship verification.
  • CA Informing people about m-voting security
    problem.(ex. User cant lend somebody mobile
    phone capable of signature service.)
  • M-voting infrastructure, operational procedures,
    and application development should match
    traditional e-voting systems strict security
    requirements.

15
WPKI requirements(2/2)
  • It is vital to ensure quality handling of USIM
    card private keys ,secret keys, and PIN codes.
  • (ex. MOs should keep logs.)
  • MO procedures should also ensure voter anonymity
    by preventing administrators from observing the
    m-voting process in any way.

16
Conclusion
  • WPKI??????????,?TSP?????user??PIN???????????,?????
    ????,???AP?user?????AP?TSP???????????????,????????
    ????

17
THE END
Write a Comment
User Comments (0)
About PowerShow.com