Web-enabled systems are now an integral part of everything we interact with, from microelectronics to voice-enabled hardware, from text messages and phone calls to email; really, we are limited only by our imaginations as to what we can connect. As we explore vast new realms of communication over mixed digital media, we have to ask ourselves how we protect our critical data within potentially insecure environments. Going beyond that, how do we protect some of our more critical data, payment information, in this same realm? Looking at a multitude of different environments, we will explore how to secure user identity and payment information through the communication channels, covering topics like:
* Securing identity and payment data through voice commands or text.
* Tokenization and encryption security.
* Techniques for triggering secure transactions from communications media.
At the end of the session, we will have a stronger understanding of proper techniques for working with new communication media sources, and see how we can apply fundamental security precepts in potentially insecure environments.
Secure Payments over Mixed Communication Media
Identity, Data, and Payment Security Practices
Jonathan LeBlanc, Head of Global Developer Advocacy, PayPal / Braintree
Twitter: @jcleblanc | Email: jleblanc@paypal.com
Considerations in the Payments World
• Identity: Securing who the user is
• Data in Motion: Securing what the user is doing
• Payments: Securing how the user is buying
Twitter: @jcleblanc | Hashtag: #dfist
Protecting Identity
Transmitting information about who you are
Protecting Account Information
Source: http://digitaltrends.com
Protecting Identity through the Password
• Salting: Hardening the user password
• Good password-hashing algorithms: bcrypt, scrypt, PBKDF2
• Protects against: Rainbow tables, dictionary attacks
Android: POST request to server to hash data
client.java

import java.util.ArrayList;
import java.util.List;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import android.util.Log;

String urlString = "https://myserver.com/auth";
try {
    // create HTTP objects
    HttpClient httpClient = new DefaultHttpClient();
    HttpPost httpPost = new HttpPost(urlString);

    // create name/value pairs of POST data
    List<NameValuePair> nameValuePair = new ArrayList<NameValuePair>(1);
    nameValuePair.add(new BasicNameValuePair("password", "123456789"));

    // URL-encode and POST the data over TLS; the server salts and hashes it
    httpPost.setEntity(new UrlEncodedFormEntity(nameValuePair));
    HttpResponse response = httpClient.execute(httpPost);
} catch (Exception ex) {
    Log.e("Debug", "error: " + ex.getMessage(), ex);
}
Salting & Hashing Passwords with bcrypt
auth.js

// node bcrypt package
var bcrypt = require('bcrypt');

function bcrypt_encrypt(username, password){
    // generate a random salt with cost factor 10 (2^10 rounds)
    bcrypt.genSalt(10, function(err, salt){
        if (err) throw err;
        // generate hash using password & salt; the resulting string embeds
        // the algorithm id, cost and salt, so only the hash needs to be stored
        bcrypt.hash(password, salt, function(err, hash){
            if (err) throw err;
            console.log('hash: ' + hash);
            console.log('salt: ' + salt);
        });
    });
}
Salting & Hashing Passwords with PBKDF2
auth.js

// node standard crypto package
var crypto = require('crypto');

function pbkdf2_encrypt(username, password){
    // generate random 32 byte salt
    crypto.randomBytes(32, function(err, salt){
        if (err) throw err;
        // derive a 512-byte key with 4096 iterations of PBKDF2-HMAC-SHA256
        crypto.pbkdf2(password, salt, 4096, 512, 'sha256', function(err, key){
            if (err) throw err;
            console.log('key: ' + key.toString('hex'));
            console.log('salt: ' + salt.toString('hex'));
        });
    });
}
Protecting Data in Motion
Transmitting privileged user information between services
Taking Cues from Hardware Security
Source: http://estimote.com
Protecting Data in Motion
• Asymmetric public / private key encryption
• Two pairs of public / private keys (sender + receiver)
• Encrypt with recipient public key, sign with sender private key
• Decrypt with recipient private key, verify with sender public key
Learning from Beacons
(Diagram: Central Device -> Beacon Hardware -> IP Address Endpoint)
Android: POST request to server to transmit data
client.java

import java.util.ArrayList;
import java.util.List;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import android.util.Log;

String urlString = "https://myserver.com/server";
try {
    // create HTTP objects
    HttpClient httpClient = new DefaultHttpClient();
    HttpPost httpPost = new HttpPost(urlString);

    // create name/value pairs of POST data
    List<NameValuePair> nameValuePair = new ArrayList<NameValuePair>(2);
    nameValuePair.add(new BasicNameValuePair("action", "login"));
    nameValuePair.add(new BasicNameValuePair("user", "ntesla"));

    // URL-encode and POST the data over TLS
    httpPost.setEntity(new UrlEncodedFormEntity(nameValuePair));
    HttpResponse response = httpClient.execute(httpPost);
} catch (Exception ex) {
    Log.e("Debug", "error: " + ex.getMessage(), ex);
}
Generating Public / Private Key Pairs
server.js

// node module for RSA public/private key OpenSSL bindings
var ursa = require('ursa');

// generate sender private and public keys
// (2048-bit modulus, public exponent 65537; 1024-bit RSA is no longer considered adequate)
var senderkey = ursa.generatePrivateKey(2048, 65537);
var senderprivkey = ursa.createPrivateKey(senderkey.toPrivatePem());
var senderpubkey = ursa.createPublicKey(senderkey.toPublicPem());

// generate recipient private and public keys
var recipientkey = ursa.generatePrivateKey(2048, 65537);
var recipientprivkey = ursa.createPrivateKey(recipientkey.toPrivatePem());
var recipientpubkey = ursa.createPublicKey(recipientkey.toPublicPem());
Preparing Message, Encrypting, and Signing
server.js

// prepare JSON message and stringify
var msg = {
    'user': 'Nikola Tesla',
    'address': 'W 40th St, New York, NY 10018',
    'state': 'active'
};
msg = JSON.stringify(msg);

// encrypt with the recipient's public key, sign with the sender's private key
var encrypted = recipientpubkey.encrypt(msg, 'utf8', 'base64');
var signed = senderprivkey.hashAndSign('sha256', msg, 'utf8', 'base64');
Hardware is Used as Bridge to Endpoint
(Diagram: Central Device -> Beacon Hardware -> IP Address Endpoint)
Decrypting and Verifying Message
server.js

// decrypt data received with the recipient's private key
var decryptedmsg = recipientprivkey.decrypt(encrypted, 'base64', 'utf8');

// validate signature with the sender's public key; hashAndVerify takes one
// encoding for both message and signature, so re-encode the plaintext as base64
var validatedmsg = Buffer.from(decryptedmsg, 'utf8').toString('base64');
if (!senderpubkey.hashAndVerify('sha256', validatedmsg, signed, 'base64')){
    throw new Error("invalid signature");
} else {
    // decrypted and authenticated message
    console.log('decrypted message', decryptedmsg, '\n');
}
The Better Way
• Transmission over HTTPS
• Asymmetric or symmetric algorithms
• Trusted protocols such as OAuth
Protecting Payments
Transmitting credit card and payment details
Taking Cues from Email / SMS Communications
Source: http://mashable.com
Tokenization
(Diagram: card fields such as Credit Card Number, Expiration Date, Customer Name and Postal Code are replaced by opaque tokens such as 1a472HDsabejmasiw8371480 and isajlkarsi742198ue)
Source: http://fineartamerica.com
Extending Secure Protection
Using wearables to extend security
Source: http://theverge.com
Capturing Wearable Device Information
devices.java

import java.util.Set;
import android.bluetooth.BluetoothAdapter;
import android.bluetooth.BluetoothDevice;

// get all devices currently bonded (paired) with this Bluetooth adapter
Set<BluetoothDevice> pairedDevices = mBluetoothAdapter.getBondedDevices();

// loop through all paired devices found
if (pairedDevices.size() > 0) {
    for (BluetoothDevice device : pairedDevices) {
        // DEVICE NAME:
        String name = device.getName();
        // DEVICE MAC ADDRESS:
        String address = device.getAddress();
    }
}
Source: http://droid-life.com
Securing Data Communications
Identity, data, and payments within different communication methods
Thank you! Questions?
Twitter: @jcleblanc | Email: jleblanc@paypal.com