Security in Online Banking


Presentation Transcript


  1. Joel Fendrick Security in Online Banking

  2. Overview
  • Encryption Methods
  • AES (Advanced Encryption Standard)
  • SSL (Secure Socket Layer)
  • TLS (Transport Layer Security)
  • TLS Advantage Over SSL
  • Security Example
  • Attacks
  • Countermeasure

  3. Encryption Methods
  • Asymmetric
  • Symmetric
  • Hashing

  4. Asymmetric
  • Each user has two keys
    • Private
    • Public
  • Public key stored in a public database
  • Messages encrypted with the public key can only be decrypted with the private key
  • Encrypted with the private key -> decrypted with the public key

  5. Symmetric
  • No private/public key pair
  • The only means of decryption is having the right key
  • Security issue in exchanging the key

  6. Hashing
  • Unique fixed-length string of characters derived from the selected text
  • One-way process
  • Cannot recreate the document from the hash
  • If anything changes in the text, the hash changes
  • Can be used to determine the integrity of a file

  7. Suppose the hash of a document was:
  9c5292056062f70a2f14330cf4d30c7f
  If anything at all changes in the document, a new hash is formed:
  91857f37a636882c78de9961e791c81a
  This makes it easy to tell if the message has been altered in any way
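As an added illustration of the integrity check on slides 6 and 7 (example code, not part of the original presentation), the Go program below hashes a constructed sample document with SHA-256, stores the digest the way a publisher would record it, and then checks an edited copy against it. The two sample strings are constructed for the example, and SHA-256 is used rather than the 128-bit digests shown on the slide; the function names are the example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// DigestHex returns the SHA-256 digest of doc as a lowercase hex string.
func DigestHex(doc []byte) string {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:])
}

// Verify recomputes the digest of doc and compares it with the digest that
// was recorded when the document was published. It reports whether the
// document is byte-for-byte unchanged.
func Verify(doc []byte, recordedHex string) bool {
	return DigestHex(doc) == recordedHex
}

// DifferingBits counts how many of the 256 digest bits differ between the
// digests of two documents. A one-character edit flips roughly half of them
// (the avalanche effect), which is why the two hashes on the slide share no
// recognisable prefix.
func DifferingBits(a, b []byte) int {
	da := sha256.Sum256(a)
	db := sha256.Sum256(b)
	n := 0
	for i := range da {
		n += bits.OnesCount8(da[i] ^ db[i])
	}
	return n
}

func main() {
	// Constructed sample "documents": the second differs by one character.
	original := []byte("Transfer 100.00 USD to account 12345678")
	altered := []byte("Transfer 900.00 USD to account 12345678")

	recorded := DigestHex(original) // stored alongside the document at publication time
	fmt.Println("recorded digest:      ", recorded)
	fmt.Println("original verifies:    ", Verify(original, recorded))
	fmt.Println("altered verifies:     ", Verify(altered, recorded))
	fmt.Println("digest bits differing:", DifferingBits(original, altered), "of 256")
}
```

A plain hash only detects accidental or unauthenticated modification: anyone who can edit the document can also recompute and replace the stored digest, so the recorded value has to be kept somewhere the editor cannot reach, or be protected by a keyed MAC or a signature (which is the role the keyed MAC plays in the SSL record layer later in the deck).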

  8. AES (Advanced Encryption Standard)
  • Cryptographic algorithm used to protect electronic data
  • Block cipher that can encrypt and decrypt information
  • Capable of using keys of 128, 192, and 256 bits
  • Encrypts data in blocks of 128 bits

  9. Pseudo code: http://www.garykessler.net/library/crypto.html#fig17

  10. in[] and out[]
  • 16-byte arrays holding the plaintext and ciphertext, respectively. (According to the specification, both of these arrays are actually 4*Nb bytes in length, but Nb=4 in AES.)
  • w[]
    • array containing the key material; it is 4*(Nr+1) words in length. (Again, according to the specification, the multiplier is actually Nb.)
  • state[]
    • a 2-dimensional array containing bytes in 4 rows and 4 columns. (According to the specification, this array is 4 rows by Nb columns.)

  11. SubBytes
  • takes the value of a word within the State and substitutes it with another value from a predefined S-box
  • ShiftRows
    • circularly shifts each row in the State by some predefined number of bytes
  • MixColumns
    • takes the value of a 4-word column within the State and changes the four values using a predefined mathematical function
  • AddRoundKey
    • XORs a key that is the same length as the block, using an Expanded Key derived from the original Cipher Key

  12. Walkthrough
  • This walkthrough is of Rijndael encryption
  • Rijndael allows both key and block sizes to be chosen independently from the set of {128, 160, 192, 224, 256} bits. (The key size does not in fact have to match the block size.)
  • However, the block size must always be 128 bits in AES, and the key size may be either 128, 192, or 256 bits.
  • http://www.formaestudio.com/rijndaelinspector/
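Added example, not part of the presentation or of the linked Rijndael inspector: a Go program using the standard library's crypto/aes to run the cipher on exactly one 128-bit block, which shows the two AES constraints from slides 8 and 12 in working code (the block is always 16 bytes, the key must be 16, 24 or 32 bytes, and anything else is rejected). The in[] and out[] arrays correspond to the pseudo code's in[] and out[] on slide 10. The 128-bit key and plaintext are the Appendix C example vector from FIPS-197 (reference [2]); the function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// EncryptBlock runs the AES cipher forward on one 128-bit block.
// key must be 16, 24 or 32 bytes (AES-128/192/256); crypto/aes rejects any
// other length, which is the AES key-size restriction from the slide.
func EncryptBlock(key, in []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	// BlockSize() is 16 for every AES key size: the block is fixed at 128 bits.
	if len(in) != c.BlockSize() {
		return nil, fmt.Errorf("plaintext must be exactly %d bytes, got %d", c.BlockSize(), len(in))
	}
	out := make([]byte, c.BlockSize())
	c.Encrypt(out, in) // out[] and in[] as in the pseudo code
	return out, nil
}

// DecryptBlock is the inverse cipher for one block.
func DecryptBlock(key, in []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in) != c.BlockSize() {
		return nil, fmt.Errorf("ciphertext must be exactly %d bytes, got %d", c.BlockSize(), len(in))
	}
	out := make([]byte, c.BlockSize())
	c.Decrypt(out, in)
	return out, nil
}

// mustHex decodes a hex test vector or panics; only used for fixed constants.
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// FIPS-197 Appendix C.1 example: AES-128 key and plaintext block.
	key := mustHex("000102030405060708090a0b0c0d0e0f")
	pt := mustHex("00112233445566778899aabbccddeeff")
	ct, err := EncryptBlock(key, pt)
	if err != nil {
		panic(err)
	}
	fmt.Printf("AES-128 ciphertext: %x\n", ct)
	back, _ := DecryptBlock(key, ct)
	fmt.Printf("decrypts back to:   %x\n", back)

	// Same plaintext block under 192- and 256-bit keys (key bytes 0,1,2,...):
	// the key grows but the output block is still 16 bytes.
	for _, klen := range []int{24, 32} {
		k := make([]byte, klen)
		for i := range k {
			k[i] = byte(i)
		}
		ct, err := EncryptBlock(k, pt)
		if err != nil {
			panic(err)
		}
		fmt.Printf("AES-%d ciphertext: %x (%d bytes)\n", klen*8, ct, len(ct))
	}

	// A 20-byte key is a valid Rijndael size (160 bits) but not an AES size.
	if _, err := EncryptBlock(make([]byte, 20), pt); err != nil {
		fmt.Println("20-byte key rejected:", err)
	}
}
```

EncryptBlock is the raw block function, which is all the slide's pseudo code covers. Encrypting a message one raw block at a time (ECB) produces identical ciphertext for identical blocks under the same key, so real traffic such as an SSL/TLS record is always sent under a mode of operation (CBC with a MAC, or an AEAD mode such as GCM) that adds an IV or nonce and an integrity tag.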

  13. AES Flaw
  • Weakness identified in 2009
  • Interesting from a mathematical point of view
  • Not really relevant in application
  • Finding the key of AES is four times easier than previously believed
  • Steps to find it = 8 followed by 37 zeroes

  14. 1 trillion machines each testing 1 billion keys per second
  • Would take more than 2 billion years to recover an AES-128 key
  • Andrey Bogdanov (K.U. Leuven)
  • Dmitry Khovratovich (Microsoft Research)
  • Christian Rechberger (ENS Paris)

  15. SSL (Secure Socket Layer)
  • 3 basic properties
    • Connection is private
    • Peer’s identity can be authenticated using asymmetric cryptography
    • Connection is reliable
      • message check using a keyed Message Authentication Code (MAC)

  16. Two layers: can include length, description and content
  • Lowest Layer = SSL Record Protocol
  • Second Layer = Handshake Protocol

  17. TLS (Transport Layer Security)
  • Two layers
    • TLS Record Protocol
    • TLS Handshake Protocol
  • Encapsulates higher-level protocols

  18. TLS Record Protocol
  • Two basic properties
    • The connection is private
      • Symmetric data encryption
    • The connection is reliable
      • Keyed MAC included in each message

  19. TLS Handshake Protocol
  • Three basic properties
    • Peer’s identity can be authenticated using asymmetric or public key cryptography
    • The negotiation of a shared secret is secure
    • The negotiation is reliable

  20. Advantage over SSL
  • Application protocol independent
  • Higher-level protocols can layer on top of it transparently
  • Decisions on how to initiate TLS handshaking and how to interpret authentication certificates are left up to the designers of the higher-level protocols

  21. Security Example
  • Either the SSL or the TLS protocol
  • We’ll focus on SSL since it is the basis for TLS

  22. Browser sends a message via SSL to the bank server
  • Bank responds by sending a certificate
    • Includes the bank’s public key
  • Browser authenticates the certificate and generates a random session key
  • Uses this key to encrypt the data

  23. Bank’s server receives the session key and decrypts it
  • Key was sent encrypted with the bank’s public key
  • Bank uses its private key to decrypt it
  • The session key that both bank and client now know is used for the rest of the communication
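The exchange on slides 22 and 23, as an added Go example that is not part of the original presentation: the bank's RSA key pair stands in for the certificate (the browser's certificate check from slide 22 is assumed to have passed; CA validation is not modelled), the browser generates a fresh 128-bit session key and encrypts it to the bank's public key with RSA-OAEP, the bank recovers it with its private key, and both sides then protect application records with AES-GCM. The GCM tag also plays the part of the per-message keyed MAC from slides 15 and 18. The Bank type, the function names and the request string are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Bank holds the server's long-term RSA key pair (hypothetical type for this
// example). In a real deployment the public half travels inside an X.509
// certificate signed by a CA; certificate validation is not modelled here.
type Bank struct {
	priv *rsa.PrivateKey
}

func NewBank() (*Bank, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Bank{priv: priv}, nil
}

// PublicKey is what the bank sends in step 2 (the certificate's public key).
func (b *Bank) PublicKey() *rsa.PublicKey { return &b.priv.PublicKey }

// BrowserStartSession is the browser side of steps 3 and 4: pick a random
// 128-bit session key and encrypt it to the bank's public key, so that only
// the holder of the matching private key can recover it.
func BrowserStartSession(bankPub *rsa.PublicKey) (sessionKey, encryptedKey []byte, err error) {
	sessionKey = make([]byte, 16)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	encryptedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, bankPub, sessionKey, nil)
	if err != nil {
		return nil, nil, err
	}
	return sessionKey, encryptedKey, nil
}

// AcceptSession is the bank side of step 5: decrypt the session key.
func (b *Bank) AcceptSession(encryptedKey []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, b.priv, encryptedKey, nil)
}

// newAEAD builds an AES-GCM cipher from the shared session key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal protects one application record. The GCM tag gives the per-record
// integrity check that the record layer's keyed MAC provides; the random
// nonce is prefixed to the ciphertext so the receiver can find it.
func Seal(sessionKey, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open verifies and decrypts a record; any modification makes it fail.
func Open(sessionKey, record []byte) ([]byte, error) {
	aead, err := newAEAD(sessionKey)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(record) < ns {
		return nil, fmt.Errorf("record too short: %d bytes", len(record))
	}
	return aead.Open(nil, record[:ns], record[ns:], nil)
}

// RunExchange plays both sides end to end and returns what the bank read.
func RunExchange(request []byte) ([]byte, error) {
	bank, err := NewBank()
	if err != nil {
		return nil, err
	}
	browserKey, encryptedKey, err := BrowserStartSession(bank.PublicKey())
	if err != nil {
		return nil, err
	}
	bankKey, err := bank.AcceptSession(encryptedKey) // same 16 bytes as browserKey
	if err != nil {
		return nil, err
	}
	record, err := Seal(browserKey, request)
	if err != nil {
		return nil, err
	}
	return Open(bankKey, record)
}

func main() {
	got, err := RunExchange([]byte("GET /balance")) // constructed request
	if err != nil {
		panic(err)
	}
	fmt.Printf("bank received: %q\n", got)
}
```

What is modelled here is RSA key transport, the handshake SSL 3.0 and TLS up to 1.2 use with RSA cipher suites. Its weakness from a defender's point of view is the lack of forward secrecy: every session key is recoverable from a recording of the handshake by anyone who later obtains the bank's private key, which is why TLS 1.3 dropped RSA key transport in favour of ephemeral Diffie-Hellman key agreement. The example also shows why the slide's "browser authenticates the certificate" step is not optional: without it the browser cannot know whose public key it is encrypting the session key to.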

  24. Banks Didn’t Use SSL?
  • Bank of America
  • Wachovia
  • US Bank
  • Chase
  • American Express
  • Etc.
  • SSL login form listed as optional
  • Outside the US, HSBC was at this time the only known bank not to use SSL authentication
    • British multinational banking and financial services company
  As of 2006 a number of big banks were not requiring the use of SSL authentication

  25. Attacks
  • Man-in-the-middle
  • Man-in-the-browser

  26. Man-in-the-middle
  • Someone intercepts the communication between two systems

  27. Specific MITM Attack
  • Victim visits a site that uses TLS 1.0 and receives a cookie; this cookie injects the client-side BEAST (Browser Exploit Against SSL/TLS)
  • Attacker can now use a network sniffer to look for active TLS connections
  • Grabs and decrypts the HTTPS cookie
  • Allows the attacker to hijack the victim’s session with that site

  28. Solution
  • Difficult
  • Attacks confidentiality rather than authenticity (which most attacks target)
  • Requires a major change in the protocol itself
  • There are some fixes, but they cause compatibility issues with some existing SSL applications

  29. Man-in-the-browser
  • Malware already infecting the user’s computer
  • Kicks in after the user has logged onto the site
  • Hijacks money and siphons it into criminal accounts

  30. Solution
  • Use a trusted browser
  • Can be stored on a flash drive
  • Since it is stored in its own secure environment, it is not susceptible to malware in the same way as a traditional browser

  31. Countermeasure
  • Historically a piecemeal approach
  • Generally recommends several defenses that support each other
  • Often creates gaps within the layer architecture, leaving some elements exposed to threats

  32. Some banks implement a secure USB token
  • “provides secure online banking session even if computer is riddled with malware”
  • Read-only portable USB device
  • When plugged in, encrypts the customer’s keystrokes
  • Launches a virtualized OS
  • Launches a secure browser
  • Launches a secure network between client and bank server

  33. This is an attempt to create a virtual machine that is walled off from the rest of the PC
  • Protection from the client’s system
  • Makes sense that banks would want to protect their customers, as they are often the weakest link and biggest threat vector

  34. Conclusion
  • Be careful and aware
  • Pay attention and confirm the site is legitimate
  • Security is evolving, but so are the attacks

  35. References
  [1] HIPAA Collaborative of Wisconsin. (2010). The Basics of Encryption. Retrieved on March 22, 2012, from http://www.hipaacow.org/docs/encryption%20whitepaper%207.7.10.doc
  [2] NIST. (2001). Retrieved on March 22, 2012, from FIPS Publications website: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
  [3] Katholieke Universiteit Leuven. (2011, August 17). First flaws in the Advanced Encryption Standard used for internet banking identified. ScienceDaily. Retrieved on March 22, 2012, from http://www.sciencedaily.com/releases/2011/08/110817075424.htm
  [4] Dierks, T., & Rescorla, E. (2008, August). The Transport Layer Security (TLS) Protocol Version 1.2. Retrieved on March 22, 2012, from http://tools.ietf.org/html/rfc5246
  [5] Freier, A., & Karlton, P. (2011, August). The Secure Sockets Layer (SSL) Protocol Version 3.0. Retrieved on March 22, 2012, from http://tools.ietf.org/html/rfc6101
  [6] Onyszko, T. (2002, July 19). WindowsSecurity.com. Retrieved on March 23, 2012, from http://www.windowsecurity.com/articles/secure_socket_layer.html
  [7] Online banking security and technical frequently asked questions. (2012). Retrieved on March 23, 2012, from http://www.bankofamerica.com/onlinebanking/index.cfm?adlink=&context=en&locale=&statecheck=WI&template=faq_security&cm_mmc=&cm_sp=
  [8] Ou, G. (2006, April 27). Many banks failing to use SSL authentication. Retrieved on March 23, 2012, from http://www.zdnet.com/blog/ou/many-banks-failing-to-use-ssl-authentication/201
  [9] OWASP. (2009, April 23). The Open Web Application Security Project. Retrieved on March 23, 2012, from https://www.owasp.org/index.php/Man-in-the-middle_attack
  [10] Fisher, D. (2011, September 19). threatpost. Retrieved on March 23, 2012, from http://threatpost.com/en_us/blogs/new-attack-breaks-confidentiality-model-ssl-allows-theft-encrypted-cookies-091911
  [11] Bethlehem, D. (2012, February 12). Strong authentication by itself is not enough to prevent man-in-the-browser attacks. Retrieved on March 24, 2012, from http://data-protection.safenet-inc.com/2012/02/strong-
  [12] Ramirez, D. (2007). Case study: ITU-T Recommendation X.805 applied to an enterprise environment: banking. Bell Labs Technical Journal, 12(3), 55-64.
  [13] (2011). Securing the weakest link. Bank Technology News, 24(6), 1 & 35.
