Smart Cards and Security - Unit 5

Questions and Answers

What is a common application of smart cards in healthcare?

Control access to restricted physical locations

Securely store financial information

Facilitate online shopping transactions

Securely store patient information and insurance data (correct)

Which cryptographic method allows a prover to demonstrate knowledge without revealing information?

Zero-Knowledge Protocols (correct)

Hashing

Digital Signatures

Symmetric Key Encryption

What mechanism do many smart cards use to combat tampering attempts?

RFID technology

Voltage monitoring (correct)

Biometric authentication

Encryption keys

In which sector are smart cards commonly used for secure transactions?

Banking and Payments

What is a primary use of smart cards in access control?

Providing physical and logical access

What is the primary benefit of using Zero Knowledge Protocols in communication?

They prevent any other parties from accessing the communication's content.

Which of the following best describes the role of the Prover in a Zero Knowledge Protocol?

The Prover must convince the Verifier they know the secret without revealing it.

What is one of the essential properties for a protocol to be considered 'zero-knowledge'?

The protocol must maintain a high probability of the Verifier being convinced without the Prover showing the secret.

Who is convinced of the Prover's knowledge in a Zero Knowledge Protocol?

The Verifier.

What does the term 'zero knowledge' specifically refer to in the context of Zero Knowledge Protocols?

No information about the secret is disclosed.

Study Notes

Unit 5: Other Security Issues

• Topic: Smart Cards and Security
  • Smart cards are small, plastic cards with embedded microprocessors.
  • They're used for identification, secure payments, access control, and data storage.
  • Smart cards offer enhanced security compared to traditional magnetic stripe cards due to data processing directly on the card and cryptographic operations.
  • Different types exist:
    • Contact smart cards require direct contact with a reader.
    • Contactless smart cards utilize radio frequency (RF) technology for communication.
    • Dual-interface smart cards combine contact and contactless technologies.
• Uses:
  • Banking and Payments: Used in credit & debit cards, following EMV standards.
  • Stored Value: Prepaid cards for public transit, vending machines, and toll booths.
  • Identification & Authentication: Used in government IDs, passports, and employee IDs.
• Healthcare:
  • Health insurance cards securely store patient and insurance details.
  • Patient data cards store medical history & emergency contacts.
  • Building & room access control, restricted access areas grant access only to authorized users.

Zero Knowledge Protocol

• Definition: Cryptographic methods allowing one party to prove information knowledge without revealing the actual information.

• Key Concepts:

  • Completeness: The prover, possessing the information, successfully convinces the verifier with high probability.
  • Soundness: The prover, without the information, cannot convince the verifier. Only possible with low probability.

• How it Works: Involves interaction rounds, prover providing evidence it possesses the information. This evidence is often in a random way.

• Example Scenario: Scenario of two glasses being switched with one containing Pepsi and one containing Coke.

• Applications:

  • Authentication: Password-free authentication where a user proves knowledge without revealing it.
  • Secure Voting: Voters can demonstrate they voted without revealing their choice.
  • Blockchain & Cryptocurrencies: Protocols like zk-SNARKs used in privacy-focused cryptocurrencies.
  • Access Control: Verifying user access rights without exposing sensitive data.

Enterprise Application Security

• Definition: The practice of safeguarding applications and their processed data from security threats.
• Components:
  • Application Layer Security: Ensures security measures are integrated into the application itself. This includes authentication/encryption/input validation and secure session management.
  • Identity & Access Management (IAM): Controls user access to resources within applications. Includes multi-factor authentication (MFA), single sign-on (SSO), and role-based access control (RBAC).
  • Data Security: Protection of sensitive information stored/transmitted within applications.
• Testing:
  • Static Application Security Testing (SAST): Scans the application's source code to detect vulnerabilities.
  • Dynamic Application Security Testing (DAST): Tests the application in real-time (testing environment) against attacks.
  • Interactive Application Security Testing (IAST): Analyzing the application while running to identify vulnerabilities.
• Management:
  • Vulnerability Management: Ongoing identification, assessment, and mitigation of vulnerabilities.
  • Threat Modeling & Risk Assessment: Identifying potential risks, evaluating their significance, and developing mitigation strategies.
• API Security: API protocols (Application Programming interfaces) are crucial in current enterprise applications. Security practices should ensure prevention against unauthorized access and misuse. These include:
  • Secure coding practices,
  • OAuth/access control, and
  • API gateways.
• DevSecOps: Integrating security into the development lifecycle to catch issues early.
• Logging, Monitoring, & Incident Response: Detecting unusual behavior indicating breaches, and creating plans for a quick reactive response to minimize incident impact.
• Common Threats: SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), malware/ransomware, insecure authentication.
• Benefits: Data protection, business continuity, customer trust, compliance.

Biometric Authentication

• Overview: A security process verifying a person's identity using unique biological characteristics (e.g., fingerprints, facial features).
• Types: Fingerprint, facial, hand geometry, iris, retina, voice, behavioral (typing speed, gait).
• How it Works:
  • Enrollment: Biometric data is captured, processed, and stored in a template.
  • Verification: The template matches the new biometric data input.
  • Continuous Authentication (optional): Verification repeated as a security measure.
• Applications: Mobile devices, banking, workplace access control, government/border control, and healthcare.
• Considerations: privacy, spoofing, data breach, and cost risks.
• Best Practices: Multi-factor authentication, encryption techniques to protect the storage of biometric Data, and ensure the detection of new spoofing methods.

### Database Access Control

• Definition: Security layer restricting which users can access data.
• Core Concepts:
  • Least Privilege: Granting users only the necessary access.
  • Strong Authentication Methods: Using strong methods and multi-factor authentication.
• Methods:
  • Access controls: Define who can get access on the database.
  • Authentication: Ensures only authorized users can access sensitive data.
  • Authorization: Restricts permitted actions, like reading, writing, deleting.
    • Auditing: Keeping track of database access.

Security and Privacy Issues in RFIDs

• Definition: Challenges connected with the use of radio-frequency identification (RFID) technology.

• Components:

  • RFID tags store data, while antenna transmits data
  • RFID readers receive and transmit data,
    • System data receives, processes, and stores data.

• Privacy Concerns:

  • Location tracking: RFID can reveal the location of individuals.
  • Data Exposure: Stored personal data can be vulnerable to unauthorized access.
  • Data Aggregation: Combining multiple sources of RFID data, may invade privacy.

• Security Concerns:

  • Data breaches are a risk if the system is not secured. Unwanted manipulation and misuse of the collected data.

Description

Explore the essential aspects of smart cards and their security features in this quiz from Unit 5. Learn about the different types of smart cards, their applications in banking, payments, and identification, and how they enhance security compared to traditional cards. Test your knowledge on this important security technology.