Seminar on Network Security
Introduction of the topics and some material for the session on M-commerce
Attacks related to the smart card used in electronic payment and cash cards
Tutor: Pekka Kanerva
Smart cards are considered one solution to the problem of the PTD. A smart card can be used as an electronic identity card, a money card, a secure storage device for private encryption keys, and so on, or perhaps even as a combination of all of these. Phone cards have been available on the market for a couple of years. Take a look at the existing systems and their security. There has been some research in the field trying to find out how tamper resistant these cards really are. Discuss the different cash cards and their tamper resistance. Describe the different kinds of attacks against the cards used for payments. What kind of risks have the card manufacturers taken? Are the cards used for storing unlimited amounts of money, or only small amounts? Discuss also the difference between electronic money and electronic cash cards.
LITERATURE:
- R. Anderson and M. Kuhn, Tamper Resistance - a Cautionary Note http://www.cl.cam.ac.uk/~mgk25/tamper.html
- M. Kuhn, Attacks on Pay-TV Access Control Systems http://www.cl.cam.ac.uk/~mgk25/vc-slides.pdf
- O. Kömmerling and M. Kuhn, Design Principles for Tamper-Resistant Smartcard Processors http://www.cl.cam.ac.uk/~mgk25/
- B. Schneier and A. Shostack, Breaking Up Is Hard to Do: Modeling Security Threats for Smart Cards http://www.counterpane.com/smart-card-threats.html
- Electronic Commerce http://www.smart-card.com/page19.html
- Papers about electronic cash http://dosan.skku.ac.kr/~jykim/list_of_e-cash_paper.htm
- Smartcard security information page, especially theoretical attacks and attacks on banking cards http://www.geocities.com/ResearchTriangle/Lab/1578/smart.htm
- Smart Cards: Enabling Smart Commerce in the Digital Age http://www.americanpacific.net/html/wp2.htm
Digital Signatures in Mobile Commerce
Tutor: Petri Puhakainen
Digital signatures are expected to improve the security of on-line commerce. Thus, there is a growing need for digitally signed messages and transactions. Governments have also noticed this, and legal frameworks for digital signatures are being set up. These make signatures legally binding, which creates pressure to store the signing keys in a secure manner.
It is important to understand which security services digital signatures can provide, as well as the other implications they might have, such as the privacy issues they will raise.
TARGET:
The goal of this subject is to get an understanding of digital signatures and their meaning in mobile (as well as in other on-line) commerce.
REQUIRES:
The student is expected to have (or acquire) a basic understanding of digital signatures.
PKIs for Mobile Commerce
Tutor: Petri Puhakainen
Many on-line commerce applications are using (or will be using ...) public key cryptography for security services. These applications are usually integrated into a key management infrastructure. An example of these key management infrastructures, or public key infrastructures, is X.509. It seems to be becoming the most widely accepted PKI in commercial products. However, there are other PKI design efforts, too. Some of them seem to be much more suitable for large-scale mobile (and other on-line) commerce than X.509. One example is SPKI, which has more flexible trust management capabilities than X.509. It also supports anonymity in on-line interaction.
TARGET:
This topic should evaluate PKIs for large-scale on-line commerce; at least X.509 and SPKI should be covered.
REQUIRES:
The student is expected to have (or acquire) an understanding of the PKI requirements for large-scale on-line interaction.
LITERATURE FOR BOTH SUBJECTS ABOVE:
- Abelson, H. et al., The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption, 20.8.1998 http://www.cdt.org/crypto/risks98/
- American Bar Association, Digital Signature Guidelines, 1.8.1996 http://www.abanet.org/ftp/pub/scitech/ds-ms.doc
- Ellison, C., Certification Infrastructure Needs For electronic Commerce And Personal Use, 16.7.1997 http://www.clark.net/pub/cme/nist-7-24/
- Ellison, C., The Trust Shell Game, in Proceedings of Security Protocols, 6th International Workshop, pp. 36-40, Springer-Verlag, Berlin, 1999.
- Ellison, C. et al., SPKI Certificate Theory, September 1999 http://www.ietf.org/rfc/rfc2693.txt
- Ford, M., Identity Authentication and 'E-Commerce', 30.10.1998 http://www.law.warwick.ac.uk/jilt/98-3/ford.html
- Ford, W. & Baum M. S., Secure Electronic Commerce: Building the Infrastructure for Digital Signatures & Encryption, Prentice Hall, Upper Saddle River, 1997, 470 p.
- Gerk, E., Overview of Certification Systems: X.509, CA, PGP, and SKIP, 17.4.1997 http://www.mcg.org.br/cert.htm
- Gerk, E., Towards Real World Models of Trust: Reliance on Received Information, 23.1.1998 http://www.mcg.org.br/trustdef.htm
- Gladman, B. et al., Digital Signatures, Certificates, and Electronic Commerce, version 1.1, 8.6.1999, http://jya.com/bg/digsig.pdf
- Greenleaf, G. & Clarke, R., Privacy Implications of Digital Signatures, version 10 of March 1997 http://www.anu.edu.au/people/Roger.Clarke/DV/DigSig.html
- Mione, A., A Look at Some More PKI Design Efforts, Digital Systems report, 1998, vol. 20, no. 4.
This page is maintained by Network Security teaching staff, E-mail: netsec@tml.hut.fi.
The page has been last updated on September 6, 2000
URL: http://www.tml.hut.fi/Opinnot/Tik-110.501/2000/intro/commerce.html