Secure Payments Over Mixed Communication Media
Secure Payments over Mixed Communication Media
Identity, Data, and Payment Security Practices
Jonathan LeBlanc, Head of Global Developer Advocacy, PayPal / Braintree
Twitter: @jcleblanc | Email: [email protected]
Twitter: @jcleblanc | Hashtag: #dfist
Considerations in the Payments World
• Identity: Securing who the user is
• Data in Motion: Securing what the user is doing
• Payments: Securing how the user is buying
Protecting Identity
Transmitting information about who you are
Source: http://digitaltrends.com
Protecting Account Information
Protecting Identity through the Password
• Salting: Hardening the user password with a random per-user value stored alongside the hash
• Good password-hashing algorithms: bcrypt, scrypt, PBKDF2
• Protects against: Rainbow tables, dictionary attacks
Android: POST request to server to encrypt data
client.java
import java.util.ArrayList;
import java.util.List;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import android.util.Log;

String urlString = "https://myserver.com/auth";
try {
    //create HTTP objects (Apache HttpClient as on the slide; run this off the UI thread)
    HttpClient httpClient = new DefaultHttpClient();
    HttpPost httpPost = new HttpPost(urlString);

    //create nvp of POST data; the password only travels inside the HTTPS tunnel
    List<NameValuePair> nameValuePair = new ArrayList<NameValuePair>(1);
    nameValuePair.add(new BasicNameValuePair("password", "123456789"));

    //encode and POST data
    httpPost.setEntity(new UrlEncodedFormEntity(nameValuePair));
    HttpResponse response = httpClient.execute(httpPost);
} catch (Exception ex) {
    Log.e("Debug", "error: " + ex.getMessage(), ex);
}
Salting & Encrypting Passwords with bcrypt
auth.js
//node bcrypt package
var bcrypt = require('bcrypt');

function bcrypt_encrypt(username, password){
  //generate a random salt with 10 rounds (the cost factor)
  bcrypt.genSalt(10, function(err, salt){
    if (err) throw err;
    //generate hash using password & salt; the returned string already
    //embeds the salt and cost, so only the hash needs to be stored
    bcrypt.hash(password, salt, function(err, hash){
      if (err) throw err;
      console.log('hash: ' + hash);
      console.log('salt: ' + salt);
    });
  });
}
Salting & Encrypting Passwords with PBKDF2
auth.js
//node standard crypto package
var crypto = require('crypto');

function pbkdf2_encrypt(username, password){
  //generate random 32 byte salt
  crypto.randomBytes(32, function(ex, salt){
    if (ex) throw ex;
    //generate PBKDF2 hash with specified iterations and length
    //(4096 iterations as on the slide; raise the count for current hardware)
    crypto.pbkdf2(password, salt, 4096, 512, 'sha256', function(err, key){
      if (err) throw err;
      //store both values: the salt is needed to recompute the key at login
      console.log('key: ' + key.toString('hex'));
      console.log('salt: ' + salt.toString('hex'));
    });
  });
}
Protecting Data in Motion
Transmitting privileged user information between services
Source: http://estimote.com
Taking Cues from Hardware Security
Protecting Data in Motion
• Asymmetric Public / Private Key Encryption
• Two pairs of public / private keys (sender + receiver)
• Encrypt with recipient public key, sign with sender private key
• Decrypt with recipient private key, verify with sender public key
Learning from Beacons
(diagram) Central Device → Beacon Hardware → IP Address / Endpoint
Android: POST request to server to transmit data
client.java
import java.util.ArrayList;
import java.util.List;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import android.util.Log;

String urlString = "https://myserver.com/server";
try {
    //create HTTP objects (Apache HttpClient as on the slide; run this off the UI thread)
    HttpClient httpClient = new DefaultHttpClient();
    HttpPost httpPost = new HttpPost(urlString);

    //create nvp of POST data
    List<NameValuePair> nameValuePair = new ArrayList<NameValuePair>(2);
    nameValuePair.add(new BasicNameValuePair("action", "login"));
    nameValuePair.add(new BasicNameValuePair("user", "ntesla"));

    //encode and POST data over HTTPS
    httpPost.setEntity(new UrlEncodedFormEntity(nameValuePair));
    HttpResponse response = httpClient.execute(httpPost);
} catch (Exception ex) {
    Log.e("Debug", "error: " + ex.getMessage(), ex);
}
Generating Public / Private Key Pairs
server.js
//node module for RSA public/private key OpenSSL bindings
var ursa = require('ursa');

//generate sender private and public keys (1024-bit modulus, public exponent 65537)
var senderkey = ursa.generatePrivateKey(1024, 65537);
var senderprivkey = ursa.createPrivateKey(senderkey.toPrivatePem());
var senderpubkey = ursa.createPublicKey(senderkey.toPublicPem());

//generate recipient private and public keys
var recipientkey = ursa.generatePrivateKey(1024, 65537);
var recipientprivkey = ursa.createPrivateKey(recipientkey.toPrivatePem());
var recipientpubkey = ursa.createPublicKey(recipientkey.toPublicPem());
Preparing Message, Encrypting, and Signing
server.js
//prepare JSON message and stringify
var msg = {
  'user': 'Nikola Tesla',
  'address': 'W 40th St, New York, NY 10018',
  'state': 'active'
};
msg = JSON.stringify(msg);

//encrypt with the recipient's public key, sign with the sender's private key
var encrypted = recipientpubkey.encrypt(msg, 'utf8', 'base64');
var signed = senderprivkey.hashAndSign('sha256', msg, 'utf8', 'base64');
Hardware is Used as Bridge to Endpoint
(diagram) Central Device → Beacon Hardware → IP Address / Endpoint
Decrypting and Verifying Message
server.js
//decrypt data received with the recipient's private key
var decryptedmsg = recipientprivkey.decrypt(encrypted, 'base64', 'utf8');

//validate the signature over the recovered plaintext with the sender's public key
//(hashAndVerify takes one encoding for both message and signature, hence the base64 re-encode)
var validatedmsg = Buffer.from(decryptedmsg).toString('base64');
if (!senderpubkey.hashAndVerify('sha256', validatedmsg, signed, 'base64')){
  throw new Error("invalid signature");
} else {
  //decrypted message
  console.log('decrypted message', decryptedmsg, '\n');
}
The Better Way
• Transmission over HTTPS
• Asymmetric or Symmetric algorithms
• Trusted protocols such as OAuth
Protecting Payments
Transmitting credit card and payment details
Source: http://mashable.com
Taking Cues from Email / SMS Communications
Tokenization
(diagram) Card data: Credit Card Number, Expiration Date, Customer Name, Postal Code
→ token: 1a472HDsabejmasiw8371480isajlkarsi742198ue
Source: http://fineartamerica.com
Extending Secure Protection
Using wearables to extend security
Source: http://theverge.com
Capturing Wearable Device Information
devices.java
import java.util.Set;
import android.bluetooth.BluetoothAdapter;
import android.bluetooth.BluetoothDevice;

//get all devices currently paired (bonded) via Bluetooth; mBluetoothAdapter is the
//BluetoothAdapter obtained earlier, e.g. from BluetoothAdapter.getDefaultAdapter()
Set<BluetoothDevice> pairedDevices = mBluetoothAdapter.getBondedDevices();

//loop through all paired devices found
if (pairedDevices.size() > 0){
    for (BluetoothDevice device : pairedDevices) {
        //DEVICE NAME: device.getName()
        //DEVICE MAC ADDRESS: device.getAddress()
        String name = device.getName();
        String address = device.getAddress();
    }
}
Source: http://droid-life.com
Securing Data Communications
Identity, data, and payments within different communication methods
Thank you! Questions?
Twitter: @jcleblanc | Email: [email protected]