Secure Payments Over Mixed Communication Media

Secure Payments over Mixed Communication Media

Identity, Data, and Payment Security Practices

Jonathan LeBlancHead of Global Developer AdvocacyPayPal / BraintreeTwitter: @jcleblanc | Email: [email protected]

Twitter: @jcleblanc | Hashtag: #dfist

Considerations in the Payments World

• Identity: Securing who the user is

• Data in Motion: Securing what the user is doing

• Payments: Securing how the user is buying


Transmitting information about who you areProtecting Identity

Twitter: @jcleblanc | Hashtag: #dfistSource: http://digitaltrends.com

Protecting Account Information


Protecting Identity through the Password

• Salting: Hardening the user password

• Good encryption algorithms: bcrypt, scrypt, PBKDF2

• Protects against: Rainbow tables, dictionary attacks


Android: POST request to server to encrypt data

ENTER FILENAME/LANG

String urlString = "https://myserver.com/auth";try{ //create HTTP objects HttpClient httpClient = new DefaultHttpClient(); HttpPost httpPost = new HttpPost(urlString); //create nvp of POST data List<NameValuePair> nameValuePair = new ArrayList<NameValuePair>(1); nameValuePair.add(new BasicNameValuePair("password", "123456789")); //encode and POST data httpPost.setEntity(new UrlEncodedFormEntity(nameValuePair)); HttpResponse response = httpClient.execute(httpPost);catch (Exception ex){ Log.e("Debug", "error: " + ex.getMessage(), ex);}

client.java


Salting & Encrypting Passwords with bcrypt

ENTER FILENAME/LANG//node bcrypt packagevar bcrypt = require('bcrypt’);

function bcrypt_encrypt(username, password){ //generate a random salt with 10 rounds bcrypt.genSalt(10, function(err, salt){ //generate hash using password & salt bcrypt.hash(password, salt, function(err, key){ console.log('key: ' + key.toString('hex')); console.log('salt: ' + salt.toString('hex')); }); });}

auth.js


Salting & Encrypting Passwords with PBKDF2

ENTER FILENAME/LANG//node standard crypto packagevar crypto = require('crypto’);

function pbkdf2_encrypt(username, password){ //generate random 32 byte salt crypto.randomBytes(32, function(ex, salt){ //generate PBKDF2 hash with specified iterations and length crypto.pbkdf2(password, salt, 4096, 512, 'sha256', function(err, key){ if (err) throw err; console.log('key: ' + key.toString('hex')); console.log('salt: ' + salt.toString('hex')); }); });}

auth.js


Transmitting privileged user information between services Protecting Data in Motion

Twitter: @jcleblanc | Hashtag: #dfistSource: http://estimote.com

Taking Cues from Hardware Security


Protecting Data in Motion

• Asymmetric Public / Private Key Encryption

• Two pairs of public / private keys (sender + receiver)

• Encrypt with recipient public key, sign with sender private key

• Decrypt with recipient private key, verify with sender public key


Learning from Beacons

Central Device

Beacon Hardware

IP AddressEndpoint


Android: POST request to server to transmit data

ENTER FILENAME/LANG

String urlString = "https://myserver.com/server";try{ //create HTTP objects HttpClient httpClient = new DefaultHttpClient(); HttpPost httpPost = new HttpPost(urlString); //create nvp of POST data List<NameValuePair> nameValuePair = new ArrayList<NameValuePair>(2); nameValuePair.add(new BasicNameValuePair("action", "login")); nameValuePair.add(new BasicNameValuePair("user", "ntesla")); //encode and POST data httpPost.setEntity(new UrlEncodedFormEntity(nameValuePair)); HttpResponse response = httpClient.execute(httpPost);catch (Exception ex){ Log.e("Debug", "error: " + ex.getMessage(), ex);}

client.java


Generating Public / Private Key Pairs

ENTER FILENAME/LANG//node module for RSA public/private key OpenSSL bindingsvar ursa = require('ursa');

//generate sender private and public keysvar senderkey = ursa.generatePrivateKey(1024, 65537);var senderprivkey = ursa.createPrivateKey(senderkey.toPrivatePem());var senderpubkey = ursa.createPublicKey(senderkey.toPublicPem());

//generate recipient private and public keysvar recipientkey = ursa.generatePrivateKey(1024, 65537);var recipientprivkey = ursa.createPrivateKey(recipientkey.toPrivatePem());var recipientpubkey = ursa.createPublicKey(recipientkey.toPublicPem());

server.js


Preparing Message, Encrypting, and Signing

ENTER FILENAME/LANG

//prepare JSON message and stringifyvar msg = { 'user':'Nikola Tesla', 'address':'W 40th St, New York, NY 10018',

'state':'active' };

msg = JSON.stringify(msg);

//encrypt and sign message for sendingvar encrypted = recipientpubkey.encrypt(msg, 'utf8', 'base64');var signed = senderprivkey.hashAndSign('sha256', msg, 'utf8', 'base64');

server.js


Hardware is Used as Bridge to Endpoint

Central Device

Beacon Hardware

IP AddressEndpoint


Decrypting and Verifying Message

ENTER FILENAME/LANG//decrypt data receivedvar decryptedmsg = recipientprivkey.decrypt(encrypted, 'base64', 'utf8');

//validate signaturevar validatedmsg = new Buffer(decryptedmsg).toString('base64');if (!senderpubkey.hashAndVerify('sha256', validatedmsg, signed, 'base64')){ throw new Error("invalid signature");} else { //decrypted message console.log('decrypted message', decryptedmsg, '\n');}

server.js


The Better Way

• Transmission over HTTPS

• Asymmetric or Symmetric algorithms

• Trusted protocols such as OAuth


Transmitting credit card and payment detailsProtecting Payments

Twitter: @jcleblanc | Hashtag: #dfistSource: http://mashable.com

Taking Cues from Email / SMS Communications


Tokenization

Credit Card NumberExpiration Date

Customer NamePostal Code

1a472HDsabejmasiw8371480isajlkarsi742198ue

Twitter: @jcleblanc | Hashtag: #dfistSource: http://fineartamerica.com


Extending Secure ProtectionUsing wearables to extend security

Twitter: @jcleblanc | Hashtag: #dfistSource: http://theverge.com


Capturing Wearable Device Information

ENTER FILENAME/LANG//get all devices currently attached via bluetoothSet<BluetoothDevice> pairedDevices = mBluetoothAdapter.getBondedDevices();

//loop through all paired devices foundif (pairedDevices.size() > 0){ // Loop through paired devices for (BluetoothDevice device : pairedDevices) { //DEVICE NAME: device.getName()

//DEVICE MAC ADDRESS: device.getAddress() }}

devices.java

Twitter: @jcleblanc | Hashtag: #dfistSource: http://droid-life.com


Securing Data CommunicationsIdentity, data, and payments within different communication methods

Thank you!Questions?

Twitter: @jcleblancEmail: [email protected]

Secure Payments Over Mixed Communication Media

Technology

Transcript of Secure Payments Over Mixed Communication Media