Can the the GP Secure Channel functionality be used for communications other than the ones for applet personalization or applet management?
For instance, can it be the case that a financial transaction is secured (authentication, integrity or confidentiality) using the GP Secure Channel protocol?
Thanks in advance
Related
I am developing an IoT device that uses TI's tm4c129encpdt microcontroller, cc3100 wifi chip and TI RTOS, and I am using TLS for secure communication with the server (HTTPS).
I just want to make my device more secure by adding some authentication methods. I am already assigning tokens to the device through a server.
Is there any standard way to add authentication method to an IoT device based on which I can assure to my clients that it has secured communication and authentication method?
Thanka and Regards
Akhilesh Gangwar
Use the 2-way authentication using TLS.
I am trying to design a Hyperledger Fabric solution with following requirements
The users are signed-up with an organization
The user should however have their individual identities on Blockchain
The users would interact with Blockchain through a web application
The users should store their own private keys / certificates
Individual user's key / certificate should be used to sign the transaction going to Blockchain. The organization however should not have access to user's private key / certificate
Instead the web application should merely transfer the signed content of the transaction to Blockchain, making it tamper-proof
Are there any solutions available that would cater to these requirements, so that the users continue to work through the web application only?
Can node.js SDK for Fabric be used on the client side to sign the transaction using the locally stored private key / certificate on user's desktop / laptop?
As of right now, no, there are no solutions available to cater to these requirements as the node SDK does not currently support a separation of logic between signing transaction proposals and sending transaction proposals. Step 6 is not possible with the 1.2 SDK.
Separating that logic is slated for the 1.3 release.
I have a REST api that I would like to secure so only my selected devices (which are embedded) can access the information. I don't want the users to have to login with their credentials; I just need the rest service to only be available for my specific set of devices.
How can I secure the WS to achieve this level of security?
Set up an X.509 certificate authority (CA).
Issue certificates to your devices.
Make your service only available with SSL and client certificates from your CA.
(This is not trivial.)
I’m a software engineer and I’m currently working on another payment application (my 3rd one) that must go under PCI PA-DSS compliance. I’m re-examining the PA-DSS documentation and I’m wondering if in the past I overworked on the security of the application, when I could’ve go by with TLS and user/pass. So, my questions are, when implementing a PA-DSS secure application:
For Authentication and Communication security is it enough to have TLS + user/pass?
What part(s) of the PA-DSS standard justifies the need of implementing message hashing and rolling hash between web methods calls? TLS implements reliable messages, but not rolling hashes and persistent callers between messages. Will implementing a rolling hash make any difference (from the PA-DSS stand point)?
If a payment processing application stores PII information and serves different companies (meaning that Company A and Company B can have accounts in such application), there is no specific requirement that states the PII information cannot be stored in the same DB, but in the past, PA-QSAs have insisted in this being an issue. The question is: Is this truly necessary? I cannot think Authorize.NET, a company with thousands of clients and processors have different databases to store the credit cards processed through each of its client companies.
Thanks in advance!
Update #1:
Assume all pages and web services, both in DMZ and Secure Zone will have HTTPS for all the communication channels, pages and services.
On #3, the question is not about the location or security of the storage of sensitive information. The question is more geared to question the ability of sharing sensitive information from different sources (clients, such as AT&T and Verizon for example) in the same database.
There are a few issues here.
1) Using TLS for just the username+password is still a vulnerability. Its a violation of owasp a9 and its trivial to hijack any account on your system using a firehseep style attack.
I know the PA-DSS 2.0 doesn't embody the entire owasp top 10, but requirement 12.1 should be noted:
12.1 Instruct customers to encrypt all non-console administrative access with
strong cryptography, using
technologies such as SSH, VPN, or
SSL/TLS for web-based management and
other non-console administrative
access.
Which would include an administrative http interface.
2) The PA-DSS recommendeds using real transport layer security such as: VPNs, and TLS/SSL. I don't believe there is a requirement for rolling hashes, and to be honest this isn't a very secure design. Such traffic needs full transport layer protection.
3) Don't forget about requirement 9:
9. Cardholder data must never be stored on a server connected to the Internet
If radius is Authuntication protocol why use kerberos,pap,chap,... ?
The Remote Authentication Dial-In User Service (RADIUS) protocol provides authentication, authorization, and accounting (AAA) for dial-in infrastructures, and it uses the same account and password to log into your company network through modem, WiFi, or a VPN tunnel. RADIUS has many carrier-grade features (the whole accounting part, for example) and is designed to operate in explicitly configured backbone networks.
But it is not well suited for PC and workstation networks and doesn't have the single-sign-on capability offered by Kerberos.
On the Other Hand, Kerberos provides an encrypted authentication service using shared secret keys. Kerberos can also support authentication via public key cryptography, but this is not covered by RFC 4120. Kerberos does not provide an authorization service, but Kerberos does support pass-through to other authorization services. Kerberos does not provide an accounting service.
For More Information about the PAP and CHAP, refer the following url
http://www.zeroshell.net/eng/kerberos/
and this url too you can refer
http://www.firewall.cx/ftopict-2679-.html
RADIUS (Remote Authentication Dial In User Service), defined in RFC 2865, is a protocol for remote user authentication and accounting.
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.
Suppose you have Vodafone or Orange Telecom operator's connectivity at your home for internet connectivity.so,you will be needing a particular user id and password to access that.
Here Radius Protocol is used.
Technically, if you see the network file(.pcap file) that Wireshark Tool uses.
You will see that it contains Attribute Value Pairs that contains user name, password fields.
Radius uses CHAP password.So, it is more secured in terms of middle attack.
I hope you got my point