wistp 07 a comparative analysis of common threats
play

WISTP 07 A comparative analysis of common threats, vulnerabilities, - PowerPoint PPT Presentation

Jul 17, 2023 •104 likes •337 views

WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and countermeasures within smart card and wireless sensor network node technologies. Kevin Eagles, Konstantinos Markantonakis and Keith Mayes Smart Card Centre,

  1. WISTP ’07 – A comparative analysis of common threats, vulnerabilities, attacks and countermeasures within smart card and wireless sensor network node technologies. Kevin Eagles, Konstantinos Markantonakis and Keith Mayes Smart Card Centre, Royal Holloway University of London www.sensornets.co.uk k.eagles@sensornets.co.uk {k.markantonakis, keith.mayes}@rhul.ac.uk

  2. Presentation Structure • Background to Research • Objectives of Research • Technology Definitions • Security Analysis • Results • Conclusion • Additional Information and Resources WISTP07 - 10th May 2007 2

  3. Authors’ Backgrounds • Kevin Eagles: – UK MOD Civil Servant in Defence Equipment and Support (DE&S) – Security Assurance Manager for Defence Corporate Business Applications IPT – Directorate General Information Systems and Services (DGISS) - formerly Defence Communication Services Agency (DCSA) • Dr. Konstantinos Markantonakis: – Smart Card Centre at Royal Holloway University of London • Dr. Keith Mayes: – Director of the Smart Card Centre at Royal Holloway University of London WISTP07 - 10th May 2007 3

  4. Background to Paper • 2004 to 2006 - MSc Information Security at Royal Holloway • MSc Project was: “A comparative analysis of common threats, vulnerabilities, attacks and countermeasures within smart card and wireless sensor network node technologies.” • MSc Project is basis for the paper produced for WISTP07 WISTP07 - 10th May 2007 4

  5. Objectives of this Research To enable this work, two high level objectives were established: • OBJECTIVE 1: Determine if there are any security threats, vulnerabilities, attacks and countermeasures that have been established for smart card technologies (both contact and contactless) that can be directly and/or indirectly applied to wireless sensor network node technologies • OBJECTIVE 2: Determine if there are any existing or emergent security threats, vulnerabilities, attacks and countermeasures that have been established for wireless sensor network node technologies that can be directly and/or indirectly applied to smart card technologies WISTP07 - 10th May 2007 5

  6. Technology Definitions • Smart card – integrated circuit (crypto co-processor & tamper resistance a common feature) – packaged and embedded within a card carrier – not normally a networked device (Java Card 3.0 an exception) – normally receives power from a separate source (some exceptions) Contact and contactless Smart Cards and also RFID technologies under the unified banner of smart card technologies • Wireless Sensor Network Node (Mote) – integrated circuit (basic micro-controller, no tamper resistance or crypto co- processor) – able to function as an element within a network, to send, receive or route – onboard battery but low power consumption – passing data onto other devices through wireless communications – collaborating to form a sensing network No focus on specific vendors or operating systems - broad view research WISTP07 - 10th May 2007 6

  7. Background to Analysis #1 • Plenty of data on ‘known’ attacks and Security Mechanisms for Smart Cards • Some data on ‘known’ and theoretical attacks on Motes • Plenty of Risk Analysis methods around, not many Threat Analysis methods • Definitions identity crisis – what is a threat? WISTP07 - 10th May 2007 7

  8. Background to Analysis #2 • Chose four pillars for the Security Analysis and created own definitions, need to ‘harvest’ as much information as possible: – Threat: “an objective a foe might try to realise in order to misuse a target or asset” – Vulnerability: “a specific means by which a threat can be executed via an unmitigated attack path” – Attacker: “the entity that is exploiting a vulnerability to establish a threat” – Countermeasure: “a mitigation measure that prevents, detects or significantly reduces a misdeed associated with a specific threat or group of threats” This led to the creation of the TVAC Table - four pillars became four blocks WISTP07 - 10th May 2007 8

  9. Background to Analysis #3 - TVAC WISTP07 - 10th May 2007 9

  10. Background to Analysis #4 - TVAC WISTP07 - 10th May 2007 10

  11. Background to Analysis #5 - TVAC The two initial left hand columns categorise the technology type and the threat unique identifier (TUID). or • contact smart card is prefixed SCA • contactless smart card prefixed SCB • Wireless Sensor Network Node prefixed WSNN. WISTP07 - 10th May 2007 11

  12. Background to Analysis #6– TVAC 8 Categories of Threat 'type', indicating what the target or asset is: Threat Summary: • Physical - Chip This includes a ‘Statement’ • Physical - Other of the Threat indicating ‘Entry • Logical - OS Point’ and rating the ‘Impact’ • Logical - Platform of the Threat from High, • Logical - Application • Logical - Other Moderate or Low. •Comms Bearer (e.g., Physical Card Reader, RF or RFID); 7 Threat Classifications: • Other. • Physical Static (e.g., No Power to Hardware); • Physical Dynamic (e.g., Power to Hardware); • Logical Static (e.g., No Power source active, but using glitches e.g., temp) • Logical Dynamic (e.g., Power to Software); • Social (e.g., Social Engineering); • Policy (e.g., Weakness in Governing Policies); • Other. WISTP07 - 10th May 2007 12

  13. Background to Analysis #7 - TVAC S = Spoofing Vulnerability Summary: T = Tampering A ‘Statement’ of the R = Repudiation I = Information disclosure Vulnerability, with a ‘Probability’ rating from D = Denial of Service High, Moderate or Low. E = Elevation of Privilege Microsoft method to categorise threats during software development. Added granularity to ‘CRIPAL’ C = Confidentiality – The restriction of information and/or assets (both physical and logical) to authorised entities/individuals only. R = Reliability – The ability to access and use information and/or assets (both physical and logical) consistently without disruption I = Integrity – The maintaining of information and/or assets (both physical and logical) in their complete and intended form. P = Privacy – The ability for an entity/individual to choose with whom to share their ‘Private’ information and/or assets (both physical and logical), without concern of impermissible access and/or use. A = Availability – Constant and timely access to information and/or assets (both physical and logical) for authorised entities/individuals. L = Legitimate Use – Use of information and/or assets (both physical and logical) is undertaken by authorised entities/individuals who have the legal rights to conduct actions through propriety (DPA ’98, CMA ‘90). WISTP07 - 10th May 2007 13

  14. Background to Analysis #8 - TVAC 5 Attack Classes: Invasive Active (e.g., Cutting new tracks); Invasive Passive (e.g., Microprobing to observe not to modify); Non-Invasive Active (e.g., Power Surge or glitch attacks); Non-Invasive Passive (e.g., DPA and Timing Attacks); Semi Invasive techniques (e.g., Light attacks). 3 Attacker Groups: • Class I (clever outsiders) - “Opportunist Attacker” • Class II (knowledgeable insiders) - “Expert/Professional Attacker • Class III (funded organisations) - “Sophisticated Attacker” WISTP07 - 10th May 2007 14

  15. Background to Analysis #9 - TVAC Countermeasure Summary: A ‘Statement’ of the Countermeasure, indicating its ‘Effectiveness’ represented by the following options: • Total (Complete Effectiveness) • Partial (Some Effectiveness) •None Overhead of Countermeasure on Time, Performance & Cost: This looks at any impacts the countermeasure may bring if implemented. WISTP07 - 10th May 2007 15

  16. Background to Analysis #10 - TVAC Short Assessment: “Can the threat and the mitigation to one technology be applied to the other technology”: • Total • Partial • None WISTP07 - 10th May 2007 16

  17. Results – 22 TVAC Tables • Ten threats, SCA-T1 to SCA-T10, have been explored for contact smart cards and these have also been applicable to contactless smart cards too as SCB-T1 to SCB-T10 respectively • Four additional threats have been applied to contactless smart cards as SCB-T11 to SCB-T14, giving contactless smart cards a count of fourteen • Eight threats were listed for WSN nodes (WSNN-T1 to WSNN-T8) • The Comparative Threat Analysis Assessment Matrices (CTAAMs) record any commonality/applicability from one technology to the other WISTP07 - 10th May 2007 17

  18. Smart Card Technologies Analysis Assessment Comparative Threat Analysis Assessment Matrix: Matrix Key: SCA/B = Threat and/or Countermeasure is applicable to both Contact and Contactless cards and hence are referenced as so. Contact Smart Card – has the prefix SCA and the threat reference to follow – e.g., SCA-T1 Contactless Smart Card – has the prefix SCB and the threat reference to follow – e.g., SCB-T1 WSN Node – has the prefix WSNN and the threat reference to follow – e.g., WSNN-T1 � (T) = Total Match; � (P) to (T) = Partial to Total Match; � (P) = Partial Match; � (N) = No Match WISTP07 - 10th May 2007 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Common Law Claims A comparative analysis Presented by Tim Ainsworth and Anthony Hillary 13

Common Law Claims A comparative analysis Presented by Tim Ainsworth and Anthony Hillary 13

Common Law Claims A comparative analysis Presented by Tim Ainsworth and Anthony Hillary 13 October 2017 Contents Workers compensation and the common law Restrictions on obtaining common law damages and changes to common law principles

414 views • 12 slides
Comparative Genomics Comparative Genomics Common Themes Gene and functional pathway

Comparative Genomics Comparative Genomics Common Themes Gene and functional pathway

Comparative Genomics Comparative Genomics Common Themes Gene and functional pathway presence/absence Identification, alignment of orthologs Structural analysis and comparison Comparative Genomics Basic Local Alignment Search Tool

480 views • 14 slides
Threats and Analysis Bruno Crpon J-PAL Course Overview 1. What is Evaluation? 2. Outcomes,

Threats and Analysis Bruno Crpon J-PAL Course Overview 1. What is Evaluation? 2. Outcomes,

Threats and Analysis Bruno Crpon J-PAL Course Overview 1. What is Evaluation? 2. Outcomes, Impact, and Indicators 3. Why Randomize and Common Critiques 4. How to Randomize 5. Sampling and Sample Size 6. Threats and Analysis 7. Project

1.2k views • 68 slides
Threats and Analysis Bruno Crpon J-PAL Course Overview 1. What is Evaluation? 2. Outcomes,

Threats and Analysis Bruno Crpon J-PAL Course Overview 1. What is Evaluation? 2. Outcomes,

Threats and Analysis Bruno Crpon J-PAL Course Overview 1. What is Evaluation? 2. Outcomes, Impact, and Indicators 3. Why Randomize and Common Critiques 4. How to Randomize 5. Sampling and Sample Size 6. Threats and Analysis 7. Project

776 views • 65 slides
QUALITATIVE COMPARATIVE ANALYSIS WHAT, WHY, HOW, AND UNDER WHAT CONDITIONS JENEEN R. GARCIA 24

QUALITATIVE COMPARATIVE ANALYSIS WHAT, WHY, HOW, AND UNDER WHAT CONDITIONS JENEEN R. GARCIA 24

QUALITATIVE COMPARATIVE ANALYSIS WHAT, WHY, HOW, AND UNDER WHAT CONDITIONS JENEEN R. GARCIA 24 FEBRUARY 2016 WHAT IS QCA? method to systematically compare cases and find common patterns using set theory/ Boolean algebra bridges

268 views • 25 slides
LCA COMPARATIVE ANALYSIS LCA COMPARATIVE ANALYSIS OF DIFFERENT TECHNOLOGIES OF DIFFERENT

LCA COMPARATIVE ANALYSIS LCA COMPARATIVE ANALYSIS OF DIFFERENT TECHNOLOGIES OF DIFFERENT

LCA COMPARATIVE ANALYSIS LCA COMPARATIVE ANALYSIS OF DIFFERENT TECHNOLOGIES OF DIFFERENT TECHNOLOGIES FOR SURFACE FUNCTIONALISATION FOR SURFACE FUNCTIONALISATION Gabriela Benveniste Environment Park S.p.A. Turin, Italy 3rd International

453 views • 30 slides
Comparative analysis of HIV- - 1 1 Comparative analysis of HIV attachment and fusion efficiency

Comparative analysis of HIV- - 1 1 Comparative analysis of HIV attachment and fusion efficiency

Comparative analysis of HIV- - 1 1 Comparative analysis of HIV attachment and fusion efficiency attachment and fusion efficiency Manon Eckhardt University Hospital Heidelberg Department of Virology AG Mller / Krusslich Background

535 views • 15 slides
Introduction to Qualitative Comparative Analysis (QCA) Morning Session: The Basics of QCA as an

Introduction to Qualitative Comparative Analysis (QCA) Morning Session: The Basics of QCA as an

Introduction to Qualitative Comparative Analysis (QCA) Morning Session: The Basics of QCA as an Approach IUSF- TIAS Autumn School on Concepts, Frameworks and Methods for the Comparative Analysis of Water Governance Jlich, Germany, November

1.17k views • 75 slides
WP3 EX-POST Case studies Comparative Analysis Report Deliverable no.: 3.2 Comparative Analysis

WP3 EX-POST Case studies Comparative Analysis Report Deliverable no.: 3.2 Comparative Analysis

WP3 EX-POST Case studies Comparative Analysis Report Deliverable no.: 3.2 Comparative Analysis Report 03 February 2012 Deliverable Title D3.2 Comparative Analysis Report Filename WP3 EX-POST Case studies: Comparative Analysis Report

805 views • 58 slides
Student-1: Comparative analysis of essential oil of 8 marketed plants Materials:

Student-1: Comparative analysis of essential oil of 8 marketed plants Materials:

Student-1: Comparative analysis of essential oil of 8 marketed plants Materials: 1-Extraction oil Salvia officinalis L. 2. Extraction of methanolic extract Mentha longifolia 3. Comparative GC-MS analysis Rosmarinus officinalis L. Thymus

243 views • 8 slides
Comparative Analysis of Traditional and Contemporary Wooden Architecture in Turkey, from the

Comparative Analysis of Traditional and Contemporary Wooden Architecture in Turkey, from the

Comparative Analysis of Traditional and Contemporary Wooden Architecture in Turkey, from the Perpective of Sustainability Rengin Beceren Ozturk, Arzu Ispalar Cahantimur Agenda Introduction Wooden Building Culture in Turkey Comparative

597 views • 20 slides
The EAC Common External Tariff: Comparative Evidence 2019 BNR Research Day, , June 10, 2019

The EAC Common External Tariff: Comparative Evidence 2019 BNR Research Day, , June 10, 2019

The EAC Common External Tariff: Comparative Evidence 2019 BNR Research Day, , June 10, 2019 Jaime de Melo IGC, FERDI, and University of Geneva Outline PART I: Top Down estimates (gravity) Bilateral (calibrated) trade costs are falling

230 views • 19 slides
Comparative Private Law 2012 A Common European Sales Law? Proposal for regulation: COM(2011)

Comparative Private Law 2012 A Common European Sales Law? Proposal for regulation: COM(2011)

Kre Lilleholt Comparative Private Law 2012 A Common European Sales Law? Proposal for regulation: COM(2011) 635 final An optional 2 nd regime for cross -border contracts Scope: sales of goods, supply of digital content,

460 views • 15 slides
IMPLEMENTATION OF EQAVET AT NATIONAL LEVEL: COMPARATIVE ANALYSIS FACO & UNIVERSITY OF MALTA

IMPLEMENTATION OF EQAVET AT NATIONAL LEVEL: COMPARATIVE ANALYSIS FACO & UNIVERSITY OF MALTA

IMPLEMENTATION OF EQAVET AT NATIONAL LEVEL: COMPARATIVE ANALYSIS FACO & UNIVERSITY OF MALTA SUZANNE GATT PATHWAY FROM EQAVET TO NQAVET - PEN (REF: 538730-LLP-1-2013-SE-LEONARDO-LMP) WORK PACKAGE 2: COMPARATIVE STUDY ON EQAVET The aims and

257 views • 22 slides
Identifying and Tracking Disinformation during the May Michael Baldassaro Digital Threats

Identifying and Tracking Disinformation during the May Michael Baldassaro Digital Threats

Identifying and Tracking Disinformation during the May Michael Baldassaro Digital Threats Project Lead 2019 South Africa Elections The Carter Center Prepared for The Workshop on Comparative Approaches to Disinformation Analytical and

253 views • 8 slides
Update Report August 9 th , 2018 Raymond Design Associates HVAC Comparative Cost Analysis

Update Report August 9 th , 2018 Raymond Design Associates HVAC Comparative Cost Analysis

Elbridge Gerry Building Committee Meeting Schematic Design Update Report August 9 th , 2018 Raymond Design Associates HVAC Comparative Cost Analysis Sloped v. Flat Roof Comparative Cost Analysis Typical 4-Classroom Bay Sloped:

488 views • 19 slides
TravelSpirit and the Open Internet of Mobility Open internet of mobility Call SmartCard

TravelSpirit and the Open Internet of Mobility Open internet of mobility Call SmartCard

TravelSpirit and the Open Internet of Mobility Open internet of mobility Call SmartCard Contactless App Data Payment MaaS Journey Platform Operator Planner aggregator facilitator Service planner Open data feeds Platform

339 views • 7 slides
Technical and Poster Presentation Contact Information Create an Account to Start the

Technical and Poster Presentation Contact Information Create an Account to Start the

Technical and Poster Presentation Contact Information Create an Account to Start the Submission Process Session Details Proposal Category/Details

181 views • 7 slides
L O G I S T I C S O L U T I O N S F O R C O N S U M E R E L E C T R O N I C S XARXA

L O G I S T I C S O L U T I O N S F O R C O N S U M E R E L E C T R O N I C S XARXA

L O G I S T I C S O L U T I O N S F O R C O N S U M E R E L E C T R O N I C S XARXA ELECTRONICS services AIR FREIGHT services SEA FREIGHT services GROUND

247 views • 8 slides
Partnering to Enable Wearable Technologies San Francisco, 2013 Why is it critical to partner with

Partnering to Enable Wearable Technologies San Francisco, 2013 Why is it critical to partner with

Partnering to Enable Wearable Technologies San Francisco, 2013 Why is it critical to partner with a GLOBAL SUPPLY SERVICES company? New component technologies Low yield at introduction High capital $s per mfg. line ~$1500 -

461 views • 12 slides
DATAMATICS GLOBAL SERVICES LIMITED Q4 & FY18 Results Update MAY 31, 2018 COMPANY OVERVIEW

DATAMATICS GLOBAL SERVICES LIMITED Q4 & FY18 Results Update MAY 31, 2018 COMPANY OVERVIEW

DATAMATICS GLOBAL SERVICES LIMITED Q4 & FY18 Results Update MAY 31, 2018 COMPANY OVERVIEW FINANCIAL OVERVIEW DISCUSSION SUMMARY AWARDS & CERTIFICATIONS COMPANY OVERVIEW COMPANY OVERVIEW OUR BRIEF PROFILE We build

253 views • 21 slides
KDDI CORPORATION Financial Results for the 1st Quarter of the Fiscal Year Ending March 2011 July

KDDI CORPORATION Financial Results for the 1st Quarter of the Fiscal Year Ending March 2011 July

Ubiquitous Solution Company KDDI CORPORATION Financial Results for the 1st Quarter of the Fiscal Year Ending March 2011 July 23, 2010 The figures included in the following brief, including the business performance target and the target for the

599 views • 23 slides
Smart Card Operating Systems Overview and Trends Pierre.Paradinas@gemplus.com Gemplus Labs

Smart Card Operating Systems Overview and Trends Pierre.Paradinas@gemplus.com Gemplus Labs

Smart Card Operating Systems Overview and Trends Pierre.Paradinas@gemplus.com Gemplus Labs Smart card A piece of plastic with a chip that contains: CPU, memories and programs SC is your personal information system, your

598 views • 21 slides
Revised document 4.1 On underwater noise Important improvements Title of the document changed to

Revised document 4.1 On underwater noise Important improvements Title of the document changed to

Revised document 4.1 On underwater noise Important improvements Title of the document changed to - HELCOM Guidelines for establishing environmental targets for underwater noise - A short introduction added to clarify the use of the document

194 views • 6 slides

More recommend