Security and Privacy in the IoT

Question 1

Privacy vs. Security

What is security? What is privacy? (or its goal)

Answer 1

Security - protect the data
Privacy - protect the user

Question 2

Issues with the IoT systems (4)

Answer 2

Hardware heterogeneity
Limited resources
Big data generation
Need for complex data protection and access measures

Question 3

Hierarchical IoT System (and give the 3 layers)

Answer 3

• Application layer - Applications/Services, Operation and Management
• Transportation later - Access Network
• Perception layer - WSN

Question 4

“The quality or state of being secure- to be free from danger”

Answer 4

Security

Question 5

A successful organization should have multiple layers of security in place: (6)

Answer 5

Physical security
Personal security
Operations security
Communications security
Network security
Information security

Question 6

The protection of information and its critical elements, including systems and hardware that use, store, and transmit information.

Give its necessary tools (5)

Answer 6

Information security

Necessary tools:
- policy
- awareness
- training
- education
- technology

Question 7

CIA TRIAD

________ - To ensure protection against unauthorized access to or use of confidential information

________ - To ensure that information and vital services are accessible for use when required

________- To ensure the accuracy and completeness of information to protect business processes

Answer 7

Confidentiality-Integrity-Availability (CIA)

1. Confidentiality
2. Availability
3. Integrity

Question 8

Which should weigh more security or usability?

Answer 8

usability

Question 9

Why learn IoT security from payment industry?

IoT systems face the same problems as ___________ faced before

• Initial design was for private point to point network the moved to _______ and later on the ______
• Started with basic security then found the security flaws and attached more complex security requirements later
• Low security devices from early design are still out there and used in compatible _________

Answer 9

card payment systems
- IP network; internet
- fall-back mode

Question 10

model of payment ecosystem and who are involved

Answer 10

Four-Party Model

• consumer
• merchant
• issuing bank
• acquiring bank

Question 11

Simplified Authorization Flow for Card Payment

1. The customer make a payment. Enter cardholder data into the__________ (POS, e-commerce website).
2. The merchant sends card data to an ________ who will route data to through the payments system for processing. For e-commerce, a _______ may redirect website to the acquirer.
3. The __________ sends the data to Payment brand.
   __________ forwards the data to the issuer.
4. The _______ verifies and make approval. For e-commerce, a payment gateway may redirect website to the issuer (ex. Verified by ______)
5. If the issuer agrees to fund the purchase, it will generate __________ and routes back to the card brand.
6. Payment brand forwards the authorization code back to acquirer/processor.
7. The acquirer/processor sends the authorization code back to the merchant.
8. The _______ concludes the sale with the customer.

Answer 11

1. merchant payment system
2. acquirer/payment processor, payment gateway
3. acquirer/processor
4. Payment brand; issuer; VISA
5. authorization number
6. merchant

Question 12

________ standard size (normally ID-1) card that has embedded integrated circuit with microprocessor

Answer 12

ISO/IEC 7810

Question 13

What can a smart card provide? (4)

Answer 13

personal identification
authentication
data storage
application processing

Question 14

There are different designs or types of smart cards such as: (3)

Answer 14

• Contact smart card - ISO/IEC 7816
• Contactless smart card - ISO/IEC 14443
• Hybrid

Question 15

Inside a smart card (7)

Answer 15

CPU
Security logic
Serial I/O Interface
Test Logic
ROM
RAM
EEPROM

Question 16

• microprocessor
• cryptographic co-processors
• random number generator

Answer 16

CPU

Question 17

Detects abnormal condition (e.g. low voltage)

Answer 17

security logic

Question 18

contacts the outside world

Answer 18

serial I/O interface

Question 19

Self-test procedure

Answer 19

test logic

Question 20

Basic Security Feature

Hardware (5)
Software (5)

Answer 20

Hardware
- closed package
- memory encapsulation
- fuses
- security logic (sensors)
- cryptographic co-processors and random generator

Software
- decoupling applications and operating system
- application separation (Java card)
- restricted file access
- life cycle control
- various cryptographic algorithms and protocols

Question 21

The two primary types of smart card operating systems are: (2)

Answer 21

Fixed File Structure
Dynamic Application

Question 22

What Card OS?

• files and permissions are set in advances by the issuer
• seldom used for payment cards

Answer 22

Fixed File Structure

Question 23

What Card OS?

• enables developers to build, test, and deploy different card application securely
• updates and security are able to be downloaded and dynamically changed
• ________ and _______ are the two main OS standards

Answer 23

Dynamic Application
- MULTOS and JavaCard

Question 24

• A standard, flexible tool box
• a known language and an easy tool for applet developers in cards
• requires the addition of Global Platform (or similar) to manage the card and its applets

Answer 24

JavaCard

Question 25

* a turn key system * comes as a complete package for cards issuers, with its certification authority, language, tools and personalization process * global platform is possible

Answer 25

MULTOS

Question 26

also known as a point of sale terminal, credit card terminal, EFTPOS terminal, Electronics Data Capture (EDC)

Answer 26

Payment terminal

Question 27

a device which interfaces with payment cards to make electronic fund transfers

Answer 27

Payment terminal

Question 28

A technical standard for smart payment cards and for payment terminals and automated teller machines (ATM)

Answer 28

EMV

Question 29

The initiative for EMV was taken by _________, __________ and ______ in the 1990s (now managed by EMVCe)

Answer 29

Europay, Mastercard and Visa

Question 30

support both ISO/IEC 7816 for contact cards, and standards based on ISO/IEC 14443 for contactless cards (MasterCard Contactless, Paywave, Expresspay)

Answer 30

EMV

Question 31

EMV current version

Answer 31

4.3

Question 32

EMV consist of four books ________ - application and independent ICC to Terminal Interface Requirements _______ - security and key management _______ - application specification _______ - cardholder, attendant, and acquirer interface requirements

Answer 32

Book 1 Book 2 Book 3 Book 4

Question 33

EMV - is a highly configurable tool-kit for payment protocols, offering a choice between (3): - many of these options are parameterized

Answer 33

* 3 Card Authentication Methods * 5 Cardholder Verification Methods * 2 Types of Transactions

Question 34

3 Card Authentication Methods

Answer 34

SDA (Static Data Authentication) DDA (Dynamic Data Authentication) CDA (Combined Data Authentication)

Question 35

5 Cardholder Verification Methods

Answer 35

* **None**: No verification method is used. * **Signature**: The traditional method of signing a receipt or a payment device to verify the transaction. * **Online PIN**: A Personal Identification Number that is checked online, i.e., with the bank's servers. * **Offline unencrypted PIN**: A PIN verification that occurs on the card machine itself without encryption. * **Offline encrypted PIN**: Similar to offline unencrypted PIN, but with the added security of encryption.

Question 36

2 Types of Transactions:

Answer 36

* **On-line Transactions**: Transactions that require a connection to the bank’s server to authorize. * **Off-line Transactions**: Transactions that can be authorized by the card terminal itself without immediate connection to the bank's server.

Question 37

EMV key algorithms (2)

Answer 37

* 3DES - major symmetric key algorithm with 128-bit key length * AES-128 - optional