Augmenting Internet-based Card Not Present Transactions with Trusted Computing: An Analysis (Vol 2)

In this paper, we demonstrate how Trusted Computing technology can be used to enhance the security of Internet-based Card Not Present (CNP) transactions. We take a pragmatic approach, focusing here on exploiting features of Trusted Computing as it is being deployed today. Thus we rely only on the presence of client-side Trusted Platform Modules, rather than upon the ``idealised'' deployment in which Trusted Computing functionality is fully integrated with OS and CPU, and which still seems to be a distant prospect. In essence, our approach uses features of the Public Key Infrastructure that is inherent in Trusted Computing to build lightweight client-side enrollment and certification processes; public key certificates are then used to underpin authentication for CNP payments. Using this approach we demonstrate how Trusted Platform Module (TPM) enabled platforms can integrate with SSL and 3-D Secure. We discuss the threats to CNP transactions that remain even with our enhancements in place, focussing in particular on the threat of malware, and how it can be ameliorated

Towards Secure E-Commerce Based on Virtualization and Attestation Techniques

We present a secure e-commerce architecture that is resistant to client compromise and man-in-the-middle attacks on SSL. To this end, we propose several security protocols that use attestation techniques offered by the Trusted Computing Group (TCG). Using these protocols, we can ensure that the client configuration remains untampered and trusted for the duration of the transaction. In addition, confidential data, such as authentication passwords, are only accessible by the electronic commerce server to which the users intend to transfer their data. Since we employ a trusted third party that is responsible for verifying a client’s platform configuration, our approach does not depend on trusted computing at the server but instead only requires minor modification to server logic

e-EMV: Emulating EMV for Internet Payments using Trusted Computing Technology

The introduction of Static Data Authentication (SDA) compliant EMV cards with their improved cardholder verification and card authentication capabilities has resulted in a dramatic reduction in the levels of fraud seen at Point of Sale (POS) terminals. However, with this POS-based reduction has come a corresponding increase in the level of fraud associated with Internet-based Card Not Present (CNP) transactions. This increase is largely attributable to the fact that Internet-based CNP processing has no easy way of integrating EMV into its transaction architecture. In this regard, payment is reliant on Mail Order Telephone Order (MOTO) based processing where knowledge of card account details is deemed a sufficient form of transaction authorisation. This report aims to demonstrate how Trusted Computing technology can be used to emulate EMV for use in Internet-based CNP transactions. Through a combination of a Trusted Platform Module, processor (with chipset extensions) and OS support we show how we can replicate the functionality of standard EMV-compliant cards. The usage of Trusted Computing in this setting allows a direct migration to more powerful Combined DDA and application cryptogram generation (CDA) cards as well as offering increased security benefits over those seen in EMV's deployment for POS transactions. Customer to Merchant interaction in our setting mirrors transaction processing at traditional POS terminals. We build upon the services offered by Trusted Computing in order to provide a secure and extensible architecture for Internet-based CNP transactions

Identity Crisis: On the Problem of Namespace Design for ID-PKC and MANETs

Ad-hoc Networks (MANETs). In particular we examine the problem of naming and namespace design in an Identity-based Key Infrastructure (IKI). We examine the potential impact that different types of identifiers may have on the utility of ad hoc networks where an IKI provides the underlying key infrastructure. We also highlight problems inherent in extending namespaces to allow inter-operability amongst heterogeneous trust domains. I

Information Security Group,

It seems likely that TCG-compliant computing platforms will become widespread over the next few years. Once one accepts that the Trusted Computing paradigm offers an interesting and powerful set of security features, the natural question arises: for what purposes can this technology be exploited? In this chapter, we examine the application of Trusted Computin