Secure Payments over Mixed Communication Media
Identity, Data, and Payment Security Practices
Jonathan LeBlanc
Head of Global Developer Advocacy
PayPal / Braintree
Twitter: @jcleblanc | Email: jleblanc@paypal.com
Twitter: @jcleblanc | Hashtag: #dfist
Considerations in the Payments World
• Identity: Securing who the user is
• Data in Motion: Securing what the user is doing
• Payments: Securing how the user is buying
Transmitting information about who you are
Protecting Identity
(Image source: http://digitaltrends.com)
Protecting Account Information
Protecting Identity through the Password
• Salting: Hardening stored password hashes with a per-user random value
• Good password-hashing algorithms (slow key-derivation functions): bcrypt, scrypt, PBKDF2
• Protects against: Rainbow tables, dictionary attacks
Android: POST request to server to encrypt data
import java.util.ArrayList;
import java.util.List;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import android.util.Log;

//HTTPS protects the password in transit; the server salts and hashes it on arrival (see auth.js)
//note: the Apache HttpClient used here was removed in Android 6.0; HttpsURLConnection is the current equivalent
String urlString = "https://myserver.com/auth";
try {
    //create HTTP objects
    HttpClient httpClient = new DefaultHttpClient();
    HttpPost httpPost = new HttpPost(urlString);
    //create nvp of POST data
    List<NameValuePair> nameValuePair = new ArrayList<NameValuePair>(1);
    nameValuePair.add(new BasicNameValuePair("password", "123456789"));
    //encode and POST data
    httpPost.setEntity(new UrlEncodedFormEntity(nameValuePair));
    HttpResponse response = httpClient.execute(httpPost);
} catch (Exception ex) {
    Log.e("Debug", "error: " + ex.getMessage(), ex);
}
client.java
Salting & Encrypting Passwords with bcrypt
//node bcrypt package
var bcrypt = require('bcrypt');
function bcrypt_encrypt(username, password){
    //generate a random salt with 10 rounds (cost factor 2^10)
    bcrypt.genSalt(10, function(err, salt){
        if (err) throw err;
        //generate hash using password & salt
        bcrypt.hash(password, salt, function(err, key){
            if (err) throw err;
            //bcrypt returns a string that already embeds the salt and cost,
            //so storing the hash alone is enough to verify later
            console.log('key: ' + key);
            console.log('salt: ' + salt);
        });
    });
}
auth.js
Salting & Encrypting Passwords with PBKDF2
//node standard crypto package
var crypto = require('crypto');
function pbkdf2_encrypt(username, password){
    //generate random 32 byte salt
    crypto.randomBytes(32, function(ex, salt){
        if (ex) throw ex;
        //generate PBKDF2 hash with specified iterations and length
        crypto.pbkdf2(password, salt, 4096, 512, 'sha256', function(err, key){
            if (err) throw err;
            //store salt, iteration count and key together; all three are needed to verify
            console.log('key: ' + key.toString('hex'));
            console.log('salt: ' + salt.toString('hex'));
        });
    });
}
auth.js
Transmitting privileged user information between services
Protecting Data in Motion
(Image source: http://estimote.com)
Taking Cues from Hardware Security
Protecting Data in Motion
• Asymmetric Public / Private Key Encryption
• Two pairs of public / private keys (sender + receiver)
• Encrypt with recipient public key, sign with sender private key
• Decrypt with recipient private key, verify with sender public key
Learning from Beacons
(Diagram: Central Device → Beacon Hardware → IP Address Endpoint)
Android: POST request to server to transmit data
import java.util.ArrayList;
import java.util.List;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import android.util.Log;

//note: the Apache HttpClient used here was removed in Android 6.0; HttpsURLConnection is the current equivalent
String urlString = "https://myserver.com/server";
try {
    //create HTTP objects
    HttpClient httpClient = new DefaultHttpClient();
    HttpPost httpPost = new HttpPost(urlString);
    //create nvp of POST data
    List<NameValuePair> nameValuePair = new ArrayList<NameValuePair>(2);
    nameValuePair.add(new BasicNameValuePair("action", "login"));
    nameValuePair.add(new BasicNameValuePair("user", "ntesla"));
    //encode and POST data
    httpPost.setEntity(new UrlEncodedFormEntity(nameValuePair));
    HttpResponse response = httpClient.execute(httpPost);
} catch (Exception ex) {
    Log.e("Debug", "error: " + ex.getMessage(), ex);
}
client.java
Generating Public / Private Key Pairs
//node module for RSA public/private key OpenSSL bindings
var ursa = require('ursa');
//generate sender private and public keys
//(1024-bit modulus with public exponent 65537, as on the slide; 2048 bits or more is the current minimum)
var senderkey = ursa.generatePrivateKey(1024, 65537);
var senderprivkey = ursa.createPrivateKey(senderkey.toPrivatePem());
var senderpubkey = ursa.createPublicKey(senderkey.toPublicPem());
//generate recipient private and public keys
var recipientkey = ursa.generatePrivateKey(1024, 65537);
var recipientprivkey = ursa.createPrivateKey(recipientkey.toPrivatePem());
var recipientpubkey = ursa.createPublicKey(recipientkey.toPublicPem());
server.js
Preparing Message, Encrypting, and Signing
//prepare JSON message and stringify
var msg = { 'user':'Nikola Tesla',
            'address':'W 40th St, New York, NY 10018',
            'state':'active' };
msg = JSON.stringify(msg);
//encrypt with the recipient's public key, sign with the sender's private key
var encrypted = recipientpubkey.encrypt(msg, 'utf8', 'base64');
var signed = senderprivkey.hashAndSign('sha256', msg, 'utf8', 'base64');
server.js
Hardware is Used as Bridge to Endpoint
(Diagram: Central Device → Beacon Hardware → IP Address Endpoint)
Decrypting and Verifying Message
//decrypt data received with the recipient's private key
var decryptedmsg = recipientprivkey.decrypt(encrypted, 'base64', 'utf8');
//validate signature with the sender's public key
//(ursa's hashAndVerify takes the data as a base64 string, hence the re-encoding)
var validatedmsg = new Buffer(decryptedmsg).toString('base64');
if (!senderpubkey.hashAndVerify('sha256', validatedmsg, signed, 'base64')){
    throw new Error("invalid signature");
} else {
    //decrypted message
    console.log('decrypted message', decryptedmsg, '\n');
}
server.js
The Better Way
• Transmission over HTTPS
• Asymmetric or Symmetric algorithms
• Trusted protocols such as OAuth
Transmitting credit card and payment details
Protecting Payments
(Image source: http://mashable.com)
Taking Cues from Email / SMS Communications
Tokenization
(Diagram: the sensitive fields Credit Card Number, Expiration Date, Customer Name and Postal Code are replaced by an opaque token, shown on the slide as:)
1a472HDsabejmasiw8371480
isajlkarsi742198ue
(Image source: http://fineartamerica.com)
Extending Secure Protection
Using wearables to extend security
(Image source: http://theverge.com)
Capturing Wearable Device Information
import java.util.Set;
import android.bluetooth.BluetoothAdapter;
import android.bluetooth.BluetoothDevice;

//the adapter is null on devices without Bluetooth; the BLUETOOTH permission is required
BluetoothAdapter mBluetoothAdapter = BluetoothAdapter.getDefaultAdapter();
if (mBluetoothAdapter != null) {
    //get all devices currently paired (bonded) via Bluetooth
    Set<BluetoothDevice> pairedDevices = mBluetoothAdapter.getBondedDevices();
    //loop through all paired devices found
    if (pairedDevices.size() > 0) {
        for (BluetoothDevice device : pairedDevices) {
            String deviceName = device.getName();       //DEVICE NAME
            String deviceAddress = device.getAddress(); //DEVICE MAC ADDRESS
        }
    }
}
devices.java
(Image source: http://droid-life.com)
Securing Data Communications
Identity, data, and payments within different communication methods
Thank you!
Questions?
Twitter: @jcleblanc
Email: jleblanc@paypal.com
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 

Secure Payments Over Mixed Communication Media

  • 1. Secure Payments over Mixed Communication Media
  Identity, Data, and Payment Security Practices
  Jonathan LeBlanc, Head of Global Developer Advocacy, PayPal / Braintree
  Twitter: @jcleblanc | Email: jleblanc@paypal.com
  • 2. Considerations in the Payments World
  Twitter: @jcleblanc | Hashtag: #dfist
    • Identity: Securing who the user is
    • Data in Motion: Securing what the user is doing
    • Payments: Securing how the user is buying
  • 3. Protecting Identity
  Transmitting information about who you are
  • 4. Protecting Account Information
  Source: http://digitaltrends.com
  • 5. Protecting Identity through the Password
    • Salting: Hardening the user password
    • Good encryption algorithms: bcrypt, scrypt, PBKDF2
    • Protects against: Rainbow tables, dictionary attacks
  • 6. Android: POST request to server to encrypt data (client.java)

```java
import java.util.ArrayList;
import java.util.List;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import android.util.Log;

String urlString = "https://myserver.com/auth";
try {
    //create HTTP objects
    HttpClient httpClient = new DefaultHttpClient();
    HttpPost httpPost = new HttpPost(urlString);

    //create nvp of POST data
    List<NameValuePair> nameValuePair = new ArrayList<NameValuePair>(1);
    nameValuePair.add(new BasicNameValuePair("password", "123456789"));

    //encode and POST data (the password travels inside the TLS-protected body)
    httpPost.setEntity(new UrlEncodedFormEntity(nameValuePair));
    HttpResponse response = httpClient.execute(httpPost);
} catch (Exception ex) {
    Log.e("Debug", "error: " + ex.getMessage(), ex);
}
```

  • 7. Salting & Encrypting Passwords with bcrypt (auth.js)

```javascript
//node bcrypt package
var bcrypt = require('bcrypt');

function bcrypt_encrypt(username, password){
  //generate a random salt with 10 rounds (cost factor 2^10)
  bcrypt.genSalt(10, function(err, salt){
    if (err) throw err;
    //generate hash using password & salt
    bcrypt.hash(password, salt, function(err, key){
      if (err) throw err;
      console.log('key: ' + key.toString('hex'));
      console.log('salt: ' + salt.toString('hex'));
    });
  });
}
```

  • 8. Salting & Encrypting Passwords with PBKDF2 (auth.js)

```javascript
//node standard crypto package
var crypto = require('crypto');

function pbkdf2_encrypt(username, password){
  //generate random 32 byte salt
  crypto.randomBytes(32, function(ex, salt){
    if (ex) throw ex;
    //generate PBKDF2 hash with specified iterations and length
    crypto.pbkdf2(password, salt, 4096, 512, 'sha256', function(err, key){
      if (err) throw err;
      console.log('key: ' + key.toString('hex'));
      console.log('salt: ' + salt.toString('hex'));
    });
  });
}
```
  • 9. Protecting Data in Motion
  Transmitting privileged user information between services
  • 10. Taking Cues from Hardware Security
  Source: http://estimote.com
  • 11. Protecting Data in Motion
    • Asymmetric Public / Private Key Encryption
    • Two pairs of public / private keys (sender + receiver)
    • Encrypt with recipient public key, sign with sender private key
    • Decrypt with recipient private key, verify with sender public key
  • 12. Learning from Beacons
  [diagram: Central Device → Beacon Hardware → IP Address Endpoint]
  • 13. Android: POST request to server to transmit data (client.java)

```java
import java.util.ArrayList;
import java.util.List;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import android.util.Log;

String urlString = "https://myserver.com/server";
try {
    //create HTTP objects
    HttpClient httpClient = new DefaultHttpClient();
    HttpPost httpPost = new HttpPost(urlString);

    //create nvp of POST data
    List<NameValuePair> nameValuePair = new ArrayList<NameValuePair>(2);
    nameValuePair.add(new BasicNameValuePair("action", "login"));
    nameValuePair.add(new BasicNameValuePair("user", "ntesla"));

    //encode and POST data
    httpPost.setEntity(new UrlEncodedFormEntity(nameValuePair));
    HttpResponse response = httpClient.execute(httpPost);
} catch (Exception ex) {
    Log.e("Debug", "error: " + ex.getMessage(), ex);
}
```

  • 14. Generating Public / Private Key Pairs (server.js)

```javascript
//node module for RSA public/private key OpenSSL bindings
var ursa = require('ursa');

//generate sender private and public keys
var senderkey = ursa.generatePrivateKey(1024, 65537);
var senderprivkey = ursa.createPrivateKey(senderkey.toPrivatePem());
var senderpubkey = ursa.createPublicKey(senderkey.toPublicPem());

//generate recipient private and public keys
var recipientkey = ursa.generatePrivateKey(1024, 65537);
var recipientprivkey = ursa.createPrivateKey(recipientkey.toPrivatePem());
var recipientpubkey = ursa.createPublicKey(recipientkey.toPublicPem());
```

  • 15. Preparing Message, Encrypting, and Signing (server.js)

```javascript
//prepare JSON message and stringify
var msg = {
  'user': 'Nikola Tesla',
  'address': 'W 40th St, New York, NY 10018',
  'state': 'active'
};
msg = JSON.stringify(msg);

//encrypt with the recipient's public key, sign with the sender's private key
var encrypted = recipientpubkey.encrypt(msg, 'utf8', 'base64');
var signed = senderprivkey.hashAndSign('sha256', msg, 'utf8', 'base64');
```

  • 16. Hardware is Used as Bridge to Endpoint
  [diagram: Central Device → Beacon Hardware → IP Address Endpoint]
  • 17. Decrypting and Verifying Message (server.js)

```javascript
//decrypt data received with the recipient's private key
var decryptedmsg = recipientprivkey.decrypt(encrypted, 'base64', 'utf8');

//validate signature with the sender's public key (ursa expects base64 input here)
var validatedmsg = new Buffer(decryptedmsg).toString('base64');
if (!senderpubkey.hashAndVerify('sha256', validatedmsg, signed, 'base64')){
  throw new Error("invalid signature");
} else {
  //decrypted message
  console.log('decrypted message', decryptedmsg, '\n');
}
```
  • 18. The Better Way
    • Transmission over HTTPS
    • Asymmetric or Symmetric algorithms
    • Trusted protocols such as OAuth
  • 19. Protecting Payments
  Transmitting credit card and payment details
  • 20. Taking Cues from Email / SMS Communications
  Source: http://mashable.com
  • 21. Tokenization
  [diagram: Credit Card Number, Expiration Date, Customer Name, Postal Code → 1a472HDsabejmasiw8371480 isajlkarsi742198ue]
  • 22. (image slide)
  • 23. (image slide)
  Source: http://fineartamerica.com
  • 24. Extending Secure Protection
  Using wearables to extend security
  • 25. (image slide)
  Source: http://theverge.com
  • 26. Capturing Wearable Device Information (devices.java)

```java
import java.util.Set;
import android.bluetooth.BluetoothDevice;

//get all devices currently bonded (paired) with this phone via bluetooth
Set<BluetoothDevice> pairedDevices = mBluetoothAdapter.getBondedDevices();

//loop through all paired devices found
if (pairedDevices.size() > 0){
  for (BluetoothDevice device : pairedDevices) {
    //DEVICE NAME: device.getName()
    //DEVICE MAC ADDRESS: device.getAddress()
  }
}
```

  • 27. (image slide)
  Source: http://droid-life.com
  • 28. Securing Data Communications
  Identity, data, and payments within different communication methods

Editor's notes

  1. Taking Cues from Email / SMS Communications