
Protecting the Future of Mobile Payments

Protecting the Future of Mobile Payments

We are in an age where more people have phones than toilets, and there are more active cell phones than people on the planet. How do we protect all of these devices roaming around unsecured locations, especially when they want to pay for something? Learn the secrets behind building a secure mobile backbone, as we explore how to harden security, build systems based on identity confidence, and work towards a future-proofed mobile framework.

Jonathan LeBlanc

February 26, 2016



Transcript

  1. Protecting the Future of Mobile Payments — Jonathan LeBlanc — Twitter: @jcleblanc — Book: http://bit.ly/iddatasecurity
  //-------------
  // Build Info: http://developer.android.com/reference/android/os/Build.html
  //-------------
  // Slide 2: Retrieving Build Information for Android Device
  //
  // Each expression below reads one attribute of the running device / OS.
  // Review note: none of these values is a secret — every app on the device
  // can read them and a modified client can report whatever it likes — so
  // they can feed a device fingerprint but must not be treated on their own
  // as proof of which device is calling a payment backend.
  System.getProperty("os.version"); // OS (kernel) version string
  android.os.Build.DEVICE           // device codename
  android.os.Build.MODEL            // end-user-visible model name
  android.os.Build.VERSION.SDK_INT  // SDK / API level of the framework
  android.os.Build.SERIAL           // hardware serial number, if available
                                    // NOTE(review): Build.SERIAL is deprecated on newer
                                    // Android releases (it reports "unknown" and the
                                    // replacement Build.getSerial() needs a privileged
                                    // permission) — confirm against the target API level
                                    // before relying on it.
  // Slide 3: Get all Bluetooth Paired Devices: Android
  //
  // Enumerates the devices this phone has been bonded (paired) with and
  // exposes, for each one, its user-visible name and its Bluetooth MAC address.
  //
  // Review notes:
  //  - Needs the Bluetooth permission appropriate to the target API level
  //    (BLUETOOTH on older releases; BLUETOOTH_CONNECT, a runtime permission,
  //    from Android 12) — confirm against the app manifest.
  //  - `mBluetoothAdapter` is assumed to be non-null here; on hardware without
  //    Bluetooth the default adapter is null and this line would throw.
  //  - The bonded list is user-editable and the addresses identify *other*
  //    people's devices too, so treat it as a weak, privacy-sensitive
  //    fingerprint input — never as an identity proof on its own.
  Set<BluetoothDevice> bondedDevices = mBluetoothAdapter.getBondedDevices();

  // an empty set simply yields no iterations, so no explicit size check is needed
  for (BluetoothDevice bonded : bondedDevices) {
      // user-visible name:     bonded.getName()
      // Bluetooth MAC address: bonded.getAddress()
  }
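  # Slide 4: Generating Public / Private Keys
  #
  # Tighten the file-creation mask *before* the private key exists: genrsa
  # honours the umask, so with a default 022 umask private.key would be
  # created world-readable. (umask persists for the rest of the shell session;
  # run this in a subshell if that is not wanted.)
  umask 077

  # create private key in private.key
  # 2048-bit RSA matches the ursa slides; consider a longer modulus (or an EC
  # key, if the peers support it) for keys that must stay secure for many years.
  # Adding -aes256 would encrypt the key at rest under a passphrase, if one can
  # be supplied wherever this key is loaded.
  openssl genrsa -out private.key 2048

  # create public key in public.pem (derived from the private key; safe to share)
  openssl rsa -in private.key -outform PEM -pubout -out public.pem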
  // Slide 5: Package Instantiation and Directory Creation
  //
  // Pulls in the modules used by the following slides and creates one key
  // pair per party (sender, then receiver) under ./keys via makekeys(),
  // which is defined on the next slide.
  //
  // NOTE(review): `ursa` is a native add-on that, at the time of this review,
  // appears to be unmaintained on npm. Everything it is used for in this deck
  // (RSA key generation, OAEP encrypt/decrypt, hash-and-sign / verify) is
  // available from Node's built-in `crypto` module in current releases —
  // worth migrating before depending on this in production.
  var fs = require('fs');
  var mkdirp = require('mkdirp');
  var path = require('path');
  var ursa = require('ursa');

  // base directory for all key material; referenced by the later slides
  var rootpath = './keys';

  // one sub-directory holding a fresh key pair for each party
  ['sender', 'receiver'].forEach(function (party) {
    makekeys(rootpath, party);
  });
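  // Slide 6: Key and Directory Creation
  //
  // Generate an RSA key pair for one party and store it as PEM files under
  // <rootpath>/<subpath>/{private.pem,public.pem}.
  //
  // Security notes:
  //  - The directory is created 0700 and private.pem is written 0600 so other
  //    local users cannot read the private key. The original wrote both files
  //    with the process default mode (typically 0644). `mode` only applies
  //    when the file is created; an existing private.pem keeps its old mode.
  //  - The key is stored unencrypted: anything that can read the file can
  //    impersonate this party. In a real deployment protect it with a
  //    passphrase, an OS keystore or a KMS rather than a bare file.
  //  - Failures are logged and the function carries on, matching the original
  //    best-effort behaviour; callers needing a guarantee should check that the
  //    files exist afterwards.
  //
  // @param {string} rootpath - base directory for all key material
  // @param {string} subpath  - per-party sub-directory (e.g. 'sender')
  function makekeys(rootpath, subpath){
    var OWNER_ONLY_DIR  = parseInt('700', 8); // 0700
    var OWNER_ONLY_FILE = parseInt('600', 8); // 0600 — private key
    var PUBLIC_FILE     = parseInt('644', 8); // 0644 — public key is not secret
    var dir = path.join(rootpath, subpath);

    try {
      mkdirp.sync(dir, { mode: OWNER_ONLY_DIR });
    } catch (err) {
      console.error(err);
    }

    // 2048-bit modulus, matching the `openssl genrsa ... 2048` slide (this is
    // also ursa's default); the public exponent stays at ursa's default 65537.
    var key = ursa.generatePrivateKey(2048);
    var privatepem = key.toPrivatePem();
    var publicpem = key.toPublicPem();

    try {
      fs.writeFileSync(path.join(dir, 'private.pem'), privatepem,
                       { encoding: 'ascii', mode: OWNER_ONLY_FILE });
      fs.writeFileSync(path.join(dir, 'public.pem'), publicpem,
                       { encoding: 'ascii', mode: PUBLIC_FILE });
    } catch (err) {
      console.error(err);
    }
  }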
  // Slide 7: Preparing Message, Encrypting, and Signing
  //
  // Sender side. Loads the sender's private key (for signing) and the
  // receiver's public key (for encryption), serialises a small JSON record and
  // produces two base64 strings consumed by the next slide: `encrypted` (the
  // ciphertext) and `signed` (a signature over that ciphertext).
  //
  // Review notes (behaviour left as in the original):
  //  - The whole message is encrypted directly with RSA. ursa's encrypt()
  //    uses OAEP padding by default (per its docs — confirm), so with a
  //    2048-bit key the plaintext is limited to roughly 200 bytes; larger
  //    payloads need hybrid encryption (a random symmetric key wrapped with RSA).
  //  - The signature covers the ciphertext (encrypt-then-sign). That lets the
  //    receiver verify before decrypting, but it only proves the sender signed
  //    this ciphertext, not that they authored the plaintext: anyone holding
  //    the ciphertext could strip the signature and re-sign it. If the sender's
  //    identity must be bound to the content, put a sender id inside the
  //    plaintext or sign before encrypting.
  //  - hashAndSign uses PKCS#1 v1.5 padding unless the PSS flag is passed
  //    (per ursa's docs — confirm); PSS is the preferable choice today.

  // read one party's PEM file from under `rootpath`
  function loadPem(party, filename) {
    return fs.readFileSync(path.join(rootpath, party, filename));
  }

  var senderprivkey = ursa.createPrivateKey(loadPem('sender', 'private.pem'));
  var recipientpubkey = ursa.createPublicKey(loadPem('receiver', 'public.pem'));

  // the record to protect, serialised straight to a JSON string
  var msg = JSON.stringify({
    'user': 'Nikola Tesla',
    'address': 'W 40th St, New York, NY 10018',
    'state': 'active'
  });

  // encrypt with the recipient's public key, then sign the ciphertext with the sender's private key
  var encrypted = recipientpubkey.encrypt(msg, 'utf8', 'base64');
  var signed = senderprivkey.hashAndSign('sha256', encrypted, 'utf8', 'base64');
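  // Slide 8: Verifying and Decrypting the Message
  //
  // Receiver side. Checks the sender's signature over the ciphertext *before*
  // the private key touches it, then decrypts. Verifying first means a forged
  // or tampered ciphertext is rejected without ever reaching the decryption
  // path; an invalid signature throws, as in the original.
  //
  // Fixes vs. the original: `bufferedmsg` was assigned without `var` (an
  // implicit global), the comment said verification uses the sender's
  // *private* key (it is the public key), `new Buffer()` is replaced by the
  // non-deprecated factory, and the redundant else after the throw is gone.
  //
  // Review note: the signature proves the sender signed this ciphertext, not
  // that they produced the plaintext (see the sender slide). Parse the
  // decrypted JSON defensively — it is still remote input.

  // load keys: the sender's PUBLIC key verifies, the receiver's PRIVATE key decrypts
  var senderpubkey = ursa.createPublicKey(
    fs.readFileSync(path.join(rootpath, 'sender', 'public.pem')));
  var recipientprivkey = ursa.createPrivateKey(
    fs.readFileSync(path.join(rootpath, 'receiver', 'private.pem')));

  // verify the signature with the sender's public key; hashAndVerify wants the
  // signed data as a Buffer (utf8 bytes of the base64 ciphertext, matching how
  // it was signed) and the signature as base64
  var bufferedmsg = Buffer.from(encrypted);
  if (!senderpubkey.hashAndVerify('sha256', bufferedmsg, signed, 'base64')) {
    throw new Error("invalid signature");
  }

  // signature is good: decrypt the ciphertext with the recipient's private key
  var decryptedmsg = recipientprivkey.decrypt(encrypted, 'base64', 'utf8');

  //--------
  // message verified and decrypted
  //--------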
  9. Credit Card Tokenization — Credit Card Information, Address Information, Card Holder Name, ... → 7e29c5c48f44755598dec3549155ad66f1af4671091353be4c4d7694d71dc866 (a 64-hex-character, SHA-256-sized value). Note: if the token is simply a deterministic hash of the card data, it is brute-forceable — the card-number space is small and structured (BIN prefix, Luhn check digit) — so production tokenization should issue random tokens mapped to the card data in a separately secured vault rather than derive them from the data itself.