Browsing by Author "Paršovs, Arnis, supervisor"
A Proof of Concept Malware for Interacting with the Smart-ID Android Application (Tartu Ülikool, 2020) Maala, Silver; Paršovs, Arnis, supervisor; Tartu Ülikool. Loodus- ja täppisteaduste valdkond; Tartu Ülikool. Arvutiteaduse instituut
The aim of this thesis is to study how a malicious application can interact with the Smart-ID Android application. The result of this paper is a proof of concept application that is able to use root privileges to capture the PINs entered by the user in the Smart-ID transaction screen and is later able to automatically enter the captured PINs in the transaction screen.

A Systematic Review of Wireless Infrared Communication (Tartu Ülikool, 2020) Kruusi, Mihkel; Paršovs, Arnis, supervisor; Morgan, Danielle Melissa, supervisor; Tartu Ülikool. Loodus- ja täppisteaduste valdkond; Tartu Ülikool. Arvutiteaduse instituut
The demand for wireless communication systems has increased exponentially during the last few decades. To meet the demand, wireless infrared communication systems can be used as an alternative to the currently used wireless radio communication systems. As a result of this thesis, a systematic review of wireless infrared communication and lecture materials for a course called “Introduction to Wireless Security” were created. The lecture was conducted in video format.

Adding eMRTD authentication support to the Web eID project (Tartu Ülikool, 2023) Maala, Silver; Paršovs, Arnis, supervisor; Tartu Ülikool. Loodus- ja täppisteaduste valdkond; Tartu Ülikool. Arvutiteaduse instituut
Estonia began issuing ID cards containing an Electronic Machine Readable Travel Document (eMRTD) applet in 2021. The aim of this thesis is to extend the Web eID project by adding support for eMRTD authentication. The eMRTD applet contains the cardholder's biometric and personal data, and this data can be cryptographically verified to confirm that it has not been modified.
The authentication method created in this thesis allows a web application to authenticate a user over the network using the eMRTD applet on the ID card. The advantage of this method is that the user does not have to enter their PIN code. In this thesis we give an overview of eMRTD, the files it contains and its security measures, and of the Web eID project. The result of this work is a set of Git branches of the Web eID project in which eMRTD authentication is supported.

Analysis of Security and Privacy Issues in Common Smart Home Products (Tartu Ülikool, 2021) Teivens, Mikus; Paršovs, Arnis, supervisor; Tartu Ülikool. Loodus- ja täppisteaduste valdkond; Tartu Ülikool. Arvutiteaduse instituut
The smart home devices are manufactured with the idea that the house owner should be able to automate various heating, lighting, energy consumption heavy tasks. While the idea of the smart house sounds great, as with all other things, the convenience does not come without a price, and in the author's opinion this price to pay is usually the privacy of the consumer. In this thesis the author will examine a few, most commonly available smart home solutions in the Baltic region and analyze what potential security and privacy issues these solutions or the applications controlling them, might introduce.

Database that stores data contained in digital signature file formats used in Estonia (Tartu Ülikool, 2020) Aralov, Artur; Paršovs, Arnis, supervisor; Tartu Ülikool. Loodus- ja täppisteaduste valdkond; Tartu Ülikool. Arvutiteaduse instituut
The bachelor's thesis describes what a digital signature file format is, and terms associated with it. In addition, specifications of digital signature file formats used in Estonia are described. The goal of this thesis was to create a database in which data contained in digital signature file formats used in Estonia will be stored.
Therefore, this thesis also describes processes of collecting these digital signature file formats and creating a database.

Integration analysis of various eID authentication solutions used in the private sector of Estonia (Tartu Ülikool, 2022) Milašius, Gediminas; Paršovs, Arnis, supervisor; Tartu Ülikool. Loodus- ja täppisteaduste valdkond; Tartu Ülikool. Arvutiteaduse instituut
In Estonia, citizens can log in to online services via eID authentication schemes such as Smart-ID, Mobile-ID, and smart cards. The vast majority of these authentications go to banks and e-government services. If any other business in the private sector wished to integrate eID authentication, they would encounter that information about authentication providers is scarce and scattered. No comprehensible resources exist that enumerate and compare various currently available eID schemes. The thesis aims to fill that gap by listing available eID solutions and providing security and integration analysis. The analysis will cover three solutions: Web eID, eeID, and Dokobit. The main findings of the thesis show that the technology to support eID authentication exists and that most businesses choose not to use eID authentication because the benefits of using such a system do not outweigh the costs of integration. Additionally, this thesis discovered significant security vulnerabilities in some eID solutions, previously assumed to be safe and secure. The thesis results serve as a reminder not to assume that a product is secure just because it specializes in security.

Intercepting Mobile-ID SIM Toolkit Calls On Android (Tartu Ülikool, 2023) Mander, Karl Erik; Paršovs, Arnis, supervisor; Tartu Ülikool. Loodus- ja täppisteaduste valdkond; Tartu Ülikool. Arvutiteaduse instituut
This thesis investigates the security risk of intercepting Mobile-ID SIM Toolkit calls on Android. The investigation is done by modifying the Android operating system with malware.
Through an in-depth analysis of the communication protocol between an Android phone and a SIM card, this study demonstrates that attackers who have gained access to the victim’s phone through illegitimate apps or other exploits with root privileges may be able to remotely control Mobile-ID operations by intercepting SIM card communications. From there on, the system could complete all Mobile-ID transactions surreptitiously and automatically. This thesis aimed to research the security architecture of Android OS concerning Mobile-ID and discuss possible options that a malware creator would have to implement to achieve SIM command intercepting capabilities.

Intercepting Network Traffic of the Smart-ID Android Application (Tartu Ülikool, 2020) Ilja, Kärt; Paršovs, Arnis, supervisor; Tartu Ülikool. Loodus- ja täppisteaduste valdkond; Tartu Ülikool. Arvutiteaduse instituut
This thesis analyzes the technical means on how to monitor network communication between the Smart-ID Android application and the server. It gives an overview of the Smart-ID solution and then introduces the concept of man-in-the-middle attack used to intercept the traffic. To implement a successful traffic interception attack, the certificate pinning mechanism had to be disabled in the Smart-ID application. This thesis provides step-by-step instructions on how to modify the Smart-ID application’s network security configuration and implement traffic interception using the mitmproxy tool. Using the proposed methods network requests can be monitored to verify that no obvious personal data is being sent out from the user’s Android mobile device.

Secure Channel Establishment for the NFC Interface of the New Generation Estonian ID Cards (Tartu Ülikool, 2020) Kivivare, Sander-Karl; Paršovs, Arnis, supervisor; Tartu Ülikool. Loodus- ja täppisteaduste valdkond; Tartu Ülikool. Arvutiteaduse instituut
The latest generation Estonian ID card introduced in December 2018 has a contactless interface that can be used to communicate with the card via near-field communication (NFC). This thesis describes the cryptographic protocol that is used to communicate over the contactless interface and provides detailed instructions with code examples in Python to help software developers to create applications that can make use of this new NFC interface on the Estonian ID card.

Security analysis of RIA’s authentication service TARA (Tartu Ülikool, 2021) Kriisk, Jan Erik; Paršovs, Arnis, supervisor; Tartu Ülikool. Loodus- ja täppisteaduste valdkond; Tartu Ülikool. Arvutiteaduse instituut
Estonian Information System Authority (Riigi Infosüsteemi Amet - RIA) governs an authentication service called TARA. Many public sector e-services use the authentication service to authenticate users via ID-card, Mobile-ID, Smart-ID, or EU eID. The thesis aims to analyse the security of TARA, document the protocol, and analyse what could go wrong.

Security Analysis of Tartu Smart Bike Share Android Application (Tartu Ülikool, 2020) Kütt, Siim-Alexander; Paršovs, Arnis, supervisor; Tartu Ülikool. Loodus- ja täppisteaduste valdkond; Tartu Ülikool. Arvutiteaduse instituut
In June 2019, Tartu City Transport launched a smart bike share system, which allows the residents of Tartu to rent bikes for small commutes around the city. A month after the system first launched a privacy exposure was discovered and personal data of the users was leaked. It was not publicly disclosed where the fault had resided, but it was confirmed to have been fixed shortly after the developers were notified. The aim of this research was to analyze the security of the Tartu Smart Bike Share Android app and its communication with the web service.
During the course of the research, several security and privacy issues were found, one of which allows any registered user to query information about the location of a bike and its current user. The thesis provides a general description of the system and its underlying architecture, outlines how and which aspects of the app functionality were analyzed and what results were found. Suggestions for improving the security and privacy aspects of the system are also provided.

Security Architecture of the Latvian eParaksts mobile (Tartu Ülikool, 2022) Šterna, Elizabete Liene; Paršovs, Arnis, supervisor; Tartu Ülikool. Loodus- ja täppisteaduste valdkond; Tartu Ülikool. Arvutiteaduse instituut
The eParaksts mobile is a Latvian eID solution that is used for authentication and electronic signature creation with more than 187 000 users. It can be used to access government e-services in Latvia and create qualified electronic signatures with the same legal strength as handwritten signatures. Since eParaksts mobile is not an open-source solution, there is no publicly available information describing the architecture of eParaksts mobile. Therefore, in this thesis, network traffic analysis is performed to understand and describe how the authentication and electronic signature creation schemes are implemented. This analysis depicts in detail the enrollment, authentication and electronic signature creation processes and shows that eParaksts mobile has a hybrid architecture – partly device-based, partly server-based. The private key for the authentication scheme is kept on the user’s device, while the private key for signature creation is kept on an HSM on the server-side. Additionally, a discussion of security implications emerging from the architecture of eParaksts mobile is provided.
Moreover, this thesis provides a foundation for future studies of security analysis of the eParaksts mobile solution.

Security in Remote Update of Medical Devices (Tartu Ülikool, 2022) Wu, Xuejun; Aura, Tuomas, supervisor; Paršovs, Arnis, supervisor; Tartu Ülikool. Loodus- ja täppisteaduste valdkond; Tartu Ülikool. Arvutiteaduse instituut

The Estonian Mobile-ID Implementation on the SIM Card (Tartu Ülikool, 2022) Kravtšenko, Semjon; Paršovs, Arnis, supervisor; Tartu Ülikool. Loodus- ja täppisteaduste valdkond; Tartu Ülikool. Arvutiteaduse instituut
Mobile-ID is an eID solution that can be used for authentication and digital signing. It has been transaction for more than a decade, and it is popular in Estonia. As of May 2022, more than 251 000 Mobile-IDs are in use, and, on average, 10 million operations are completed each month [1]. The solution relies on a special Mobile-ID functionality built into a phone SIM card. There is publicly available documentation about Mobile-ID [2], but it mainly describes the communication between the e-services implementing Mobile-ID support and the Mobile-ID backend. Not much information is publicly available on how Mobile-ID functionality is implemented on the SIM card, how it interacts with the phone and how it communicates with the Mobile-ID backend. In this work, interactions between the SIM card and the phone are documented. Additionally, the communication between the SIM card and the Mobile-ID backend is described, as well as how Mobile-ID service SMS are used to perform Mobile-ID transaction.

Third-party services and their usage on the most visited Estonian websites (Tartu Ülikool, 2021) Metsare, Norbert; Paršovs, Arnis, supervisor; Tartu Ülikool. Loodus- ja täppisteaduste valdkond; Tartu Ülikool. Arvutiteaduse instituut
Websites and used business models have changed a lot during the last few decades.
While in the past a website had to create, manage, and secure all its own components, now all the site must do is to focus on its very own speciality and, by using third-party services, leave all the infrastructure, visitor analysis and security management to the services that specialize on those exact topics. This allows the website operators to create quality content, save money on development and increase their income. While using third-party services makes the process more efficient for the website operators, it makes the users of those sites more vulnerable. Every piece of possible information about the user is gathered and shared with third-party partners to analyse user’s patterns, location, and possible interests, so that the website can offer specific content to specific user. If we look more into the requests that forward the user’s data, we can see that all of this ends up in the databases of only a handful of big tech companies, which, in turn, creates a handful of problems – big companies having leverage over the site contents, risks related to data centralization, and web dependency on the tech giants. The current thesis will focus on the analysis of the most visited Estonian websites and their usage of third-party services, as well as the final destinations for gathered and forwarded user’s information. Based on the findings, different web business models and third-party services are explained, as well as the connections between them. Data centralization problems are discussed along with recommendations to the end-users for safer web browsing.

Tracking And Privacy: The Case of News Site Delfi (Tartu Ülikool, 2021) Valgre, Magnus; Paršovs, Arnis, supervisor; Tartu Ülikool. Loodus- ja täppisteaduste valdkond; Tartu Ülikool. Arvutiteaduse instituut
Privacy and tracking on the internet are concerns that have gotten more and more attention over the last few years. Among the biggest perpetrators of online tracking are news sites.
Since many provide their content for free, and do not have an external funding source, they need to monetize pageviews by displaying advertising. The purpose of this thesis is to provide a privacy analysis of the Estonian news site delfi.ee. Delfi was chosen because it is the largest and most visited news site in Estonia. During the research some privacy issues were found showing that Delfi is currently not GDPR compliant. This thesis provides an overview of some commonly used tracking techniques, how they apply in the context of Delfi, and an analysis of Delfi’s privacy policies.

Two-Party ECDSA Protocol for Smart-ID (Tartu Ülikool, 2020) Iltšuk, Eduard; Paršovs, Arnis, supervisor; Tartu Ülikool. Loodus- ja täppisteaduste valdkond; Tartu Ülikool. Arvutiteaduse instituut
Smart-ID is a digital signature solution based on threshold cryptography where two parties (mobile device and server) collaborate in key generation and signing process. The current solution uses an RSA-based two-party signature scheme suggested by Buldas et al. in a 2017 paper. This thesis proposes a Smart-ID-like solution based on the Two-Party ECDSA protocol suggested by Lindell Yehuda in his 2017 paper. The thesis finds that the suggested ECDSA solution is able to provide the same security features as the current RSA-based Smart-ID solution, but with improved efficiency – more efficient key exchange, smaller signature size and does not require scalable secure storage on the server side. The security proof of the suggested ECDSA solution is not provided. However, the thesis provides a brief security analysis of the solution and the intuition why the suggested solution might be secure. The prototype implementation of the solution is also provided.

Use of electronic identity documents for multi-factor authentication (Tartu Ülikool, 2021) Kus, Burak Can; Paršovs, Arnis, supervisor; Tartu Ülikool. Loodus- ja täppisteaduste valdkond; Tartu Ülikool. Arvutiteaduse instituut
This work introduces an open-source automated biometric authentication system, “eMRTD Face Access.” It uses an Electronic Machine Readable Travel Document (eMRTD) and a facial image to authenticate a person. The solution provides two-factor authentication. The authentication factor “something you have” is implemented by performing cryptographic checks to verify the authenticity of an eMRTD, but the authentication factor “something you are” is verified by comparing the facial image of the person presenting the document with the facial image stored in the document. The solution has been successfully tested on Estonian, Latvian, and Turkish identity documents and is also expected to work on documents issued by other countries.

Web tracking in the most popular Estonian websites (Tartu Ülikool, 2021) Põdra, Priit; Paršovs, Arnis, supervisor; Tartu Ülikool. Loodus- ja täppisteaduste valdkond; Tartu Ülikool. Arvutiteaduse instituut
Every day we open our computers, laptops, or mobile phones to browse the web. We visit different websites and open various links or look for items. After some time, a separate website offers us a picture of the same thing we were looking for. That means we are being tracked and delivered tailored advertisements depending on our previous interests and location based on cookies content. What makes the situation complex is that they are not permitted to do that. The work aimed to study how visitors of popular Estonian websites are tracked and how their privacy is affected. For that, all the cookies were identified by category and type. We determine if popular Estonian webpages comply with the ePrivacy Directive to understand if visitors of popular Estonian websites were tracked without consent. Finally, we calculate which are effective defense methods against third-party tracking. This study has been based on 22 popular Estonian websites ranked by Amazon Alexa.com.
These websites were divided into five categories: banking, education, e-commerce, news, and services, and for the crawl OpenWPM, a framework of Princeton University, was used. The results showed that 64% of the popular Estonian websites use third-party cookies, and most of these websites track visitors without their consent.

WYSIWYS Extensions to the Estonian ID Card Browser Signing Architecture (Tartu Ülikool, 2021) Veromann, Toomas Aleksander; Paršovs, Arnis, supervisor; Tartu Ülikool. Loodus- ja täppisteaduste valdkond; Tartu Ülikool. Arvutiteaduse instituut
Since the first ID cards were issued in Estonia, hundreds of millions of electronic signatures have been created. As opposed to paper-based documents, where signatories have the option to inspect the documents before signing, the signatures that are given online, through browser extensions, are given by signers without being able to verify what is the actual data that is being signed. Instead of displaying the documents securely on the signer’s device, service providers supply a hash value, which the signer must cryptographically sign. This so-called blind signing is convenient for service providers and signatories but does not protect signatories against service providers asking them to sign something that they may not be willing to sign. In this thesis, two What You See Is What You Sign (WYSIWYS) solutions were proposed to address this problem. The proposed solutions were implemented by modifying the existing ID card software and the results were subsequently analyzed. The proposed improvements to the existing browser signing solution enable users to inspect documents before signing, providing the possibility to sign documents in web environments with as much confidence as paper-based documents.