Smart Cards and remote entrusting
Smart cards are widely used to provide security in end-to-end communication involving servers and a variety of terminals, including mobile handsets or payment terminals. Sometime, end-to-end server to smart card security is not applicable, and smart cards must communicate directly with an application executing on a terminal, like a personal computer, without communicating with a server. In this case, the smart card must somehow trust the terminal application before performing some secure operation it was designed for. This paper presents a novel method to remotely trust a terminal application from the smart card. For terminals such as personal computers, this method is based on an advanced secure device connected through the USB and consisting of a smart card bundled with flash memory. This device, or USB dongle, can be used in the context of remote untrusting to secure portable applications conveyed in the dongle flash memory. White-box cryptography is used to set the secure channel and a mechanism based on thumbprint is described to provide external authentication when session keys need to be renewed. Although not as secure as end-to-end server to smart card security, remote entrusting with smart cards is easy to deploy for mass-market applications and can provide a reasonable level of security.
KeywordsSmart Card Client Application Smart Card Reader Terminal Application Service Provider Application Service
Unable to display preview. Download preview PDF.
- B. Wyseur, W. Michiels, P. Gorissen and B. Preneel,“Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings”, SAC 2007 - Workshop on Selected Areas of Cryptography, Ottawa, Canada, August 16-17, 2007.Google Scholar
- J. Nagra, M. Ceccato and P. Tonella,“Distributing Trust Verification to Increase Application Performance,”PDP2008 - Euromicro Conference on Parallel, Distributed and Network-based, Toulouse, France, February 2008. In D. E. Baz, J. Bourgeois and F. Spies editors, Proc. of the 16th Euromicro Conference on Parallel, Distributed and Network-based Processing 2008, pages 604–610. IEEE Computer Society.Google Scholar
- R. Scandariato, Y. Ofek, P. Falcarin and M. Baldi,“Application-oriented trust in distributed computing”. ARES 2008 - International Conference on Availability, Reliability and Security, Barcelona (Spain), March 2008.Google Scholar
- M. Ceccato, Y. Ofek and P. Tonella,“Remote entrusting by run- time software authentication”, SOF-SEM 2008 - Conference on Current Trends in Theory and Practice of Computer Science,Tatras, Slovakia, January, 2008. In V. Geffert, J. Karhumaki, A. Bertoni, B. Preneel, P. Navrat, and M. Bielikova, editors, Proceedings of the 34th Conference on Current Trends in Theory and Practice of Computer Science (SOFSEM 2008), vol. 4910 of Lecture Notes in Computer Science, pages 83–97, Springer, 2008.Google Scholar
- J-D. Aussel,“Smart Cards and Digital Security,” MMM-ACNS 2007 - International Conference Mathematical Methods, Models and Architectures for Computer Networks Security, St. Petersburg, Russia, September 13-15,2007.Google Scholar