A Generic Proxy for Secure Smart Card-Enabled Web Applications

  • Guenther Starnberger
  • Lorenz Froihofer
  • Karl M. Goeschka
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6189)

Abstract

Smart cards are commonly used for tasks with high security requirements such as digital signatures or online banking. However, systems that Web-enable smart cards often reduce the security and usability characteristics of the original application, e.g., by forcing users to execute privileged code on the local terminal (computer) or by providing insufficient protection against malware. In this paper we contribute techniques to generally Web-enable smart cards and to address the risks of malicious attacks. In particular, our contributions are: (i) a single generic proxy that allows a multitude of authorized Web applications to communicate with existing smart cards and (ii) two security extensions to mitigate the effects of malware. Overall, we can mitigate the security risks of Web-based smart card transactions and, at the same time, increase usability for users.

Keywords

Smart cards, Web applications, Digital signatures, Security


Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Guenther Starnberger (1)
  • Lorenz Froihofer (1)
  • Karl M. Goeschka (1)

  1. Institute of Information Systems, Vienna University of Technology, Vienna, Austria
