Towards a Personal Security Device

  • Christof Rath
  • Thomas Niedermair
  • Thomas Zefferer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9871)

Abstract

In Europe, eID and e-signature solutions are basic building blocks of many transactional e-government services, especially in citizens-to-government communication. Many European countries issue smart cards to provide eID and e-signature functionality on a high assurance level. However, to access these tokens, security-critical code has to be executed on the client platform of the user. If the client platform is compromised, an attacker may gain access to credentials of the user and subsequently be able to issue electronic signatures or access protected resources. To address this problem, we present the concept of a personal security device. It is an isolated, low-cost, single-purpose device to execute security-critical code of eID and e-signature tasks. We developed a concrete implementation on a RaspberryPI and evaluated the solution via an external application. Our solution increases the security of eID and e-signature processes by mitigating the impact of a compromised client platform.

Keywords

Electronic identity Electronic signature Signature creation application Trustworthy user device 

References

  1. 1.
    A-SIT: Mobile Phone Signature & Citizen Card. http://www.buergerkarte.at
  2. 2.
    Centner, M., Orthacker, C., Bauer, W.: Minimal-Footprint Middleware for theCreation of Qualified Signatures. In: Institute for Systems and Technologies of Information, Control and Communication (ed.) Proceedings of the 6th International Conference onWeb Information Systems and Technologies, pp. 64–69. INSTICC - Institute for Systems and Technologies of Information, Control and Communication, Portugal (2010)Google Scholar
  3. 3.
    CWA 14170: Security requirements for signature creation applications (2004)Google Scholar
  4. 4.
    Cock, D., Wouters, K., Preneel, B.: Introduction to the Belgian EID card. In: Katsikas, S.K., Gritzalis, S., López, J. (eds.) EuroPKI 2004. LNCS, vol. 3093, pp. 1–13. Springer, Heidelberg (2004). doi:10.1007/978-3-540-25980-0_1 CrossRefGoogle Scholar
  5. 5.
    Ducastel, N.: International Comparison eID Means. Technical report PBLQ (2015)Google Scholar
  6. 6.
    ecsec: Open eCard App. https://www.openecard.org. Accessed 11 April 2016
  7. 7.
    ETSI: Electronic Signatures and Infrastructures (ESI); PDF Advanced Electronic Signatures (PAdES); TS 102 778. Technical report, European Telecommunication Standards Institute (2009)Google Scholar
  8. 8.
    ETSI: Electronic Signatures and Infrastructures (ESI); XML Advanced Electronic Signatures (XAdES); TS 101 903. Technical report, European Telecommunication Standards Institute (2010)Google Scholar
  9. 9.
    ETSI: Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic Signatures (CAdES); TS 101 733. Technical report, European Telecommunication Standards Institute (2013)Google Scholar
  10. 10.
    European Parliament: Directive 95/46/EC. In: Official Journal of the European Communities, vol. 38, pp. 31–50. European Commision (1995)Google Scholar
  11. 11.
    European Parliament: eIDAS - Regulation (EU) No 910/2014. In: Official Journal of the European Union, vol. 57, pp. 73–114. European Commision (2014)Google Scholar
  12. 12.
    Eurosmart: Landscape of eID in Europe in 2013. Technical report, Eurosmart (2014)Google Scholar
  13. 13.
    FEDICT: eID BelgiumGoogle Scholar
  14. 14.
    IDABC: Study on eID Interoperability for PEGS: Update of Country Profiles (2009)Google Scholar
  15. 15.
    ID.ee: ID Card (2016)Google Scholar
  16. 16.
    ISO, IEC 24727: Identification cards - Integrated circuit card programming interfaces, Part 1–6Google Scholar
  17. 17.
    Leitold, H., Hollosi, A., Posch, R.: Security architecture of the Austrian citizen card concept. In: 18th Annual Computer Security Applications Conference, Proceedings, pp. 391–400 (2002)Google Scholar
  18. 18.
    OASIS: Digital signature services core protocols, elements, and bindings (2007)Google Scholar
  19. 19.
    Orthacker, C., Centner, M., Kittl, C.: Qualified mobile server signature. In: IFIP Advances in Information and Communication Technology. vol. 330, pp. 103–111 (2010)Google Scholar
  20. 20.
    Panda Security: Pandalabs’ Annual Report 2015Google Scholar
  21. 21.
    Spalka, A., Cremers, A.B., Langweg, H.: Trojan horse attacks on software for electronic signatures. Informatica (Slovenia) 26(2) (2002)Google Scholar
  22. 22.
    Sun Microsystems Inc.: JSR 268: Java Smart Card I/O API (2006)Google Scholar
  23. 23.
    Zefferer, T., Teufl, P.: Leveraging the adoption of mobile eID and e-Signature solutions in Europe. In: Kő, A., Francesconi, E. (eds.) EGOVIS 2015. LNCS, vol. 9265, pp. 86–100. Springer, Heidelberg (2015). doi:10.1007/978-3-319-22389-6_7 CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Christof Rath
    • 1
  • Thomas Niedermair
    • 1
  • Thomas Zefferer
    • 1
  1. 1.Graz University of TechnologyInstitute of Applied Information Processing and CommunicationsGrazAustria

Personalised recommendations