
Softer Smartcards

Usable Cryptographic Tokens with Secure Execution

  • Conference paper
Financial Cryptography and Data Security (FC 2012)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7397)


Abstract

Cryptographic smartcards provide a standardized, interoperable way for multi-factor authentication. They bridge the gap between strong asymmetric authentication and short, user-friendly passwords (PINs) and protect long-term authentication secrets against malware and phishing attacks. However, to prevent malware from capturing entered PINs, such cryptographic tokens must provide secure means for user input and output. This often makes their usage inconvenient, as dedicated input key pads and displays are expensive and do not integrate with mobile applications or public Internet terminals. The lack of user acceptance is perhaps best documented by the large variety of non-standard multi-factor authentication methods used in online banking.

In this paper, we explore a novel compromise between tokens with a dedicated card reader and USB or software-based solutions. We design and implement a cryptographic token using modern secure execution technology, resulting in a flexible, cost-efficient solution that is suitable for mobile use yet secure against common malware and phishing attacks.




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Brasser, F.F., Bugiel, S., Filyanov, A., Sadeghi, AR., Schulz, S. (2012). Softer Smartcards. In: Keromytis, A.D. (eds) Financial Cryptography and Data Security. FC 2012. Lecture Notes in Computer Science, vol 7397. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32946-3_24


  • DOI: https://doi.org/10.1007/978-3-642-32946-3_24

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-32945-6

  • Online ISBN: 978-3-642-32946-3

  • eBook Packages: Computer Science, Computer Science (R0)
