Abstract
Cryptographic smartcards provide a standardized, interoperable way for multi-factor authentication. They bridge the gap between strong asymmetric authentication and short, user-friendly passwords (PINs) and protect long-term authentication secrets against malware and phishing attacks. However, to prevent malware from capturing entered PINs such cryptographic tokens must provide secure means for user input and output. This often makes their usage inconvenient, as dedicated input key pads and displays are expensive and do not integrate with mobile applications or public Internet terminals. The lack of user acceptance is perhaps best documented by the large variety of non-standard multi-factor authentication methods used in online banking.
In this paper, we explore a novel compromise between tokens with dedicated card reader and USB or software-based solutions. We design and implement a cryptographic token using modern secure execution technology, resulting in a flexible, cost-efficient solution that is suitable for mobile use yet secure against common malware and phishing attacks.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Advanced Micro Devices (AMD): AMD64 Virtualization Codenamed “Pacifica” Technology - Secure Virtual Machine Architecture Reference Manual (2005)
Anderson, R.J., Kuhn, M.: Tamper resistance – a cautionary note. In: USENIX Workshop on Electronic Commerce, pp. 1–11. USENIX (1996)
Asokan, N., Ekberg, J.E., Sadeghi, A.R., Stüble, C., Wolf, M.: Enabling Fairer Digital Rights Management with Trusted Computing. Research Report HGI-TR-2007-002, Horst-Görtz-Institute for IT-Security (2007)
Azema, J., Fayad, G.: M-ShieldTMmobile security technology: making wireless secure. Tech. rep., Texas Instruments (2008)
Bade, S., Thomas, K., Rabinovitz, D.: PKCS#11 openCryptoki for Linux, IBM developerWorks (2001)
Balfe, S., Paterson, K.G.: e-EMV: emulating EMV for internet payments with trusted computing technologies. In: Workshop on Scalable Trusted Computing (STC), pp. 81–92. ACM (2008)
Bortolozzo, M., Centenaro, M., Focardi, R., Steel, G.: Attacking and fixing PKCS#11 security tokens. In: Computer and Communications Security (CCS), pp. 260–269. ACM (2010)
Bugiel, S., Dmitrienko, A., Kostiainen, K., Sadeghi, A.-R., Winandy, M.: TruWalletM: Secure Web Authentication on Mobile Platforms. In: Chen, L., Yung, M. (eds.) INTRUST 2010. LNCS, vol. 6802, pp. 219–236. Springer, Heidelberg (2011)
Catuogno, L., Dmitrienko, A., Eriksson, K., Kuhlmann, D., Ramunno, G., Sadeghi, A.-R., Schulz, S., Schunter, M., Winandy, M., Zhan, J.: Trusted Virtual Domains – Design, Implementation and Lessons Learned. In: Chen, L., Yung, M. (eds.) INTRUST 2009. LNCS, vol. 6163, pp. 156–179. Springer, Heidelberg (2010)
Datamonitor Group: The ROI case for smart cards in the enterprise (2004)
Dimitriadis, C.K.: Analyzing the security of Internet banking authentication mechanisms. Information Systems Control 3 (2007)
Federal Office for Information Security: Batch signature with the Health Professional Card (Stapelsignatur mit dem Heilberufsausweis) (2007)
Filyanov, A., McCune, J.M., Sadeghi, A.R., Winandy, M.: Uni-directional trusted path: Transaction confirmation on just one device. In: Dependable Systems and Networks (DSN), pp. 1–12. IEEE (2011)
Gajek, S., Sadeghi, A.R., Stüble, C., Winandy, M.: Compartmented security for browsers - or how to thwart a phisher with trusted computing. In: Availability, Reliability and Security (ARES). IEEE (2007)
IBM: TrouSerS trusted software stack (2011), trousers.sourceforge.net/
Intel Corp.: Intel Trusted Execution Technology MLE Developer’s Guide (2009)
Jackson, C., Boneh, D., Mitchell, J.C.: Spyware resistant web authentication using virtual machines (2007)
Jammalamadaka, R.C., van der Horst, T.W., Mehrotra, S., Seamons, K.E., Venkatasubramanian, N.: Delegate: A proxy based architecture for secure website access from an untrusted machine. In: Annual Computer Security Applications Conference (ACSAC). IEEE (2006)
Kaliski, B.: PKCS #5: Password-Based Cryptography Specification Version 2.0. RFC 2898 (2000)
Kolodgy, C.: Identity management in a virtual world (2003)
Kostiainen, K., Ekberg, J.E., Asokan, N., Rantala, A.: On-board credentials with open provisioning. In: ACM Symposium on Information, Computer, and Communications Security (AsiaCCS), pp. 104–115. ACM (2009)
McCune, J.M., Parno, B., Perrig, A., Reiter, M.K., Seshadri, A.: Minimal TCB code execution. In: Research in Security and Privacy (S&P). IEEE (2007)
McCune, J.M., Parno, B.J., Perrig, A., Reiter, M.K., Isozaki, H.: Flicker: An execution infrastructure for TCB minimization. In: European Conference on Computer Systems (EuroSys), pp. 315–328. ACM (2008)
Nohl, K.: Reviving smart card analysis. Black Hat, Las Vegas (2011)
Nyström, M.: PKCS #15 - a cryptographic token information format standard. In: Workshop on Smartcard Technology, p. 5. USENIX (1999)
RSA: PKCS #11: Cryptographic token interface standard. Public-key cryptography standards (PKCS), RSA Laboratories, version 2.30 (2009)
Sarmenta, L.F.G., van Dijk, M., O’Donnell, C.W., Rhodes, J., Devadas, S.: Virtual monotonic counters and count-limited objects using a TPM without a trusted OS. In: Workshop on Scalable Trusted Computing (STC), pp. 27–42. ACM (2006)
Schechter, S.E., Dhamija, R., Ozment, A., Fischer, I.: The emperor’s new security indicators – an evaluation of website authentication and the effect of role playing on usability studies. In: Research in Security and Privacy (S&P). IEEE (2007)
Tarnovsky, C.: Hacking the smartcard chip. Black Hat, DC (2010)
Trusted Computing Group (TCG) (2009), http://www.trustedcomputinggroup.org
Trusted Computing Group (TCG): TPM Main Specification, Version 1.2 (2011)
Wojtczuk, R., Rutkowska, J.: Attacking Intel Trusted Execution Technology. Black Hat, DC (2009)
Wojtczuk, R., Rutkowska, J., Tereshkin, A.: Another way to circumvent Intel Trusted Execution Technology (2009)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Brasser, F.F., Bugiel, S., Filyanov, A., Sadeghi, AR., Schulz, S. (2012). Softer Smartcards. In: Keromytis, A.D. (eds) Financial Cryptography and Data Security. FC 2012. Lecture Notes in Computer Science, vol 7397. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32946-3_24
Download citation
DOI: https://doi.org/10.1007/978-3-642-32946-3_24
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-32945-6
Online ISBN: 978-3-642-32946-3
eBook Packages: Computer ScienceComputer Science (R0)