Cited By
View all- Schürmann DDechand SWolf L(2017)OpenKeychainProceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies10.1145/31309641:3(1-24)Online publication date: 11-Sep-2017
Mobile Application to Java Card Applet Communication using a Password-authenticated Secure Channel
Pages 147 - 156
Abstract
With the increasing popularity of security and privacy sensitive systems on mobile devices, such as mobile banking, mobile credit cards, mobile ticketing, or mobile digital identities, challenges for the protection of personal and security sensitive data of these use cases emerged. A common approach for the protection of sensitive data is to use additional hardware such as smart cards or secure elements. The communication between such dedicated hardware and back-end management systems uses strong cryptography. However, the data transfer between applications on the mobile device and so-called applets on the dedicated hardware is often either unencrypted (and interceptable by malicious software) or encrypted with static keys stored in applications. To address this issue we present a solution for fine-grained secure application-to-applet communication based on Secure Remote Password (SRP-6a), an authenticated key agreement protocol, with a user-provided password at run-time. By exploiting the Java Card cryptographic API and minor adaptations to the protocol, which do not affect the security, we were able to implement this scheme on Java Cards with reasonable computation time.
References
[1]
American National Standards Institute, American Bankers Association, and Global Engineering Documents (Firm). American National Standard for Financial Service X9.63-2001: Public Key Cryptography for the Financial Services Industry. American Bankers Association, 2001.
[2]
M. Bellare, R. Canetti, and H. Krawczyk. Keying hash functions for message authentication. In Advances in Cryptology---CRYPTO'96, page 1--15, 1996.
[3]
M. Bellare, J. Kilian, and P. Rogaway. The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci., 61(3):362--399, Dec. 2000.
[4]
M. Bellare and P. Rogaway. The AuthA protocol for password-based authenticated key exchange. In IEEE P1363, pages 136--3, 2000.
[5]
S. Bellovin and M. Merritt. Encrypted key exchange: password-based protocols secure against dictionary attacks. In IEEE Computer Society Symposium on Research in Security and Privacy, pages 72--84, 1992.
[6]
N. Ben-Asher, N. Kirschnick, H. Sieger, J. Meyer, A. Ben-Oved, and S. Möller. On the Need for Different Security Methods on Mobile Phones, page 465--473. MobileHCI '11. ACM, 2011.
[7]
P. Bichsel, J. Camenisch, T. Groß, and V. Shoup. Anonymous credentials on a standard Java Card, page 600--610. CCS '09. ACM, 2009.
[8]
S. A. Brands. Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy. MIT Press, 2000.
[9]
E. Brickell, J. Camenisch, and L. Chen. Direct anonymous attestation, page 132--145. CCS '04. ACM, 2004.
[10]
E. Chin, A. P. Felt, K. Greenwood, and D. Wagner. Analyzing inter-application communication in android. In Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services, MobiSys '11, page 239--252. ACM, 2011.
[11]
A. De Luca, A. Hang, F. Brudy, C. Lindner, and H. Hussmann. Touch me once and i know it's you!: implicit authentication based on touch screen patterns. In Proceedings of the 2012 ACM annual conference on Human Factors in Computing Systems, CHI '12, page 987--996, New York, NY, USA, 2012. ACM.
[12]
W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6):644--654, 1976.
[13]
M. J. Dworkin. SP 800-38B. Recommendation for block cipher modes of operation: The CMAC mode for authentication. Technical report, National Institute of Standards & Technology, Gaithersburg, MD, United States, 2005.
[14]
European Network of Excellence in Cryptology II. ECRYPT II yearly report on algorithms and keysizes. June 2011.
[15]
R. D. Findling and R. Mayrhofer. Towards face unlock: On the difficulty of reliably detecting faces on mobile phones. In Proc. MoMM 2012: 10th International Conference on Advances in Mobile Computing and Multimedia, pages 275--280, New York, USA, 2012. ACM.
[16]
V. Gayoso Martinez, C. Sanchez Avila, J. Espinosa Garcia, and L. Hernandez Encinas. Elliptic curve cryptography: Java implementation issues, pages 238--241. Oct 2005.
[17]
GlobalPlatform. Secure channel protocol -- GlobalPlatform card specification v2.2 - Amendment D, 2009.
[18]
J.-H. Han, Y.-J. Kim, S.-I. Jun, K.-I. Chung, and C.-H. Seo. Implementation of ECC/ECDSA cryptography algorithms based on Java card, pages 272--276. 2002.
[19]
G. Hancke. A practical relay attack on ISO 14443 proximity cards. Technical report, 2005.
[20]
F. Hao and P. Y. A. Ryan. Password authenticated key exchange by juggling. In Proceedings of the 16th International conference on Security protocols, Security'08, page 159--171, Berlin, Heidelberg, 2011. Springer-Verlag.
[21]
S. Höbarth and R. Mayrhofer. A framework for on-device privilege escalation exploit execution on android. In Proceedings of IWSSI/SPMU, 2011.
[22]
M. Hölzl, R. Mayrhofer, and M. Roland. Requirements analysis for an open ecosystem for embedded tamper resistant hardware on mobile devices. In Proc. MoMM 2013: International Conference on Advances in Mobile Computing and Multimedia, Vienna, Austria, 2013. ACM.
[23]
D. P. Jablon. Strong password-only authenticated key exchange. SIGCOMM Comput. Commun. Rev., 26(5):5--26, Oct. 1996.
[24]
S. Khan, M. Nauman, A. Othman, and S. Musa. How secure is your smartphone: An analysis of smartphone security mechanisms, page 76--81. 2012.
[25]
M. La Polla, F. Martinelli, and D. Sgandurra. A survey on security for mobile devices. IEEE Communications Surveys Tutorials, 15(1):446--471, 2013.
[26]
M. Landman. Managing Smart Phone Security Risks, page 145--155. InfoSecCD '10. ACM, 2010.
[27]
S. Lucks. Open key exchange: How to defeat dictionary attacks without encrypting public keys. In B. Christianson, B. Crispo, M. Lomas, and M. Roe, editors, Security Protocols, LNCS, pages 79--90. Springer Berlin Heidelberg, Jan. 1998.
[28]
T. Mantoro and A. Milisic. Smart card authentication for internet applications using NFC enabled phone. In 2010 International Conference on Information and Communication Technology for the Muslim World (ICT4M), pages D13--D18, 2010.
[29]
R. Mayrhofer. An architecture for secure mobile devices. Security and Communication Networks, 2014.
[30]
R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120--126, 1978.
[31]
M. Roland, J. Langer, and J. Scharinger. Practical attack scenarios on secure element-enabled mobile devices. In 2012 4th International Workshop on Near Field Communication (NFC), pages 19--24, 2012.
[32]
A. Ruiz-Martinez, O. Canovas, and A. Gomez-Skarmeta. Smartcard-based e-coin for electronic payments on the (mobile) internet. In Third International IEEE Conference on Signal-Image Technologies and Internet-Based System, 2007. SITIS '07, pages 361--368, 2007.
[33]
J. Song, R. Poovendran, J. Lee, and T. Iwata. The AES-CMAC Algorithm. RFC 4493 (Informational), 06 2006.
[34]
M. Sterckx, B. Gierlichs, B. Preneel, and I. Verbauwhede. Efficient implementation of anonymous credentials on java card smart cards. In Information Forensics and Security, 2009. WIFS 2009., page 106--110, 2009.
[35]
D. Taylor, T. Wu, N. Mavrogiannopoulos, and T. Perrin. Using the Secure Remote Password (SRP) Protocol for TLS Authentication. RFC 5054, 11 2007.
[36]
H. Tews and B. Jacobs. Performance issues of selective disclosure and blinded issuing protocols on java card. In Information Security Theory and Practice. Smart Devices, Pervasive Systems, and Ubiquitous Networks, page 95--111. Springer, 2009.
[37]
T. Wu. The secure remote password protocol. In Proc. of the 1998 Internet Society Network and Distributed System Security Symposium, page 97--111, Nov. 1998.
[38]
T. Wu. SRP-6: improvements and refinements to the secure remote password protocol. http://srp.stanford.edu/, Oct. 2002.
Index Terms
- Mobile Application to Java Card Applet Communication using a Password-authenticated Secure Channel
Recommendations
Robust smart-card-based remote user password authenticationscheme
Smart-card-based remote user password authentication schemes are commonly used for providing authorized users a secure method for remotely accessing resources over insecure networks. In 2009, Xu etal. proposed a smart-card-based password authentication ...
Provably secure three-party authenticated key agreement protocol using smart cards
Authenticated key agreement protocol is a useful cryptographic primitive, which can be used to protect the confidentiality, integrity and authenticity for transmitted data over insecure networks. From the point of view of the management of pre-shared ...
Improvement of robust smart-card-based password authentication scheme
Smart-card-based password authentication scheme is one of the commonly used mechanisms to prevent unauthorized service and resource access and to remove the potential security threats over the insecure networks and has been investigated extensively in ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
December 2014
464 pages
ISBN:9781450330084
DOI:10.1145/2684103
- General Chair:
- Shyue-Liang Leon Wang,
- Program Chairs:
- Yu-Hui Tao,
- Liming Chen,
- Chung-Nan Lee
Copyright © 2014 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
In-Cooperation
- JKU: Johannes Kepler Universität Linz
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 08 December 2014
Check for updates
Author Tags
Qualifiers
- Research-article
- Research
- Refereed limited
Conference
MoMM '14
MoMM '14: The 12th International Conference on Advances in Mobile Computing and Multimedia
December 8 - 10, 2014
Kaohsiung, Taiwan
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- View Citations1Total Citations
- 139Total Downloads
- Downloads (Last 12 months)5
- Downloads (Last 6 weeks)1
Reflects downloads up to 10 Dec 2024
Other Metrics
Citations
Cited By
View all- Schürmann DDechand SWolf L(2017)OpenKeychainProceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies10.1145/31309641:3(1-24)Online publication date: 11-Sep-2017
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in