A Password-authenticated Secure Channel for App to Java Card Applet Communication

TitleA Password-authenticated Secure Channel for App to Java Card Applet Communication
Publication TypeJournal Article
Year of Publication2015
AuthorsHölzl, M., Asnake E., Mayrhofer R., & Roland M.
JournalInternational Journal of Pervasive Computing and Communications (IJPCC)
Volume11
Pagination374-397
Date Published10/2015
Type of ArticleResearch paper
ISSN1742-7371
Abstract

Purpose
The usage of security and privacy sensitive systems on mobile devices, such as mobile banking, mobile credit cards, mobile ticketing, or mobile digital identities, has continuously risen in recent years. This development makes the protection of personal and security sensitive data on mobile devices more important than ever.

Design/methodology/approach
A common approach for the protection of sensitive data is to use additional hardware such as smart cards or secure elements. The communication between such dedicated hardware and back-end management systems uses strong cryptography. However, the data transfer between applications on the mobile device and so-called applets on the dedicated hardware is often either unencrypted (and interceptable by malicious software) or encrypted with static keys stored in applications.

Findings
To address this issue we present a solution for fine-grained secure application-to-applet communication based on Secure Remote Password (SRP-6a and SRP-5), an authenticated key agreement protocol, with a user-provided password at run-time.

Originality/value
By exploiting the Java Card cryptographic APIs and minor adaptations to the protocol, which do not affect the security, we are able to implement this scheme on Java Cards with reasonable computation time.

DOI10.1108/IJPCC-09-2015-0032
PDF download: 
Research Project: