Abstract
Smart cards are commonly used for tasks with high security requirements such as digital signatures or online banking. However, systems that Web-enable smart cards often weaken the security and usability characteristics of the original application, e.g., by forcing users to execute privileged code on the local terminal (computer) or by insufficiently protecting against malware. In this paper we contribute techniques to Web-enable smart cards in general and to address the risks of malicious attacks. In particular, our contributions are: (i) a single generic proxy that allows a multitude of authorized Web applications to communicate with existing smart cards, and (ii) two security extensions that mitigate the effects of malware. Overall, we can mitigate the security risks of Web-based smart card transactions and, at the same time, increase usability for users.
© 2010 Springer-Verlag Berlin Heidelberg
Starnberger, G., Froihofer, L., Goeschka, K.M. (2010). A Generic Proxy for Secure Smart Card-Enabled Web Applications. In: Benatallah, B., Casati, F., Kappel, G., Rossi, G. (eds) Web Engineering. ICWE 2010. Lecture Notes in Computer Science, vol 6189. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-13911-6_25
DOI: https://doi.org/10.1007/978-3-642-13911-6_25
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-13910-9
Online ISBN: 978-3-642-13911-6