• DocumentCode
    3044760
  • Title

    Vulnerabilities of PKI based Smartcards

  • Author

    Dasgupta, Partha ; Chatha, Karmvir ; Gupta, Sandeep K S

  • Author_Institution
    Department of Computer Science and Engineering, School of Computing and Informatics, Arizona State University, Tempe AZ. partha@asu.edu
  • fYear
    2007
  • fDate
    29-31 Oct. 2007
  • Firstpage
    1
  • Lastpage
    5
  • Abstract
    PKI-enabled smartcards hold the future of personal identity management and resilience against identity theft. These cards can hold multiple certified identities (e.g. credit card accounts) and provide: Authentication, Data Integrity, Confidentiality and Non-repudiation. Since the private key of the client certificates are stored in the card, and this key cannot be extracted from the card, it provides a high degree of security even when the card is used on an untrusted workstation (or point-of-sale). This paper shows that using PKI enabled smartcards on an un-trusted workstation can allow a variety of attacks to be performed by a malicious software. These attacks range from simple PIN phishing, to more serious attacks such as signatures on unauthorized transactions, authentication of users without consent, unauthorized secure access to SSL enabled web servers as well as remote usage of the smartcard by attackers. We also show that the root cause of such problems is the lack of a secure I/O channel between the user and the card and outline steps that can be taken to ensure such a channel is available making the documented attacks not feasible. We have prototyped the proposed solution and verified that the above attacks can be thwarted.
  • Keywords
    Authentication; Credit cards; Data mining; Data security; Identity management systems; Prototypes; Resilience; Software performance; Web server; Workstations;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Military Communications Conference, 2007. MILCOM 2007. IEEE
  • Conference_Location
    Orlando, FL, USA
  • Print_ISBN
    978-1-4244-1513-7
  • Electronic_ISBN
    978-1-4244-1513-7
  • Type

    conf

  • DOI
    10.1109/MILCOM.2007.4455333
  • Filename
    4455333