To read the full version of this content please select one of the options below:

A password-authenticated secure channel for App to Java Card applet communication

Michael Hölzl (JRC u'smile and Institute of Networks and Security, Johannes Kepler University Linz, Linz, Austria)
Endalkachew Asnake (JRC u’smile, University of Applied Sciences Upper Austria, Hagenberg, Austria)
Rene Mayrhofer (JRC u'smile and Institute of Networks and Security, Johannes Kepler University Linz, Linz, Austria)
Michael Roland (JRC u’smile, University of Applied Sciences Upper Austria, Hagenberg, Austria)

International Journal of Pervasive Computing and Communications

ISSN: 1742-7371

Article publication date: 2 November 2015

Downloads
449

Abstract

Purpose

The purpose of this paper is to design, implement and evaluate the usage of the password-authenticated secure channel protocol SRP to protect the communication of a mobile application to a Java Card applet. The usage of security and privacy sensitive systems on mobile devices, such as mobile banking, mobile credit cards, mobile ticketing or mobile digital identities has continuously risen in recent years. This development makes the protection of personal and security sensitive data on mobile devices more important than ever.

Design/methodology/approach

A common approach for the protection of sensitive data is to use additional hardware such as smart cards or secure elements. The communication between such dedicated hardware and back-end management systems uses strong cryptography. However, the data transfer between applications on the mobile device and so-called applets on the dedicated hardware is often either unencrypted (and interceptable by malicious software) or encrypted with static keys stored in applications.

Findings

To address this issue, this paper presents a solution for fine-grained secure application-to-applet communication based on Secure Remote Password (SRP-6a and SRP-5), an authenticated key agreement protocol, with a user-provided password at run-time.

Originality/value

By exploiting the Java Card cryptographic application programming interfaces (APIs) and minor adaptations to the protocol, which do not affect the security, the authors were able to implement this scheme on Java Cards with reasonable computation time.

Keywords

Acknowledgements

This work has been carried out within the scope of u’smile, the Josef Ressel Center for User-Friendly Secure Mobile Environments, funded by the Christian Doppler Gesellschaft, A1 Telekom Austria AG, Drei-Banken-EDV GmbH, LG Nexera Business Solutions AG, NXP Semiconductors Austria GmbH and Österreichische Staatsdruckerei GmbH. This article is an extended version of M. Hölzl, E. Asnake, R. Mayrhofer and M. Roland. Mobile Application to Java Card Applet Communication using a Password-authenticated Secure Channel. In Proceedings of the 12th International Conference on Advances in Mobile Computing & Multimedia (MoMM2014). ACM, Kaohsiung, Taiwan, December 2014.

Citation

Hölzl, M., Asnake, E., Mayrhofer, R. and Roland, M. (2015), "A password-authenticated secure channel for App to Java Card applet communication", International Journal of Pervasive Computing and Communications, Vol. 11 No. 4, pp. 374-397. https://doi.org/10.1108/IJPCC-09-2015-0032

Publisher

:

Emerald Group Publishing Limited

Copyright © 2015, Emerald Group Publishing Limited