research-article

A novel consumer-centric card management architecture and potential security issues

Published: 10 November 2015

Abstract

Multi-application smart card technology has gained momentum due to the Near Field Communication (NFC) and smart phone revolution. Enabling multiple applications from different application providers on a single smart card is not a new concept. Multi-application smart cards have been around since the late 1990s; however, uptake was severely limited. NFC has recently reinvigorated the multi-application initiative and this time around a number of innovative deployment models are proposed. Such models include Trusted Service Manager (TSM), User Centric Smart Card Ownership Model (UCOM) and GlobalPlatform Consumer-Centric Model (GP-CCM). In this paper, we discuss two of the most widely accepted and deployed smart card management architectures in the smart card industry: GlobalPlatform and Multos. We explain how these architectures do not fully comply with the UCOM and GP-CCM. We then describe our novel flexible consumer-centric card management architecture designed specifically for the UCOM and GP-CCM frameworks, along with ways of integrating the TSM model into the proposed card management architecture. Finally, we discuss four new security issues inherent to any architecture in this context along with the countermeasures for our proposed architecture.

    Published In

    Information Sciences: an International Journal  Volume 321, Issue C
    November 2015
    278 pages

    Publisher

    Elsevier Science Inc.

    United States

    Author Tags

    1. Card management architecture
    2. GlobalPlatform
    3. Java Card
    4. Multos
    5. Smart card
    6. User centric smart cards

    Qualifiers

    • Research-article
