Vulnerabilities of PKI based smartcards

Partha Dasgupta; Karmvir Chatha; Sandeep Gupta

doi:10.1109/MILCOM.2007.4455333

Vulnerabilities of PKI based smartcards

Partha Dasgupta, Karmvir Chatha, Sandeep Gupta

IAFSE-CIDSE: Computer Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

4 Scopus citations

Abstract

PKI-enabled smartcards hold the future of personal identity management and resilience against identity theft. These cards can hold multiple certified identities (e.g. credit card accounts) and provide: Authentication, Data Integrity, Confidentiality and Non-repudiation. Since the private key of the client certificates are stored in the card, and this key cannot be extracted from the card, it provides a high degree of security even when the card is used on an untrusted workstation (or point-of-sale). This paper shows that using PKI enabled smartcards on an un-trusted workstation can allow a variety of attacks to be performed by a malicious software. These attacks range from simple PIN phishing, to more serious attacks such as signatures on unauthorized transactions, authentication of users without consent, unauthorized secure access to SSL enabled web servers as well as remote usage of the smartcard by attackers. We also show that the root cause of such problems is the lack of a secure I/O channel between the user and the card and outline steps that can be taken to ensure such a channel is available making the documented attacks not feasible. We have prototyped the proposed solution and verified that the above attacks can be thwarted.

Original language	English (US)
Title of host publication	Military Communications Conference, MILCOM 2007
DOIs	https://doi.org/10.1109/MILCOM.2007.4455333
State	Published - Dec 1 2007
Event	Military Communications Conference, MILCOM 2007 - Orlando, FL, United States Duration: Oct 29 2007 → Oct 31 2007

Publication series

Name	Proceedings - IEEE Military Communications Conference MILCOM

Other

Other	Military Communications Conference, MILCOM 2007
Country	United States
City	Orlando, FL
Period	10/29/07 → 10/31/07

ASJC Scopus subject areas

Electrical and Electronic Engineering

Access to Document

10.1109/MILCOM.2007.4455333

Fingerprint Dive into the research topics of 'Vulnerabilities of PKI based smartcards'. Together they form a unique fingerprint.

Cite this

@inproceedings{89beb071a30a48fea00239d0a0622ac1,

title = "Vulnerabilities of PKI based smartcards",

abstract = "PKI-enabled smartcards hold the future of personal identity management and resilience against identity theft. These cards can hold multiple certified identities (e.g. credit card accounts) and provide: Authentication, Data Integrity, Confidentiality and Non-repudiation. Since the private key of the client certificates are stored in the card, and this key cannot be extracted from the card, it provides a high degree of security even when the card is used on an untrusted workstation (or point-of-sale). This paper shows that using PKI enabled smartcards on an un-trusted workstation can allow a variety of attacks to be performed by a malicious software. These attacks range from simple PIN phishing, to more serious attacks such as signatures on unauthorized transactions, authentication of users without consent, unauthorized secure access to SSL enabled web servers as well as remote usage of the smartcard by attackers. We also show that the root cause of such problems is the lack of a secure I/O channel between the user and the card and outline steps that can be taken to ensure such a channel is available making the documented attacks not feasible. We have prototyped the proposed solution and verified that the above attacks can be thwarted.",

author = "Partha Dasgupta and Karmvir Chatha and Sandeep Gupta",

year = "2007",

month = dec,

day = "1",

doi = "10.1109/MILCOM.2007.4455333",

language = "English (US)",

isbn = "1424415136",

series = "Proceedings - IEEE Military Communications Conference MILCOM",

booktitle = "Military Communications Conference, MILCOM 2007",

note = "Military Communications Conference, MILCOM 2007 ; Conference date: 29-10-2007 Through 31-10-2007",

}

TY - GEN

T1 - Vulnerabilities of PKI based smartcards

AU - Dasgupta, Partha

AU - Chatha, Karmvir

AU - Gupta, Sandeep

PY - 2007/12/1

Y1 - 2007/12/1

N2 - PKI-enabled smartcards hold the future of personal identity management and resilience against identity theft. These cards can hold multiple certified identities (e.g. credit card accounts) and provide: Authentication, Data Integrity, Confidentiality and Non-repudiation. Since the private key of the client certificates are stored in the card, and this key cannot be extracted from the card, it provides a high degree of security even when the card is used on an untrusted workstation (or point-of-sale). This paper shows that using PKI enabled smartcards on an un-trusted workstation can allow a variety of attacks to be performed by a malicious software. These attacks range from simple PIN phishing, to more serious attacks such as signatures on unauthorized transactions, authentication of users without consent, unauthorized secure access to SSL enabled web servers as well as remote usage of the smartcard by attackers. We also show that the root cause of such problems is the lack of a secure I/O channel between the user and the card and outline steps that can be taken to ensure such a channel is available making the documented attacks not feasible. We have prototyped the proposed solution and verified that the above attacks can be thwarted.

AB - PKI-enabled smartcards hold the future of personal identity management and resilience against identity theft. These cards can hold multiple certified identities (e.g. credit card accounts) and provide: Authentication, Data Integrity, Confidentiality and Non-repudiation. Since the private key of the client certificates are stored in the card, and this key cannot be extracted from the card, it provides a high degree of security even when the card is used on an untrusted workstation (or point-of-sale). This paper shows that using PKI enabled smartcards on an un-trusted workstation can allow a variety of attacks to be performed by a malicious software. These attacks range from simple PIN phishing, to more serious attacks such as signatures on unauthorized transactions, authentication of users without consent, unauthorized secure access to SSL enabled web servers as well as remote usage of the smartcard by attackers. We also show that the root cause of such problems is the lack of a secure I/O channel between the user and the card and outline steps that can be taken to ensure such a channel is available making the documented attacks not feasible. We have prototyped the proposed solution and verified that the above attacks can be thwarted.

UR - http://www.scopus.com/inward/record.url?scp=47949097544&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=47949097544&partnerID=8YFLogxK

U2 - 10.1109/MILCOM.2007.4455333

DO - 10.1109/MILCOM.2007.4455333

M3 - Conference contribution

AN - SCOPUS:47949097544

SN - 1424415136

SN - 9781424415137

T3 - Proceedings - IEEE Military Communications Conference MILCOM

BT - Military Communications Conference, MILCOM 2007

T2 - Military Communications Conference, MILCOM 2007

Y2 - 29 October 2007 through 31 October 2007

ER -