Smart cards: State-of-the-art to future directions

The evolution of smart card technology provides an interesting case study of the relationship and interactions between security and business requirements. This paper maps out the milestones for smart card technology, discussing at each step the opportunities and challenges. The paper reviews recently proposed innovative ownership/management models and the security challenges associated with them. The paper concludes with a discussion of possible future directions for the technology, and the challenges these present

Remote attestation mechanism for embedded devices based on physical unclonable functions

Remote attestation mechanisms are well studied in the high-end computing environments; however, the same is not true for embedded devices-especially for smart cards. With ever changing landscape of smart card technology and advancements towards a true multi-application platform, verifying the current state of the smart card is significant to the overall security of such proposals. The initiatives proposed by GlobalPlatform Consumer Centric Model (GP-CCM) and User Centric Smart Card Ownership Model (UCOM) enables a user to download any application as she desire-depending upon the authorisation of the application provider. Before an application provider issues an application to a smart card, verifying the current state of the smart card is crucial to the security of the respective application. In this paper, we analyse the rationale behind the remote attestation mechanism for smart cards, and the fundamental features that such a mechanism should possess. We also study the applicability of Physical Unclonable Functions (PUFs) for the remote attestation mechanism and propose two algorithms to achieve the stated features of remote attestation. The proposed algorithms are implemented in a test environment to evaluate their performance. © 2013 The authors and IOS Press. All rights reserved

A User Centric Security Model for Tamper-Resistant Devices

In this thesis we propose a design for a ubiquitous and interoperable device based on the smart card architecture to meet the challenges of privacy, trust, and security for traditional and emerging technologies like personal computers, smart phones and tablets. Such a de- vice is referred a User Centric Tamper-Resistant Device (UCTD). To support the smart card architecture for the UCTD initiative, we propose the delegation of smart card owner- ship from a centralised authority (i.e. the card issuer) to users. This delegation mandated a review of existing smart card mechanisms and their proposals for modifications/improve- ments to their operation. Since the inception of smart card technology, the dominant ownership model in the smart card industry has been refer to as the Issuer Centric Smart Card Ownership Model (ICOM). The ICOM has no doubt played a pivotal role in the proliferation of the technology into various segments of modern life. However, it has been a barrier to the convergence of different services on a smart card. In addition, it might be considered as a hurdle to the adaption of smart card technology into a general-purpose security device. To avoid these issues, we propose citizen ownership of smart cards, referred as the User Centric Smart Card Ownership Model (UCOM). Contrary to the ICOM, it gives the power of decision to install or delete an application on a smart card to its user. The ownership of corresponding applications remains with their respective application providers along with the choice to lease their application to a card or not. In addition, based on the UCOM framework, we also proposed the Coopetitive Architecture for Smart Cards (CASC) that merges the centralised control of card issuers with the provision of application choice to the card user. In the core of the thesis, we analyse the suitability of the existing smart card architectures for the UCOM. This leads to the proposal of three major contributions spanning the smart card architecture, the application management framework, and the execution environment. Furthermore, we propose protocols for the application installation mechanism and the application sharing mechanism (i.e. smart card firewall). In addition to this, we propose a framework for backing-up, migrating, and restoring the smart card contents. Finally, we provide the test implementation results of the proposed protocols along with their performance measures. The protocols are then compared in terms of features and performance with existing smart cards and internet protocols. In order to provide a more detailed analysis of proposed protocols and for the sake of completeness, we performed mechanical formal analysis using the CasperFDR.EThOS - Electronic Theses Online ServiceGBUnited Kingdo

Remote Attestation Mechanism for User Centric Smart Cards using Pseudorandom Number Generators

Abstract. User Centric Smart Card Ownership Model (UCOM) gives the freedom of choice of respective applications to the smart card users. The user-centric architecture requires a trusted entity to be present on the smart card to provide security assurance and validation to the requesting application providers. In this paper, we propose the inclusion of a trusted computing platform for smart cards that we refer as the Trusted Environment & Execution Manager (TEM). This is followed by the rationale behind the changes to the traditional smart card architecture to accommodate the remote security assurance and validation mechanism. We propose an attestation protocol that provides an on-demand security validation of a smart card by its respective manufacturer. Finally, the attestation protocol is informally analysed, and its test implementation and performance measurements are presented

Digital Trust - Trusted Computing and Beyond A Position Paper

Along with the invention of computers and interconnected networks, physical societal notions like security, trust, and privacy entered the digital environment. The concept of digital environments begins with the trust (established in the real world) in the organisation/individual that manages the digital resources. This concept evolved to deal with the rapid growth of the Internet, where it became impractical for entities to have prior offline (real world) trust. The evolution of digital trust took diverse approaches and now trust is defined and understood differently across heterogeneous domains. This paper looks at digital trust from the point of view of security and examines how valid trust approaches from other domains are now making their way into secure computing. The paper also revisits and analyses the Trusted Platform Module (TPM) along with associated technologies and their relevance in the changing landscape. We especially focus on the domains of cloud computing, mobile computing and cyber-physical systems. In addition, the paper also explores our proposals that are competing with and extending the traditional functionality of TPM specifications