Asad Mahboob Ali
Gemalto
Publication
Featured research published by Asad Mahboob Ali.
international conference on information security | 2004
HongQian Karen Lu; Asad Mahboob Ali
This paper presents a novel method that can be used to prevent online identity theft and thereby ensure secure online transactions. In particular, the method combats online identity theft mechanisms that capture information on the computer before the information is encrypted. The key feature of this method is the use of secure network smart cards to establish secure connections between the smart card and remote Internet nodes. Using this end-to-end secure connection, one can securely exchange confidential information between the smart card and a trusted remote server. Any intermediate node, including the host computer to which the smart card is connected, cannot compromise this secure connection.
Archive | 2009
Jean-Daniel Aussel; Jerome d’Annoville; Laurent Castillo; Stephane Durand; Thierry Fabre; Karen Lu; Asad Mahboob Ali
Smart cards are widely used to provide security in end-to-end communication involving servers and a variety of terminals, including mobile handsets or payment terminals. Sometimes, end-to-end server to smart card security is not applicable, and smart cards must communicate directly with an application executing on a terminal, like a personal computer, without communicating with a server. In this case, the smart card must somehow trust the terminal application before performing some secure operation it was designed for. This paper presents a novel method to remotely trust a terminal application from the smart card. For terminals such as personal computers, this method is based on an advanced secure device connected through the USB and consisting of a smart card bundled with flash memory. This device, or USB dongle, can be used in the context of remote entrusting to secure portable applications conveyed in the dongle flash memory. White-box cryptography is used to set the secure channel and a mechanism based on thumbprint is described to provide external authentication when session keys need to be renewed. Although not as secure as end-to-end server to smart card security, remote entrusting with smart cards is easy to deploy for mass-market applications and can provide a reasonable level of security.
Archive | 2004
Michael Montgomery; Asad Mahboob Ali; Karen Lu
This paper covers the philosophy and techniques used for implementation of a standard networking stack, including the hardware interface, PPP, TCP, IP, SSL/TLS, HTTP, and applications within the resource constraints of a smart card. This implementation enables a smart card to establish secure TCP/IP connections using SSL/TLS protocols to any client or server on the Internet, using only standard networking protocols, and requiring no host middleware to be installed. A standard (unmodified) client or server anywhere on the network can securely communicate directly with this card; as far as the remote computer can tell, the smart card is just another computer on the Internet. No smart card specific software is required on the host or any remote computer.
information security conference | 2005
Asad Mahboob Ali; Karen Lu; Michael Montgomery
This paper describes the functionality and practical uses of a network smart card: a smart card that can connect to the Internet as a secure and autonomous peer. The network smart card does not require any special middleware on the host device. It uses standard networking protocols PPP and TCP/IP to achieve network connectivity. Network security is accomplished by an optimized SSL/TLS stack on the smart card. The combination of TCP/IP and SSL/TLS stacks on the smart card enables the smart card to establish a secure end-to-end network connection with any standard (unmodified) client or server on the Internet. This opens the door to seamless, secure and novel applications of smart cards in the most ubiquitous network: the Internet. Some of these applications that use the network smart card in confidential online transactions are explained.
Archive | 2015
Asad Mahboob Ali; François Tuot; Gérald Maunier
In a sensitive environment, it is common to implement user authentication, possibly based on several factors, in order to ensure only authorized users have access to restricted features or information. But today more and more devices are interacting directly to perform some actions, or deliver a high-level service to their user, as in smart grid and, more generally, machine-to-machine environments. This raises the need for device authentication and, by extension, mutual device authentication. The highest confidence level should be achieved by ensuring both user and devices are allowed to engage in a transaction.
Archive | 2004
HongQian Karen Lu; Michael Montgomery; Asad Mahboob Ali
Archive | 2006
Michael Montgomery; Asad Mahboob Ali
Archive | 2007
Asad Mahboob Ali; HongQian Karen Lu; Apostol Vassilev; Ed Dolph
Archive | 2008
HongQian Karen Lu; Asad Mahboob Ali; Kapil Sachdeva
Archive | 2008
HongQian Karen Lu; Stephane Durand; Laurent Castillo; Asad Mahboob Ali; Ed Dolph