Joaquin Torres
Charles III University of Madrid
Publication
Featured research published by Joaquin Torres.
Computer Networks | 2007
Joaquin Torres; Antonio Izquierdo; José María Sierra
Smart cards have been widely used as simple token hardware in authentication processes. Nevertheless, a new trend indicates a shift towards more enhanced cards with networking capabilities. We propose revising the usual focus on smart card authentication protocol designs, as well as highlighting the need to adapt to new trends. Our main objective is to define an authentication model that uses the card as a stand-alone supplicant in a mutual end-to-end authentication schema. We also propose a protocol architecture which allows us to integrate the smart card within the network in the authentication plane. Finally, this new approach to network smart cards authentication processes is applied to a practical electronic payment scenario.
database and expert systems applications | 2007
Diego Suarez; Joaquin Torres; Mildrey Carbonell; Jesús Téllez
Most of the security proposals in m-commerce scenarios have been based on a classical payment model, which basically establishes relationships across domains among customers and merchants by means of business and banking domains. Nevertheless, these security solutions are not sufficiently robust when new components intend to participate in the m-commerce process. From our research, we can identify three emerging factors that could subordinate the design of current and future m-commerce scenarios: enhanced payment cards with networking functionalities, a plethora of infrastructures with constrained connectivity and intermediary entities with multiparty payment functionalities. Consequently, this paper identifies the need for review of the model being used so far in order to guarantee security robustness, and proposes an extended payment model that, among other advantages, allows the study of more effective security solutions.
Computer Communications | 2006
Joaquin Torres; Antonio Izquierdo; José María Sierra; Arturo Ribagorda
Traditionally, smart cards have been seen as security devices, but as soon as they could be integrated into distributed and networked environments their vulnerabilities could be attempted and countermeasures against new security threats in an open-access internet were required. In this work, our target could be represented by an end-to-end mutual authentication scenario where the smart card could authenticate by itself to a Network Access Server by means of link layer protocols and therefore in the absence of IP connectivity. Some previous related models based on the Extensible Authentication Protocol are presented. However, in these works the smart card and terminal jointly implement the supplicant functionality (split supplicant). We consider the native EAP multiplexing model specified by the IETF to propose a new approach in order to avoid this split and to achieve an autonomous and highly independent smart card in the authentication scheme: a self-authenticable smart card.
international conference on computational science and its applications | 2008
Mildrey Carbonell; Joaquin Torres; Antonio Izquierdo; Diego Suarez
Most of the security proposals in commerce scenarios have been based on a classical e-payment system definition. This definition basically represents a client who sends a payment order to obtain some goods/services from the merchant, which the intentions of the real money transaction carry on between his financial institutions. Nevertheless, these definitions are not sufficiently robust when new aspects appear in the electronic payment transaction. We can identify some of those new aspects (such as: smart card with network capabilities, business mediator with advantage services, handheld devices with constrained connectivity, and multiparty scenarios) that could subordinate the design of current and future commerce scenarios. In this paper we extended the traditional e-payment system definition, in order to include these new aspects. Additionally, we describe two new payment models, where such aspects are involved, and where the secure solution needs to consider new security requirements.
collaboration technologies and systems | 2008
Mildrey Carbonell; Joaquin Torres; Diego Suarez; José María Sierra; Jesús Téllez
Most of the secure electronic payment solutions that have been proposed in the last years are focused on the traditional payment model: one customer buys goods/services from one merchant, and a payment e-transaction is performed via a processor and banking institutions. However, nowadays, more versatile e-commerce scenarios could be considered with different constraints but with interesting challenges and advantages. On one hand, new customers' habits and new connectivity solutions and technologies such as hotspots in public wireless LANs, enough bandwidth in 3G cellular networks, powerful smart-phones, embedded browsers, etc. are adapting the current market offers. On the other hand, new intermediate entities aim to participate in the purchase transaction by providing value-added and customized services to the different parties, with the corresponding benefits. An important assumption for our proposal is that this intermediary is an a priori untrustworthy entity for the customer. In this paper, we describe a new e-payment model with an intermediary that links one customer with multiple merchants. Additionally, this model considers merchants and intermediaries with Internet connectivity constraints; therefore our solution is based on a client-centric approach, i.e. only the client equipment has the capability of communicating online with the banking networks by means of a payment service provider. For that reason, our solution is focused on the protection of the end-to-end e-payment transactions that are transmitted through a powerful client handheld device.
international conference on computational science and its applications | 2005
Joaquin Torres; Antonio Izquierdo; Arturo Ribagorda; Almudena Alcaide
Recent research efforts have been addressed towards maintaining the heterogeneous networking transparent under the powerful all-IP concept. As an example, the current global standardization initiative specifies the 3G cellular system to wireless LAN inter-working. On the other hand, smart cards are presented as sufficiently powerful devices capable of performing a strong authentication at lower layers of the protocol stack. Our work proposes a novel reference model and a scenario of applicability for secure electronic payment in this environment. The impact on the trust relations is assessed and a set of authentication requirements is provided. Finally, a new approach based on end-to-end layer 2 authentication protocols is adjusted to this proposal, considering the most interesting improvements in the authentication mechanisms applicable to this context.
international symposium on industrial electronics | 2007
Joaquin Torres; José María Sierra; Jesus Tellez; Antonio Izquierdo
Communication protocols used in industrial ecosystems provide the information with mobility and ubiquitous capabilities. As industrial ecosystems expand to embrace new devices, services or communication technologies, and also due to the increase of the information being exchanged, the interoperability and mobility issues are starting to show up. These issues prevent the interconnection among ecosystems, thus limiting information mobility. We review these problems arising from non-standard implementations of communication protocols, and will point out other common problems for these implementations. Finally, we will remark on the aspects that should be taken into account when designing methodologies to validate the information exchange mechanisms.
smart card research and advanced application conference | 2008
Joaquin Torres; Mildrey Carbonell; Jesús Téllez; José María Sierra
This paper proposes a new authentication and authorization architecture based on a network smart card with identification purposes: ID-NSCard. Thus, a citizen who holds this kind of device might be securely authenticated by a remote authoritative server in an identification system. This work shows how the standardized specifications are transparently reused and integrated in the proposed architecture. Details of the protocol and authentication mechanisms are provided for a Case of Study: Spanish National Electronic ID Card.
international conference on computational science and its applications | 2004
José María Sierra; J.C. Hernandez; Almudena Alcaide; Joaquin Torres
Most attacks against security protocols are due to their vulnerable designs. These types of protocols are usually the base which many other protocols and applications are built upon, so proving the correctness of such protocols has become a very important issue in recent years. At the same time, the complexity of security protocols has increased considerably, making it harder to perform an exhaustive analysis of the different situations they are able to deal with. BAN logic was created to assist in the validation of authentication protocols. Although there are other validation logics, we have chosen BAN because we believe its formal process is very simple and robust and therefore facilitates its application to validate old protocols such as Otway-Rees and more complex new ones such as IKE (standard Internet Key Exchange protocol). This paper is based on BAN logic. We will give a brief description of validating procedures and we will demonstrate the validity of BAN foundations, refuting some weaknesses detected by other authors.
international conference on information security | 2008
Joaquin Torres; Antonio Izquierdo; Mildrey Carbonell; José María Sierra
This paper reviews the way in which the security protocols EAP-SIM/AKA are used in 3G/WLAN network interworking from the point of view of the U(SIM). As a result, a new AAA protocol architecture is derived from the integration of a Network Smart Card, NSC, that implements U(SIM) functionalities within the scheme. The implementation in a testbed shows the robustness and feasibility of such an architecture.