Konstantinos Markantonakis

Smart Cards, Tokens, Security and Applications

Providing a broad overview of the many card systems and solutions in practical use today, this state-of-the art work is written by contributing authors who are active researchers and acknowledged experts in their field. A single book cannot be found to match both the breadth and depth of content. The book combines a cross-discipline overview of smart cards, tokens and related security and applications plus a technical reference to support further research and study. A step-by-step approach educates the reader and by the end of the book the reader should be able to play an educated role in a smart card related project.

Confidence in smart token proximity: Relay attacks revisited

Contactless and contact smart card systems use the physical constraints of the communication channel to implicitly prove the proximity of a token. These systems, however, are potentially vulnerable to an attack where the attacker relays communication between the reader and a token. Relay attacks are not new but are often not considered a major threat, like eavesdropping or skimming attacks, even though they arguably pose an equivalent security risk. In this paper we discuss the feasibility of implementing passive and active relay attacks against smart tokens and the possible security implications if an attacker succeeds. Finally, we evaluate the effectiveness of time-out constraints, distance bounding and the use of a additional verification techniques for making systems relay-resistant and explain the challenges still facing these mechanisms.

Security Challenges for User-Oriented RFID Applications within the "Internet of Things"

In this article, we examine the role played by RFID in enabling user-oriented networked applications. We explain why RFID is seen to be an important building block of the ”Internet of Things” and examine how RFID, assisted by the deployment of NFC devices, is increasingly facilitating user-oriented, Internet-based application architectures. Finally, we look at the high-level security challenges that these user-oriented application architectures will need to address.

HB-MP + Protocol: An Improvement on the HB-MP Protocol

In this paper, we propose an enhanced version of the HB-MP authentication protocol, called the HB-MP+ protocol. The HB-MP protocol is a lightweight authentication protocol that is suitable for use in passive radio frequency identification (RFID) systems. The HB-MP+ protocol overcomes the man-in-the-middle attack to which the basic HB-MP protocol is vulnerable while maintaining its suitability to low-cost passive RFID systems. We show an effective man-in-the-middle attack against the HB-MP protocol where the attacker utilizes the predictable rotation of the secret key. We enhance the HB-MP protocol by randomizing the rotation of the secret key, which eliminates the vulnerability. We also propose the use of round keys that may be produced by rotation or, more generally, by a one-way function. We analyse the security and performance improvements of our HB-MP+ protocol and find it to be suitable for passive RFID systems.

A Paradigm Shift in Smart Card Ownership Model

Smart cards have been proliferated into many aspects of modern life. Historically, the ownership of smart cards has remained with the smart card issuers. Although this ownership model is favored by a wide range of industries and service providers, it does not provide optimum convenience and flexibility to cardholders. One potential solution could be to shift the control of smart cards from the smart card issuers to the smart card users. In this paper, we will analyze the feasibility of an ownership model that delegates the ownership of a smart card to its user. The operational and security requirements of the proposed ownership model will be provided. In addition, principal research questions are identified that would merit further in-depth analysis to test the viability of this ownership model.

Attacking smart card systems: Theory and practice

Smart card technology has evolved over the last few years following notable improvements in the underlying hardware and software platforms. Advanced smart card microprocessors, along with robust smart card operating systems and platforms, contribute towards a broader acceptance of the technology. These improvements have eliminated some of the traditional smart card security concerns. However, researchers and hackers are constantly looking for new issues and vulnerabilities. In this article we provide a brief overview of the main smart card attack categories and their corresponding countermeasures. We also provide examples of well-documented attacks on systems that use smart card technology (e.g. satellite TV, EMV, proximity identification) in an attempt to highlight the importance of the security of the overall system rather than just the smart card.

Potential misuse of NFC enabled mobile phones with embedded security elements as contactless attack platforms

In this paper we investigate the possibility that a Near Field Communication (NFC) enabled mobile phone, with an embedded Secure Element (SE), could be used as a mobile token cloning and skimming platform. We show how an attacker could use a NFC mobile phone as such an attack platform by exploiting the existing security controls of the embedded SE and the available contactless APIs. To illustrate the feasibility of these actions we also show how to practically skim and emulate certain tokens typically used in payment and access control applications with a NFC mobile phone. Although such attacks can also be implemented on other contactless platforms, such as custom-built card emulators and modified readers, the NFC-enabled mobile phone has a legitimate form factor, which would be accepted by merchants and arouse less suspicion in public. Finally, we propose several security countermeasures for NFC phones that could prevent such misuse.

Application Management Framework in User Centric Smart Card Ownership Model

The predominant smart card ownership model is the issuer centric, and it has played a vital role in the proliferation of the technology. However, recent developments of multi-application smart card technology lead to new potential ownership models. One of the possible models is the User Centric Smart Card Ownership Model. In this model, the ownership is with smart card users. To support users ownership, we require a framework that can assist cardholders to manage applications on their smart cards. In this paper, we present such a framework for managing application securely on a smart card.

A Secure Channel Protocol for Multi-Application Smart Cards Based on Public Key Cryptography

Smart card secure channel protocols based on public key cryptography are not widely utilised mainly due to processing overheads introduced in the underlying smart card microprocessors and the complexities introduced by the operation of a PKI infrastructure. In this paper we analyse the significance of public key secure channel protocols in multi-application smart cards. We believe that multi-application smart card technology (e.g. the GlobalPlatform smart card specification) should benefit more from the advantages of public key cryptography specifically for the initiation and maintenance of a secure channel. This paper introduces a public key based cryptographic protocol for secure entity authentication, data integrity and data confidentiality. The proposed secure channel protocol uses a combination of public key, secret key and the main idea behind the Diffie-Hellman key establishment protocols in order to achieve the desired goals.

A Practical Fair-Exchange E-Payment Protocol for Anonymous Purchase and Physical Delivery

In this paper, a practical electronic-payment (epayment) protocol is presented for use over the internet. The protocol applies the principle of true fair-exchange to the process of purchase and physical delivery via an ecommerce system without the involvement of third party, whilst maintaining customer and merchant anonymity.