Connecting Smart Cards to the Internet Scott Guthery, CTO Mobile-Mind, Inc....
2
A Very Brief History of Computers
ERA                  NEED            TECHNOLOGY              WINNER
Computers            Applications    Programming Languages   IBM
Minicomputers        Multi-Tasking   Operating Systems       DEC
Personal Computers   Usability       User Interfaces         Wintel
Trusted Computers    Transactions    Mathematics             ????
… an ever tighter binding of hardware and software.
3
An Even Briefer History of Smart Cards
• 1967 - Jürgen Dethloff invents the smart card computer.
• 1972 - 1993 Patents, standards and “security through obscurity”
choke off applications and innovation.
• 1994 - MAOSCO and Keycorp create programmable smart cards.
• 1996 - Zeitcontrol and Schlumberger provide high-level languages.
• 1998 - Microsoft contributes a real file system and application
development tools.
• 2000 - Smart cards become Internet nodes.
4
Out of Sight, Out of Mind
[Figure: the layers Physical, Datalink, Network, Transport and Application drawn across four nodes, Smart Card, Handheld Device, Network Provider and Internet Service; each of the four runs IP / TCP / HTTP.]
5
Why IP on a Smart Card?
• End-to-End Security
• Standards-Based Card-Edge Interoperability
• Web-Based Application Development
• Direct Addressing
• More Points of Acceptance
• Remote Card Management
• Multiple Non-Proprietary Implementations
6
End-to-End Security
[Figure: two endpoints labelled 67.483.22.56 and 67.483.22.01, joined end to end across intermediate hops by a Security Association; labelled Card-Edge Interoperability.]
7
Factors Favoring Decentralized Architecture
• Time and Cost Efficiency – reliable, instant access to data with no disk farm overhead
• Increased Accuracy – single copy of cardholder data shared by all partners
• Enhanced Privacy – no liability exposure for issuer & physical reassurance for cardholder
• Universal Portability – insert data into whatever system or network needs it
• Off-Line Use – use data at points not connected to any network
8
Network Protocol Stacks
ISO OSI          Internet               Smart card Internet stack
Application      Process/Application    HTTP, AAA, MIP, SNMP
Presentation
Session
Transport        Host-to-Host           UDP, TCP, T/TCP
Network          Internet               IP, ARP, ICMP
Data Link        Network Interface      ISO 7816-3, T=0, T=1
Physical

WAP stack (bottom to top): Bearer Services, WDP, WTLS, WTP, WSP, WAE
Application content: ML with Script / C, Basic, Perl, Java
9
Issues to be Addressed
• Data-link subnetwork definition, addressing and fragmentation
• IP over T=0, 1, and 2
• ARP, RARP and ICMP
• IPv4 versus IPv6 Addresses
• Static versus Dynamic Card Addresses
• Address Finding & Forwarding (PPP, DHCP and Mobile IP)
• UDP, T/TCP, TCP
• Authentication, Authorization and Auditing (AAA)
• Transaction Internet Protocol (TIP)
10
Initial Thinking
• Data-link subnetwork
  – every smart card is a host, the terminal is the gateway router
  – need an addressing scheme on this subnetwork
  – IPv6 will require a data-link fragmentation protocol
• IP over ISO 7816-3
  – data field is the IP packet
  – 5-byte header describes the packet
• ARP
  – include ATR
• Both static and dynamic address cards seem to be useful
  – start with IPv4
• Need a transaction model
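The "IP over ISO 7816-3" bullet says only that the APDU data field carries the IP packet and the 5-byte APDU header describes it, and the data-link bullet notes that fragmentation is needed once packets outgrow one data field. The following is an added illustration of that framing, written for this page and not taken from the deck, the University of Michigan implementation or the Internet-Draft: the class byte CLA_NET, instruction INS_IP, and the use of P1 as a fragment index and P2 as a more-fragments flag are my assumptions, chosen so that a packet longer than the 255-byte short-APDU data field is split and reassembled. The card side checks every header field and the IPv4 header checksum before accepting the reassembled datagram, which is the check a practitioner would want at a card edge that now parses network input.

```python
import struct

# All framing choices below are assumptions for illustration; the deck states only
# that the APDU data field is the IP packet and the 5-byte header describes it.
CLA_NET = 0x80    # assumed class byte for the IP-over-7816-3 channel
INS_IP = 0x01     # assumed instruction: data field carries (a fragment of) an IP packet
MAX_DATA = 255    # largest data field of a short APDU (Lc is a single byte)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet: 20-byte option-less header with checksum, then payload."""
    def ip2b(s):
        return bytes(int(o) for o in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5,        # version 4, IHL 5 words
                      0,                   # TOS
                      20 + len(payload),   # total length
                      0, 0,                # identification, flags/fragment offset
                      64, proto,           # TTL, protocol
                      0,                   # checksum placeholder
                      ip2b(src), ip2b(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def packet_to_apdus(packet: bytes) -> list:
    """Terminal side: split one IP packet into command APDUs.
    Header = CLA INS P1 P2 Lc, with P1 = fragment index and P2 = more-fragments flag."""
    chunks = [packet[i:i + MAX_DATA] for i in range(0, len(packet), MAX_DATA)]
    if len(chunks) > 256:
        raise ValueError("too many fragments for a one-byte sequence number")
    apdus = []
    for seq, chunk in enumerate(chunks):
        more = 1 if seq < len(chunks) - 1 else 0
        apdus.append(bytes([CLA_NET, INS_IP, seq, more, len(chunk)]) + chunk)
    return apdus


def apdus_to_packet(apdus: list) -> bytes:
    """Card side: verify each header field before trusting the data, reassemble,
    then validate the result as IPv4 (version, IHL, header checksum, total length)."""
    buf = b""
    for expected, apdu in enumerate(apdus):
        if len(apdu) < 5:
            raise ValueError("APDU shorter than its 5-byte header")
        cla, ins, seq, more, lc = apdu[:5]
        if cla != CLA_NET or ins != INS_IP:
            raise ValueError("not an IP-carrying APDU")
        if seq != expected:
            raise ValueError("fragment out of sequence")
        if lc != len(apdu) - 5:
            raise ValueError("Lc disagrees with data field length")
        if more and expected == len(apdus) - 1:
            raise ValueError("final fragment missing")
        if not more and expected != len(apdus) - 1:
            raise ValueError("data after the final fragment")
        buf += apdu[5:]
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(buf):
        raise ValueError("bad IHL")
    if ipv4_checksum(buf[:ihl]) != 0:
        raise ValueError("IPv4 header checksum failed")
    if struct.unpack("!H", buf[2:4])[0] != len(buf):
        raise ValueError("IPv4 total length disagrees with reassembled size")
    return buf


if __name__ == "__main__":
    # constructed sample: a 400-byte payload tagged as UDP (protocol 17), terminal to card
    pkt = build_ipv4_packet("10.0.0.1", "10.0.0.2", 17, b"A" * 400)
    frames = packet_to_apdus(pkt)
    print(len(frames), "APDUs with headers", [a[:5].hex() for a in frames])
    assert apdus_to_packet(frames) == pkt
```

The 420-byte sample packet becomes two APDUs (255 and 165 data bytes); a truncated, reordered or bit-flipped sequence is rejected before the card ever treats the bytes as an IP packet.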
11
Interconnection of networks
Smart cards connect sneakernet to the Internet.
[Figure labels: Desktop, Mobile]
12
Contenders for Mobile Trust
• Mobile Telephones – GSM, 3G, WAP, ...
• Pagers – Pagewriter, Blackberry, …
• H/PCs – Palm, Visor, …
• Smart Card “Carry-Along” Readers – Xiring, Towitoko, Spyrus, …
• Authentication Tokens – Mobil Fastpass, First Access, Ensure, i-Key, ...
• Settop and Game Controllers – WebTV, Tatung, Sega, Nintendo, ...
• Personal Digital Audio – Diamond Rio, Sony ICD-70PC, Audible, ...
13
Trust
“Who are YOU?”
14
Identity Modules
• Mobile transactions need reliable identification of the
caller regardless of the mobile device.
• 300M GSM telephones use a smart card chip called a Subscriber Identity Module (SIM).
• SIMs separate the identity function from the communication function.
• A SIM in some form will be a part of any mobile trust solution.
15
SIM Toolkit
[Figure: SIM Toolkit architecture. Labels: SIM with Web Server Applet; IP tunnelling, IP over SMS and ISO 7816-3; Customer’s ME; ME for sending SMS or direct access to SMSC; SMS / IP; T=1 / IP; SIM Proxy with HTTP Server; IP over SMS tunnelling; WAN IP.]
Courtesy of Joachim Posegga, Deutsche Telekom
16
WebSIM Authentication – Generic Version
[Figure: Geek’s ME receives www.sim.com/+1234567/authenticate?<RAND>; the SIM computes f(Ki,Rand); between Geeks’ Savings Bank and Geeks’ Mobile Operator: “f(Ki,Rand) OK?” / “Yes. US-$ 0.20 please...”]
Courtesy of Joachim Posegga, Deutsche Telekom
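The WebSIM figure shows a three-party challenge-response: the bank sends a RAND to the SIM's web server over a URL, the SIM answers with f(Ki,Rand), and the bank asks the subscriber's mobile operator, the only other holder of Ki, whether that answer is correct. The code below is an added example written for this page, not Deutsche Telekom's or Mobile-Mind's WebSIM implementation. The deck does not name f, so HMAC-SHA256 stands in for it here as an assumption; the class names, the direct in-process call in place of the SMS/IP transport, and the operator's record of already-answered RANDs (a replay guard that the figure does not show) are also mine.

```python
import hashlib
import hmac
import os


# f(Ki, RAND) is the SIM's keyed function. The deck does not name it, so HMAC-SHA256
# is an assumption. Ki is shared only by the SIM and its operator; the bank never sees it.
def f_ki_rand(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, rand, hashlib.sha256).digest()


class WebSim:
    """The subscriber's SIM: holds Ki and answers the /authenticate?<RAND> request
    that reaches its on-card web server."""

    def __init__(self, msisdn: str, ki: bytes):
        self.msisdn = msisdn
        self._ki = ki

    def handle(self, path: str) -> bytes:
        # path has the form '/+1234567/authenticate?<hex RAND>' (URL shape from the slide)
        msisdn, _, query = path.strip("/").partition("/authenticate?")
        if msisdn != self.msisdn or not query:
            raise ValueError("request not addressed to this SIM")
        return f_ki_rand(self._ki, bytes.fromhex(query))


class MobileOperator:
    """Holds each subscriber's Ki and confirms responses for relying parties."""

    def __init__(self):
        self._keys = {}
        # (msisdn, RAND) pairs already confirmed; refusing them is my addition so a
        # captured response cannot be presented a second time
        self._answered = set()

    def provision(self, msisdn: str, ki: bytes) -> None:
        self._keys[msisdn] = ki

    def confirm(self, msisdn: str, rand: bytes, response: bytes) -> bool:
        """The bank's 'f(Ki,Rand) OK?'; True corresponds to 'Yes. US-$ 0.20 please...'."""
        ki = self._keys.get(msisdn)
        if ki is None or (msisdn, rand) in self._answered:
            return False
        self._answered.add((msisdn, rand))
        return hmac.compare_digest(f_ki_rand(ki, rand), response)


class SavingsBank:
    """Relying party: generates RAND, routes it to the SIM, asks the operator to confirm.
    It holds no key material of its own."""

    def __init__(self, operator: MobileOperator):
        self.operator = operator

    def authenticate(self, msisdn: str, sim: WebSim, rand: bytes = None) -> bool:
        rand = rand or os.urandom(16)
        url = "www.sim.com/%s/authenticate?%s" % (msisdn, rand.hex())
        # in deployment the GET travels over SMS/IP to the SIM; here it is a direct call
        response = sim.handle(url[len("www.sim.com"):])
        return self.operator.confirm(msisdn, rand, response)


if __name__ == "__main__":
    # constructed sample subscriber; Ki and MSISDN are made up for the demo
    operator = MobileOperator()
    operator.provision("+1234567", b"\x11" * 16)
    bank = SavingsBank(operator)
    print("genuine SIM:", bank.authenticate("+1234567", WebSim("+1234567", b"\x11" * 16)))
    print("wrong Ki:   ", bank.authenticate("+1234567", WebSim("+1234567", b"\x22" * 16)))
```

The point the figure makes survives in the code: identity is anchored in the SIM and verified by the operator, so the bank can rely on it without ever holding Ki, whatever device carries the SIM.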
17
Status and Plans
• Status
  – First smart card IP implementation built by University of Michigan
  – Internet-Draft for IP over ISO 7816-3 submitted to IETF
  – Bull describes proxy-based IP for smart cards with proprietary host/card communication
  – Smart card Web server built for GSM SIM and demonstrated on GSM mobile network by Deutsche Telekom and Mobile-Mind
• Plans
  – Second IP implementation & IETF standards track submission
  – Generate proposal for smart card IP address (IPv4 vs. IPv6)
  – Connect network smart cards and WebSIM to dot com apps
  – Integrate Web server with smart card browsers
  – Experiment with alternative transaction protocols
18
Conclusions
• Smart card modules are particularly attractive on-line identity tokens regardless of the nature of the network or the device used to connect to it.
• Utility beyond simple authentication is very application and situation dependent.
• If you think getting the bits around was fun, wait until we start moving trust and risk around.
19
“You can all join in!”
Traffic, 1968