JIS Vol. 3 No. 4, October 2012
Secure Messaging Implementation in OpenSC
Abstract: Smartcards are used for a rapidly increasing number of applications including electronic identity, driving licenses, physical access, health care, digital signature, and electronic payments. The use of a specific smartcard in a "closed" environment generally provides a high level of security. In a closed environment no other smartcards are employed and the card use is restricted to the smartcard's own firmware, approved software applications, and approved card reader. However, the same level of security cannot be claimed for open environments where smartcards from different manufacturers might interact with various smartcard applications. The reason is that despite a number of existing standards and certification protocols like Common Criteria and CWA 14169, secure and convenient smartcard interoperability has remained a challenge. Ideally, just one middleware would handle the interactions between various software applications and different smartcards securely and seamlessly. In our ongoing research we investigate the underlying interoperability and security problems specifically for digital signature processes. An important part of such a middleware is a set of utilities and libraries that support cryptographic applications including authentication and digital signatures for a significant number of smartcards. The open-source project OpenSC provides such utilities and libraries. Here we identify some security shortcomings of OpenSC when it is used as such a middleware. By implementing a secure messaging function in OpenSC 0.12.0 that protects the PIN and data exchange between the smartcard and the middleware, we address one important security weakness. This enables the integration of digital signature functionality into the OpenSC environment.
Cite this paper: M. Talamo, M. Galinium, C. H. Schunck and F. Arcieri, "Secure Messaging Implementation in OpenSC," Journal of Information Security, Vol. 3 No. 4, 2012, pp. 251-258. doi: 10.4236/jis.2012.34032.
