Connecting Smart Cards to the Internet
Scott Guthery, CTO
Mobile-Mind, Inc.
[email protected]
A Very Brief History of Computers

ERA                  NEED            TECHNOLOGY               WINNER
Computers            Applications    Programming Languages    IBM
Minicomputers        Multi-Tasking   Operating Systems        DEC
Personal Computers   Usability       User Interfaces          Wintel
Trusted Computers    Transactions    Mathematics              ????

… an ever tighter binding of hardware and software.
An Even Briefer History of Smart Cards
• 1967 - Jürgen Dethloff invents the smart card computer.
• 1972 - 1993 Patents, standards and “security through obscurity”
choke off applications and innovation.
• 1994 - MAOSCO and Keycorp create programmable smart cards.
• 1996 - Zeitcontrol and Schlumberger provide high-level languages.
• 1998 - Microsoft contributes a real file system and application
development tools.
• 2000 - Smart cards become Internet nodes.
Out of Sight, Out of Mind

[Figure: the Internet protocol stack (Application/HTTP, Transport/TCP, Network/IP, Datalink, Physical) drawn on three nodes side by side: Smart Card, Handheld Device and Internet Service Provider/Network. HTTP, TCP and IP appear at every node, i.e. the card is a full peer rather than a peripheral.]
Why IP on a Smart Card?
• End-to-End Security
• Standards-Based Card-Edge Interoperability
• Web-Based Application Development
• Direct Addressing
• More Points of Acceptance
• Remote Card Management
• Multiple Non-Proprietary Implementations
End-to-End Security
Card-Edge Interoperability

[Figure: two IP hosts, labelled 67.483.22.56 and 67.483.22.01 on the slide, joined end to end by a Security Association that spans all the intermediate hops. The addresses are illustrative only; 483 is not a valid IPv4 octet.]
Factors Favoring Decentralized Architecture
• Time and Cost Efficiency
– reliable, instant access to data with no disk farm overhead
• Increased Accuracy
– single copy of cardholder data shared by all partners
• Enhanced Privacy
– no liability exposure for issuer & physical reassurance for cardholder
• Universal Portability
– insert data into whatever system or network needs it
• Off-Line Use
– use data at points not connected to any network
Network Protocol Stacks

WAP                                        ISO OSI          Internet
aML with bScript / C, Basic, Perl, Java    Application      Process/Application
WAE                                        Presentation       (HTTP, AAA, MIP, SNMP)
WSP                                        Session
WTP, WTLS                                  Transport        Host-to-Host (UDP, TCP, T/TCP)
WDP                                        Network          Internet (IP, ARP, ICMP)
Bearer Services                            Data Link        Network Interface
                                           Physical           (ISO 7816-3, T=0, T=1)
Issues to be Addressed
• Data-link subnetwork definition, addressing and fragmentation
• IP over T=0, 1, and 2
• ARP, RARP and ICMP
• IPv4 versus IPv6 Addresses
• Static versus Dynamic Card Addresses
• Address Finding & Forwarding (PPP, DHCP and Mobile IP)
• UDP, T/TCP, TCP
• Authentication, Authorization and Auditing (AAA)
• Transaction Internet Protocol (TIP)
Initial Thinking
• Data-link subnetwork
– every smart card is a host; the terminal is the gateway router
– need an addressing scheme on this subnetwork
– IPv6 will require a data-link fragmentation protocol (its 1280-byte minimum MTU
  does not fit in the data field of a short APDU)
• IP over ISO 7816-3
– data field is the IP packet
– 5-byte header describes the packet
• ARP
– include ATR
• Both static and dynamic address cards seem to be useful
– start with IPv4
• Need a transaction model
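The encapsulation and fragmentation sketched on the "Initial Thinking" slide, as an added worked example (not code from the presentation or from the Internet-Draft it mentions): an IP datagram is carried in the data field of ISO 7816 command APDUs whose 5-byte header (CLA, INS, P1, P2, Lc) describes it. The header layout used here, with P1 as fragment index and P2 as fragment count, the CLA/INS values, and the use of short APDUs (one-byte Lc, so at most 255 data bytes per fragment) are assumptions; that 255-byte ceiling is exactly why IPv6's 1280-byte minimum MTU forces a data-link fragmentation protocol. The reassembler also rejects the malformed, duplicate and missing fragments that a terminal acting as gateway router would see from a hostile or buggy card.

```python
"""IP over ISO 7816-3: carry an IP datagram in the data field of command APDUs.

Added example, not code from the presentation or from the Internet-Draft it
cites. Assumed (hypothetical) 5-byte header layout:
    CLA = 0x80   proprietary class
    INS = 0x1F   "IP datagram" instruction (made up for this example)
    P1  = index of this fragment (0-based)
    P2  = total number of fragments in the datagram
    Lc  = number of data bytes that follow (1..255 in a short APDU)
"""
import struct

CLA_IP = 0x80
INS_IP = 0x1F
MAX_FRAG = 255        # short-APDU Lc is a single byte
IPV6_MIN_MTU = 1280   # IPv6 minimum link MTU; cannot fit in one short APDU


def is_valid_ipv4(addr: str) -> bool:
    """True for dotted-quad addresses whose four octets are all 0..255."""
    parts = addr.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words (RFC 791 header checksum)."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Minimal IPv4 header (no options) plus payload, with a valid checksum."""
    if not (is_valid_ipv4(src) and is_valid_ipv4(dst)):
        raise ValueError("invalid IPv4 address")
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0x4000, 64, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def encapsulate(packet: bytes) -> list:
    """Split one IP datagram into command APDUs, each with the 5-byte header."""
    if not packet:
        raise ValueError("empty datagram")
    frags = [packet[i:i + MAX_FRAG] for i in range(0, len(packet), MAX_FRAG)]
    if len(frags) > 255:
        raise ValueError("datagram needs more than 255 fragments")
    return [bytes([CLA_IP, INS_IP, idx, len(frags), len(f)]) + f
            for idx, f in enumerate(frags)]


def reassemble(apdus) -> bytes:
    """Rebuild the datagram, rejecting malformed, duplicate or missing fragments.

    Fragments may arrive in any order; the index in P1 places each one.
    """
    total = None
    parts = {}
    for apdu in apdus:
        if len(apdu) < 6:
            raise ValueError("APDU shorter than header plus one data byte")
        cla, ins, p1, p2, lc = apdu[:5]
        if cla != CLA_IP or ins != INS_IP:
            raise ValueError("not an IP-datagram APDU")
        if lc != len(apdu) - 5:
            raise ValueError("Lc does not match data length")
        if total is None:
            total = p2
        elif p2 != total:
            raise ValueError("inconsistent fragment count")
        if p1 >= total or p1 in parts:
            raise ValueError("fragment index out of range or duplicated")
        parts[p1] = apdu[5:]
    if total is None or len(parts) != total:
        raise ValueError("missing fragments")
    return b"".join(parts[i] for i in range(total))


if __name__ == "__main__":
    pkt = build_ipv4_packet("10.0.0.2", "10.0.0.1", b"hello from the card")
    print(len(pkt), "byte IPv4 datagram ->", len(encapsulate(pkt)), "APDU")
    print(IPV6_MIN_MTU, "byte IPv6 datagram ->",
          len(encapsulate(bytes(IPV6_MIN_MTU))), "APDUs")
```

A 39-byte IPv4 datagram fits in one APDU; a 1280-byte IPv6 datagram needs six, which is the fragmentation the slide anticipates. The address check is also what rejects the 67.483.22.56 style of address shown on the earlier slide.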
Interconnection of networks

[Figure: Mobile and Desktop networks, with smart cards carried between them.]
Smart cards connect sneaker net to the Internet.
Contenders for Mobile Trust
• Mobile Telephones
– GSM, 3G, WAP, ...
• Pagers
– Pagewriter, Blackberry, …
• H/PCs
– Palm, Visor, …
• Smart Card “Carry-Along” Readers
– Xiring, Towitoko, Spyrus, …
• Authentication Tokens
– Mobil Fastpass, First Access, Ensure, i-Key, ...
• Settop and Game Controllers
– WebTV, Tatung, Sega, Nintendo, ...
• Personal Digital Audio
– Diamond Rio, Sony ICD-70PC, Audible, ...
Trust
“Who are YOU?”
Identity Modules
• Mobile transactions need reliable identification of the
caller regardless of the mobile device.
• 300M GSM telephones use a smart card chip
called a Subscriber Identity Module (SIM).
• SIMs separate the identity function from the
communication function.
• A SIM in some form will be a part of any mobile
trust solution.
IP over SMS and ISO 7816-3

[Figure: the customer's ME (mobile equipment) holds the SIM and talks to it over ISO 7816-3 T=1. IP is tunnelled over SMS between the SIM and a proxy on the operator's WAN (using an ME for sending SMS, or direct access to the SMSC); the proxy forwards the IP traffic to an HTTP server. On the SIM, a SIM Toolkit applet acts as the web server.]
Courtesy of Joachim Posegga, Deutsche Telekom
WebSIM Authentication
Generic Version

[Figure: Geeks' Savings Bank sends the Geek's ME a challenge of the form www.sim.com/+1234567/authenticate?<RAND>; the SIM computes f(Ki,Rand) and the response travels back through Geeks' Mobile Operator to the bank.]
Courtesy of Joachim Posegga, Deutsche Telekom
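The challenge/response behind the WebSIM figure, as an added example (not code from the presentation or from the Deutsche Telekom WebSIM it credits): the bank issues a fresh RAND, the SIM answers f(Ki,Rand), and the operator, which also holds Ki, verifies the answer and tells the bank. The cryptographic function is a stand-in: real GSM A3 is operator-specific, so HMAC-SHA256 truncated to the 32-bit SRES length is used here. The URL shape follows the slide, the class names and the in-process call between operator and SIM (SMS in the real flow) are assumptions, and the bank accepts each RAND at most once so a captured response cannot be replayed.

```python
"""WebSIM-style challenge/response: bank issues RAND, SIM answers f(Ki, RAND),
operator (which also holds Ki) verifies.

Added example; not code from the presentation or from the WebSIM work it
credits. a3_stand_in() replaces the operator-specific GSM A3 algorithm.
"""
import hashlib
import hmac
import os

RAND_LEN = 16   # GSM RAND is 128 bits
SRES_LEN = 4    # GSM SRES is 32 bits


def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    """f(Ki, RAND) from the slide; assumption: HMAC-SHA256 in place of A3."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:SRES_LEN]


class SIM:
    """Identity module: holds Ki and computes the response; Ki never leaves it."""

    def __init__(self, msisdn: str, ki: bytes):
        self.msisdn = msisdn
        self._ki = ki

    def authenticate(self, rand: bytes) -> bytes:
        if len(rand) != RAND_LEN:
            raise ValueError("RAND must be 16 bytes")
        return a3_stand_in(self._ki, rand)


class Operator:
    """Mobile operator: AuC copy of each subscriber's Ki plus the path to the SIM."""

    def __init__(self):
        self._keys = {}
        self._sims = {}

    def provision(self, msisdn: str, ki: bytes, sim: SIM) -> None:
        self._keys[msisdn] = ki
        self._sims[msisdn] = sim

    def verify(self, msisdn: str, rand: bytes) -> bool:
        sim = self._sims.get(msisdn)
        ki = self._keys.get(msisdn)
        if sim is None or ki is None:
            return False
        sres = sim.authenticate(rand)          # carried over SMS in the real flow
        return hmac.compare_digest(sres, a3_stand_in(ki, rand))


class Bank:
    """Relying party: issues fresh RANDs and accepts each one at most once."""

    def __init__(self, operator: Operator):
        self._operator = operator
        self._pending = {}
        self._seen = set()

    def challenge(self, msisdn: str, rand: bytes = None) -> str:
        rand = os.urandom(RAND_LEN) if rand is None else rand
        if len(rand) != RAND_LEN or rand in self._seen:
            raise ValueError("RAND must be 16 fresh bytes")
        self._seen.add(rand)
        self._pending[rand] = msisdn
        # URL form taken from the slide (hypothetical host)
        return f"www.sim.com/{msisdn}/authenticate?{rand.hex()}"

    def complete(self, rand: bytes) -> bool:
        msisdn = self._pending.pop(rand, None)
        if msisdn is None:
            return False                       # unknown or replayed RAND
        return self._operator.verify(msisdn, rand)


if __name__ == "__main__":
    ki = bytes(range(16))                      # constructed sample key
    operator = Operator()
    operator.provision("+1234567", ki, SIM("+1234567", ki))
    bank = Bank(operator)
    rand = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(bank.challenge("+1234567", rand))
    print("authenticated:", bank.complete(rand))
    print("replay accepted:", bank.complete(rand))
```

Ki stays on the SIM and at the operator; the bank never sees it and only learns a yes/no, which is the separation of identity from communication the Identity Modules slide argues for.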
Status and Plans
• Status
– First smart card IP implementation built by University of Michigan
– Internet-Draft for IP over ISO 7816-3 submitted to IETF
– Bull describes proxy-based IP for smart cards with proprietary
host/card communication
– Smart card Web server built for GSM SIM and demonstrated on
GSM mobile network by Deutsche Telekom and Mobile-Mind
• Plans
– Second IP implementation & IETF standards track submission
– Generate proposal for smart card IP address (IPv4 vs. IPv6)
– Connect network smart cards and WebSIM to dot com apps.
– Integrate Web server with smart card browsers
– Experiment with alternative transaction protocols
Conclusions
• Smart card modules are particularly attractive on-line
identity tokens regardless of the nature of the network
or the device used to connect to it.
• Utility beyond simple authentication is very application
and situation dependent.
• If you think getting the bits around was fun, wait until we
start moving trust and risk around.
“You can all join in!”
Traffic, 1968