Data Protection and Security

VII Identification and Entity Authentication

VII.IV Biometrics and Smartcards

Smartcards:

There are various authentication tokens: physical devices that a person carries around and uses for authentication. For instance, credit cards without a smartcard contain a magnetic stripe that holds secret information. Their advantage over passwords is that they can hold larger secrets. However, it is straightforward for an attacker to copy the secret inside, and “intercept and replay” attacks are still possible.

Smartcards provide better security. They contain an embedded CPU and memory. When a smartcard is inserted into a smartcard reader, a verifier that knows the secret key in the smartcard can authenticate the smartcard owner by sending the smartcard a challenge to be encrypted with the key. There are also public-key versions of smartcard-based authentication. Recall the challenge/response protocols we have seen earlier.

For most purposes, it is assumed that the key inside the smartcard is not readable. This property is known as tamper-resistance.

The practical problem with smartcards is the need to install readers at every access point. To solve this problem, readerless smartcards, or cryptographic calculators, were introduced: smartcards that require no connection to the terminal. They have a small display and a keyboard, and the interaction with the terminal goes through the user. More precisely, a challenge/response protocol can be implemented with these devices as follows:

  1. Alice types a PIN (a password) to unlock the device. (Usually, smartcards are used together with a PIN to form a two-factor authentication scheme.)
  2. Bob, wishing to authenticate Alice, sends a challenge, and the terminal displays it to Alice.
  3. Alice manually types the challenge into the device.
  4. The device computes the response.
  5. Alice enters the response into the terminal she uses.
  6. Bob verifies the response.
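
The six steps above, sketched in Python as an added example (not part of the original course material). The class and function names, the 8-digit challenge and response length, the PIN retry limit, and the use of a truncated HMAC-SHA256 in place of encrypting the challenge are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

DIGITS = 8  # assumed challenge/response length, short enough to type by hand

def _response(key: bytes, challenge: str) -> str:
    # Assumption: HMAC-SHA256 stands in for "encrypt the challenge with the key".
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)

class Device:
    """Alice's readerless smartcard: uses the key but never outputs it."""
    def __init__(self, key: bytes, pin: str, max_tries: int = 3):
        self._key, self._pin = key, pin
        self._tries_left, self._unlocked = max_tries, False

    def unlock(self, pin: str) -> bool:  # step 1
        if self._tries_left == 0:
            return False  # assumed policy: blocked after too many wrong PINs
        self._unlocked = hmac.compare_digest(pin, self._pin)
        if not self._unlocked:
            self._tries_left -= 1
        return self._unlocked

    def respond(self, challenge: str) -> str:  # steps 3-4
        if not self._unlocked:
            raise PermissionError("device is locked")
        return _response(self._key, challenge)

class Verifier:
    """Bob: shares the key with the device and issues one-time challenges."""
    def __init__(self, key: bytes):
        self._key, self._pending = key, set()

    def challenge(self) -> str:  # step 2
        c = str(secrets.randbelow(10**DIGITS)).zfill(DIGITS)
        self._pending.add(c)
        return c

    def verify(self, challenge: str, response: str) -> bool:  # steps 5-6
        if challenge not in self._pending:
            return False  # unknown or already answered: replay is rejected
        self._pending.discard(challenge)
        return hmac.compare_digest(response, _response(self._key, challenge))

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key shared by Bob and the device
    bob, card = Verifier(key), Device(key, pin="4321")
    card.unlock("4321"); c = bob.challenge(); print(bob.verify(c, card.respond(c)))
```

Because each challenge is random and accepted only once, a response captured from one login is useless for the next, which is what separates this scheme from the copyable magnetic-stripe secret.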

Since these readerless smartcards can be used from ordinary terminals without special hardware, their popularity is growing in sectors that demand better security than passwords can provide (e.g. e-banking applications).


   

VII.IV.II Q

Is it possible to build the public-key version of the protocol described above?

   

   
       
 