Identity management for web-enabled smart card platform

Aki-Petteri Leinonen

Research output: Book/Report › Report › Professional

Abstract

The amount of sensitive information stored in different online services is growing rapidly, in traditional web applications and also in mobile services. Most of these services control their own authentication credentials, increasing the number of credentials that the user needs to manage. Previous literature shows that as the number of passwords grows, users tend to create weaker passwords or reuse passwords across services. This exposes users to security threats: attacks target weak passwords, and a single compromise can produce a domino effect in which one exposed password gives access to multiple services. In addition to these usability issues, the mobile platform is vulnerable to physical attacks if the device is lost or stolen. This creates a need for a secure credential management platform for mobile devices that addresses these problems and provides a usable environment for managing credentials. One such solution could be provided by a secure element inside the mobile device. The secure element is dedicated hardware that provides secure code execution for the mobile platform, as in existing smart card platforms. This study is based on work carried out at VTT Technical Research Centre of Finland, in which a prototype version of a single sign-on Java Card application was created with a Java Card 3 (third-generation) emulator. That earlier prototype gave perspective for this work and served as an additional evaluation point for the prototype constructed here. The purpose of this study is to find out whether a secure element with support for web-connected services can be used to provide a user-centric credential management platform in a mobile phone. This main question can be divided into three questions that need to be answered: What are users' password management strategies? What requirements can be identified for a user-centric credential manager inside a secure element? Can this solution be implemented with existing technology?
In order to find out password management strategies and existing implementations, an extensive literature review is conducted. With respect to password management strategies, the literature review indicated that users circumvent security methods because they consider that these methods take too much of their time and other resources compared to the perceived gains. It also revealed that the authentication procedure must follow the user's mental model and must not obstruct the primary task the user needs to achieve. The requirements for the credential model are identified from the literature review, and a single sign-on protocol is chosen as the approach in this work. A prototype application that allows users to authenticate to different services with a single sign-on, and which also demonstrates two-factor authentication, is built and evaluated alongside the earlier prototype. The hardware platform used in the prototype is a secure microSD memory card with an embedded Java Card 2 smart card chip. The prototype application built in this work shows that the credential manager application can be implemented in an open manner with a single sign-on protocol. The prototype shows promising results and offers a solid platform for identity management in a mobile phone as the number of services increases. That said, the need for further research on the use of credential storage in client applications is also identified.
Original language: English
Place of publication: Espoo
Publisher: VTT Technical Research Centre of Finland
Number of pages: 71
ISBN (Electronic): 978-951-38-7781-1
ISBN (Print): 978-951-38-7780-4
Publication status: Published - 2011
MoE publication type: Not Eligible
Project code: 74237

Publication series

Name: VTT Tiedotteita - Research Notes
Publisher: VTT
No.: 2596
ISSN (Print): 1235-0605
ISSN (Electronic): 1455-0865

Keywords

  • identity management
  • smart card
  • mobile web services
  • single sign-on

Cite this

Leinonen, A-P. (2011). Identity management for web-enabled smart card platform. Espoo: VTT Technical Research Centre of Finland. VTT Tiedotteita - Research Notes, No. 2596