Identity management for web-enabled smart card platform

Aki-Petteri Leinonen

Research output: Book/Report › Report

Abstract

The amount of sensitive information stored in different online services is rapidly growing in traditional web applications and also in mobile services. Most of these services control their own authentication credentials, increasing the number of credentials that the user needs to manage. Previous literature shows that when the number of passwords grows, users tend to create weaker passwords or reuse passwords for different services. This exposes users to security threats. Attacks target weak passwords, and compromised security might result in a domino effect, with one exposed password giving access to multiple services. In addition to usability issues, the mobile platform is vulnerable to physical attacks if the device is lost or stolen. This creates a need for a secure credential management platform for mobile devices that addresses these problems and creates a usable environment for the management of credentials. One such solution could be provided by a secure element inside the mobile device. The secure element is special hardware that provides secure code execution for the mobile platform, as in existing smart card platforms. This study is based on work carried out at VTT Technical Research Centre of Finland, in which a prototype version of a single sign-on Java Card application was created with a Java Card 3 generation emulator. An earlier prototype gave perspective for this work and served as an additional evaluation point for the constructed prototype. The purpose of this study is to find out whether a secure element with support for web-connected services can be used to provide a user-centric credential management platform in a mobile phone. This main question can be divided into three questions that need to be answered: what are the users' password management strategies, what requirements can be identified for a user-centric credential manager inside a secure element, and can this solution be implemented with existing technology?
To identify password management strategies and existing implementations, an extensive literature review is conducted. With respect to the use of password management strategies, the literature review indicated that users circumvent security methods because they consider that these methods take too much of their time and other resources compared to the perceived gains. It was also revealed that the authentication procedure must follow the user's mental model and not restrict the primary task the user needs to achieve. The requirements for the credential model are identified from the literature review and a single sign-on protocol is chosen to be the approach in this work. A prototype application that allows users to authenticate to different services with a single sign-on, and which also demonstrates two-factor authentication, is built and evaluated along with the earlier prototype. The hardware platform used in the prototype is a secure microSD memory card with an embedded Java Card 2 smart card chip. The prototype application built in this work shows that the credential manager application can be implemented in an open manner with a single sign-on protocol. The prototype shows promising results and offers a solid platform for identity management in a mobile phone when the number of services increases. That said, the need for further research on credential storage use in client applications is also identified.

Original language: English
Place of Publication: Espoo
Publisher: VTT Technical Research Centre of Finland
Number of pages: 71
ISBN (Electronic): 978-951-38-7781-1
ISBN (Print): 978-951-38-7780-4
Publication status: Published - 2011
MoE publication type: Not Eligible

Publication series

Series: VTT Tiedotteita - Research Notes
Number: 2596
ISSN: 1235-0605

Keywords

  • identity management
  • smart card
  • mobile web services
  • single sign-on
