Mobile Application to Java Card Applet Communication using a Password-authenticated Secure Channel
M. Hölzl, E. Asnake, R. Mayrhofer, M. Roland - Mobile Application to Java Card Applet Communication using a Password-authenticated Secure Channel - Proceedings of the 12th International Conference on Advances in Mobile Computing and Multimedia (MoMM 2014), Kaohsiung, Taiwan, China, 2014, pp. 10
With the increasing popularity of security and privacy sensitive systems on mobile devices, such as mobile banking, mobile credit cards, mobile ticketing or mobile digital identities, new challenges emerged for the protection of personal data. In new approaches, mobile applications tend to use additional hardware, such as smart cards or secure elements, to address these challenges. The communication between such dedicated hardware and back-end management systems uses strong cryptography. However, the data transfer between applications on the mobile device and so-called applets on the dedicated hardware is often either unencrypted (and interceptable by malicious software) or encrypted with static keys stored in applications. To address this issue we present a solution for fine-grained secure application-to-applet communication based on Secure Remote Password (SRP-6a), an authenticated key agreement protocol, with a user-provided password at run-time. By exploiting the Java Card cryptographic API and minor adaptations to the protocol, which do not affect the security, we were able to implement this scheme on Java Cards with reasonable computation time.