TUD Technische Universität Darmstadt
Hessische Landes-und Hochschulbibliothek
HLuHB

EPDA - Elektronische Publikationen Darmstadt


Autor: Kilian-Kehr, Roger
Titel:Mobile Security with Smartcards
Dissertation:TU Darmstadt, Fachbereich Informatik, 2002

Die Dokumente in PDF 1.3 (mit Adobe Acrobat Reader 4.0 zu lesen):

thesis-kilian-kehr-final.pdf (1339297 Byte)

Abstract auf Deutsch:


Dienstnutzung ist in vielerlei Szenarien geprägt durch den Einsatz von Passworten als Mechanismus zur Benutzerauthentifikation. Dieses Verfahren ist sowohl unbequem für die Benutzer, da diese sich u.U. viele verschiedenen Benutzernamen und dazugehörige Passworte merken müssen, als auch aus Sicherheitsgesichtspunkten kritisch, da Benutzer oft zur Wahl schwacher Passworte neigen.

In der Informationstechnologie wird traditionell Kryptographie eingesetzt, um digitale Inhalte zu schützen oder Identitäten über den Besitz von kryptographischen Schlüsseln zu authentifizieren. Dies erfordert aber den Einsatz von geeigneten Geräten zur Durchführung der kryptographischen Algorithmen und die sichere Speicherung der kryptographischen Schlüssel vor Diebstahl.

Chipkarten besitzen genau diese beiden Eigenschaften und stellen daher eine interessante Grundlage für ein persönliches Sicherheitsmodul dar, welches den Menschen bei sicherheitskritischen Operationen wie die Erstellung einer elektronischen Signatur oder Authentifikation unterstützt. Heutzutage findet man allerdings Chipkarten in der Regel nur in anwendungsspezifischen Szenarien und der Einsatz einer universell nutzbaren Chipkarte ist insbesondere unter Integrationsgesichtspunkten weitestgehend ungelöst.

Die vorliegende Dissertation schlägt vier verschiedene Ansätze vor, wie dieses Integrationsproblem für ein breites Anwendungsspektrum gelöst werden kann.

Die Arbeit zeigt, dass diese Ansätze im Rahmen von bestimmten Designdimensionen neue Bereiche abdecken und lefert dadurch signifikante Beiträge zum Verständnis der Rolle von Chipkarten in mobilen Szenarien.



Abstract auf Englisch:

Mobility in conjunction with communication facilities in the form of mobile telephony seems to be one of the major technology trends observed throughout the last decade. Many experts and analysts expect that the arrival of mobile services such as mobile commerce, location-based services, multi-media messaging, and mobile gaming in the third generation of mobile networks will be the next step in this success story. However, protecting service providers from fraud and mobile users from new threats such as identity theft or other attacks on privacy and security matters is equally challenging.

Historically, cryptography has been used to protect information in the digital world from eavesdropping or tampering. In future person-to-person and person-to-service interaction scenarios cryptography will be of at least equal importance. However, the situation today is not people-centric but more application-centric, i.e. for each application new security measures are defined and implemented. As an example one may just consider that almost any access control in the Internet is managed through simple account/password schemes different for each application. But passwords are known to be a generally weak security measure in many practical settings. From the user perspective the account/password approach additionally leads to numerous login accounts an individual has to manage - something which is inconvenient and as a consequence often error-prone.

Cryptographic measures can be applied but shifting towards such mechanisms especially in mobile settings is often hard to implement since people cannot easily carry around their personal cryptographic keys, let alone memorize them or input them when needed. Therefore, we believe that some kind of personal security assistant or device is needed that safely keeps a user's security-sensitive data and enforces the user's security-related interests. Otherwise, people will be forced to use traditional weak protection mechanisms that are applicable without strong cryptographic measures - a situation we do not think is desirable in the digital age of tomorrow.

Smartcards are devices that could be used to solve at least some of the problems mentioned. They are tamper-resistant, can safely store information, are able to perform unobserved (cryptographic) operations, and can be conveniently carried around. As such they seem to be ideal candidates for personal security modules. However, it is yet unclear how smartcards can be empowered to actually play the role of true personal and ubiquitous security modules. Furthermore, the smartcard alone is not sufficient to act as a security module since it lacks reasonable user interfaces such as a display and input facilities. Thus, suitable terminals are needed that allow users to communicate with their smartcards, i.e. personal security modules are comprised of suitable terminals and personalized smartcards that work together in order to fulfill the users' needs.

Henceforth, this thesis will contribute approaches, architectures, protocols, and systems how smartcards can be put in place to become true security modules for people in the digital age. The most visible contributions of this thesis are as follows:

These results can be used independently from each other but equally well composed into more general security solutions. As such they can be considered as building blocks enabling the composition of suitable personal security modules meeting the personal security demands of the future.

Summing up, this thesis provides solutions to the question how smartcards can become true personal security modules. It does this by proposing concrete architectures and protocols all of which have been prototypically implemented to yield meaningful proofs-of-concepts.



Dokument aufgenommen :2002-05-24
URL:http://elib.tu-darmstadt.de/diss/000214