The Virtual Smartcard Architecture provides
software to emulate a smartcard. The virtual smartcard is internally accessible
via PCSC and externally via USB (as a CCID reader) or NFC (using an OpenPICC).
The Virtual Smartcard Architecture consists of the following components:
A virtual smartcard: The purpose of the virtual smartcard is to emulate
a smartcard and make it accessible through PCSC. Currently the virtual smartcard
supports almost all commands of ISO-7816, including secure messaging. Besides
a plain ISO-7816 smartcard, it is also possible to emulate a German ePass (basic
access control only) and a rudimentary Cryptoflex smartcard.
The virtual smartcard communicates with the virtual smartcard driver through
a socket on port 35963.
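As an added illustration (not code from this page or from the vsmartcard project), here is a minimal Python virtual card that talks to the driver on port 35963 and answers ISO-7816 SELECT and READ BINARY commands. The framing it assumes (a 2-byte big-endian length, then either a one-byte control command or a command APDU) is taken from my reading of the project documentation and should be treated as an assumption; the file content and ATR are constructed.

```python
import socket
import struct
# Assumed framing (from the vsmartcard docs, not stated on this page): 2-byte big-endian
# length + payload; a 1-byte payload is a control command, longer ones are command APDUs.
VPCD_PORT = 35963
CTRL_OFF, CTRL_ON, CTRL_RESET, CTRL_ATR = 0, 1, 2, 4
ATR = bytes.fromhex("3b8080010102")  # constructed, not any real card's ATR
class MiniCard:
    """Toy ISO 7816-4 card: SELECT by file identifier and READ BINARY only."""
    def __init__(self):
        self.files = {0x0101: b"hello from the virtual card"}  # constructed EF
        self.selected = None

    def apdu(self, cmd):
        if len(cmd) < 4: return b"\x67\x00"          # SW 6700: wrong length
        ins, p1, p2 = cmd[1], cmd[2], cmd[3]
        p3 = cmd[4] if len(cmd) > 4 else 0          # Lc (case 3) or Le (case 2)
        data = cmd[5:5 + p3]
        if ins == 0xA4:                             # SELECT
            if p1 != 0x00 or len(data) != 2:
                return b"\x6a\x86"                  # SW 6A86: incorrect P1-P2
            fid = int.from_bytes(data, "big")
            if fid not in self.files:
                return b"\x6a\x82"                  # SW 6A82: file not found
            self.selected = fid
            return b"\x90\x00"
        if ins == 0xB0:                             # READ BINARY
            if self.selected is None:
                return b"\x69\x86"                  # SW 6986: no EF selected
            body = self.files[self.selected][(p1 << 8) | p2:]
            return (body[:p3] if p3 else body) + b"\x90\x00"
        return b"\x6d\x00"                          # SW 6D00: INS not supported

    def handle(self, payload):
        """Reply for one vpcd message, or None when the protocol sends no reply."""
        if len(payload) == 1:                       # control command
            if payload[0] == CTRL_ATR:
                return ATR
            if payload[0] in (CTRL_OFF, CTRL_RESET):
                self.selected = None                # volatile card state is lost
            return None
        return self.apdu(payload)

def serve(host="localhost", port=VPCD_PORT):
    card = MiniCard()
    with socket.create_connection((host, port)) as sock, sock.makefile("rb") as rx:
        while len(hdr := rx.read(2)) == 2:          # read(n) blocks for n bytes or EOF
            reply = card.handle(rx.read(struct.unpack("!H", hdr)[0]))
            if reply is not None:
                sock.sendall(struct.pack("!H", len(reply)) + reply)
```

Run serve() with the virtual smartcard driver listening, and the card shows up through PCSC like any other.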
A USB CCID reader
The purpose of the program ccid is to forward a PCSC smartcard reader as a standard
USB CCID reader. If the host system is in USB device mode, ccid forwards the
local reader via USB to another device. If in USB host mode, ccid virtually
plugs a USB CCID reader into the host system.
OpenPACE is an implementation of Password Authenticated Connection Establishment
(PACE) conforming to BSI TR-03110 version 2.02. OpenPACE enables applications
to establish a strong session key from a weak password, independently of whether
a smartcard is used. If a German "neuer Personalausweis" (nPA) is involved nevertheless,
OpenPACE offers a smartcard abstraction layer to connect to the identity card.
The patch makes the protocol steps accessible through the OpenSSL libraries.
This product includes software developed by the OpenSSL
Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
A smartcard library
The library abstracts from the APDU interface of smartcards to connect to the
German "neuer Personalausweis (nPA)" using PACE.
Enrollment to Computer Sciences studies and account administration with password recovery
The aim of the project is to replace the manual process for enrollment of students
and staff at the Institute of Computer Sciences by an electronic one. Currently,
in compliance with privacy rules, the following data groups are recorded:
first name, surname and current address. In addition, the user identifies himself
with his identity card, and the user's identity is verified manually by comparing
the person to the photograph. The current method scales poorly and requires the
simultaneous presence of both the user and an account manager. The same procedure has
to be used for resetting a user's password (in case of loss).
Using the electronic replacement, the enrollment procedure should be completely
automated. The student registers online by means of a valid registration number
(using a web form). Taking advantage of "Chip Authentication" and user authorization
by entering the PIN, the user's identity is verified without anyone having to appear
in person. An account is created automatically. By means of "Restricted
Identification", a unique user-specific pseudonym is generated, which permits
subsequent unambiguous recognition of a particular user. The use of this pseudonym
ensures privacy and data economy. In addition, this pseudonym is persistent
even if a student changes their place of residence (which is particularly common).
The restricted identification is the basis for all subsequent authentication
procedures, in particular for resetting the user's password. The process
can be conducted entirely online, 24 hours a day, 7 days a week.
OpenMoko as "Standardleser"
Smart card readers can not only be used as a communication medium between a smart
card and a host. They can also act as a security device independent of the
host, which might be contaminated with malware. They ensure secure authentication
to the smart card with secure hardware and certified firmware. As if a smart
card reader with a pinpad was not expensive enough, some smart cards, like the
German electronic identity card (neuer Personalausweis), have unique requirements.
Mobile phones could fill the gap between the need for secure authentication and
the cost of a suitable reader. This diploma thesis evaluates what level of
security can be reached when implementing a smart card reader on a mobile phone.
In the first step, a CCID-compliant smartcard reader will be emulated by the
phone, so that it is recognized by any modern operating system. In the second step,
the functionality of the emulated reader will be extended to what TR-03119 specifies
as "Standardleser". This approach combines mobility, security and modern cryptography
in one single and cheap device.
OpenMoko as mobile nPA-Terminal: Usability
In November 2010, a new electronic identity card will be
introduced in Germany. It will contain an ISO 14443 compliant chip that enables
the holders of the card to authenticate themselves over the internet. The radio
technology makes it possible to use the new ID card in combination with
an NFC-enabled phone for mobile online authentication. Security procedures impose
(by their very nature) limitations on the use of the applications they are protecting.
An authentication technology might therefore affect the usability of the application.
My diploma thesis will study the impact of eID-based authentication on the usability
of mobile web usage and compare it with classical means of authentication. The
core of the thesis will be a user study in which I will examine prototypes of
eID-based authentication scenarios with real users.
NFC-phone as PACE-enabled electronic identity
The project is aimed at combining a real-life mobile phone
with near-field communication capability with the RFID chip of the new German
electronic identity card. Operations that are specified as allowed for an unauthorized
terminal, such as PIN management and updating the internal date via
fresh certificate chains, will be implemented.
SAR-PR-2011-03 Peeling Away Layers of an RFID Security System. Henryk Plötz
and Karsten Nohl, 15 pages, Financial Cryptography and Data Security '11,
February 28–March 4, 2011, Saint Lucia.
SAR-PR-2011-01 Mobiles Szenario für den neuen Personalausweis. Wolf Müller,
Frank Morgner and Dominik Oepen, in: 21. Smartcard-Workshop, February 2-3, 2011,
Darmstadt, Germany, 10 pages (pp. 179-188). Ed. Ullrich Waldmann, ISBN 978-3-8396-0215-7.
SAR-PR-2010-13 "Die gesamte Technik ist sicher": Besitz und Wissen: Relay-Angriffe
auf den neuen Personalausweis. Frank Morgner and Dominik Oepen, 27th Chaos
Communication Congress, December 27-30, 2010, Berlin, Germany, 6 pages.
SAR-PR-2010-12 Mobile eCard-API. Kristian Beilke, 119 pages.
SAR-PR-2010-11 Authentisierung im mobilen Web: Zur Usability eID basierter
Authentisierung auf einem NFC Handy. Dominik Oepen, 100 pages.
SAR-PR-2010-09 NFC-Telefon als PACE-fähiges Lesegerät für elektronische
Ausweisdokumente. Ingo Kampe, 66 pages.
SAR-PR-2010-08 Documentless Proof of Identity. Wolf Müller, Chapter 4 in:
Handbook of eID Security: Concepts, Practical Experiences, Technologies.
Eds. Walter Fumy, Manfred Paeschke. Publicis, ISBN 978-3895783791, 2010.
SAR-PR-2009-04 Kryptographisch abgesicherter Mailsammeldienst für mobile Endgeräte.
Felix Bechstein, diploma thesis, 67 pages.
SAR-PR-2008-21 Mifare Classic – Eine Analyse der Implementierung. Henryk Plötz,
diploma thesis (revised version), 108 pages.
SAR-PR-2008-18 Sybil Proof Anonymous Reputation Management. Wolf Müller (Humboldt
University Berlin), Takashi Shiraki (NEC Corporation), 10 pages,
SecureComm 2008: 4th International Conference on Security and Privacy in
Communication Networks, Istanbul, Turkey, 2008.
SAR-PR-2008-09 Chiptease: Verschlüsselung eines führenden Bezahlkartensystems geknackt.
Jan Krissler, Karsten Nohl, Henryk Plötz, c't magazin für computer technik, 8/2008, pages 80-85.
SAR-PR-2008-08 Concepts of Anonymous Reputation Management.
Henryk Plötz, student research paper (Studienarbeit), 21 pages.