The Virtual Smartcard Architecture provides software to emulate a smartcard. The virtual smartcard is internally accessible via PCSC and externally via USB (as a CCID reader) or NFC (using an OpenPICC).
The Virtual Smartcard Architecture consists of the following components:
A virtual smartcard: The purpose of the virtual smartcard is to emulate a smartcard and make it accessible through PCSC. Currently the virtual smartcard supports almost all commands of ISO-7816, including secure messaging. Besides a plain ISO-7816 smartcard, it can also emulate a German ePass (with basic access control only) and a rudimentary Cryptoflex smartcard.
The virtual smartcard communicates with the virtual smartcard driver through a socket on port 35963.
A USB CCID reader
The purpose of the program ccid is to forward a PCSC smartcard reader as a standard USB CCID reader. If the host system is in USB device mode, ccid forwards the local reader via USB to another device. If it is in USB host mode, ccid virtually plugs a USB CCID reader into the host system.
OpenPACE is an implementation of Password Authenticated Connection Establishment (PACE) conforming to BSI TR-03110 version 2.02. OpenPACE enables applications to establish a strong session key from a weak password, independently of whether a smartcard is used. If a German "neuer Personalausweis" (nPA) is involved, OpenPACE additionally offers a smartcard abstraction layer to connect to the identity card.
The patch makes the protocol steps accessible through the OpenSSL libraries.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)
A smartcard library
The library abstracts from the APDU interface of smartcards to connect to the German "neuer Personalausweis (nPA)" using PACE.
Enrollment in Computer Sciences studies and account administration with password recovery
The aim of the project is to replace the manual enrollment process for students and staff at the Institute of Computer Sciences with an electronic one. Currently, in compliance with privacy rules, the following data groups are recorded: first name, surname and current address. In addition, the user identifies themselves with their identity card, and the user's identity is verified manually by comparing them to the photograph. The current method scales poorly and requires the simultaneous presence of both the user and an account manager. The same procedure has to be used for resetting a user's password (in case of loss).
With the electronic replacement, the enrollment procedure is to be completely automated. The student registers online (using a web form) with a valid registration number. Using "Chip Authentication" together with user authorization by PIN entry, the user's identity is verified without appearing before anyone in person, and an account is created automatically. By means of "Restricted Identification", a unique user-specific pseudonym is generated that permits unambiguous recognition of a particular user later on. The use of this pseudonym ensures privacy and data economy. In addition, the pseudonym persists even if a student changes their place of residence (which is particularly common). Restricted Identification is the basis for all subsequent authentication procedures, in particular for resetting the user's password. The process can be conducted entirely online, 24 hours a day, 7 days a week.
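The following added example (mine, not OpenPACE's or the nPA's code) simulates the two protocol pieces this page relies on, end to end in pure Python: PACE with generic mapping as sketched in the OpenPACE paragraph, which turns a short PIN into a strong session key and lets each side check that the other used the same PIN, and Restricted Identification, which derives the sector-specific pseudonym the enrollment system described here depends on. It deliberately goes beyond the text in showing the failure case (a mistyped PIN yields mismatched tokens). Substitutions, stated here and in the code: secp256k1 stands in for the Brainpool curves the nPA actually uses, HMAC-SHA256 for the CMAC authentication tokens, a SHA-256-derived mask for the AES nonce encryption, and SHA-256(secret || counter) for the TR-03110 KDF; all key pairs are generated at run time as constructed sample data.

```python
"""Added example, not OpenPACE's or the nPA's code: PACE with generic mapping
(TR-03110 PACE-ECDH-GM) and Restricted Identification, simulated end to end.
Substitutions, labelled here and in the lead-in: secp256k1 replaces the nPA's
Brainpool curves, HMAC-SHA256 replaces the CMAC authentication tokens, a
SHA-256-derived mask replaces AES for the nonce encryption, and the KDF is
SHA-256(secret || counter). All key pairs are generated at run time."""
import hashlib
import hmac
import secrets

# secp256k1 in affine coordinates; None represents the point at infinity
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                 # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent; a = 0 on secp256k1
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def keypair(generator):
    sk = secrets.randbelow(N - 1) + 1
    return sk, ec_mul(sk, generator)


def kdf(secret: bytes, counter: int) -> bytes:
    """Stand-in for the TR-03110 KDF: counter 0 -> K_pi, 1 -> K_enc, 2 -> K_mac."""
    return hashlib.sha256(secret + counter.to_bytes(4, "big")).digest()


def token(k_mac: bytes, pt) -> bytes:
    """Authentication token over the peer's ephemeral public key (HMAC stand-in)."""
    encoded = b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
    return hmac.new(k_mac, encoded, hashlib.sha256).digest()


def pace(terminal_pin: str, card_pin: str) -> dict:
    """Run PACE between a terminal that typed terminal_pin and a card holding
    card_pin. Returns each side's K_enc and whether the tokens verified."""
    # 1. Card encrypts a random nonce s under K_pi; the terminal decrypts it with
    #    its own K_pi. With the wrong PIN it recovers a different nonce s'.
    s = secrets.randbelow(N)
    z = s ^ int.from_bytes(kdf(card_pin.encode(), 0), "big")
    s_term = (z ^ int.from_bytes(kdf(terminal_pin.encode(), 0), "big")) % N
    # 2. Generic mapping: ephemeral ECDH yields H, each side sets G' = s*G + H.
    sk_c1, pk_c1 = keypair(G)
    sk_t1, pk_t1 = keypair(G)
    g_card = ec_add(ec_mul(s, G), ec_mul(sk_c1, pk_t1))
    g_term = ec_add(ec_mul(s_term, G), ec_mul(sk_t1, pk_c1))
    # 3. Second ECDH on the mapped generator gives the shared secret K.
    sk_c2, pk_c2 = keypair(g_card)
    sk_t2, pk_t2 = keypair(g_term)
    k_card = ec_mul(sk_c2, pk_t2)[0].to_bytes(32, "big")
    k_term = ec_mul(sk_t2, pk_c2)[0].to_bytes(32, "big")
    # 4. Mutual authentication: each side MACs the other's ephemeral key with
    #    its K_mac; the tokens only match if both sides mapped with the same s.
    t_card, t_term = token(kdf(k_card, 2), pk_t2), token(kdf(k_term, 2), pk_c2)
    ok = hmac.compare_digest(t_card, token(kdf(k_term, 2), pk_t2)) and \
        hmac.compare_digest(t_term, token(kdf(k_card, 2), pk_c2))
    return {"ok": ok, "k_enc_card": kdf(k_card, 1), "k_enc_terminal": kdf(k_term, 1)}


def restricted_id(sk_id: int, pk_sector) -> str:
    """Sector-specific pseudonym I = H(KA(SK_ID, PK_sector)): stable for one card
    and sector, unlinkable across sectors, independent of name or address."""
    return hashlib.sha256(ec_mul(sk_id, pk_sector)[0].to_bytes(32, "big")).hexdigest()
```

`pace("123456", "123456")` returns matching `K_enc` values on both sides and `ok == True`; with differing PINs the mapped generators differ, so the derived keys and the tokens disagree and `ok` is `False`, which is the check that stops a guessing terminal from learning anything beyond "wrong PIN". `restricted_id()` is what gives the enrollment system a pseudonym that survives a change of address: it depends only on the card's RI key and the service provider's sector key, and a different sector key produces an unrelated value.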
OpenMoko as "Standardleser"
Smart card readers can not only be used as a communications medium between a smart card and a host. They can also act as a security device independent from the host, which might be contaminated with malware: they ensure safe authentication to the smart card with secure hardware and certified firmware. As if a smart card reader with a PIN pad were not expensive enough, some smart cards, like the German electronic identity card (neuer Personalausweis), have unique requirements. Mobile phones could fill the gap between the need for secure authentication and the cost of a suitable reader. This diploma thesis evaluates what level of security can be reached when implementing a smart card reader on a mobile phone. In the first step, a CCID-compliant smart card reader is emulated by the phone so that it is recognized by any modern operating system. In the second step, the functionality of the emulated reader is extended to what TR-03119 specifies as a "Standardleser". This approach combines mobility, security and modern cryptography in one single, cheap device.
OpenMoko as mobile nPA-Terminal: Usability
In November 2010, a new electronic identity card will be introduced in Germany. It will contain an ISO 14443 compliant chip that enables the holders of the card to authenticate themselves over the internet. The radio technology provides the possibility to use the new ID card in combination with an NFC-enabled phone for mobile online authentication. Security procedures impose (by their very nature) limitations on the use of the applications they are protecting. An authentication technology might therefore affect the usability of the application. My diploma thesis will study the impact of eID-based authentication on the usability of mobile web usage and compare it with classical means of authentication. The core of the thesis will be a user study in which I will examine prototypes of eID-based authentication scenarios with real users.
NFC-phone as PACE-enabled electronic identity reader
The project aims to combine a real-life mobile phone with near-field communication capability with the RFID chip of the new German electronic identity card. Operations that are specified as allowed for an unauthorized terminal, like PIN management and updating the internal date via fresh certificate chains, will be implemented.
SAR-PR-2011-03 Peeling Away Layers of an RFID Security System. Henryk Plötz and Karsten Nohl, 15 pages, Financial Cryptography and Data Security '11, February 28–March 4, 2011, Saint Lucia. [SAR-PR-2011-03]
SAR-PR-2011-01 Mobiles Szenario für den neuen Personalausweis. Wolf Müller, Frank Morgner and Dominik Oepen, in 21. Smartcard-Workshop, 2–3 February 2011, Darmstadt, Germany, 10 pages (pp. 179-188). Ed. Ullrich Waldmann, ISBN 978-3-8396-0215-7. [SAR-PR-2011-01]
SAR-PR-2010-13 "Die gesamte Technik ist sicher": Besitz und Wissen: Relay-Angriffe auf den neuen Personalausweis. Frank Morgner and Dominik Oepen, 27th Chaos Communication Congress, 27–30 December 2010, Berlin, Germany, 6 pages. [SAR-PR-2010-13] [pdf] [slides]
SAR-PR-2010-12 Mobile eCard-API. Kristian Beilke, 119 pages, diploma thesis, 2010. [SAR-PR-2010-12]
SAR-PR-2010-11 Authentisierung im mobilen Web: Zur Usability eID basierter Authentisierung auf einem NFC Handy. Dominik Oepen, 100 pages, diploma thesis, 2010. [SAR-PR-2010-11]
SAR-PR-2010-09 NFC-Telefon als PACE-fähiges Lesegerät für elektronische Ausweisdokumente. Ingo Kampe, 66 pages, diploma thesis, 2010. [SAR-PR-2010-09]
SAR-PR-2010-08 Documentless Proof of Identity. Wolf Müller, chapter 4 in: Handbook of eID Security: Concepts, Practical Experiences, Technologies. Editors Walter Fumy, Manfred Paeschke. Publicis Publishing, ISBN-13 978-3895783791, 2010. [SAR-PR-2010-08]
SAR-PR-2009-10 Eine virtualisierte Smartcardarchitektur für mobile Endgeräte. Frank Morgner and Dominik Oepen, student research paper (Studienarbeit), 72 pages. [SAR-PR-2009-10]
SAR-PR-2009-04 Kryptographisch abgesicherter Mailsammeldienst für mobile Endgeräte. Felix Bechstein, diploma thesis, 67 pages. [SAR-PR-2009-04.pdf]
SAR-PR-2008-21 Mifare Classic – Eine Analyse der Implementierung. Henryk Plötz, diploma thesis (revised version), 108 pages. [SAR-PR-2008-21]
SAR-PR-2008-18 Sybil Proof Anonymous Reputation Management. Wolf Müller, Henryk Plötz, Jens-Peter Redlich (Humboldt University Berlin) and Takashi Shiraki (NEC Corporation), 10 pages, SecureComm 2008: 4th International Conference on Security and Privacy in Communication Networks, Istanbul, Turkey, 2008. [Abstract] [Conference Paper]