Mobile Application to Java Card Applet Communication using a Password-authenticated Secure Channel


With the increasing popularity of security and privacy sensitive systems on mobile devices, such as mobile banking,mobile credit cards, mobile ticketing, or mobile digital identities, challenges for the protection of personal and securitysensitive data of these use cases emerged. A common approach for the protection of sensitive data is to use additionalhardware such as smart cards or secure elements. The communication between such dedicated hardware and back-endmanagement systems uses strong cryptography. However,the data transfer between applications on the mobile deviceand so-called applets on the dedicated hardware is ofteneither unencrypted (and interceptable by malicious software)or encrypted with static keys stored in applications. Toaddress this issue we present a solution for fine-grained secure application-to-applet communication based on SecureRemote Password (SRP-6a), an authenticated key agreementprotocol, with a user-provided password at run-time. Byexploiting the Java Card cryptographic API and minor adaptations to the protocol, which do not affect the security, wewere able to implement this scheme on Java Cards withreasonable computation time.

Proc. MoMM 2014: 12th International Conference on Advances in Mobile Computing and Multimedia