We are studying how to make smartcard-like devices more secure by
exploiting the fact that they may be able to interact with the user
Smartcards are used to store secrets: PINs, personal information,
private keys, etc. One reason why we use smartcards is because we don't
trust our computers to hold that information for us: What
if someone breaks into our PC and steals the secret information?
However, traditional smartcards are vulnerable against the following
kind of attack: Someone breaks into your PC and tampers with your,
say, Netscape Navigator executable (likewise, you might have just
unknowingly downloaded a bad - or tampered with - version of
Navigator). Next time you use your smartcard with Navigator, it may
extract secret information from your smartcard or at least use it in
unauthorized ways. Here are a few things that could happen:
- Often, secrets on the smartcard are protected by a PIN or
password. The application on your PC asks the user for the
PIN and communicates it to the smartcard, asking it to unlock the
secret information. Nothing prevents malicious applications from
storing that PIN for illicit use.
- Sometimes secrets on the smartcard can be extracted to the PC the
smartcard is connected to. A malicious application could use these
secrets to impersonate you or undermine the privacy of your
- Smartcards often hold private keys that are used to sign
messages. A malicious application could use the smartcard, while it is
connected to the PC, to make it sign any message.
All these problems could be avoided if the smartcard had a way to
communicate with the user directly: The PIN could be entered on
the device hence getting rid of the necessity to trust the
application on the host. Likewise, the user could be notified whenever
information is extracted from the smartcard, or whenever it is asked
to sign a message. Moreover, the smartcard could even display that
information or message before it is signed.
The following picture shows a 3Com PalmPilot working as a
We can see that the PalmPilot can interact with the user directly,
providing both means for input and output. Our research is centered
around the question of what kind of interaction should be done
directly through the device, rather than through the (potentially
untrusted) computer, in order to make the use of the "smartcard" more
As a proof of concept we are implementing the PKCS#11 standard for
cryptographic tokens as a Netscape plug-in that will allow users to use
their PalmPilot as a smarter smartcard to sign email messages and
authenticate themselves across the World Wide Web.