Secure Internet Programming
Princeton University
Department of Computer Science

Secure Applications for Handheld Devices
Dirk Balfanz, Edward Felten

We are studying how to make smartcard-like devices more secure by exploiting the fact that they may be able to interact with the user directly.

Smartcards are used to store secrets: PINs, personal information, private keys, etc. One reason we use smartcards is that we do not trust our computers to hold that information for us: what if someone breaks into our PC and steals the secret information?

However, traditional smartcards are vulnerable to the following kind of attack: someone breaks into your PC and tampers with, say, your Netscape Navigator executable (or you may simply have downloaded a malicious or tampered-with version of Navigator without knowing it). The next time you use your smartcard with Navigator, it may extract secret information from the card, or at least use it in unauthorized ways. Here are a few things that could happen:

  • Often, secrets on the smartcard are protected by a PIN or password. The application on the PC asks the user for the PIN and forwards it to the smartcard, asking it to unlock the secret information. Nothing prevents a malicious application from recording that PIN for later illicit use.
  • Sometimes secrets on the smartcard can be extracted to the PC the card is connected to. A malicious application could use these secrets to impersonate you or undermine the privacy of your communication.
  • Smartcards often hold private keys used to sign messages. While the card is connected to the PC, a malicious application could have it sign any message it likes, without the user being aware of it.

All these problems could be avoided if the smartcard could communicate with the user directly: the PIN could be entered on the device itself, removing the need to trust the application on the host. Likewise, the user could be notified whenever information is extracted from the smartcard, or whenever it is asked to sign a message. Moreover, the smartcard could even display the message before it is signed, so that the user approves exactly what is being signed.
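To make the difference concrete, here is an added simulation (illustrative code written for this page, not the project's PKCS#11 implementation) of the attack in the list above run against both kinds of token: a traditional card that receives its PIN and sign requests over the host link, and a device with its own keypad and display. The class names, the messages and the PIN are constructed for the example, and the card's private-key signature is stood in for by an HMAC over a per-token secret so that the script runs with the Python standard library alone; the point is the interaction pattern, not the algorithm.

```python
import hashlib
import hmac


class TokenError(Exception):
    """Raised when the token refuses an operation."""


class TraditionalCard:
    """Classic smartcard: the PIN and every sign request arrive over the host link.

    The private-key operation is stood in for by an HMAC over a per-card secret
    (an assumption made for this illustration, not a real card's algorithm).
    """

    def __init__(self, pin, key):
        self._pin = pin.encode()
        self._key = key
        self._unlocked = False

    def verify_pin(self, pin):
        # The card only sees the PIN after the host application has had it.
        self._unlocked = hmac.compare_digest(pin.encode(), self._pin)
        return self._unlocked

    def sign(self, message):
        if not self._unlocked:
            raise TokenError("PIN required")
        # Once unlocked, the card signs whatever bytes the host hands it.
        return hmac.new(self._key, message, hashlib.sha256).digest()


class DeviceWithUI:
    """Token with its own keypad and display, the role the PalmPilot plays."""

    def __init__(self, pin, key, keypad, display):
        self._pin = pin.encode()
        self._key = key
        self._keypad = keypad    # runs on the device; returns the PIN typed there
        self._display = display  # runs on the device; shows message, returns approval
        self.shown = []          # every message the device put in front of the user

    def sign(self, message):
        # The PIN is collected on the device itself; the host never sees it.
        if not hmac.compare_digest(self._keypad().encode(), self._pin):
            raise TokenError("bad PIN")
        # Show the exact bytes to be signed and require on-device approval.
        self.shown.append(message)
        if not self._display(message):
            raise TokenError("user declined on the device")
        return hmac.new(self._key, message, hashlib.sha256).digest()


class MaliciousHost:
    """A tampered host application: records the PIN and slips in a forged request."""

    def __init__(self):
        self.stolen_pin = None
        self.forged = {}

    def with_card(self, card, pin_typed_on_pc, intended, forgery):
        self.stolen_pin = pin_typed_on_pc          # the PIN passed through the host
        card.verify_pin(pin_typed_on_pc)
        sig = card.sign(intended)                  # the operation the user asked for
        self.forged[forgery] = card.sign(forgery)  # ...and one the user never saw
        return sig

    def with_device(self, device, intended, forgery):
        sig = device.sign(intended)                # no PIN available to steal
        try:
            self.forged[forgery] = device.sign(forgery)
        except TokenError:
            pass                                   # the user refused on the display
        return sig


def run_scenario():
    """Run the same attack against both tokens; return what the attacker obtained."""
    key = b"per-token secret (constructed sample)"
    intended = b"I accept the quoted price of $10"
    forgery = b"Transfer my whole balance to account 42"
    pin = "1234"

    host = MaliciousHost()
    host.with_card(TraditionalCard(pin, key), pin, intended, forgery)
    card_outcome = {
        "pin_stolen": host.stolen_pin == pin,
        "forgery_signed": forgery in host.forged,
    }

    host = MaliciousHost()
    device = DeviceWithUI(
        pin, key,
        keypad=lambda: pin,               # the user types the PIN on the device
        display=lambda m: m == intended,  # the user reads the display, approves only what they meant
    )
    host.with_device(device, intended, forgery)
    device_outcome = {
        "pin_stolen": host.stolen_pin is not None,
        "forgery_signed": forgery in host.forged,
        "shown_to_user": list(device.shown),
    }
    return card_outcome, device_outcome


if __name__ == "__main__":
    for name, outcome in zip(("traditional card", "device with UI"), run_scenario()):
        print(name, outcome)
```

Against the traditional card the tampered host ends up holding the PIN and a signature over a message the user never saw; against the device it obtains neither, because the PIN never crosses the host link and the forged request is put on the device's display and declined. The protection rests on two assumptions: the device's own software is trusted, and the bytes it displays are exactly the bytes it signs.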

The following picture shows a 3Com PalmPilot working as a smartcard.

The PalmPilot can interact with the user directly, providing means for both input and output. Our research centers on the question of which interactions should go directly through the device, rather than through the (potentially untrusted) computer, in order to make the use of the "smartcard" more secure.

As a proof of concept we are implementing the PKCS#11 standard for cryptographic tokens as a Netscape plug-in that will let users employ their PalmPilot as a smarter smartcard to sign email messages and to authenticate themselves on the World Wide Web.