Smart Card Application Development Using Java / Edition 2

ISBN-10: 3540432027
ISBN-13: 9783540432029
Pub. Date: 08/26/2002
Publisher: Springer Berlin Heidelberg

Overview

In today's world, smart cards play an increasingly important role in everyday life. We encounter them as credit cards, loyalty cards, electronic purses, health cards, and as secure tokens for authentication or digital signature. Their small size and the compatibility of their form with the magnetic stripe card make them ideal carriers of personal information such as secret keys, passwords, customization profiles, and medical emergency information. This book provides a guide for the rapid development of smart card applications using Java and the OpenCard Framework. It gives you the basic information you need about smart cards and how they work. It shows in detail how to develop applications that use smart cards by guiding you through examples step by step. A smart card provided with the book will help you to quickly get some first hands-on experience.

Product Details

ISBN-13: 9783540432029
Publisher: Springer Berlin Heidelberg
Publication date: 08/26/2002
Edition description: Softcover reprint of the original 2nd ed. 2002
Pages: 305
Product dimensions: 6.10(w) x 9.25(h) x 0.02(d)

Read an Excerpt

Chapter 3: Smart Cards and e-business

A common way to protect the communication between client and server is by establishing a secure session, where all communication is encrypted using a symmetrical key. This symmetrical key, often called "session key", is exchanged between the session partners by using public key cryptography. This exchange is typically combined with authentication of the partners. An example of such a scheme is SSL and its successor TLS (see Section 4.3 "TLS and Smart Cards"). A smart card is ideal to host the private key for authenticating the client to the server in an SSL connection.

As we have seen, in a secure session the data are encrypted immediately before they are transmitted and decrypted directly after they are received. Alternatively, the data can be permanently stored in an encrypted form, and sent and received unchanged. In this case, decryption takes place before the data are used.

In all of these schemes the key that is required for the decryption can be stored in a smart card. Because a smart card usually is not powerful enough to efficiently decrypt large amounts of data, the smart card passes the decryption key to the host computer, which then performs the decryption.

A more secure variant is to use a changing decryption key, which itself is kept in encrypted form. The smart card then decrypts the decryption key. In this way the smart card only decrypts a few bytes and yet its decryption key is not exposed.
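The following sketch illustrates this variant. It is an added example, not code from the book, and it uses the standard Java cryptography API rather than the OpenCard Framework. `SimulatedCard` is a hypothetical stand-in for a real card, and the choice of RSA-OAEP for wrapping the key and AES-GCM for the bulk data is an assumption.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.*;

public class WrappedKeyDemo {
    // Hypothetical stand-in for the card: the RSA private key is created inside
    // and no method returns it.
    static final class SimulatedCard {
        private final KeyPair kp;
        SimulatedCard() throws GeneralSecurityException {
            KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
            g.initialize(2048);
            kp = g.generateKeyPair();
        }
        PublicKey publicKey() { return kp.getPublic(); }
        // The only private-key operation offered: decrypt the small wrapped content key.
        SecretKey unwrap(byte[] wrapped) throws GeneralSecurityException {
            Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
            c.init(Cipher.UNWRAP_MODE, kp.getPrivate());
            return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
        }
    }

    public static void main(String[] args) throws Exception {
        SimulatedCard card = new SimulatedCard();
        // Constructed sample data; in practice this could be arbitrarily large.
        byte[] data = "constructed sample record".getBytes(StandardCharsets.UTF_8);

        // Sender: a fresh content key per message, bulk encryption on the host.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey contentKey = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, contentKey, new GCMParameterSpec(128, iv));
        byte[] ciphertext = enc.doFinal(data);
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, card.publicKey());
        byte[] wrappedKey = rsa.wrap(contentKey); // the changing key, kept in encrypted form

        // Receiver: the card sees only wrappedKey; the host decrypts the bulk data.
        SecretKey recovered = card.unwrap(wrappedKey);
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, recovered, new GCMParameterSpec(128, iv));
        System.out.println("card processed " + wrappedKey.length + " bytes; host recovered: "
                + new String(dec.doFinal(ciphertext), StandardCharsets.UTF_8));
    }
}
```

The host still learns the per-message content key, so a compromised host can read that one message, but the card's long-term private key never leaves `SimulatedCard`.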

So far we have looked at communication between a client and a server. For communication between two clients we need a different form of protection. One type of client-client communication that we all use is e-mail. An individual e-mail is stored and forwarded across many nodes. To protect its privacy, the e-mail client of the sender encrypts the data and the e-mail client of the receiver decrypts them.

Established schemes for encrypting and decrypting e-mail use public key cryptography (for example PGP [PGP99]). On the sender's side the data is encrypted using the public key of the receiver, and on the receiver's side it is decrypted using the receiver's private key. If the receiver stores her private key on a smart card, it will be always with her and still be kept secure.

If we order some goods or services, we often have to sign a contract on paper to testify that we placed the order and are liable to pay for it. If we make the same deal over the network instead, we need the electronic equivalent of signing on paper: a digital signature. Such a digital signature must guarantee that a person cannot repudiate his or her order or statement.

The different methods for digital signature are based on an asymmetrical key pair. The signing person has a private key, which cannot be accessed or used by anybody else. A second key, which is associated to the private key, is known to the public. This key is called the public key. Only the unique owner of the private key can sign an order or a statement, while everybody can check the signature using the corresponding public key.

The public key is distributed in a certificate, which contains the owner's name and public key. In addition, the certificate has an expiration date. How do we know that the public key in the certificate is not manipulated? A trusted authority digitally signed the certificate. To check the certificate signature we need the public key of the signer, which is in the certificate of the signer. This certificate is signed by a trusted authority. The recursion can go on until we arrive at the "root certificate", which is something that we trust because it was distributed through a trusted channel, like for example shipped with the web browser.

Until now, digital signatures were mainly used for private business. Recently, first trials set out to use digital signatures for electronic forms filed with public authorities. Filling out an on-line form can speed up the process considerably compared to calling an office for a form, waiting for the mail with the blank form, and finally mailing the completed form. Therefore we expect that digital signatures will become increasingly popular in the public as well as the private sector.

For digital signatures it is crucial that the private key remains absolutely private. If any person could copy another person's private key, the digital signature would no longer be unique to the owner. Therefore the private key has to be stored in a very secure place where nobody could possibly copy it and where nobody but the owner can use it.

The most secure place to store such a private key is a cryptographic hardware unit, often called "crypto token". A smart card can be considered the most convenient and most portable cryptographic hardware unit. Modern smart cards are able to perform the signing operation inside the card. At the same time they do not provide any function to export the private signature key to the outside. Legislation in some European countries requires that the signature key must be generated on the smart card. In combination with the requirement that there must be no way to export the signature key, this makes it highly unlikely that any additional copies of a signature key could exist.

Other Uses of Smart Cards in e-business

The Internet as a ubiquitous network leads to new opportunities in various areas of commerce. We have seen examples of how the smart card can help to protect the data and communication on the net.

On the other hand, we can think of the smart card as an extension of the network. It allows the owner to load data onto the card while connected to the net and to later use this data at off-line devices.

In the following we present some applications of smart cards, in which the smart card is used at times connected to the network and at other times off-line.

Electronic Ticketing

Electronic Ticketing is a typical application where the card receives data from the net for later use. Consumers can put a ticket for a flight, a bus ride, or an event onto their smart card. These transactions can take place at a ticket vending machine, at a kiosk, or at the consumer's PC or Internet screen phone. In the latter case, an obvious path for the transaction is a web browser running a Java applet that communicates with the ticketing server through the Internet and with the smart card through the local software stack and attached hardware.

In the theater or bus or at the gate, it is often not practical or cost effective to have the device receiving the electronic tickets connected to the ticketing server. With an online device the server could detect and prevent fraud attempts, like using the same ticket more than once. Having no online connection, we need a smart card to prevent fraud...

Table of Contents

I Smart Card Introduction and Overview
  1 What Makes the Smart Card “Smart”?
  2 Introduction to Smart Card Software
  3 Smart Cards and e-business
  4 Cryptography
  5 Smart Card Readers and Terminals
  6 Smart Card Standards and Industry Initiatives

II OpenCard Framework
  7 Introduction to OpenCard
  8 The Utility Classes
  9 The Terminal Layer
  10 The Service Layer
  11 The OCF Security Concepts

III Smart Card Application Development Using OCF
  12 Using OCF
  13 OCF and e-business
  14 Java Card and OCF
  15 Card and Application Management
  16 OCF for Embedded Devices

IV Appendixes
  A The Card
    A.1 The IBM MultiFunction Card
    A.2 The File Structure on the Card
    A.3 Accessing the Card
  B Useful Web Sites
  C Bibliography
  D Glossary
  E Index