the Java Card environment is equipped with the necessary
hardware for computation of modulo operations in SRP,
limitations in Java Card APIs on accessing the cryptographic
co-processors make it challenging to implement SRP with
acceptable performance. However, by exploiting the RSA
encryption API provided by the platform, we show that it
is possible to compute exponentiations and multiplications
with support of the cryptographic co-processor. This, and
minor adaptations to the protocol, made it possible to
implement the SRP-6a server-side in a Java Card applet with
reasonable computation time. For our implementation with
a 2048 bit long prime modulus, the complete protocol runs
in less than 2 seconds for the smart card and less than 4
seconds for the secure element tests. However, considering
our use cases, a user only has to wait for the verification
phase (i.e. less than 100 ms for the smart card and 400 ms for
the secure element) since the time intensive key agreement
phase runs simultaneously with the password/PIN entry.
Finally, we also provide an applet level implementation for
the ISO/IEC 7816-4 secure messaging standard. The source
code of the whole implementation is available under an open
source license (see footnote 10).
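As an added illustration (not code from the paper or its applet), the Python example below models raw RSA encryption as the only modular primitive, derives multiplication from three squarings via ((a+b)^2 - a^2 - b^2)/2, and uses both to compute the standard SRP-6a server values B and S. The squaring identity, the helper names and the toy 127-bit modulus are assumptions; the paper's own protocol adaptations are not reproduced here.

```python
import hashlib

# Constructed toy group: N = 2^127 - 1 is prime but NOT a safe prime.
# The paper uses a 2048-bit prime modulus; this only shows the arithmetic.
N, g, BYTES = 2**127 - 1, 3, 16

def rsa_nopad(base, exponent, modulus):
    """Stand-in (assumption) for raw RSA encryption: base^exponent mod modulus."""
    if not 0 <= base < modulus:
        raise ValueError("RSA input must be smaller than the modulus")
    return pow(base, exponent, modulus)

def mod_half(x, n):
    """x/2 mod n for odd n, using only an addition and a shift."""
    return (x + n) >> 1 if x & 1 else x >> 1

def mod_mul(a, b, n):
    """a*b mod n from three squarings: ((a+b)^2 - a^2 - b^2) / 2."""
    a, b = a % n, b % n
    two_ab = (rsa_nopad((a + b) % n, 2, n)
              - rsa_nopad(a, 2, n) - rsa_nopad(b, 2, n)) % n
    return mod_half(two_ab, n)

def H(*values):
    """SHA-256 over fixed-width big-endian integers."""
    data = b"".join(v.to_bytes(BYTES, "big") for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def srp_server(v, b, A):
    """Standard SRP-6a server side: returns (B, S) for verifier v, secret b."""
    if A % N == 0:  # mandatory SRP check: reject a degenerate client value
        raise ValueError("invalid client public value A")
    k = H(N, g)
    B = (mod_mul(k, v, N) + rsa_nopad(g, b, N)) % N      # B = k*v + g^b
    u = H(A, B)
    S = rsa_nopad(mod_mul(A, rsa_nopad(v, u, N), N), b, N)  # S = (A*v^u)^b
    return B, S

def srp_client_secret(x, a, A, B):
    """Reference client computation with ordinary big-integer arithmetic."""
    k, u = H(N, g), H(A, B)
    return pow((B - k * pow(g, x, N)) % N, a + u * x, N)
```

The server path never calls a general multiply: every product goes through `mod_mul`, which needs only squaring, addition, subtraction and a one-bit shift.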
9. ACKNOWLEDGMENTS
This work has been carried out within the scope of u’smile,
the Josef Ressel Center for User-Friendly Secure Mobile
Environments. We gratefully acknowledge funding and support by
the Christian Doppler Gesellschaft, A1 Telekom Austria AG,
Drei-Banken-EDV GmbH, LG Nexera Business Solutions
AG, and NXP Semiconductors Austria GmbH.
Footnote 10: https://gitorious.org/secure-element/secure-channel-srp6a-android-lib and https://gitorious.org/secure-element/secure-channel-srp6a-applet