Security Testing and Formal Methods for High Levels Certification of Smart Cards.

However, while formal models are indeed used throughout high-assurance certification, verification of the actual implementation is not required by the CC and largely neglected in certification practice ... In this paper we discuss the gap between program verification and CC software certification, and we point out possible uses of code-level program verification in the CC certification process. ... security objectives, one for the SPM, one for both the FSP and the high-level part of the TDS, and one for the low-level part of the TDS. ...

doi:10.1007/978-3-642-03359-9_34 fatcat:fby2azmiefggzbginkcl3dr5n4

Most of those conclusions are well known by the community and we just point them out in our specific domain, the smart card. We provide a non trivial example of the use of formal methods. ... Moreover we reach our challenge, to formally implement a complex piece of code into a smart card. ... Formal methods aim to reduce the use of test and mainly of unitary tests. However there is still a need for functional tests. ...

doi:10.1145/1133373.1133416 dblp:conf/sigopsE/CassetL02 fatcat:fztjsqkaxnbvxgjmw33yrjzcpa

There is a need for assessing the security of smart cards by an independent third party, specially if multi-application smart cards become reality. ... The article discusses the problems related to this topic, and makes suggestions on how security evaluation of smart cards can be achieved. ... Method 2: Company certification A scheme for security certification of companies can be organised in the same way as for quality certification according to ISO 9000. ...

doi:10.1016/0920-5489(95)00013-k fatcat:rezuab52pbfqleexpptgcysvha

This approach facilitated implementation of a formally specified, mandatory security policy providing multi-level security (MLS) suitable for both government agencies and commercial users. ... The Caernarvon operating system was developed to demonstrate that a high assurance system for smart cards was technically feasible and commercially viable. ... ACKNOWLEDGEMENTS The Caernarvon project involved work by a number of people in addition to the authors of this paper, and we wish to acknowledge the contributions of Vernon Austel, Ran ...

doi:10.1145/1341312.1341320 fatcat:jnwsn7ikubbtllr44mqnrkpgtu

The conditions to international recognition of issued CC certificates are studied and several differentials are done showing what the prerequisites in terms of Security Assurance Requirements (SARs) are ... Finally a review of known evaluations at EAL 6 and 7 is done for resource management, for existing separation kernels/hypervisors compiled from published protection profiles, security targets or relevant ... The IT-Technical Domain is related to smart cards and similar devices where significant proportions of the required security functionality depend upon hardware (for example smart card hardware, smart card ...

doi:10.5281/zenodo.47296 fatcat:tgxiabog3ncjjk5k7wp7iz3u74

Open Access

In particular, the results obtained from the formal analysis of the smart card security protocols when smart cards are used as a specific type of Secure Signature Creation Devices (SSCDs) are presented ... We explain formalization of the protocols in AVISPA's high-level protocol specification language HLPSL [7], and describe approach to verifying that the device authentication protocols in CWA 14890-1 does ... We would like to thank Dieter Gollmann, Sebastien Canard, Jan Meier, Helmut Scherzer and the anonymous reviewers for helpful feedback and suggestions for improvements. ...

doi:10.1007/978-3-642-27257-8_20 fatcat:qw3ugvgzhfbg3nucsovc2vvqni

We present a method for requirements engineering and (semi-formal and formal) modeling of systems to be certified according to the higher evaluation assurance levels of the CC. ... The CC distinguish several evaluation assurance levels (EALs), level EAL7 being the highest and requiring the application of formal techniques. ... For example, smart cards are used for an increasing number of purposes, and e-commerce and other security-critical internet activities become increasingly common. ...

doi:10.1007/3-540-45732-1_32 fatcat:pkfbrlrperdqtdmhqysz2vvbum

In addition to end-user authentication, the described solution also supports the use of X.509 certificates for additional security servicesconfidentiality, integrity, and non-repudiation of transactions ... Smart electronic devices and gadgets and their applications are becoming more and more popular. ... Sead Muftic for his great motivational counselling that impacted me technically and theoretically for completion of this task. ...

doi:10.25046/aj010505 fatcat:wsmacjmberei3gl45nlmcktg6q

DOAJ

The distinctive security features of the Spanish electronic national identity card, known as Documento Nacional de Identidad electrónico, allow us to propose the usage of this cryptographic smart card ... for example of the so-called social networks. ... (FEDER, UE) under project COPCIS, reference TIN2017-84844-C2-1-R, and by the European Union program ERASMUS+ under the project 2017-1-ESO1-KA203-038491 (Rules_Math). ...

doi:10.1093/jigpal/jzz058 fatcat:ffahe5rkjzetxkzsch34kxp2pu

We argue that the entities responsible for accrediting smart card based applications thus require security expertise beyond the knowledge encoded in security standards and that a purely compliance based ... certification of eCard applications is insufficient. ... We thank the anonymous reviewers for valuable comments and suggestions. ...

doi:10.1007/978-3-642-15497-3_27 fatcat:clazpzikung5vmnxqdv3gvr33a

The proposed authentication and symmetric key exchange algorithm are formally verified and analyzed using automated validation of Internet security protocols and applications. ... The result of simulation proves that the proposed scheme is secure and safe. The experimental results show that time consumption for user authentication is acceptable. ... The safety and security of the proposed method are validated using formal verification technique. The simulation results demonstrate that the scheme is safe and secure. ...

doi:10.1109/access.2019.2896324 fatcat:qekruagonbb7hbtvfylzukhgsu

DOAJ

In particular, we present the design and implementation of (SC) 2 (Secure Communication over Smart Cards), a system securing the communication between a smart card and the TTP which provides the S×C matching ... The key idea lies in the notion of contract, a specification of the security behavior of an application that must be compliant with the security policy of the card hosting the application. ... In order to test the system, certificates for CA and TTP have to be created. CA root certificate is generated as a self-signed certificate. ...

doi:10.1007/978-3-642-27901-0_4 fatcat:zhamzoa7qbhjjpc4f5kw4wmawu

We present a constructive approach to correctness and exemplify it by describing a generator for certified Java Card applets that we are building. ... A proof of full functional correctness is generated, along with the code, from the specification; the proof can be independently checked by a simple proof checker, so that the larger and more complex generator ... Information technology security standards such as the Common Criteria and FIPS 140-2 (for cryptographic modules) require the developer to provide, for the highest levels of certification, proofs of correctness ...

doi:10.1007/978-3-540-69149-5_7 fatcat:eaw4crqmsber7coul6q2k4ghhm

Acknowledgments We first thank Eric Vetillard for providing us with material to write some parts of this paper, and also Patrick Biget for his helpful comments on this paper. ... But, Eric must undoubtedly be acknowledged for his careful reading of the paper and his insightful comments which helped us to improve the paper greatly. ... Smart Card Compilation and Loading Process Though current smart cards are able to run programs written in high-level languages, they still have drastic limitations. ...

doi:10.1145/318774.319265 fatcat:3yxhdbtwqffkdbdjmexn52wupu

The security of the protocol is formally verified and informal analysis is performed for various attacks. ... The huge amount of data stored on mobile devices poses information security risks and privacy concerns for individuals, enterprises, and governments. ... Acknowledgments: The author is grateful to the Middle East University, Amman, Jordan for the financial support granted to cover the publication fee of this research article. ...

doi:10.3390/jsan9010001 fatcat:p5irdyb43rds7nkfbhrgykym3e

DOAJ

Mind the Gap [chapter]

Preserved Fulltext

Increasing smart card dependability

Preserved Fulltext

The difficulty of standardizing smart card security evaluation

Preserved Fulltext

The Caernarvon secure embedded operating system

Preserved Fulltext

Technical Analysis Of Available Assurance Techniques

Preserved Fulltext

Formal Analysis of CWA 14890-1 [chapter]

Preserved Fulltext

A Problem-Oriented Approach to Common Criteria Certification [chapter]

Preserved Fulltext

Strong Authentication Protocol based on Java Crypto Chip as a Secure Element

Preserved Fulltext

OUP accepted manuscript

Preserved Fulltext

Caught in the Maze of Security Standards [chapter]

Preserved Fulltext

Automated User Authentication in Wireless Public Key Infrastructure for Mobile Devices using Aadhar card

Preserved Fulltext

SC 2: Secure Communication over Smart Cards [chapter]

Preserved Fulltext

A Constructive Approach to Correctness, Exemplified by a Generator for Certified Java Card Applets [chapter]

Preserved Fulltext

FACADE

Preserved Fulltext

D-FAP: Dual-Factor Authentication Protocol for Mobile Cloud Connected Devices

Preserved Fulltext