Mutual authentication with smart cards

The World Wide Web has become the de facto interface for consumer oriented electronic commerce. So far the interaction between consumers and merchants is mostly limited to providing information about products and credit card based payments for mail orders. This is largely due to the lack of security currently available for commercial transactions. At the moment the only security mechanism present in most browsers is the Secure Socket Layer (SSL) which is limited to authentication and encryption of the HTTP session. It does not aim to secure transactions. This report describes the design of a new three party authentication and key distribution protocol to serve as a foundation for WWW based transactions. Instead of having a radically new design it is derived from KryptoKnight protocol family developed at IBM. An important design consideration has been that it can be implemented with existing smart card technology. Specifically the Dutch Chipper and ChipKnip cards have been examined for their applicability. The result is an ABK(t) type protocol that runs with any card that supports either the ISO7816 internal authenticate command or the En726 read stamped or protected read instructions. Secondly a prototype has been implemented in Java that can run in either the Java Development Kit or the Netscape or HotJava browser. Though Java was not designed for implementing hardware drivers it has proven perfectly suitable for communication with smart cards. Also it has effectively demonstrated its cross platform capabilities over multiple operating systems: except for a small native library to talk to the RS232 port the same code runs on Win32, Linux and the NCD network computer.