Listen
Publikation Man-in-the-Middle: Analyse des Datenverkehrs bei NFC-Zahlungen(12/2014) Arnosti, Christof; Gruntz, DominikDas Bezahlen mit kontaktlosen Kreditkarten liegt im Trend, insbesondere seit grosse Ladenketten wie Migros, Coop oder Valora diese Bezahlmöglichkeit unterstützen. Mit Google Wallet, Apple Pay und Tapit von Swisscom besteht vermehrt auch die Möglichkeit mittels Smartphone kontaktlose Zahlungen auszulösen. Wir haben die Daten, die zwischen einem Terminal und einer Karte bzw. einem Mobiltelefon ausgetauscht werden, bei einer echten Bezahlung aufgezeichnet. In diesem Artikel beschreiben wir dieses Protokoll und die Software, die nötig ist, um solche Daten aufzuzeichnen.01B - Beitrag in Magazin oder ZeitungPublikation Secure Physical Access with NFC-enabled Smartphones(12/2015) Arnosti, Christof; Gruntz, Dominik; Hauri, MarcoThis paper presents a smartphone-based physical access control system in which the access points are not directly connected to a central authorization server. The access points ask the mobile phone whether a particular user has access or not. The mobile phone then relays such a request to the access server. The authentication of the smartphone is based on public-key cryptography. This requires that the private key is stored in a secure element or in a trusted execution environment to prevent identity theft. In our solution we use the following secure element archiectures: Host Card Emulation (HCE) and a microSD-based secure element. We show that the HCE approach cannot solve the relay attack under conservative security assumptions and we present and discuss an implementation based on a microSD secure element that still allows the access points to connect to the authorization server upon every access albeit the access points are not connected with it.01B - Beitrag in Magazin oder ZeitungPublikation Secure Physical Access with NFC-enabled Smartphones(Fachhochschule Nordwestschweiz FHNW, Institut für Mobile und Verteilte Systeme, 12/2015) Arnosti, Christof; Gruntz, Dominik; Hauri, Marco; Stamm, ChristophThis paper presents a smartphone-based physical access control system in which the access points are not directly connected to a central authorization server. The access points ask the mobile phone whether a particular user has access or not. The mobile phone then relays such a request to the access server. The authentication of the smartphone is based on public-key cryptography. This requires that the private key is stored in a secure element or in a trusted execution environment to prevent identity theft. In our solution we use the following secure element archiectures: Host Card Emulation (HCE) and a microSD-based secure element. We show that the HCE approach cannot solve the relay attack under conservative security assumptions and we present and discuss an implementation based on a microSD secure element that still allows the access points to connect to the authorization server upon every access albeit the access points are not connected with it.04A - Beitrag Sammelband