Interleaving Command Sequences: a Threat to Secure Smartcard Interoperability
This addresses a critical security vulnerability in smartcard systems used for sensitive applications like digital signatures, highlighting a gap in current certification standards.
The paper tackles the problem of secure smartcard interoperability by demonstrating that external commands intended for one smartcard type can interleave with commands on another, potentially compromising digital signature processes without user warnings.
The increasingly widespread use of smartcards for a variety of sensitive applications, including digital signatures, creates the need to ensure and possibly certify the secure interoperability of these devices. Standard certification criteria, in particular the Common Criteria, define security requirements but do not sufficiently address the problem of interoperability. Here we consider the interoperability problem which arises when various applications interact with different smartcards through a middleware. In such a situation it is possible that a smartcard of type S receives commands that were supposed to be executed on a different smartcard of type S'. Such "external commands" can interleave with the commands that were supposed to be executed on S. We experimentally demonstrate this problem with a Common Criteria certified digital signature process on a commercially available smartcard. Importantly, in some of these cases the digital signature processes terminate without generating an error message or warning to the user.