When establishing a secure communication channel between a client C and a server S through an intermediary such as a gateway G as shown in FIG. 1, the client C and the server S do not pre-share a common secret.
Before the secure communication channel between the client C and the server S is established, a mutual authentication between the server S and the client C has taken place. The mutual authentication may be performed with any cryptographic protocol.
In the case where the mutual authentication comprises three steps (a terminal authentication step, a passive authentication step, and a chip authentication step, as shown in FIG. 1), the server S can be authenticated by the client C through the gateway G, relative to a certification authority, according to a Terminal Authentication protocol. The client C has a long-term/permanent secret key skc with its related public key pkc, such that pkc can then be trusted by the remote server S according to a first part of a Passive Authentication/Client Authentication protocol.
As shown in FIG. 1, a first secure channel between the client C and the gateway G and a second secure channel between the gateway G and the server S may have been established. When the client C sends data to the remote server S through the gateway G, the gateway G has to decrypt and then re-encrypt the data, from a first protocol used between the client C and the gateway G to a second protocol used between the remote server S and the gateway G. The same happens when the remote server S sends data to the client C through the gateway G: the gateway G has to decrypt and then re-encrypt the data, from the second protocol used between the remote server S and the gateway G to the first protocol used between the client C and the gateway G.
As a consequence, the plaintext data are known to the gateway G. Translating one protocol into another through a gateway exposes the data exchanged between the two communicating parties to a risk of eavesdropping and of secret re-use, thereby jeopardizing backward and forward secrecy once a secret key is discovered by an attacker. If the gateway is compromised, someone could have access to the exchanged data in clear before the establishment of another secure channel.
A further problem arises when the client has a permanent secret key shared by a huge number of clients. By sharing the same permanent secret key, the privacy of the user is preserved, as it is not possible to determine who is who, and a service provider can grant access to a client without knowing its identity. The service provider only knows that the client is an authorized client. The client can then authenticate to the server without identifying itself to the server. This permanent authentication secret key skc may also be used by the client C to establish a secure channel with the server S, and skc could be the only secret value used by the client C to establish the secure channel. Then, if this permanent secret key skc is compromised for one client, all clients from the same lot, which share the same permanent secret key, may be easily attacked. Once the secret key is compromised, it is possible to open a secure channel and thus to compromise the confidentiality of data transmitted by the clients with the permanent secret key skc of the client.
This problem may occur for example when Web services are accessed with a client-middleware installed on the smartcard host which acts as a gateway G between the smartcard C and the remote server S.
One solution consists in using a secure IP-enabled reader equipped with a display unit and a PINpad, implementing a Password-Based Mechanism also called PACE, implementing an interface device IFD-API interface according to ISO 24727, and supporting a SOAP interface for the communication with an application running on the smartcard host, as described in the BSI TR-03131 v.1 EAC-Box Architecture and Interfaces Technical Guidelines. However, this kind of solution has two main drawbacks: it may require a further mutual authentication between the enhanced reader and the smartcard host, thereby raising again the issue of eavesdropping/man-in-the-middle, and it is a costly device.
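The risk described above for a permanent secret key skc shared by a lot of clients can be made concrete with the following added example, which is not part of the original text. It shows that traffic recorded on the path becomes readable for every client of the lot once skc leaks, and, as a standard contrast not taken from this text, that a per-session client secret does not have this property. The Diffie-Hellman group, the toy cipher and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group constructed for this example; far too small for real use.
P, G = 2**127 - 1, 3

def keypair():
    sk = secrets.randbelow(P - 3) + 2
    return sk, pow(G, sk, P)

def session_key(own_secret, peer_public):
    shared = pow(peer_public, own_secret, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def _keystream(key, n):
    return b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(n // 32 + 1))

def seal(key, data):
    # Toy cipher standing in for the channel protection: XOR keystream + HMAC tag.
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # wrong key: tag does not verify
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

def record_session(client_secret, message):
    """Run one session; return what an observer on the path (e.g. gateway G) records."""
    s_sk, s_pk = keypair()                      # server S contribution, sent in clear
    c_pk = pow(G, client_secret, P)
    blob = seal(session_key(client_secret, s_pk), message)
    assert unseal(session_key(s_sk, c_pk), blob) == message   # S decrypts correctly
    return s_pk, blob

def decrypt_with_leaked_skc(skc, recorded):
    s_pk, blob = recorded
    return unseal(session_key(skc, s_pk), blob)

def demo():
    skc, _ = keypair()                          # permanent key shared by a whole lot
    a = record_session(skc, b"client A data")   # skc is the only secret in the channel
    b = record_session(skc, b"client B data")   # another client of the same lot
    eph, _ = keypair()                          # assumption: per-session secret, then erased
    c = record_session(eph, b"client A data")
    return [decrypt_with_leaked_skc(skc, r) for r in (a, b, c)]

if __name__ == "__main__":
    print(demo())
```

The first two recorded sessions open with the leaked skc, while the third returns None because its channel key never depended on skc.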