5

Can a smartphone, alone, be a valid substitute for a Smartcard? If not, what is missing technically speaking?

Does the TPM chipset (which I assume is in the phone) provide enough security to "act as" a smartcard in various situations?

Since smartphones can now perform HOTP, TOTP, asymmetric crypto, and zero-knowledge proofs, among others, and also authenticate the user with a thumbprint sensor, which smart cards don't already do, perhaps using a smartphone is a better solution.

makerofthings7
  • I don't know of any phones that expose a TPM for developers. Even if they did, it would be a huge PitA to deal with each phone manufacturer's API. So, I think it's apples and oranges. The real reason smart cards failed to penetrate the market is that they are too expensive. Mobile phones offer a better cost/benefit trade-off. – nowen Oct 28 '15 at 18:29
  • @nowen I would say that given that EMV is the standard in Europe, Canada, and elsewhere for credit cards and is in the process of becoming the standard in the United States, they have pretty good market penetration. Perhaps you are thinking of something more specific? – JimmyJames Oct 29 '15 at 13:33
  • @JimmyJames I don't think the OP is asking about credit cards, but smart cards such as in use at the DoD. – nowen Nov 02 '15 at 15:55
  • @nowen I'm looking at https://en.wikipedia.org/wiki/Smart_card for a common definition of smart card. Is there a different reference? – JimmyJames Nov 02 '15 at 16:28
  • @JimmyJames we would have to ask the OP the use case. A smart card used for authenticating to a computer or a smart card used for purchasing/credit card. I assumed the former b/c of the reference to HOTP/TOTP. – nowen Nov 03 '15 at 15:39
  • Generally speaking, smartphones do not have classic TPMs. (Windows Phones made by Nokia/Microsoft are an exception.) ARM does include its TrustZone technology in many of its chip designs, providing a Trusted Execution Environment. If I understand things correctly, if you pair an ARM processor with TrustZone tech with an ARM CryptoCell off-processor element, you have a setup that approximately serves the same roles that a combo of a recent Intel/AMD processor + a TPM does in a PC. How often TrustZone + CryptoCell is actually present in popular smartphone models I couldn't say. – mostlyinformed Nov 28 '15 at 20:35

3 Answers

3

Can a smartphone, alone, be a valid substitute for a Smartcard?

In one sense the answer is yes because a smartphone has all the capabilities that would commonly be attributed to a smart card. I'm not sure I consider them equivalent because a smartphone has many more vectors by which it could be compromised. The advantage of narrow scope is that it is much more easily reasoned about and therefore more easily secured.

JimmyJames
2

It depends on the smartphone, but categorically they can't all be used as a substitute for a smart card.

Obviously, phones don't have the electromechanical interface to be inserted into the slot of a smart card reader, so they can't meet the ISO specifications that describe the pinouts, voltages, communications protocols, etc. Some phones work around this for payments by complying with a different standardized smart card communication protocol, i.e. via Near Field Communication (NFC). This is how Apple Pay works. Samsung bought out LoopPay, so they are able to provide an inductive interface to mag stripe read-heads that comply with most (but not all) of the mag stripe standards. Any RF-based smartcard solution requires specialized hardware that is not necessarily present in all smartphones. A Bluetooth radio or WiFi radio won't cut it.

Another place where the differences exist is in the security of the stored data. In the case of payment data, some phones have a separate "Secured Memory" which performs the encryption functions used to comply with dynamic data authentication requirements. This security module is a tiny HSM that is separate from the phone's processor, which helps prevent malicious phone apps from stealing the secret keys in the data. It is technically different than a TPM chip, which has a slightly different function. (Smartphones may not use TPM(tm) chips, but many do offer encryption of their main storage memory in a way similar to using BitLocker with a TPM chip on a PC to encrypt the hard drive.)

John Deters
0

Yes, a SIM card is available on almost every phone. A SIM card is a smart card.

A SIM card presents the same security properties as a common smart card does: tamper resistant, cryptography algorithms, ...

Swisscom, the main Swiss telco, has developed a solution: Mobile ID, which leverages the security properties of a smart card to achieve authentication of users by interacting with the SIM card.

J Kimball
Kami