Network Security Web-App-Sec

RE: dual certificate/smartcard web session management

Subject: RE: dual certificate/smartcard web session management
Date: Fri, 17 Sep 2004 11:25:21 -0400
Frank,

Sounds like a pretty interesting project. A number of things come to
mind:
1. You probably don't want to customize the browser with a plugin or
anything. If you have more than a few people using the system, they'll
upgrade their browser, etc, and you'll have to verify that the plugin
is installed anyway.
2. Getting access to the hardware is difficult. You can use ActiveX,
signed Java, and possibly Flash to execute code on the client to check.
However, these can be turned off on the browser. Also, non-IE browsers
don't do ActiveX.
3. You can run an "agent" on the client to check the smartcards every
few seconds and send a message to the web application through a secure
back-channel. The web application, when getting a request from the
client, can easily verify that the client's polling data was last sent
within the last X seconds. This would remove any dependence on a
particular browser. Firewalls/proxies can be handled by making this a
web-service. If you wanted this to be even more secure, you'd need to do
some sort of token/data-signing exchange between the app server, the
agent, and the smart card reader (otherwise, a malicious user just
emulates what the agent would normally send).

I hope this helps a little.

Michael Scovetta
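
The server side of the polling scheme in point 3 above, written as an added example that is not from the list post or its author: the web application hands each session a fresh nonce, the client agent returns a MAC over that nonce plus the serials of the cards it currently sees, and ordinary requests are only served while the most recent verified heartbeat is younger than X seconds. The shared per-session agent key, the `HeartbeatVerifier`/`agent_sign` names and the ten-second window are assumptions for illustration; in a real deployment the signing would be done by a key held on the smartcard itself rather than a secret the agent process holds, since that is what stops a malicious user from emulating the agent.

```python
"""Freshness check for a smartcard-polling agent (added illustration).

Assumptions (not from the original post): a shared per-session key for
the agent, a 16-byte nonce challenge per poll, and MAX_AGE_SECONDS as
the "X seconds" after which a session is treated as having lost its cards.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional

MAX_AGE_SECONDS = 10  # the "X" in the post; assumed value


def _heartbeat_message(nonce: bytes, cards: Iterable[str]) -> bytes:
    """Canonical bytes the agent signs: the server nonce plus sorted card serials."""
    return nonce + b"|" + ",".join(sorted(cards)).encode()


def agent_sign(agent_key: bytes, nonce: bytes, cards: Iterable[str]) -> bytes:
    """What the client-side agent would compute for each poll (hypothetical agent API)."""
    return hmac.new(agent_key, _heartbeat_message(nonce, cards), hashlib.sha256).digest()


@dataclass
class SessionState:
    agent_key: bytes                  # assumed shared secret with this session's agent
    required_cards: frozenset         # serials of the two cards that must stay present
    nonce: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    last_ok: Optional[float] = None   # server clock time of the last verified heartbeat


class HeartbeatVerifier:
    """Server-side bookkeeping: one challenge per poll, freshness per request."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.sessions: Dict[str, SessionState] = {}

    def open_session(self, session_id: str, agent_key: bytes, cards: Iterable[str]) -> bytes:
        """Register a session and return the first nonce to send to the agent."""
        state = SessionState(agent_key=agent_key, required_cards=frozenset(cards))
        self.sessions[session_id] = state
        return state.nonce

    def current_nonce(self, session_id: str) -> bytes:
        """The challenge the agent must answer on its next poll."""
        return self.sessions[session_id].nonce

    def receive_heartbeat(self, session_id: str, nonce: bytes, cards: Iterable[str], mac: bytes) -> bool:
        """Accept a poll only if it answers the live nonce, verifies, and reports both cards."""
        state = self.sessions.get(session_id)
        if state is None or not hmac.compare_digest(nonce, state.nonce):
            return False  # unknown session, or a replay of an already-used nonce
        cards = list(cards)
        expected = hmac.new(state.agent_key, _heartbeat_message(nonce, cards), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False  # forged or tampered heartbeat
        # Rotate the nonce whether or not the cards check out, so the same
        # answer can never be submitted twice.
        state.nonce = secrets.token_bytes(16)
        if frozenset(cards) != state.required_cards:
            return False  # a required card is missing; last_ok is left stale on purpose
        state.last_ok = self.clock()
        return True

    def request_allowed(self, session_id: str) -> bool:
        """Called on every ordinary web request: is the last good heartbeat recent enough?"""
        state = self.sessions.get(session_id)
        if state is None or state.last_ok is None:
            return False
        return (self.clock() - state.last_ok) <= MAX_AGE_SECONDS


if __name__ == "__main__":
    # Constructed walk-through with a controllable clock.
    now = [1000.0]
    verifier = HeartbeatVerifier(clock=lambda: now[0])
    key = secrets.token_bytes(32)
    nonce = verifier.open_session("sess-1", key, ["CARD-A", "CARD-B"])
    print("before any heartbeat:", verifier.request_allowed("sess-1"))
    verifier.receive_heartbeat("sess-1", nonce, ["CARD-A", "CARD-B"],
                               agent_sign(key, nonce, ["CARD-A", "CARD-B"]))
    print("after a good heartbeat:", verifier.request_allowed("sess-1"))
    now[0] += MAX_AGE_SECONDS + 1
    print("after the window expires:", verifier.request_allowed("sess-1"))
```

The two checks are deliberately separate: `receive_heartbeat` decides whether a poll is genuine, and `request_allowed` is the cheap per-request test the post describes, so a removed card or a stopped agent shows up as ordinary requests starting to fail after X seconds rather than as a browser-side error.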


-----Original Message-----
From: Frank Dobb [mailto:nyon1261@yahoo.com] 
Sent: Thursday, September 16, 2004 3:57 AM
To: webappsec@securityfocus.com
Subject: dual certificate/smartcard web session management

Hello,

I am designing an authentication/session management
system for a financial web application. Browsers will
be up to date versions of IE, Netscape.

Each client post will have a dual smartcard reader and
two different smartcards will have to be present for
the entire web session.

I am looking for ideas, references, white papers or
any other pointers how this has been achieved in the past.

Thanks in advance, Frank




                
__________________________________
Do you Yahoo!?
Yahoo! Mail is new and improved - Check it out!
http://promotions.yahoo.com/new_mail




<Prev in Thread] Current Thread [Next in Thread>