Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: dual certificate/smartcard web session management

from [Rogan Dawes] Network Security [Permanent Link]
Subject: Re: dual certificate/smartcard web session management
Date: Fri, 17 Sep 2004 08:47:43 +0200 
Frank Dobb wrote:

Hello,

I am designing a authentication/session managment
system for a financial web application. Browsers will
be upto date versions of IE, Netscape.

Each client post will have a dual smartcard reader and
two different smartcards will have to be present for
the entire web session.

I am looking for ideas, references, white papers or
any other pointers how this has achieved in the past.

Thanks in advance, Frank

For that kind of application, I assume that you are dealing with extreme security requirements, non-repudiation, etc. In that case, I suggest that you use both of the certificates/private keys on the smart cards to sign all requests (POSTs, that is) that could result in changes (transactions), and archive those messages for your records.

Something like XML-SIG could be what you are looking for.

Simply refuse to process any transactions that are incorrectly signed. There is still the issue of viewing sensitive data. You may be able to design your application in such a way that all requests for data (non-images, etc) are always performed as POSTs, and those can also be signed.

This could prove to be clunky in practice, but it is probably workable.

You might want to have a look at http://openoces.org/ (I think), which implements something similar (only 1 signature required, though) for the Danish banking system.

Regards,

Rogan
--
Rogan Dawes

*ALL* messages to discard@dawes.za.net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: dual certificate/smartcard web session management, Scovetta, Michael V
Next by Date:  Re: PHP session handler functions, Yasuo Ohgaki
Previous by Thread:  Re: dual certificate/smartcard web session management, Alexander Kalinovsky
Next by Thread:  RE: dual certificate/smartcard web session management, Scovetta, Michael V
Indexes:  [Date] [Thread] [Top] [All Lists]