Securing online services by combining smart cards and web-based applications


1 Comment
  • Hi, can you please tell me where I can get the SConnect JS library, as you have mentioned in slide 9?

  • Notes:
    Communication stack
    • Smart card communication standard: standard API supported by all major operating systems, but not accessible from web applications
    • Middleware – browser / platform dependent: CAPI on Windows, PKCS#11, OpenCard Framework (OCF), JSR 177, SIM Toolkit…
    Usability
    • User interface not coupled with web application
    • Terminology not understood by non-technical users
    • Different architectures for browsers / platforms
    • Different middleware on different platforms
    • Software upgrade issues
    • End user installation issues
    Middleware-based TLS mutual authentication
    • Pros: conventional smart cards; strong authentication
    • Cons: browser / platform dependency; usability; a single use case
    Java applet
    • Pros: complete and standardized smart card API
    • Cons: requires Java VM
    Internet smart card
    • Pros: security; easy to use once set up
    • Cons: IP routing setup, legacy cards

    1. Securing online services by combining smart cards and web-based applications
       A. Olivier Potonniée, Asad Ali, Laurent Castillo, Darmawan Suwirya, Karen Lu
       Gemalto Technology & Innovations
       November 17, 2012 – JS.everywhere()
    2. Overview
       • The need for strong authentication
       • Existing solutions
       • A new, usable, smart-card-based authentication
       • Smart card JavaScript API
       • SConnect, a Gemalto browser extension
       • Upcoming W3C standardization activity
    3. Introduction
       • Web applications are part of our daily lives
         • Environment: work; communication; social
         • Applications: banking; shopping; entertainment
       • Security breaches & online identity thefts are on the rise
         • This can happen on both the client side and the server side
       • User authentication is the door keeper
       • Impact of security breaches
         • Financial loss and pain to institutions and customers
         • Loss of key assets, reputation damage
    4. Authentication: Current State
       • Most websites use single-factor authentication – password
       • Passwords are universally accepted as weak
         • One major breach led to the release of 32 million passwords *
         • Nearly 50% of users use names, slang words, dictionary words or trivial passwords *
         • Strong password use is hard to enforce
       • Usability of username/password
         • Easy to use
         • Too many passwords to remember
         • Reuse passwords or use simple passwords *
    5. Single Sign-On
       • SAML2 delegation
         • Service Providers delegate authentication to an Identity Provider
         • Sign on once to access different web services
         • Use one set of credentials to log in to different services
       • Benefits
         • Users: remember one password instead of dozens
         • Providers: easier to secure one system than to secure many
       • Even greater need for strong authentication
         • Puts all one's eggs in one basket
         • Most systems still use username and password
         • Break one, break all
    6. Smart Cards (or Secure Elements)
       • Secure, portable, and tamper-resistant computer
       • Multiple form factors
       • Contact or contactless (NFC: Near Field Communication)
       • Applications
         • Access control (physical, logical – e.g. Windows logon)
         • Identity (citizen cards, passports, ID cards)
         • Subscriber identification modules (SIM)
         • Banking, etc.
       • Using smart cards for the Web is a natural extension
         • Strong two-factor authentication
    7. Using Smart Cards in Web Applications
       Stack diagram, top to bottom; "Installation & maintenance" is the burden attached to the middleware and driver layers, and "The missing piece: ?" sits between the web application and the card stack:
       • Application
       • Middleware – proprietary, specific (e.g. TLS authentication); some are [industry] standards (e.g. MS CAPI, PKCS#11, Java API)
       • PC/SC API – standard API supported by all major operating systems, but not accessible from web applications
       • Smart card reader – proprietary drivers
    8. Enabling technology: SConnect is a Gemalto web browser extension
       • Browsers / operating systems: for all relevant OS-browser combinations
       • Smart card JavaScript (and GWT) API
       • Based on PC/SC – no middleware
       • Built-in security features
         • Force HTTPS
         • Server verification
         • Connection key linking to the server's SSL certificate
         • User consent for smart card access
       • Install: seamless user experience
         • Prompt to download the extension if missing
         • 15 seconds to download and install
    9. The smart card JS API: insertion events

       // Card insertion / removal handler, registered once the server has been validated
       var irCallback = {
         onCardInsertion : function(args) {
           // args holds card details (e.g. the reader name)
           doApplicationOperations(args);
         },
         onCardRemoval : function(args) { /* whatever */ }
       };

       // Server validation outcome: only a validated server gets card events
       var validateCallback = {
         onValidationSuccess : function() {
           SConnect.PCSC.registerCardIRHandler(irCallback);
         },
         onValidationFailed : function(args) { /* whatever */ }
       };

       window.onload = function() {
         // omitting install check…
         // trigger server validation and user consent popup
         SConnect.ValidateServer(validateCallback);
       };

       window.onunload = function () {
         SConnect.PCSC.unRegisterCardIRHandler();
       };
    10. The smart card JS API: card communication

        function doApplicationOperations(args) {
          var g_scom = new SConnect.PCSC();
          // connect to the reader.
          if (g_scom.connect(args.readerName) == false) {
            // readerName comes from the insertion event arguments
            alert("Can't connect to reader : " + args.readerName);
            return;
          }
          // start a pc/sc transaction
          var myTransaction = g_scom.beginTransaction();
          try {
            // send command to the card: SELECT by AID (CLA 00, INS A4, P1 04, P2 00, Lc 07, AID A0000000030000)
            var cardResp = g_scom.transmit("00A4040007A0000000030000");
          } catch(e) {
            log(e.getMessage());
          } finally {
            g_scom.endTransaction(myTransaction);
          }
        }
    11. Demo: Smart card PKI authentication
        Participants: End User, Smart Card, Browser Client, Auth Server (HTTPS + validation between browser and server)
        1. Insert card & enter PIN
        2. Verify PIN
        3. Get challenge from server
        4. Sign challenge
        5. Verify signature on server
        6. Authentication status
        Full showcase:
    12. Smart-card-based web applications
        • Authentication
          • PKI authentication
          • OTP authentication
          • Secret keys
        • Digital signature
          • PKI / OTP / Secret keys
        • Online card content management
          • Lazy activation
          • PKI certificate renewal
          • Card application updates
          • New card application deployment…
    13. Standardization
        • Benefits
          • Removes the need for a browser extension
          • Increases the number of OS/browser combinations (esp. on mobile)
          • No dependency on a proprietary solution
        • W3C APIs
          • SysApp Working Group, launched in Q4 2012: runtime environment and APIs that let trusted applications integrate closely with the operating system's functionality
            • Smart card (Secure Element) in phase 2; Secure Element API expected in 2014
          • Near Field Communications (NFC) Working Group: includes communication with contactless cards
    14. Conclusions
        • Internet security… single-factor, knowledge-based authentication is weak
        • Smart cards… provide enhanced security while working within the constraints of established enterprise and government frameworks
        • Market… adoption occurs only when increased security makes economic sense
        • Standards… W3C Secure Element and NFC APIs
    15. Thanks – Questions?