Securing online services by combining smart cards and web-based applications



               A.   Olivier Potonniée, Asad Ali, Laurent Castillo,
                                  Darmawan Suwirya, Karen Lu


                                                       Gemalto
                                             Technology & Innovations


                         November 17, 2012 – JS.everywhere()
Overview

 The need for strong authentication

 Existing solutions

 A new, usable, smart-card-based authentication

 Smart card JavaScript API
    SConnect, a Gemalto browser extension
    Upcoming W3C standardization activity




Introduction

  Web applications are part of our daily lives
     Environment: work; communication; social
     Applications: banking; shopping; entertainment


  Security breaches & online identity thefts are on the rise
     This can happen on both the client side and server side.


  User authentication is the door keeper

  Impact of security breaches
     Financial loss and pain to institutions and customers
     Loss of key assets, reputation damage




Authentication: Current State
   Most websites use single factor authentication – Password

   Passwords are universally accepted as weak
         One major breach led to the release of 32 million passwords *
         Nearly 50% of users use names, slang words, dictionary words or trivial
         passwords *
         Strong password use is hard to enforce


   Usability of username/password
         Easy to use
         Too many passwords to remember
         Reuse passwords or use simple passwords




* http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf



Single Sign-On
                                                                        SAML2

 Delegation
    Service Providers delegate authentication to an Identity Provider
    Sign-on once to access different web services
    Use one set of credentials to login to different services


 Benefits
    Users: Remember one password instead of dozens
    Providers: Easier to secure one system than to secure many


 Even greater need for strong authentication
    Puts all one’s eggs in one basket
    Most systems still use username and password
    Break one, break all




Smart Cards (or Secure Elements)

 Secure, portable, and tamper-resistant computer
 Multiple form factors
 Contact or Contactless (NFC: Near Field Communication)
 Applications
    Access control (physical, logical – e.g. Windows logon)
    Identity (citizen cards, passports, ID cards)
    Subscriber identification modules (SIM)
    Banking, etc.
 Using smart cards for the Web is a natural extension
    Strong two-factor authentication




Using Smart Cards in Web Applications

 Communication stack (diagram, top to bottom)
    Application
    ? – the missing piece: web applications have no way to reach the layers below
    Middleware – proprietary and specific (e.g. TLS authentication); some are
       [industry] standards (e.g. MS CAPI, PKCS#11, Java API); installation &
       maintenance burden
    PC/SC API – standard API supported by all major operating systems, but not
       accessible from web applications
    Smart card reader drivers – proprietary

Enabling technology:

   SConnect is a Gemalto web browser extension
    •   For all relevant OS-browser combinations
    •   Smart Card JavaScript (and GWT) API
    •   Based on PC/SC – no middleware

   Built-in security features
    •   Force HTTPS
    •   Server verification
    •   Connection key linking to server's SSL certificate
    •   User consent for smart card access

   Seamless user experience
    •   Prompt to download the extension if missing
    •   15 seconds to download and install

The smart card JS API: insertion events
// SConnect is the global object exposed by the browser extension
var irCallback = {
  onCardInsertion : function(args) { // args holds card details (e.g. readerName)
    doApplicationOperations(args);
  },
  onCardRemoval : function(args) { /* whatever */ }
};
var validateCallback = {
  onValidationSuccess : function() {
    // only after the server is validated and the user consented
    // do we start listening for card insertion/removal events
    SConnect.PCSC.registerCardIRHandler(irCallback);
  },
  onValidationFailed : function(args) { /* whatever */ }
};
window.onload = function() { // omitting install check…
  // trigger server validation and user consent popup
  SConnect.ValidateServer(validateCallback);
};
window.onunload = function () {
  SConnect.PCSC.unRegisterCardIRHandler();
};

The smart card JS API: card communication

function doApplicationOperations(args) {
  var g_scom = new SConnect.PCSC();
  // connect to the reader reported by the insertion event
  if (g_scom.connect(args.readerName) == false) {
    alert("Can't connect to reader: " + args.readerName);
    return;
  }
  // start a PC/SC transaction so no other process interleaves APDUs
  var myTransaction = g_scom.beginTransaction();
  try {
    // send a SELECT-by-AID command to the card (APDU as a hex string);
    // the response (assumed hex) ends with the status word, 9000 = success
    var cardResp = g_scom.transmit("00A4040007A0000000030000");
    if (cardResp.slice(-4) != "9000") {
      console.log("SELECT failed, status word " + cardResp.slice(-4));
    }
  } catch(e) {
    console.log(e.getMessage ? e.getMessage() : e);
  } finally {
    g_scom.endTransaction(myTransaction);
  }
}

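The slide's transmit() call sends the SELECT-by-AID command as a hex string and gets a hex response back. The helpers below are an added example, not SConnect code: they build that command from an AID and interpret the ISO 7816-4 status word (the last two bytes of the response), so the application can tell success from a missing applet, an unverified PIN, or a wrong PIN with its remaining tries. selectApplet takes any hex-in/hex-out transmit function (g_scom.transmit on the slide, or a stub).

```javascript
// Added example (not SConnect code): build the SELECT APDU the slide sends
// and parse the response transmit() returns into data + status word.
function buildSelectApdu(aidHex) {
  if (!/^([0-9A-Fa-f]{2})+$/.test(aidHex)) throw new Error("AID must be even-length hex");
  var lc = (aidHex.length / 2).toString(16).toUpperCase();
  // CLA=00 INS=A4 (SELECT) P1=04 (by DF name) P2=00, Lc = AID length, then the AID
  return "00A40400" + (lc.length < 2 ? "0" + lc : lc) + aidHex.toUpperCase();
}

function parseResponse(respHex) {
  var hex = String(respHex).replace(/\s+/g, "").toUpperCase();
  if (hex.length < 4 || hex.length % 2 !== 0 || !/^[0-9A-F]*$/.test(hex)) {
    throw new Error("malformed response: " + respHex);
  }
  var sw = hex.slice(-4), sw1 = sw.slice(0, 2), sw2 = sw.slice(2);
  var out = { data: hex.slice(0, -4), sw: sw, status: "error", pinTriesLeft: null };
  if (sw === "9000") out.status = "ok";
  else if (sw1 === "61") out.status = "more-data";        // SW2 bytes pending (GET RESPONSE)
  else if (sw === "6A82") out.status = "not-found";       // no applet/file with that AID
  else if (sw === "6982") out.status = "security-status"; // e.g. PIN not verified yet
  else if (sw === "6983") out.status = "pin-blocked";     // authentication method blocked
  else if (sw1 === "63" && /^C[0-9A-F]$/.test(sw2)) {     // 63Cx: wrong PIN, x tries left
    out.status = "wrong-pin";
    out.pinTriesLeft = parseInt(sw2.charAt(1), 16);
  }
  return out;
}

// Select an applet through any transmit function with SConnect's
// hex-in/hex-out shape (g_scom.transmit on the slide, or a stub in a test).
function selectApplet(transmit, aidHex) {
  return parseResponse(transmit(buildSelectApdu(aidHex)));
}
```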
Demo: Smart card PKI authentication

 Participants: End User, Smart Card, Browser Client, Auth Server
 (browser to server over HTTPS + SConnect server validation)

    1. Insert card & enter PIN (end user)
    2. Verify PIN (smart card)
    3. Get challenge from server (browser client to auth server)
    4. Sign challenge (smart card)
    5. Verify signature on server (auth server)
    6. Authentication status (auth server to browser client)

                                      Full showcase: http://www.utopiagov.com

Smart-card-based web applications

    Authentication
       PKI authentication
       OTP authentication
       Secret keys


    Digital signature
       PKI / OTP / Secret keys


    Online card content management
       Lazy activation
       PKI certificate renewal
       Card application updates
       New card application deployment


…

Standardization

 Benefits
    Removes the need for a browser extension
    Increases the number of OS/browser combinations (esp. on mobile)
    No dependency on proprietary solution


 W3C APIs
    SysApp Working Group, launched in Q4 2012
        Runtime environment and APIs that let trusted applications integrate
        closely with the operating system's functionality
        Smart card (Secure Element) in phase 2
    Secure Element API expected in 2014
    Near Field Communications (NFC) Working Group
        Includes: Communication with contactless cards




Conclusions

 Internet Security…
    Single-factor, knowledge based authentication is weak


 Smart Cards…
    Provide enhanced security while working within the constraints of
    established enterprise and government frameworks


 Market…
    Adoption occurs only when increased security makes economic
    sense


 Standards…
    W3C Secure Element and NFC APIs




Thanks

                                      Questions ?




Editor's Notes

  • #8 Communication Stack
     Smart card communication standard
        Standard API supported by all major operating systems, but not accessible from web applications
     Middleware – browser / platform dependent
        CAPI on Windows, PKCS#11, OpenCard Framework (OCF), JSR 177, SIM Toolkit…
     Usability
        User interface not coupled with web application
        Terminology not understood by non-technical users
     Different architectures for browsers / platforms
        Different middleware on different platforms
        Software upgrade issues
        End user installation issues
     Middleware-based TLS mutual authentication
        Pros: Conventional smart cards; strong authentication
        Cons: Browser / platform dependency; usability; a single use case
     Java applet
        Pros: Complete and standardized smart card API
        Cons: requires Java VM
     Internet smart card
        Pros: Security; easy to use once set up
        Cons: IP routing setup, legacy cards