WebApp Sec mailing list archives
RE: dual certificate/smartcard web session management
From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Fri, 17 Sep 2004 11:25:21 -0400
Frank,

Sounds like a pretty interesting project. A number of things come to mind:

1. You probably don't want to customize the browser with a plugin or anything. If you have more than a few people using the system, they'll upgrade their browser, etc., and you'll have to verify that the plugin is installed anyway.

2. Getting access to the hardware is difficult. You can use ActiveX, signed Java, and possibly Flash to execute code on the client to check. However, these can be turned off in the browser. Also, non-IE browsers don't do ActiveX.

3. You can run an "agent" on the client to check the smartcards every few seconds and send a message to the web application through a secure back-channel. The web application, when getting a request from the client, can easily verify that the client's polling data was last sent within the past X seconds. This would remove any dependence on a particular browser. Firewalls/proxies can be handled by making this a web service. If you wanted this to be even more secure, you'd need to do some sort of token/data-signing exchange between the app server, the agent, and the smart card reader (otherwise, a malicious user just emulates what the agent would normally send).

I hope this helps a little.

Michael Scovetta

-----Original Message-----
From: Frank Dobb [mailto:nyon1261 () yahoo com]
Sent: Thursday, September 16, 2004 3:57 AM
To: webappsec () securityfocus com
Subject: dual certificate/smartcard web session management

Hello,

I am designing an authentication/session management system for a financial web application. Browsers will be up-to-date versions of IE, Netscape. Each client post will have a dual smartcard reader and two different smartcards will have to be present for the entire web session. I am looking for ideas, references, white papers or any other pointers how this has been achieved in the past.

Thanks in advance,
Frank

__________________________________
Do you Yahoo!?
Yahoo! Mail is new and improved - Check it out!
http://promotions.yahoo.com/new_mail
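The server side of the agent back-channel from point 3 of the reply, as an added example that is not code from the thread: a registry that accepts only HMAC-signed, fresh, non-replayed heartbeats from a client agent, plus the per-request check that the session's last heartbeat is recent and reported both cards present. The shared key, the JSON message fields and the 10-second window are assumptions.

```python
import hmac
import hashlib
import json
import time

# The "X seconds" from the post; the concrete value is an assumption.
MAX_HEARTBEAT_AGE = 10


class HeartbeatRegistry:
    """Web-application side of the back-channel: keeps the latest accepted
    heartbeat per web session and answers 'may this request proceed?'."""

    def __init__(self, agent_key: bytes, max_age: int = MAX_HEARTBEAT_AGE, clock=time.time):
        self.agent_key = agent_key   # key shared with the (hypothetical) client agent
        self.max_age = max_age
        self.clock = clock           # injectable so tests can control time
        self.latest = {}             # session_id -> (timestamp, both_cards_present)
        self.seen_nonces = set()     # (session_id, nonce) already accepted (prune past max_age)

    def sign(self, body: bytes) -> str:
        return hmac.new(self.agent_key, body, hashlib.sha256).hexdigest()

    def receive_heartbeat(self, body: bytes, tag: str) -> bool:
        """Accept a heartbeat only if the MAC verifies, the timestamp is within
        max_age of server time, and the nonce is new. An unsigned or replayed
        message (someone emulating the agent) is rejected at this step."""
        if not hmac.compare_digest(self.sign(body), tag):
            return False
        hb = json.loads(body)
        if abs(self.clock() - hb["ts"]) > self.max_age:
            return False
        nonce_key = (hb["session"], hb["nonce"])
        if nonce_key in self.seen_nonces:
            return False
        self.seen_nonces.add(nonce_key)
        self.latest[hb["session"]] = (hb["ts"], hb["cards_present"] == 2)
        return True

    def session_allowed(self, session_id: str) -> bool:
        """Run on every web request: last heartbeat within max_age and both cards present."""
        entry = self.latest.get(session_id)
        if entry is None:
            return False
        ts, both_present = entry
        return both_present and (self.clock() - ts) <= self.max_age


def make_heartbeat(key: bytes, session: str, nonce: int, cards_present: int, ts: float):
    """Constructed sample of what the client agent would send (not a real agent)."""
    body = json.dumps({"session": session, "nonce": nonce,
                       "cards_present": cards_present, "ts": ts}, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()
```

The nonce set only needs to retain entries younger than max_age, since older heartbeats already fail the freshness check.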
Current thread:
- dual certificate/smartcard web session management Frank Dobb (Sep 16)
- Re: dual certificate/smartcard web session management Alexander Kalinovsky (Sep 18)
- Re: dual certificate/smartcard web session management Rogan Dawes (Sep 18)
- <Possible follow-ups>
- RE: dual certificate/smartcard web session management Scovetta, Michael V (Sep 18)