Securing online services by combining smart cards and web-based applications

Olivier Potonniée, Asad Ali, Laurent Castillo, Darmawan Suwirya, Karen Lu

Gemalto
Technology & Innovations


                         November 17, 2012 – JS.everywhere()
Overview

 The need for strong authentication

 Existing solutions

 A new, usable, smart-card-based authentication

 Smart card JavaScript API
    SConnect, a Gemalto browser extension
    Upcoming W3C standardization activity

Introduction

  Web applications are part of our daily lives
     Environment: work; communication; social
     Applications: banking; shopping; entertainment


  Security breaches & online identity thefts are on the rise
     This can happen on both the client side and server side.


  User authentication is the door keeper

  Impact of security breaches
     Financial loss and pain to institutions and customers
     Loss of key assets, reputation damage

Authentication: Current State
   Most websites use single factor authentication – Password

   Passwords are universally accepted as weak
          One major breach led to the release of 32 million passwords *
         Nearly 50% of users use names, slang words, dictionary words or trivial
         passwords *
         Strong password use is hard to enforce


   Usability of username/password
         Easy to use
         Too many passwords to remember
         Reuse passwords or use simple passwords




* http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf

Single Sign-On (e.g. SAML2)

 Delegation
    Service Providers delegate authentication to an Identity Provider
    Sign-on once to access different web services
    Use one set of credentials to login to different services


 Benefits
    Users: Remember one password instead of dozens
    Providers: Easier to secure one system than to secure many


 Even greater need for strong authentication
    Puts all one’s eggs in one basket
    Most systems still use username and password
    Break one, break all

Smart Cards (or Secure Elements)

 Secure, portable, and tamper-resistant computer
 Multiple form factors
 Contact or Contactless (NFC: Near Field Communication)
 Applications
    Access control (physical, logical – e.g. Windows logon)
    Identity (citizen cards, passports, ID cards)
    Subscriber identification modules (SIM)
    Banking, etc.
 Using smart cards for the Web is a natural extension
    Strong two-factor authentication

Using Smart Cards in Web Applications

  The client-side stack, bottom to top:
     Smart card reader drivers – proprietary
     PC/SC API – standard API supported by all major operating systems,
        but not accessible from web applications
     Middleware – some are [industry] standards (e.g. MS CAPI, PKCS#11, Java API)
     Application – proprietary, specific (e.g. TLS authentication)
     Middleware and application both carry an installation & maintenance burden

  The missing piece: a bridge from the web application down to the PC/SC API

Enabling technology: SConnect

   SConnect is a Gemalto web browser extension
     •   For all relevant OS-browser combinations
     •   Smart Card JavaScript (and GWT) API
     •   Based on PC/SC – no middleware

   Built-in security features
     •   Force HTTPS
     •   Server verification
     •   Connection key bound to the server's SSL certificate
     •   User consent for smart card access

   Seamless user experience
     •   Prompt to download the extension if missing
     •   15 seconds to download and install

The smart card JS API: insertion events

// Handlers the extension invokes on card insertion/removal events.
var irCallback = {
  onCardInsertion : function(args) { // args holds card details (e.g. args.readerName)
    doApplicationOperations(args);
  },
  onCardRemoval : function(args) { /* handle card removal */ }
};
// Card access is only registered once the server has been validated
// and the user has consented.
var validateCallback = {
  onValidationSuccess : function() {
    SConnect.PCSC.registerCardIRHandler(irCallback);
  },
  onValidationFailed : function(args) { /* report the failure to the user */ }
};
window.onload = function() { // omitting install check…
  // trigger server validation and user consent popup
  SConnect.ValidateServer(validateCallback);
};
window.onunload = function() {
  SConnect.PCSC.unRegisterCardIRHandler();
};

The smart card JS API: card communication

function doApplicationOperations(args) {
  var pcsc = new SConnect.PCSC();
  // connect to the reader the card was inserted in.
  if (!pcsc.connect(args.readerName)) {
    alert("Can't connect to reader: " + args.readerName);
    return;
  }
  // start a PC/SC transaction so no other process interleaves its own APDUs
  var myTransaction = pcsc.beginTransaction();
  try {
    // send a SELECT-by-AID command APDU to the card (hex-encoded);
    // the response ends with the two status bytes SW1 SW2 (9000 = success)
    var cardResp = pcsc.transmit("00A4040007A0000000030000");
  } catch (e) {
    console.error(e.message || e);
  } finally {
    pcsc.endTransaction(myTransaction);
  }
}

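The slide sends the SELECT command as an opaque hex string and never looks at the response. The following is an added example, not part of the SConnect slides, showing how that string is built from its ISO 7816-4 fields and how the status word SW1 SW2 at the end of every response is decoded, including the wrong-PIN retry counter and "not found" cases an authentication page must not mistake for success. The byte layout is the ISO standard; the transmit function passed to selectApplication() is an assumed stand-in for SConnect.PCSC.transmit (hex string in, hex string out).

```javascript
// Added example (ISO 7816-4 APDU encoding/decoding), not Gemalto code.
function toHexByte(b) {
  return b.toString(16).padStart(2, "0").toUpperCase();
}

// Case-3 short APDU: CLA INS P1 P2 Lc Data (no Le field).
function buildApdu(cla, ins, p1, p2, dataHex) {
  if (!/^([0-9A-Fa-f]{2})+$/.test(dataHex) || dataHex.length / 2 > 255) {
    throw new Error("data must be 1..255 whole bytes (short APDU)");
  }
  return toHexByte(cla) + toHexByte(ins) + toHexByte(p1) + toHexByte(p2) +
    toHexByte(dataHex.length / 2) + dataHex.toUpperCase();
}

// SELECT (INS A4) by DF name / AID, first or only occurrence (P1=04, P2=00).
function selectByAid(aidHex) {
  return buildApdu(0x00, 0xa4, 0x04, 0x00, aidHex);
}

// Split a response into data and status word and classify the cases a
// card-based login page has to tell apart.
function parseResponse(respHex) {
  if (!/^([0-9A-Fa-f]{2}){2,}$/.test(respHex)) {
    throw new Error("response must be whole bytes ending in SW1 SW2");
  }
  var sw = respHex.slice(-4).toUpperCase();
  var sw1 = parseInt(sw.slice(0, 2), 16);
  var sw2 = parseInt(sw.slice(2), 16);
  var status, pinRetries = null;
  if (sw === "9000") {
    status = "ok";
  } else if (sw1 === 0x61) {
    status = "ok-more-data";   // sw2 more bytes available via GET RESPONSE
  } else if (sw1 === 0x63 && (sw2 & 0xf0) === 0xc0) {
    status = "wrong-pin";      // 63 Cx: verification failed, x tries left
    pinRetries = sw2 & 0x0f;
  } else if (sw === "6983") {
    status = "pin-blocked";    // authentication method blocked
  } else if (sw === "6A82") {
    status = "not-found";      // file or application not found
  } else {
    status = "error";
  }
  return { data: respHex.slice(0, -4).toUpperCase(), sw: sw,
           status: status, pinRetries: pinRetries };
}

// Send SELECT through a transmit function (assumed: hex in, hex out) and
// refuse to continue on anything but success, so a missing applet or a
// card error is never silently treated as a selected application.
function selectApplication(transmit, aidHex) {
  var resp = parseResponse(transmit(selectByAid(aidHex)));
  if (resp.status !== "ok" && resp.status !== "ok-more-data") {
    throw new Error("SELECT " + aidHex + " failed, SW=" + resp.sw);
  }
  return resp;
}
```

With the slide's AID, selectByAid("A0000000030000") yields exactly the string the slide transmits, "00A4040007A0000000030000". The retry counter in 63 Cx is what a page should surface to the user before the card blocks the PIN (6983), since a blocked card is unrecoverable from the browser.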
Demo: Smart card PKI authentication

  Participants: End User, Smart Card, Browser Client, Auth Server
  (HTTPS + server validation between Browser Client and Auth Server)

     1. End User → Smart Card: insert card & enter PIN
     2. Smart Card: verify PIN
     3. Browser Client → Auth Server: get challenge from server
     4. Smart Card: sign challenge
     5. Auth Server: verify signature on server
     6. Auth Server → Browser Client: authentication status

  Full showcase: http://www.utopiagov.com

Smart-card-based web applications

    Authentication
       PKI authentication
       OTP authentication
       Secret keys


    Digital signature
       PKI / OTP / Secret keys


    Online card content management
       Lazy activation
       PKI certificate renewal
       Card application updates
       New card application deployment


…

Standardization

 Benefits
    Removes the need for a browser extension
    Increases the number of OS/browser combinations (esp. on mobile)
    No dependency on proprietary solution


 W3C APIs
    SysApp Working Group, launched in Q4 2012
        Runtime environment and APIs that let trusted applications integrate
        closely with the operating system's functionality
        Smart card (Secure Element) in phase 2
    Secure Element API expected in 2014
    Near Field Communications (NFC) Working Group
        Includes: Communication with contactless cards

Conclusions

 Internet Security…
    Single-factor, knowledge based authentication is weak


 Smart Cards…
    Provide enhanced security while working within the constraints of
    established enterprise and government frameworks


 Market…
    Adoption occurs only when increased security makes economic
    sense


 Standards…
    W3C Secure Element and NFC APIs

Thanks

Questions?

More Related Content

What's hot

Protecting Online Identities - MIX09
Protecting Online Identities - MIX09Protecting Online Identities - MIX09
Protecting Online Identities - MIX09Jorgen Thelin
 
Securing a Web App with Security Keys
Securing a Web App with Security KeysSecuring a Web App with Security Keys
Securing a Web App with Security KeysFIDO Alliance
 
WebAuthn and Security Keys
WebAuthn and Security KeysWebAuthn and Security Keys
WebAuthn and Security KeysFIDO Alliance
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014   introduction to open id connect and o-auth 2Mit 2014   introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Justin Richer
 
Getting Started With WebAuthn
Getting Started With WebAuthnGetting Started With WebAuthn
Getting Started With WebAuthnFIDO Alliance
 
Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Brian Spector
 
Uno, nessuno o 10.000, la gestione dell'identità ai tempi di Microsoft Azure
Uno, nessuno o 10.000, la gestione dell'identità ai tempi di Microsoft AzureUno, nessuno o 10.000, la gestione dell'identità ai tempi di Microsoft Azure
Uno, nessuno o 10.000, la gestione dell'identità ai tempi di Microsoft AzureGiuliano Latini
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO Alliance
 
CIS13: Identity at Scale
CIS13: Identity at ScaleCIS13: Identity at Scale
CIS13: Identity at ScaleCloudIDSummit
 
SSO Strategy Implementation Considerations
SSO Strategy Implementation ConsiderationsSSO Strategy Implementation Considerations
SSO Strategy Implementation ConsiderationsJohn Bauer
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Hitachi, Ltd. OSS Solution Center.
 
Single SignOn with Federation using Claims
Single SignOn with Federation using ClaimsSingle SignOn with Federation using Claims
Single SignOn with Federation using ClaimsVolkan Uzun
 
Go passwordless with fido2
Go passwordless with fido2Go passwordless with fido2
Go passwordless with fido2Rob Dudley
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitOAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitBrian Campbell
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCloudIDSummit
 
Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Oliver Pfaff
 
Securing Android Applications
Securing Android ApplicationsSecuring Android Applications
Securing Android ApplicationsInfosys
 
ASP.NET Single Sign On
ASP.NET Single Sign OnASP.NET Single Sign On
ASP.NET Single Sign Onleastprivilege
 
OpenID Connect via WebIntents
OpenID Connect via WebIntentsOpenID Connect via WebIntents
OpenID Connect via WebIntentsNov Matake
 

What's hot (20)

Protecting Online Identities - MIX09
Protecting Online Identities - MIX09Protecting Online Identities - MIX09
Protecting Online Identities - MIX09
 
Securing a Web App with Security Keys
Securing a Web App with Security KeysSecuring a Web App with Security Keys
Securing a Web App with Security Keys
 
WebAuthn and Security Keys
WebAuthn and Security KeysWebAuthn and Security Keys
WebAuthn and Security Keys
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014   introduction to open id connect and o-auth 2Mit 2014   introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
 
Getting Started With WebAuthn
Getting Started With WebAuthnGetting Started With WebAuthn
Getting Started With WebAuthn
 
Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016
 
Uno, nessuno o 10.000, la gestione dell'identità ai tempi di Microsoft Azure
Uno, nessuno o 10.000, la gestione dell'identità ai tempi di Microsoft AzureUno, nessuno o 10.000, la gestione dell'identità ai tempi di Microsoft Azure
Uno, nessuno o 10.000, la gestione dell'identità ai tempi di Microsoft Azure
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
 
CIS13: Identity at Scale
CIS13: Identity at ScaleCIS13: Identity at Scale
CIS13: Identity at Scale
 
SSO Strategy Implementation Considerations
SSO Strategy Implementation ConsiderationsSSO Strategy Implementation Considerations
SSO Strategy Implementation Considerations
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?
 
Single SignOn with Federation using Claims
Single SignOn with Federation using ClaimsSingle SignOn with Federation using Claims
Single SignOn with Federation using Claims
 
Go passwordless with fido2
Go passwordless with fido2Go passwordless with fido2
Go passwordless with fido2
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitOAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
 
Auth-Shield
Auth-ShieldAuth-Shield
Auth-Shield
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
 
Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'
 
Securing Android Applications
Securing Android ApplicationsSecuring Android Applications
Securing Android Applications
 
ASP.NET Single Sign On
ASP.NET Single Sign OnASP.NET Single Sign On
ASP.NET Single Sign On
 
OpenID Connect via WebIntents
OpenID Connect via WebIntentsOpenID Connect via WebIntents
OpenID Connect via WebIntents
 

Viewers also liked

Internet Apps powered by NoSQL and JavaScript
Internet Apps powered by NoSQL and JavaScriptInternet Apps powered by NoSQL and JavaScript
Internet Apps powered by NoSQL and JavaScriptLuca Garulli
 
Les 2 leven in een kennis, netwerk en risicomij
Les 2 leven in een kennis, netwerk en risicomijLes 2 leven in een kennis, netwerk en risicomij
Les 2 leven in een kennis, netwerk en risicomijwimerkelbout
 
New microsoft power point presentation
New microsoft power point presentationNew microsoft power point presentation
New microsoft power point presentationUzma Waqas
 
Story of a Tiny Frog - The Achiever
Story of a Tiny Frog - The AchieverStory of a Tiny Frog - The Achiever
Story of a Tiny Frog - The AchieverGurpreet Tikku
 
Deveo
DeveoDeveo
DeveoDeveo
 
Dev ops 2016 dockerizing the it
Dev ops 2016 dockerizing the itDev ops 2016 dockerizing the it
Dev ops 2016 dockerizing the itDeveo
 
Les 4 sociaal culturele praktijken
Les 4 sociaal culturele praktijkenLes 4 sociaal culturele praktijken
Les 4 sociaal culturele praktijkenwimerkelbout
 
Les 6 de culturele functie
Les 6 de culturele functieLes 6 de culturele functie
Les 6 de culturele functiewimerkelbout
 
Tire Rotation Instructions
Tire Rotation InstructionsTire Rotation Instructions
Tire Rotation Instructionsdirtrider88
 
Comparison of issue tracking in major SCM tools
Comparison of issue tracking in major SCM toolsComparison of issue tracking in major SCM tools
Comparison of issue tracking in major SCM toolsDeveo
 
Pre diabetes presentation
Pre diabetes presentationPre diabetes presentation
Pre diabetes presentationPouya Shafipour
 

Viewers also liked (20)

Internet Apps powered by NoSQL and JavaScript
Internet Apps powered by NoSQL and JavaScriptInternet Apps powered by NoSQL and JavaScript
Internet Apps powered by NoSQL and JavaScript
 
Les 2 leven in een kennis, netwerk en risicomij
Les 2 leven in een kennis, netwerk en risicomijLes 2 leven in een kennis, netwerk en risicomij
Les 2 leven in een kennis, netwerk en risicomij
 
New microsoft power point presentation
New microsoft power point presentationNew microsoft power point presentation
New microsoft power point presentation
 
Chinastyle
ChinastyleChinastyle
Chinastyle
 
Story of a Tiny Frog - The Achiever
Story of a Tiny Frog - The AchieverStory of a Tiny Frog - The Achiever
Story of a Tiny Frog - The Achiever
 
Deveo
DeveoDeveo
Deveo
 
Dev ops 2016 dockerizing the it
Dev ops 2016 dockerizing the itDev ops 2016 dockerizing the it
Dev ops 2016 dockerizing the it
 
List+of+pharm+journals
List+of+pharm+journalsList+of+pharm+journals
List+of+pharm+journals
 
Les 4 sociaal culturele praktijken
Les 4 sociaal culturele praktijkenLes 4 sociaal culturele praktijken
Les 4 sociaal culturele praktijken
 
Les 6 de culturele functie
Les 6 de culturele functieLes 6 de culturele functie
Les 6 de culturele functie
 
Tire Rotation Instructions
Tire Rotation InstructionsTire Rotation Instructions
Tire Rotation Instructions
 
Comparison of issue tracking in major SCM tools
Comparison of issue tracking in major SCM toolsComparison of issue tracking in major SCM tools
Comparison of issue tracking in major SCM tools
 
Oral ulcers
Oral ulcersOral ulcers
Oral ulcers
 
Career planning
Career  planningCareer  planning
Career planning
 
Omd 411
Omd 411Omd 411
Omd 411
 
Pre diabetes presentation
Pre diabetes presentationPre diabetes presentation
Pre diabetes presentation
 
Oral ulcer revision 1
Oral ulcer revision 1Oral ulcer revision 1
Oral ulcer revision 1
 
pigmented lesions
pigmented lesionspigmented lesions
pigmented lesions
 
Whit lesions
Whit lesionsWhit lesions
Whit lesions
 
Pigmentation today
Pigmentation todayPigmentation today
Pigmentation today
 

Similar to Securing online services by combining smart cards and web-based applications

WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
 WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATUREProfesia Srl, Lynx Group
 
Narrative of digital signature technology and moving forward
Narrative of digital signature technology and moving forwardNarrative of digital signature technology and moving forward
Narrative of digital signature technology and moving forwardConference Papers
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable CredentialsTorsten Lodderstedt
 
Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Satheesh Kumar V
 
Adobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES SecurityAdobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES Securityguest2a5a03
 
Blockchain and IAM for IOT Edge Authentication
Blockchain and IAM for IOT Edge AuthenticationBlockchain and IAM for IOT Edge Authentication
Blockchain and IAM for IOT Edge Authenticationdsapps
 
SmartCard Forum 2011 - Evolution of authentication market
SmartCard Forum 2011 - Evolution of authentication marketSmartCard Forum 2011 - Evolution of authentication market
SmartCard Forum 2011 - Evolution of authentication marketOKsystem
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
Hypori Performance Webinar
Hypori Performance WebinarHypori Performance Webinar
Hypori Performance WebinarGrafic.guru
 
What’s New in WSO2 IoT Server 3.1.0
What’s New in WSO2 IoT Server 3.1.0What’s New in WSO2 IoT Server 3.1.0
What’s New in WSO2 IoT Server 3.1.0WSO2
 
Make the Smartcard great again
Make the Smartcard great againMake the Smartcard great again
Make the Smartcard great againEric Larcheveque
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
Mobile Devices & BYOD Security – Deployment & Best Practices
Mobile Devices & BYOD Security – Deployment & Best PracticesMobile Devices & BYOD Security – Deployment & Best Practices
Mobile Devices & BYOD Security – Deployment & Best PracticesCisco Canada
 
eMAS Multifactor Authentication
eMAS Multifactor AuthenticationeMAS Multifactor Authentication
eMAS Multifactor AuthenticationKalyana Sundaram
 
Leveraging the strength of OSGi to deliver a convergent IoT Ecosystem - O Log...
Leveraging the strength of OSGi to deliver a convergent IoT Ecosystem - O Log...Leveraging the strength of OSGi to deliver a convergent IoT Ecosystem - O Log...
Leveraging the strength of OSGi to deliver a convergent IoT Ecosystem - O Log...mfrancis
 
Experiences in federated access control for UK e-Science
Experiences in federated access control for UK e-ScienceExperiences in federated access control for UK e-Science
Experiences in federated access control for UK e-ScienceEduserv Foundation
 
Smart OpenID & Mobile Network Security
Smart OpenID & Mobile Network SecuritySmart OpenID & Mobile Network Security
Smart OpenID & Mobile Network SecurityAndreas Leicher
 

Similar to Securing online services by combining smart cards and web-based applications (20)

WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
 WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
 
Narrative of digital signature technology and moving forward
Narrative of digital signature technology and moving forwardNarrative of digital signature technology and moving forward
Narrative of digital signature technology and moving forward
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
 
Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017
 
Key2 share moosecon
Key2 share mooseconKey2 share moosecon
Key2 share moosecon
 
Adobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES SecurityAdobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES Security
 
Managing Windows RT devices in the Enterprise
Managing Windows RT devices in the Enterprise Managing Windows RT devices in the Enterprise
Managing Windows RT devices in the Enterprise
 
ISS SA le presenta IdentityGuard de Entrust
ISS SA le presenta IdentityGuard de EntrustISS SA le presenta IdentityGuard de Entrust
ISS SA le presenta IdentityGuard de Entrust
 
Blockchain and IAM for IOT Edge Authentication
Blockchain and IAM for IOT Edge AuthenticationBlockchain and IAM for IOT Edge Authentication
Blockchain and IAM for IOT Edge Authentication
 
SmartCard Forum 2011 - Evolution of authentication market
SmartCard Forum 2011 - Evolution of authentication marketSmartCard Forum 2011 - Evolution of authentication market
SmartCard Forum 2011 - Evolution of authentication market
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
Hypori Performance Webinar
Hypori Performance WebinarHypori Performance Webinar
Hypori Performance Webinar
 
What’s New in WSO2 IoT Server 3.1.0
What’s New in WSO2 IoT Server 3.1.0What’s New in WSO2 IoT Server 3.1.0
What’s New in WSO2 IoT Server 3.1.0
 
Make the Smartcard great again
Make the Smartcard great againMake the Smartcard great again
Make the Smartcard great again
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
Mobile Devices & BYOD Security – Deployment & Best Practices
Mobile Devices & BYOD Security – Deployment & Best PracticesMobile Devices & BYOD Security – Deployment & Best Practices
Mobile Devices & BYOD Security – Deployment & Best Practices
 
eMAS Multifactor Authentication
eMAS Multifactor AuthenticationeMAS Multifactor Authentication
eMAS Multifactor Authentication
 
Leveraging the strength of OSGi to deliver a convergent IoT Ecosystem - O Log...
Leveraging the strength of OSGi to deliver a convergent IoT Ecosystem - O Log...Leveraging the strength of OSGi to deliver a convergent IoT Ecosystem - O Log...
Leveraging the strength of OSGi to deliver a convergent IoT Ecosystem - O Log...
 
Experiences in federated access control for UK e-Science
Experiences in federated access control for UK e-ScienceExperiences in federated access control for UK e-Science
Experiences in federated access control for UK e-Science
 
Smart OpenID & Mobile Network Security
Smart OpenID & Mobile Network SecuritySmart OpenID & Mobile Network Security
Smart OpenID & Mobile Network Security
 

Recently uploaded

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 

Securing online services by combining smart cards and web-based applications

  • 1. Securing online services by combining smart cards and web-based applications
       A. Olivier Potonniée, Asad Ali, Laurent Castillo, Darmawan Suwirya, Karen Lu
       Gemalto Technology & Innovations
       November 17, 2012 – JS.everywhere()
  • 2. Overview
       The need for strong authentication
       Existing solutions
       A new, usable, smart-card-based authentication
       Smart card JavaScript API
         SConnect, a Gemalto browser extension
         Upcoming W3C standardization activity
  • 3. Introduction
       Web applications are part of our daily lives
         Environment: work; communication; social
         Applications: banking; shopping; entertainment
       Security breaches & online identity thefts are on the rise
         This can happen on both the client side and the server side.
       User authentication is the door keeper
       Impact of security breaches
         Financial loss and pain to institutions and customers
         Loss of key assets, reputation damage
  • 4. Authentication: Current State
       Most websites use single-factor authentication – the password
       Passwords are universally accepted as weak
         One major breach led to the release of 32 million passwords *
         Nearly 50% of users use names, slang words, dictionary words or trivial passwords *
         Strong password use is hard to enforce
       Usability of username/password
         Easy to use
         Too many passwords to remember
         Users reuse passwords or use simple passwords
       * http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf
  • 5. Single Sign-On (SAML2)
       Delegation
         Service Providers delegate authentication to an Identity Provider
         Sign on once to access different web services
         Use one set of credentials to log in to different services
       Benefits
         Users: Remember one password instead of dozens
         Providers: Easier to secure one system than to secure many
       Even greater need for strong authentication
         Puts all one's eggs in one basket
         Most systems still use username and password
         Break one, break all
  • 6. Smart Cards (or Secure Elements)
       Secure, portable, and tamper-resistant computer
       Multiple form factors
         Contact or Contactless (NFC: Near Field Communication)
       Applications
         Access control (physical, logical – e.g. Windows logon)
         Identity (citizen cards, passports, ID cards)
         Subscriber identification modules (SIM)
         Banking, etc.
       Using smart cards for the Web is a natural extension
         Strong two-factor authentication
  • 7. Using Smart Cards in Web Applications
       [Diagram: the smart card communication stack, top to bottom]
         Application
         ? – the missing piece
         Middleware – proprietary, specific (e.g. TLS authentication); some are [industry] standards (e.g. MS CAPI, PKCS#11, Java API)
         PC/SC API – standard API supported by all major operating systems, but not accessible from web applications
         Proprietary reader drivers
         Smart card
       [Side annotation on the lower layers: Installation & maintenance]
  • 8. Enabling technology: SConnect
       SConnect is a Gemalto web browser extension
         For all relevant OS-browser combinations
         Smart Card JavaScript (and GWT) API
         Based on PC/SC – no middleware
       Built-in security features
         Force HTTPS
         Server verification
         Connection key linking to the server's SSL certificate
         User consent for smart card access
       Seamless user experience
         Prompt to download the extension if missing
         15 seconds to download and install
       [Diagram labels: BROWSERS, OPERATING SYSTEMS, INSTALL 15s]
  • 9. The smart card JS API: insertion events

       var irCallback = {
         onCardInsertion : function(args) {
           // args holds card details
           doApplicationOperations(args);
         },
         onCardRemoval : function(args) { /* whatever */ }
       };

       var validateCallback = {
         onValidationSuccess : function() {
           SConnect.PCSC.registerCardIRHandler(irCallback);
         },
         onValidationFailed : function(args) { /* whatever */ }
       };

       window.onload = function() {
         // omitting install check…
         // trigger server validation and user consent popup
         SConnect.ValidateServer(validateCallback);
       };

       window.onunload = function() {
         SConnect.PCSC.unRegisterCardIRHandler();
       };
  • 10. The smart card JS API: card communication

       function doApplicationOperations(args) {
         var g_scom = new SConnect.PCSC();

         // connect to the reader reported by the insertion event
         if (g_scom.connect(args.readerName) == false) {
           alert("Can't connect to reader : " + args.readerName);
           return;
         }

         // start a PC/SC transaction so no other process interleaves commands
         var myTransaction = g_scom.beginTransaction();
         try {
           // send a command APDU (here: SELECT by AID) to the card
           var cardResp = g_scom.transmit("00A4040007A0000000030000");
         } catch (e) {
           log(e.getMessage()); // log(): application-supplied logging helper
         } finally {
           g_scom.endTransaction(myTransaction);
         }
       }
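The hex string passed to transmit() on slide 10 is an ISO 7816-4 command APDU, and what comes back carries the card's status word. The following is an added example, not code from the slides or from the SConnect API: a small short-APDU encoder/decoder in plain Node.js (no smart-card library) that takes the SELECT command apart, rebuilds it from an AID, and interprets a handful of status words a PIN- or file-related operation can return. The function names are ours.

```javascript
// Added example (not from the slides or the SConnect API): a small ISO 7816-4
// short-APDU encoder/decoder, to show what the hex string handed to transmit()
// on slide 10 carries and how to read the status word a card sends back.
// Plain Node.js, no smart-card library involved.

function hexToBytes(hex) {
  if (typeof hex !== "string" || hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) {
    throw new Error("invalid hex string: " + hex);
  }
  return Buffer.from(hex, "hex");
}

// Decode a short command APDU: CLA INS P1 P2 [Lc data] [Le] (cases 1-4).
function parseCommandApdu(hex) {
  const b = hexToBytes(hex);
  if (b.length < 4) throw new Error("command APDU needs at least CLA INS P1 P2");
  const apdu = { cla: b[0], ins: b[1], p1: b[2], p2: b[3], data: "", le: null };
  const body = b.subarray(4);
  if (body.length === 0) return apdu;                           // case 1: header only
  if (body.length === 1) { apdu.le = body[0]; return apdu; }    // case 2: Le only
  const lc = body[0];
  if (body.length === 1 + lc) {                                  // case 3: Lc + data
    apdu.data = body.subarray(1).toString("hex").toUpperCase();
  } else if (body.length === 2 + lc) {                           // case 4: Lc + data + Le
    apdu.data = body.subarray(1, 1 + lc).toString("hex").toUpperCase();
    apdu.le = body[1 + lc];
  } else {
    throw new Error("Lc (" + lc + ") does not match the data length");
  }
  return apdu;
}

// Build the SELECT-by-AID command used on slide 10: CLA=00 INS=A4 P1=04 P2=00 Lc AID.
function buildSelectByAid(aidHex) {
  const aid = hexToBytes(aidHex);
  if (aid.length < 5 || aid.length > 16) throw new Error("AID must be 5..16 bytes");
  return Buffer.concat([Buffer.from([0x00, 0xa4, 0x04, 0x00, aid.length]), aid])
    .toString("hex").toUpperCase();
}

// Map a few ISO 7816-4 status words to text; anything else is left unrecognised.
function describeStatus(sw1, sw2) {
  if (sw1 === 0x90 && sw2 === 0x00) return "success";
  if (sw1 === 0x61) return "success, " + sw2 + " more byte(s) available (GET RESPONSE)";
  if (sw1 === 0x63 && (sw2 & 0xf0) === 0xc0) return "verification failed, " + (sw2 & 0x0f) + " attempt(s) remaining";
  if (sw1 === 0x69 && sw2 === 0x82) return "security status not satisfied (e.g. PIN not verified)";
  if (sw1 === 0x6a && sw2 === 0x82) return "file or application not found";
  return "unrecognised status word";
}

// Split a response APDU into data and SW1 SW2; ok is true only for 9000.
function parseResponseApdu(hex) {
  const b = hexToBytes(hex);
  if (b.length < 2) throw new Error("response APDU needs at least SW1 SW2");
  const sw1 = b[b.length - 2], sw2 = b[b.length - 1];
  return {
    data: b.subarray(0, b.length - 2).toString("hex").toUpperCase(),
    sw1: sw1,
    sw2: sw2,
    sw: ((sw1 << 8) | sw2).toString(16).toUpperCase().padStart(4, "0"),
    ok: sw1 === 0x90 && sw2 === 0x00,
    description: describeStatus(sw1, sw2),
  };
}
```

A web application driving a card through transmit() should check the status word of every response rather than only catching exceptions: a 63Cx after a VERIFY, for instance, is a normal response that reports how many PIN attempts remain, and treating it as success would let the application proceed with a card that is not authenticated.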
  • 11. Demo: Smart card PKI authentication
       Actors: End User, Smart Card, Browser Client, Auth Server (HTTPS + Validation)
         1. Insert card & enter PIN
         2. Verify PIN
         3. Get challenge from server
         4. Sign challenge
         5. Verify signature on Server
         6. Authentication Status
       Full showcase: http://www.utopiagov.com
  • 12. Smart-card-based web applications
       Authentication
         PKI authentication
         OTP authentication
         Secret keys
       Digital signature
         PKI / OTP / Secret keys
       Online card content management
         Lazy activation
         PKI certificate renewal
         Card application updates
         New card application deployment
         …
  • 13. Standardization
       Benefits
         Removes the need for a browser extension
         Increases the number of OS/browser combinations (esp. on mobile)
         No dependency on a proprietary solution
       W3C APIs
         SysApp Working Group, launched in Q4 2012
           Runtime environment and APIs that let trusted applications integrate closely with the operating system's functionality
           Smart card (Secure Element) in phase 2
           Secure Element API expected in 2014
         Near Field Communications (NFC) Working Group
           Includes: Communication with contactless cards
  • 14. Conclusions
       Internet Security… Single-factor, knowledge-based authentication is weak
       Smart Cards… Provide enhanced security while working within the constraints of established enterprise and government frameworks
       Market… Adoption occurs only when increased security makes economic sense
       Standards… W3C Secure Element and NFC APIs
  • 15. Thanks. Questions?

Editor's Notes

  1. Communication Stack
     Smart card communication standard
     Standard API supported by all major operating systems, but not accessible from web applications
     Middleware – browser / platform dependent
       CAPI on Windows, PKCS#11, OpenCard Framework (OCF), JSR 177, SIM Toolkit…
     Usability
       User interface not coupled with web application
       Terminology not understood by non-technical users
     Different architectures for browsers / platforms
       Different middleware on different platforms
       Software upgrade issues
       End user installation issues
     Middleware-based TLS mutual authentication
       Pros: Conventional smart cards; strong authentication
       Cons: Browser / platform dependency; Usability, a single use case
     Java applet
       Pros: Complete and standardized smart card API
       Cons: requires Java VM
     Internet smart card
       Pros: Security; Easy to use once set up
       Cons: IP routing setup, legacy cards