• Status: Solved

Getting credentials from a smart card reader.

I am working on a web application in which we are wanting to verify users using a smart card with a USB smart card reader.  Will these create a client side variable that a web application can read?  If so, how would one go about finding that?  Let me know if this is too vague.  I know very little about smart card readers.
Asked by: HyperBPP
 
tstaddon Commented:
Do you have anything like the GemSafe Libraries, which would allow you to interface with the smart card?
 
HyperBPP (Author) Commented:
I just have the smart card reader installed. Will a commercial library like GemSafe need to be installed in order to use the reader? Or will it read at least the ostensible data on the card? Once again, I apologize for how little I know on this matter.

Can anyone suggest a site that might dispel some of my ignorance on this matter?
 
tstaddon Commented:
Normally you would either host an SSL certificate on the card and authenticate against the cert, or perhaps in some cases you might be able to identify the card itself.

One port of call, assuming this is an IIS / AD implementation, would be here:
http://choosing-a-blog-url-sucks.blogspot.com/2006/10/howto-implementing-smart-card.html

Depending on the infrastructure you have, though, you might consider using middleware rather than trying to develop the authentication method on the site itself. Especially if you have any kind of access to a RADIUS infrastructure that supports smart cards.

It really depends on your budget and infrastructure as to what solution's best for you, especially if this is just one application in a smorgasbord of web apps that you need to think about securing via smart card authentication.

Just as an example, I know of people using Imprivata (a single sign-on appliance solution) with RADIUS and smart card technology that's not only interfaced to the VPN solution, but also to the door entry system. Under this setup it's possible to ensure there are only two ways to log into a web app that uses a back-end database for its user store: go in through a VPN with the smart card and PIN, or badge into the building itself with your smart card before you log into a PC on the local subnet.
 
tstaddon Commented:
If you're using Windows 2003 and XP on the clients then in theory you don't need any "third party" software for smart card login, but that doesn't mean it's a no-brainer.

I found this link which pretty much covers the Microsoft end of things...

http://www.microsoft.com/technet/security/guidance/identitymanagement/smrtcdcb/default.mspx

But bear in mind, one thing Microsoft do NOT provide is CMS (aka Smart Card Management).

So, it might be fairly easy to enable an individual for smart card login without putting your hand in your pocket, since it's not massively difficult to assign a card to a user, but you probably wouldn't want to roll out 500 smart cards without a third party solution - Intercede, ActiveCard and GemAlto are the three players that immediately spring to mind.

This then brings into question how you'd develop an app that's portable to different customers with different CMS solutions, certification options etc - if you're developing an off-the-shelf solution for resale then this definitely needs more consideration but if it's for internal use only and you're working in a corporate environment then the best thing I can think of is that you talk to the network infrastructure team (assuming there is one) to find out if they have a PKI infrastructure, and work it from there.
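
The certificate-on-card approach suggested in the answers above, sketched as an added example (not code from the thread or from any product named in it): the web server demands a client certificate during the TLS handshake, and the application reads the verified certificate rather than the card itself. The function names, the enrollment table and the sample certificate are constructed for illustration.

```python
import ssl

def build_server_context(issuing_ca=None, server_cert=None, server_key=None):
    """Server-side TLS context that only completes a handshake with a client
    presenting a certificate that chains to issuing_ca (the card-issuing CA)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED      # no valid client cert, no session
    if issuing_ca:
        ctx.load_verify_locations(cafile=issuing_ca)
    if server_cert:
        ctx.load_cert_chain(server_cert, server_key)
    return ctx

def _flatten(name):
    """getpeercert() names are tuples of RDN tuples; flatten them to a dict."""
    return {key: value for rdn in name for key, value in rdn}

# Constructed enrollment table: (issuer CN, certificate serial) -> account.
ENROLLED = {("Example Card Issuing CA", "1A2B3C4D"): "demo.user"}

def account_for(peer_cert):
    """Map the dict from SSLSocket.getpeercert() to an application account.
    The card and PIN are handled by the client OS/browser; the application
    only ever sees the certificate the TLS layer has already verified."""
    if not peer_cert:                        # None or {}: nothing was verified
        raise PermissionError("no verified client certificate")
    issuer_cn = _flatten(peer_cert["issuer"]).get("commonName")
    account = ENROLLED.get((issuer_cn, peer_cert["serialNumber"]))
    if account is None:
        raise PermissionError("certificate is valid but not enrolled")
    return account

# Constructed sample in the shape getpeercert() returns after the handshake.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "Demo User"),),),
    "issuer": ((("commonName", "Example Card Issuing CA"),),),
    "serialNumber": "1A2B3C4D",
}

if __name__ == "__main__":
    print(build_server_context().verify_mode)   # VerifyMode.CERT_REQUIRED
    print(account_for(SAMPLE_PEER_CERT))        # demo.user
```

Keying the lookup on issuer plus serial number, rather than on the subject's common name alone, keeps a certificate from a different CA with the same name from mapping to the same account.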
