Using smart cards in web applications

Using smart cards in web applications

Andreas Schwier (ML)
Dear all,

in the OpenSCDP project we have released a new version of the Scripting
Server that now allows web applications to remotely access smart cards
at the client. This makes the integration of smart cards in web
applications a little bit easier.

The implementation uses the RAMoverHTTP protocol that Global Platform
defined for remote management of secure elements from a Trusted Service
Manager (TSM).

The protocol provides a transparent APDU channel between the client and
the server using HTTP POST and TLV encoded command and response
templates. While the implementation has been done to support remote
management of SmartCard-HSMs, it can be used for any kind of ISO 7816-4
smart card.

Look at [1] for more details.

Andreas


[1] http://www.openscdp.org/scriptingserver/remoteterminal.html

--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org


_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
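
The TLV command and response templates described in the announcement above, sketched from the server's point of view. This is an added example, not part of the original post and not OpenSCDP code. The tag values (AA, 22, AB, 23, 80) are assumed from the definite-length expanded remote APDU format of ETSI TS 102 226 and are not listed in the thread; the POST body is treated as untrusted input.

```python
# Added example. Tag values are assumed from ETSI TS 102 226 (not in the thread).
CMD_SCRIPT, C_APDU, RSP_SCRIPT, R_APDU, EXECUTED = 0xAA, 0x22, 0xAB, 0x23, 0x80

def tlv(tag, value):  # single-byte tag, definite BER length
    n = len(value)
    size = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    first = n if n < 0x80 else 0x80 | len(size)
    return bytes([tag, first]) + size + value

def parse_tlvs(buf):
    """Return [(tag, value), ...]; reject truncated or indefinite lengths."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated TLV header")
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n >= 0x80:
            k = n & 0x7F
            if k not in (1, 2) or i + k > len(buf):
                raise ValueError("unsupported or truncated length")
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        if i + n > len(buf):
            raise ValueError("value runs past end of buffer")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def build_command_script(c_apdus):
    """Server: wrap the C-APDUs for the card into one command template."""
    return tlv(CMD_SCRIPT, b"".join(tlv(C_APDU, a) for a in c_apdus))

def parse_response_script(body, sent):
    """Server: validate the client's POST body; return (executed, [(data, sw)])."""
    items = parse_tlvs(body)
    if len(items) != 1 or items[0][0] != RSP_SCRIPT:
        raise ValueError("expected exactly one response template")
    executed, results = None, []
    for tag, val in parse_tlvs(items[0][1]):
        if tag == EXECUTED and len(val) == 1 and executed is None:
            executed = val[0]
        elif tag == R_APDU and len(val) >= 2:
            results.append((val[:-2], int.from_bytes(val[-2:], "big")))
        else:
            raise ValueError("unexpected object in response template")
    if executed is None or executed > sent or len(results) > executed:
        raise ValueError("executed-command count is inconsistent")
    return executed, results
```
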
Re: Using smart cards in web applications

Andreas Schwier (ML)
A demo application is now available at [1].

Andreas

[1] http://demo.openscdp.org


On 14.10.2013 22:22, Andreas Schwier (ML) wrote:

> Dear all,
>
> in the OpenSCDP project we have released a new version of the Scripting
> Server that now allows web applications to remotely access smart cards
> at the client. This makes the integration of smart cards in web
> applications a little bit easier.
>
> The implementation uses the RAMoverHTTP protocol that Global Platform
> defined for remote management of secure elements from a Trusted Service
> Manager (TSM).
>
> The protocol provides a transparent APDU channel between the client and
> the server using HTTP POST and TLV encoded command and response
> templates. While the implementation has been done to support remote
> management of SmartCard-HSMs, it can be used for any kind of ISO 7816-4
> smart card.
>
> Look at [1] for more details.
>
> Andreas
>
>
> [1] http://www.openscdp.org/scriptingserver/remoteterminal.html
>


--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org



Re: Using smart cards in web applications

Anders Rundgren-2
On 2013-12-03 13:17, Andreas Schwier (ML) wrote:
> A demo application is now available at [1].
>
> Andreas
>
> [1] http://demo.openscdp.org
>

A snag with this is that there's no apparent need for "personalizing" smart cards
or doing EAC from a web browser. If you are rather thinking about other web/http
clients there are already established solutions out there.

I was recently at a W3C meeting in China where among many things Gemalto's
SE API was discussed.  A somewhat vocal person from Google claimed it was
"The most scary API he had ever seen"...

If the smart card community absolutely needs to put 7816 on the web they will
have to act as a community and also do this at "Google speed", otherwise
the TEE monster will eat their lunch.  The TEE APIs (as featured in KitKat)
operate at a level that even crypto n00bs can use by looking at [future]
code snippets on "Stackoverflow".

On the web, all you need are keys, while crypto-using applications are
either written in native or web code.  For supplying keys over the web
you need a key generation/initiation protocol like Google's U2F or
yours truly's SKS/KeyGen2 which unlike 7816 were _designed_ for the web.

Here is another "camp" also trying to get their [severely dated] standard
compatible with the new world:
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=pkcs11
They apparently don't see the obvious: creating keys and using keys are
two entirely different use-cases.  Cramming provisioning into p11 is
a genuinely bad idea because p11 wasn't designed for usage in an
untrusted environment requiring full E2ES (End To End Security).

Anders
pardon for being a PITA but somebody got to play this part as well :-)

>
> On 14.10.2013 22:22, Andreas Schwier (ML) wrote:
>> Dear all,
>>
>> in the OpenSCDP project we have released a new version of the Scripting
>> Server that now allows web applications to remotely access smart cards
>> at the client. This makes the integration of smart cards in web
>> applications a little bit easier.
>>
>> The implementation uses the RAMoverHTTP protocol that Global Platform
>> defined for remote management of secure elements from a Trusted Service
>> Manager (TSM).
>>
>> The protocol provides a transparent APDU channel between the client and
>> the server using HTTP POST and TLV encoded command and response
>> templates. While the implementation has been done to support remote
>> management of SmartCard-HSMs, it can be used for any kind of ISO 7816-4
>> smart card.
>>
>> Look at [1] for more details.
>>
>> Andreas
>>
>>
>> [1] http://www.openscdp.org/scriptingserver/remoteterminal.html
>>
>
>



Re: Using smart cards in web applications

Andreas Schwier (ML)
Hi Anders,

it's not about personalizing smart cards over the web (even though we
have a customer that does exactly this ;-).

But until we have the brave new world you're describing we need
something more usable today. And I don't want to wait for the next big
thing like U2F that might never happen. I'm a little bit more pragmatic
and love to make things work without waiting for others to do the job.

Andreas

> pardon for being a PITA but somebody got to play this part as well :-)
True, and I find your input valuable ;-)


On 03.12.2013 15:14, Anders Rundgren wrote:

> On 2013-12-03 13:17, Andreas Schwier (ML) wrote:
>> A demo application is now available at [1].
>>
>> Andreas
>>
>> [1] http://demo.openscdp.org
>>
>
> A snag with this is that there's no apparent need for "personalizing" smart cards
> or doing EAC from a web browser. If you are rather thinking about other web/http
> clients there are already established solutions out there.
>
> I was recently at a W3C meeting in China where among many things Gemalto's
> SE API was discussed.  A somewhat vocal person from Google claimed it was
> "The most scary API he had ever seen"...
>
> If the smart card community absolutely needs to put 7816 on the web they will
> have to act as a community and also do this at "Google speed", otherwise
> the TEE monster will eat their lunch.  The TEE APIs (as featured in KitKat)
> operate at a level that even crypto n00bs can use by looking at [future]
> code snippets on "Stackoverflow".
>
> On the web, all you need are keys, while crypto-using applications are
> either written in native or web code.  For supplying keys over the web
> you need a key generation/initiation protocol like Google's U2F or
> yours truly's SKS/KeyGen2 which unlike 7816 were _designed_ for the web.
>
> Here is another "camp" also trying to get their [severely dated] standard
> compatible with the new world:
> https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=pkcs11
> They apparently don't see the obvious: creating keys and using keys are
> two entirely different use-cases.  Cramming provisioning into p11 is
> a genuinely bad idea because p11 wasn't designed for usage in an
> untrusted environment requiring full E2ES (End To End Security).
>
> Anders
> pardon for being a PITA but somebody got to play this part as well :-)
>
>>
>> On 14.10.2013 22:22, Andreas Schwier (ML) wrote:
>>> Dear all,
>>>
>>> in the OpenSCDP project we have released a new version of the Scripting
>>> Server that now allows web applications to remotely access smart cards
>>> at the client. This makes the integration of smart cards in web
>>> applications a little bit easier.
>>>
>>> The implementation uses the RAMoverHTTP protocol that Global Platform
>>> defined for remote management of secure elements from a Trusted Service
>>> Manager (TSM).
>>>
>>> The protocol provides a transparent APDU channel between the client and
>>> the server using HTTP POST and TLV encoded command and response
>>> templates. While the implementation has been done to support remote
>>> management of SmartCard-HSMs, it can be used for any kind of ISO 7816-4
>>> smart card.
>>>
>>> Look at [1] for more details.
>>>
>>> Andreas
>>>
>>>
>>> [1] http://www.openscdp.org/scriptingserver/remoteterminal.html
>>>
>>
>>
>


--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org

