How to authenticate user by smart card in my website from chrome in mac


Pavan Kumar Reddy Malgari

Sep 23, 2014, 11:49:20 PM
to chromium...@chromium.org

- We are using normal form-based authentication as the first layer of protection in our web application.

- Later, the user is allowed to perform some actions.

- Now we want smart card protection for some of those actions.

How do we connect to the smart card, and how can we authenticate the user with it? Can we send normal APDU commands? Should we use applets, or what technology should we use to connect to the smart card?

Reilly Grant

Sep 24, 2014, 12:05:04 AM
to pavanr...@gmail.com, chromium...@chromium.org
Chrome does not support sending arbitrary APDUs to a smart card. Chrome can however use a smart card that stores an SSL client certificate to authenticate the user to the server.

--
--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss
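What Reilly's answer means for the server side: the card's job in the browser is to hold the client certificate and sign the TLS handshake; the web application then has to require and verify that certificate and, for the step-up case the original poster describes, bind the card's identity to the user who already logged in through the form. The following is an added example, not code from this thread or from Chromium. It is a self-contained Go program that stands up a loopback HTTPS server requiring client certificates from a constructed demo CA and plays the browser against it. The CA, the server certificate, the "alice" and "mallory" card certificates, the handler name `stepUpHandler`, `RunScenario`, and the `session_user` query parameter (a stand-in for the session-cookie lookup) are all constructed for the demo; in a real deployment the private key stays on the card and the browser, not this client, presents the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a P-256 key and a certificate for cn; with parent == nil it is self-signed and marked CA (constructed stand-in for the CA that issued the card certificates).
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		DNSNames:              []string{"localhost"},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// stepUpHandler guards a sensitive action. TLS has already verified that the client certificate chains to
// our CA; the handler binds the card's identity to the form-authenticated session, so that a valid card belonging to someone else cannot approve this user's action.
func stepUpHandler(w http.ResponseWriter, r *http.Request) {
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		http.Error(w, "client certificate required", http.StatusUnauthorized)
		return
	}
	cardUser := r.TLS.PeerCertificates[0].Subject.CommonName
	sessionUser := r.URL.Query().Get("session_user") // constructed stand-in for the session-cookie lookup
	if cardUser != sessionUser {
		http.Error(w, "card identity does not match the logged-in user", http.StatusForbidden)
		return
	}
	fmt.Fprintf(w, "sensitive action approved for %s\n", cardUser)
}

// request plays the browser: one step-up call in sessionUser's session presenting card (nil = no card inserted); returns the HTTP status, or the error if TLS rejected the handshake.
func request(url string, caPool *x509.CertPool, card []tls.Certificate, sessionUser string) (int, error) {
	cfg := &tls.Config{RootCAs: caPool, ServerName: "localhost", Certificates: card, MinVersion: tls.VersionTLS12}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Post(url+"/step-up?session_user="+sessionUser, "text/plain", nil)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// RunScenario starts a loopback HTTPS server requiring client certs from the demo CA and returns the status for alice's own card, for mallory's (valid) card used in alice's session, and the error seen when no card is presented.
func RunScenario() (matching, wrongCard int, noCardErr error) {
	ca, caKey := issue("Demo Card CA", 1, nil, nil)
	srvCert, srvKey := issue("localhost", 2, ca, caKey)
	alice, aliceKey := issue("alice", 3, ca, caKey)
	mallory, malloryKey := issue("mallory", 4, ca, caKey)
	caPool := x509.NewCertPool()
	caPool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(stepUpHandler))
	srvTLS := tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{srvTLS}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: caPool} // no certificate from our CA, no connection
	srv.StartTLS()
	defer srv.Close()
	aliceCard := []tls.Certificate{{Certificate: [][]byte{alice.Raw}, PrivateKey: aliceKey}}
	malloryCard := []tls.Certificate{{Certificate: [][]byte{mallory.Raw}, PrivateKey: malloryKey}}
	var err error
	matching, err = request(srv.URL, caPool, aliceCard, "alice")
	must(err)
	wrongCard, err = request(srv.URL, caPool, malloryCard, "alice")
	must(err)
	_, noCardErr = request(srv.URL, caPool, nil, "alice")
	return
}
```

The three calls in RunScenario are the cases worth checking: alice's own card is approved, mallory's card is a perfectly valid certificate from the same CA and still gets a 403 because it does not match the logged-in user, and a client with no certificate never reaches the handler because `RequireAndVerifyClientCert` rejects the handshake. The `r.TLS == nil` check is deliberate belt-and-braces in case the handler is ever mounted on a route that does not require client certificates.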


Pavan Kumar Reddy Malgari

Sep 24, 2014, 12:10:37 AM
to chromium...@chromium.org
Thank you, Reilly. Can you suggest what technology to use, or how I can authenticate the user to the server with the smart card that stores the certificate?

Primiano Tucci

Sep 24, 2014, 7:13:18 AM
to pavanr...@gmail.com, Chromium-discuss
Every smartcard runs its own embedded OS, which decides how and where to store keys / certificates. The low-level APDU protocol is typically standard (all the security smartcards I've seen use the, terribly named, "T=0 / T=1 protocol", defined in ISO/IEC 7816-3). However, the higher-level communication (i.e. which APDU to send to list certificates) is typically non-standard and varies from vendor to vendor.
However, if you move another level up, there is a standard interface, called PKCS#11, that vendor drivers can implement and release, which defines a uniform way for apps to see certificates on a hardware token.
Summarizing, the situation is pretty much like this:

Application (e.g. Chrome)
           |
+-----------------------+
|   PKCS#11 interface   |
+-----------------------+
           |
+-----------------------+
|Unspecified black magic|
|    (vendor drivers)   |
+-----------------------+
           |
+------------------------------------+
|       T=0/T=1 APDU protocol        |
|(typically handled by PC/SC daemon) |
+------------------------------------+
           |
+------------------------------------------+
|Smart card reader drivers                 |
|Nowadays almost everybody uses standard   |
|CCID USB interfaces and modern OSs        |
|provide drivers for that. i.e. the reader |
|itself is typically not a problem         |
+------------------------------------------+
           |
        Smart card

From a more concrete / technical viewpoint, the way you use a smartcard for SSL PKI is by installing the PKCS#11-compatible drivers from the vendor. The module will expose a cert provider, and the browser will be able to list certificates on the smartcard when needed (ok, it's a terribly oversimplified model, but perhaps it gives the idea).
Take a look at https://code.google.com/p/eid-mw/wiki/ChromeLinux for just a random example.

The sad part of the story is that, in order for all this to work, the users need to install something (the smartcard drivers) on the machine before they can use PKI.
For some smartcards, on some OSs (for instance some Siemens/Gemalto cards on Windows), the operating system already contains the PKCS#11 modules, so in very few cases manual installation can be avoided.
In general, AFAICT, it's a nightmare and I haven't yet seen a solution that "just works" on every OS without requiring manual steps (and without using Java applets, where you can cheat and talk the T=0/T=1 protocol directly).






--
Primiano Tucci
Software Engineer
Google UK Limited
Registered Office: Belgrave House, 76 Buckingham Palace Road, London SW1W 9TQ