WebApp Sec mailing list archives
Re: dual certificate/smartcard web session management
From: Rogan Dawes <discard () dawes za net>
Date: Fri, 17 Sep 2004 08:47:43 +0200
Frank Dobb wrote:
Hello, I am designing a authentication/session managment system for a financial web application. Browsers will be upto date versions of IE, Netscape. Each client post will have a dual smartcard reader and two different smartcards will have to be present for the entire web session. I am looking for ideas, references, white papers orany other pointers how this has achieved in the past.Thanks in advance, Frank
For that kind of application, I assume that you are dealing with extreme security requirements, non-repudiation, etc. In that case, I suggest that you use both of the certificates/private keys on the smart cards to sign all requests (POSTs, that is) that could result in changes (transactions), and archive those messages for your records.
Something like XML-SIG could be what you are looking for.Simply refuse to process any transactions that are incorrectly signed. There is still the issue of viewing sensitive data. You may be able to design your application in such a way that all requests for data (non-images, etc) are always performed as POSTs, and those can also be signed.
This could prove to be clunky in practice, but it is probably workable.You might want to have a look at http://openoces.org/ (I think), which implements something similar (only 1 signature required, though) for the Danish banking system.
Regards, Rogan -- Rogan Dawes *ALL* messages to discard () dawes za net will be dropped, and added to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
Current thread:
- dual certificate/smartcard web session management Frank Dobb (Sep 16)
- Re: dual certificate/smartcard web session management Alexander Kalinovsky (Sep 18)
- Re: dual certificate/smartcard web session management Rogan Dawes (Sep 18)
- <Possible follow-ups>
- RE: dual certificate/smartcard web session management Scovetta, Michael V (Sep 18)