Re: dual certificate/smartcard web session management

[Rogan Dawes <discard () dawes za net>]

Frank Dobb wrote:

> Hello,
>
> I am designing a authentication/session managment
> system for a financial web application. Browsers will
> be upto date versions of IE, Netscape.
>
> Each client post will have a dual smartcard reader and
> two different smartcards will have to be present for
> the entire web session.
>
> I am looking for ideas, references, white papers or
> any other pointers how this has achieved in the past. 
>
> Thanks in advance, Frank

For that kind of application, I assume that you are dealing with extreme 
security requirements, non-repudiation, etc. In that case, I suggest 
that you use both of the certificates/private keys on the smart cards to 
sign all requests (POSTs, that is) that could result in changes 
(transactions), and archive those messages for your records.

Something like XML-SIG could be what you are looking for.

Simply refuse to process any transactions that are incorrectly signed. 
There is still the issue of viewing sensitive data. You may be able to 
design your application in such a way that all requests for data 
(non-images, etc) are always performed as POSTs, and those can also be 
signed.

This could prove to be clunky in practice, but it is probably workable.

You might want to have a look at http://openoces.org/ (I think), which 
implements something similar (only 1 signature required, though) for the 
Danish banking system.

Regards,

Rogan
--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"