0

We are working on a new secured project. We wish to enable both server side and client side authentication. To allow client authentication, we would like to create cards that can be placed into "card reader" and unlocked using a fingerprint.

Now, currently we have a few card readers of company A and in order for our client side (java - not a browser but a small software of our own) to use the certificate on that card, the java program uses a native call to a dll that allows us to conenct to it.

I am looking for a way to make this connection to the card reader generic, In case we change card readers to company B.

My questions are:

  1. Are there better ways to access the card reader for the certificate? For example, using pure java code (or pure JDK code) and still somehow retreiving the certificate and all other operations needed.

  2. Given there is no pure java way of doing this, is there a generic way that will help me not to be dependant on a specific .dll?

  3. How secured do you think this is? Perhaps, there is an equal secured way of doing client authntication without card readers?

thecodeparadox
  • 86,271
  • 21
  • 138
  • 164
user967710
  • 1,815
  • 3
  • 32
  • 58
  • 2
    you probably want to look at pkcs11. it's a standard interface to these kinds of things. i have written software to use it, but not with java (openssl - it is fairly easy to extend in c). anyway, i'd suggest googling for java pkcs11 libs. – andrew cooke May 16 '12 at 01:18

2 Answers2

2

The Oracle JRE comes with the Sun PKCS#11 provider, which will allow you to plug in a DLL implementing the PKCS#11 API.

This is definitely the "standard" way as far as Java is concerned. Your smart card can be loaded as a KeyStore instance. If your keys cannot be extracted from the smart card, the a PrivateKey object will still be created for use within your applications signing/decrypting, but you won't be able to extract the private exponent (assuming RSA here): it delegates the operations to the card, as designed.

(I've tried it successfully with OpenSC/OpenCT on a Linux machine in the past. I believe PKCS#11 is more rare for Windows, but some smartcard providers might still provide an interface for it.)

How secure this is will depend on the PKCS#11 implementation you're using. Tweaking your own DLL to make it fit PKCS#11 would certainly need some effort and reviewing before you can call it "secure".

Bruno
  • 119,590
  • 31
  • 270
  • 376
  • 1
    Just a note: all vendors we came across (about a dozen probably) provide PKCS#11 DLL for Windows due to much better functionality offered by PKCS#11 comparing to CSP. – Eugene Mayevski 'Callback May 16 '12 at 04:49
0

One option is middle-ware that sits between your card reader device drivers and your Java application. This way your application is only interacting with the middle-ware libraries and you don't need to be concerned with directly accessing DLL or the type of hardware you're using or even the sun PKCS11 provider. If a new card reader is installed, the middle-ware will interact with the drives. You can access your certificates, but also if the biometrics data (fingerprint) is stored on the smart card (as opposed to being on your server), the middle-ware can help access this. One company that makes such middle-ware is Active Identity.

Sanjeev
  • 1,517
  • 1
  • 18
  • 30