
I need to develop a Java applet for mutual authentication between Tomcat 6 (server) and an "IDGo 300" smart card (client).

In order to do this I came up with the following scheme:

  1. Tomcat (server) sends the smart card (client) a request for its digital certificate (signed by the CA).
  2. The client enters the PIN and selects an available certificate on the smart card; the applet then sends that certificate (signed by the CA) to Tomcat. Tomcat verifies the digital certificate and, if it is correct, sends back its own certificate.
  3. The applet verifies the server's certificate and, if it is correct, sends a confirmation to the server.
  4. The server gives the client full access to the web application.

I have some questions:

  1. Is this scheme feasible?
  2. I would like to manage everything through my applet, and when the client removes the smart card he loses access to the server.
Ken Y-N
xfocus
  • In case anybody is here searching for smartcard PKI authentication, in 2021 or later, one option may be checked at https://web.signer.digital/home – Bharat Vasant Dec 18 '21 at 06:10

1 Answer


Is it feasible? Yes. Is it practical? No. I would argue for a thick Java application instead.

First of all, you cannot authenticate by simply sending a certificate. You need something like a challenge-response as well (a signature created by the private key on the smart card after the PIN was entered).

Second, you need special permissions to use any hardware from an Applet. This means you have to alter the permissions on the client, or you may have to sign the Applet, after which the user has to accept the Applet for that specific task.

Applets have pretty specific lifetimes. You may not want to sync the removal of the card with the life cycle of an Applet. A user may block the response that is sent when you disconnect. You can test whether the card has been removed using waitForCardAbsent() in a separate thread.

If you cannot trust the connection (HTTP without SSL) then you cannot trust the Applet code. Users may not want to enter their PIN into untrusted code.

You will run into countless issues if you want to support multiple browsers and Java runtimes.

As a minor issue, the javax.smartcardio package may not always be available; it's not in javax for nothing.

Maarten Bodewes
  • So with an applet there will be a security problem. I saw the eID project and I think it has the same appearance (http://code.google.com/p/eid-applet/), but I was unable to integrate their authentication applet for my needs. (I already configured Tomcat for SSL two-way authentication.) – xfocus Jul 29 '12 at 12:42
  • I cannot comment on the Belgian eID applet in general, and I would not comment on the security of their system without doing proper research. The above is from my own experience. – Maarten Bodewes Jul 29 '12 at 12:52
  • I see what you mean, but I really need to implement a solution for mutual authentication with a smart card in my J2EE application to sign PDFs, and I am lost. – xfocus Jul 29 '12 at 13:43
  • J2EE can be used without a browser; do you really need the browser part? – Maarten Bodewes Jul 29 '12 at 17:26
  • This is a lot of work, requires a lot of knowledge and certainly a lot of testing. Months of man-hours if you are doing it correctly. I've created such a solution long ago, but that was with the support of people longer in the business. When the next project came along I created a proof-of-concept Java GUI application and we went with that. – Maarten Bodewes Jul 29 '12 at 21:08
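The challenge-response that the answer calls for, applied to the four-step scheme in the question, as an added example that is not part of the original post, of the eID applet or of any other project mentioned here. It is written in Go rather than Java so that it runs stand-alone and offline: the issuing CA, the card's key pair and both certificates are generated in software (a real IDGo 300 keeps its key on-chip and the issuer is a real CA), and the names "Example CA" and "alice" and the PIN 1234 are made up for the demo. The Java counterparts of the two sides are java.security.Signature over a private key from a PKCS#11 KeyStore on the card side, and CertPathValidator plus Signature.verify on the Tomcat side.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newIdentity makes a software RSA key plus a certificate for cn (parent == nil gives a
// self-signed CA); it stands in for the real issuer and for the card's on-chip key pair.
func newIdentity(cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // demo setup only; the protocol code below returns errors
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed CA that may issue other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Card stands in for the smart card: the private key never leaves it, and it signs
// (RSA PKCS#1 v1.5 over SHA-256) only after the holder has presented the correct PIN.
type Card struct {
	key  *rsa.PrivateKey
	Cert *x509.Certificate
	pin  string
}

func (c *Card) Sign(pin string, challenge []byte) ([]byte, error) {
	if pin != c.pin { // a real card also locks itself after a few wrong attempts
		return nil, fmt.Errorf("card: wrong PIN")
	}
	h := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, h[:])
}

// Server trusts one CA and tracks the challenges it has issued but not yet consumed.
type Server struct {
	roots   *x509.CertPool
	pending map[string]time.Time
}

// Challenge issues a fresh 256-bit nonce that stays valid for one minute.
func (s *Server) Challenge() []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand.Read never returns an error
	s.pending[string(nonce)] = time.Now().Add(time.Minute)
	return nonce
}

// Authenticate does what receiving the certificate alone cannot: it validates the chain
// against the trusted CA and checks the signature over a nonce this server issued. The
// nonce is consumed on first use, even on failure, so a captured response cannot be replayed.
func (s *Server) Authenticate(cert *x509.Certificate, nonce, sig []byte) (string, error) {
	expiry, ok := s.pending[string(nonce)]
	delete(s.pending, string(nonce))
	if !ok || time.Now().After(expiry) {
		return "", fmt.Errorf("unknown, reused or expired challenge")
	}
	opts := x509.VerifyOptions{Roots: s.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, nonce, sig); err != nil {
		return "", fmt.Errorf("challenge signature invalid: %w", err)
	}
	return cert.Subject.CommonName, nil
}

// Setup builds the issuing CA, a card for "alice" with PIN 1234 and a server trusting that CA.
func Setup() (*Server, *Card) {
	ca, caKey := newIdentity("Example CA", nil, nil)
	cert, key := newIdentity("alice", ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &Server{roots, map[string]time.Time{}}, &Card{key, cert, "1234"}
}

func main() {
	srv, card := Setup()
	nonce := srv.Challenge()           // 1. server -> client: fresh challenge
	sig, _ := card.Sign("1234", nonce) // 2. holder enters PIN, card signs the challenge
	fmt.Println(srv.Authenticate(card.Cert, nonce, sig)) // 3. server checks certificate and signature
}
```

Compared with the scheme in the question, the difference is step 2: the card does not just hand over its certificate, it signs a nonce that the server chose, so only the holder of the private key (unlocked by the PIN) can answer, and an eavesdropped answer is useless because the server forgets each nonce as soon as it is used. The server-side certificate of step 3 is what TLS already gives you, which is why the answer points at a thick client talking over HTTPS rather than an applet. Because every nonce is single-use, the server can also re-issue a challenge whenever it wants fresh proof that the card is still present, which is the server-side counterpart of the waitForCardAbsent() thread mentioned in the answer.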