Reputation: 2007
PKI - card reader replacement
We are working on a new secured project. We wish to enable both server side and client side authentication. To allow client authentication, we would like to create cards that can be placed into "card reader" and unlocked using a fingerprint.
Now, currently we have a few card readers of company A and in order for our client side (java - not a browser but a small software of our own) to use the certificate on that card, the java program uses a native call to a dll that allows us to conenct to it.
I am looking for a way to make this connection to the card reader generic, In case we change card readers to company B.
My questions are:
Are there better ways to access the card reader for the certificate? For example, using pure java code (or pure JDK code) and still somehow retreiving the certificate and all other operations needed.
Given there is no pure java way of doing this, is there a generic way that will help me not to be dependant on a specific .dll?
How secured do you think this is? Perhaps, there is an equal secured way of doing client authntication without card readers?
Upvotes: 0
Views: 575
Answers (2)
Reputation: 1575
One option is middle-ware that sits between your card reader device drivers and your Java application. This way your application is only interacting with the middle-ware libraries and you don't need to be concerned with directly accessing DLL or the type of hardware you're using or even the sun PKCS11 provider. If a new card reader is installed, the middle-ware will interact with the drives. You can access your certificates, but also if the biometrics data (fingerprint) is stored on the smart card (as opposed to being on your server), the middle-ware can help access this. One company that makes such middle-ware is Active Identity.
Upvotes: 0
Reputation: 122719
The Oracle JRE comes with the Sun PKCS#11 provider, which will allow you to plug in a DLL implementing the PKCS#11 API.
This is definitely the "standard" way as far as Java is concerned. Your smart card can be loaded as a KeyStore instance. If your keys cannot be extracted from the smart card, the a PrivateKey object will still be created for use within your applications signing/decrypting, but you won't be able to extract the private exponent (assuming RSA here): it delegates the operations to the card, as designed.
(I've tried it successfully with OpenSC/OpenCT on a Linux machine in the past. I believe PKCS#11 is more rare for Windows, but some smartcard providers might still provide an interface for it.)
How secure this is will depend on the PKCS#11 implementation you're using. Tweaking your own DLL to make it fit PKCS#11 would certainly need some effort and reviewing before you can call it "secure".
Upvotes: 2
Related Questions
- Java SmartCard Identity
- Getting certificates from PKCS11 Smartcard without PIN/password
- Reading a PKCS#1 or SPKI public key in Java without libraries
- Client Certificate authentication in Java
- Read Certificate from SmartCard using javax.smartcardio
- Java card key installation
- Writing and Reading certificates from smartcard
- PKCS11 driver for CAC card/ card reader
- Server Side Java: Can it read CAC cards and if so, how?
- How to access a smartcard in Java on Linux?