Security's Once and Future King

  1. Security's Once and Future King: Smart Cards for Web 2.0. Kapil Sachdeva, Software Technologist, Technology & Innovation, Gemalto, Austin
  2. Smart Card: The Hardware
     - Integrated Circuit Card (ICC)
     - Microprocessor (8-, 16- or 32-bit)
     - Non-volatile memory (EEPROM, Flash)
     - Volatile memory (RAM)
     - Read-only memory (ROM, Flash)
     [Diagram: card cross-section (plastic card, contact pad, gold wiring, epoxy fill, secure chip) and chip blocks: Crypto, CPU, RAM, NVM; ROM holds the operating system, EEPROM the application memory]
  3. Smart Card: The Security Device
     - Tamper resistant
     - Cryptography: RSA, AES, 3DES, ECC, SHA-1, MD5, etc.
     - Security evaluation: FIPS, Common Criteria
     - Domain-specific knowledge and an attack-aware design approach keep smart card technology up to date with respect to security
  4. Smart Card: The Comm. Protocol
     - ISO 7816-3
       - APDU: Application Protocol Data Unit
     - Master/slave
     - Synchronous communication
     - The transport protocol is overloaded as the application protocol
  5. Smart Card: The Form Factors
     - SIM
     - Credit card
     - USB tokens
     - Electronic documents
  6. Smart Card: The Business Verticals
     [Chart: 2007 shipment estimates by vertical, source EUROSMART; values shown are 300 million, 20 million, 2600 million and 500 million (vertical labels not recoverable)]
  7. Smart Card: The Infrastructure
     [Diagram: ICC-aware and smart card aware applications talk to the Resource Manager over the PC/SC RM interface; the Resource Manager drives IFD Handlers over the PC/SC IFD Handler interface; reader drivers (USB CCID class) connect to the smart card readers (IFD), which hold the smart cards (SC)]
  8. Smart Card: The History
     - 1983: Commercial chip card for pay phones
     - 1991: SIM card
     - 1992: Commercial debit card
     - 1997: Java Card
     - 2002: .NET Smart Card
  9. JavaCard: A Revolution
  10. JavaCard: The revolutionary Smart Card
     - Programmable smart card
     - 'Write once, run anywhere' mantra with pragmatism
     - Platform openness rocks
     Anecdote: The first Java Card prototype used an 8-bit processor, 26K of ROM, 400 bytes of RAM and 1KB of EEPROM. Today smart cards have 32-bit chips, 16KB of RAM, 512KB of ROM/Flash.
  11. JavaCard Virtual Machine & Runtime
     - Pragmatic subset of functionality (data types, features)
     - Some specialized bytecodes
     - Special treatment of static fields
     - JC virtual machine never terminates
     - Persistent memory model: objects live in EEPROM
     - Transaction management
     - Firewall between applications
  12. A JavaCard toy Application

```java
package com.gemalto.wallet;

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.Util;

public class MyWallet extends Applet {
    // CLA||INS of the two wallet commands, read as one short (toy values)
    private static final short INS_WALLET_DEBIT  = (short) 0x8030;
    private static final short INS_WALLET_CREDIT = (short) 0x8040;

    // Called once at load time: create the applet and register it with the JCRE
    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new MyWallet().register();
    }

    public boolean select() { return true; }

    public void debit(byte[] buff) { /* ... */ }

    public void credit(byte[] buff) { /* ... */ }

    public void process(APDU apdu) {
        byte[] buff = apdu.getBuffer();
        // Dispatch on CLA and INS (buffer offsets 0 and 1) taken together
        switch (Util.getShort(buff, (short) 0)) {
            case INS_WALLET_DEBIT:  debit(buff);  break;
            case INS_WALLET_CREDIT: credit(buff); break;
            default: ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }
}
```
  13. JavaCard: Some misses
     - Provides a shim on the operating system communication layer but still mixes the transport and application protocol
     - Object-based data store without any of the capabilities of persistent stores
       - Application update problematic
  14. .NET Card: An Innovation
  15. .NET Card: The evolutionary Smart Card
     - Remoting as the communication paradigm from the get-go
       - Does not expose the communication protocol
     - User-programmable access to the file system
       - Separation of application and data
     - Use metadata to address domain-specific requirements
       - Transactions, security, legacy support
     - Geek bonus points:
       - Visual Studio .NET integration
       - Richer type support (primitives, strings, etc.)
       - Exact GC
       - XML parsing
       - Serialization
       - Strong-name signing
  16. A .NET Card toy Application

```csharp
using System;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
// APDUServerChannel and the [Transaction] attribute are supplied by the .NET Card framework

namespace MyCompany
{
    public class MyWallet : MarshalByRefObject
    {
        [Transaction]
        public void Debit(int amount) { }

        [Transaction]
        public void Credit(int amount) { }

        public static void Main(string[] args)
        {
            // Expose the wallet object over the APDU channel under a well-known URI
            ChannelServices.RegisterChannel(new APDUServerChannel());
            RemotingServices.Marshal(new MyWallet(), "Wallet.uri");
        }
    }
}
```
  17. Smart Card: The Applications
     - Authentication
     - Digital signature & encryption
     - Secure storage
     - All of the above (manage/enforce a policy)
     - Sophisticated ice scratching device
  18. Fitting in the client crypto architecture
     - CAPI: Windows (native)
     - CDSA: Mac OS X (native)
     - PKCS#11: Windows, Linux, Mac OS X
     - Outlook, Thunderbird, Adobe Writer, PGP clients, VPN clients, browsers
  19. A Quick Recap
  20. Smart Card: The Client Infrastructure
     [Diagram: as on slide 7, with Service Providers and Service Provider Middleware added between the applications and the Resource Manager, exposed through Service Provider Interfaces]
  21. The Web
  22. Ubiquity is key for Web applications
  23. Smart Cards and the Web: Classical
     - To access smart card capabilities
     - On the user's computer
       - Internet Explorer: card-specific CSP implementation
       - Firefox: card-specific PKCS#11 implementation
       - Safari: card-specific tokend
     - On the server
       - Different server/client scripts to handle browser and crypto stack differences (Herculean!)
  24. In other words: break the ubiquity of the Web and lose the mobility of smart cards
  25. Principle of Psychological Acceptability: A security mechanism should not make accessing a resource, or taking some action, more difficult than it would be if the security mechanism were not present.
  26. DEMO: Let me show you what I mean
  27. Web 2.0
  28. [Word cloud: Blogs, AJAX, Phishing, E-gov, Theft, Web Services, XML, SOAP, RSS, Flickr, Google Maps, REST, Social Networking]
  29. XMLHttpRequest: A platform- and application-agnostic connectivity bridge that lets JavaScript in a web page communicate with the server.
  30. "If I have seen further it is by standing on the shoulders of Giants" - Isaac Newton
  31. SConnect: A platform- and application-agnostic connectivity bridge that lets JavaScript in a web page communicate with a smart card.
  32. SConnect
     - Connectivity plumbing that works with classical smart cards
     - Digitally signed browser extension enabling scripts embedded in a web page to access the PC/SC channel on the client machine
     - A toolkit for developing Smart card Aware Web Applications
     - Ubiquitous: all relevant OS/browser combinations
     - Lightweight: 15-second download and install
     [Graphic: SConnect, supported operating systems and browsers, 15-second download]
  33. A few lines of JavaScript...

```html
<html>
<head>
<script src="http://www.sconnect.com/scripts/sconnect.js" language="javascript"></script>
<script language="javascript">
var _otp;
function getOtp() {
  var scom = new SConnect.PCSC();
  var readersWithCards = scom.listReaders(true);
  // if more than one reader, employ some discovery mechanism; the first one is used here
  var idx = 0;
  scom.connect(readersWithCards[idx]);
  // SELECT the OTP applet by AID; "9000" is the ISO 7816 success status word
  var response = scom.exchange("00A4040007A0000000020302");
  if (response == "9000") {
    _otp = scom.exchange("002100000106");
  }
  scom.dispose();
  // put the _otp value in the text box
  document.getElementById("otp").value = _otp;
}
</script>
</head>
<body>
<form>
<label>Press the button to get the OTP</label>
<input type="text" id="otp" name="otp"/>
<input type="button" value="click me" onclick="getOtp(); submit();"/>
</form>
</body>
</html>
```
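The script above passes raw ISO 7816 APDUs to the card as hex strings (the mixing of transport and application protocol called out on slide 4), and only checks the status word of the SELECT, not of the OTP command. As an added example that is not part of the deck or of SConnect, these helpers build the SELECT-by-AID command the slide uses and split a response into data and status word before the payload is trusted; the OTP-as-ASCII-digits layout is a constructed assumption.

```javascript
// ISO 7816-4 case-3 command: CLA INS P1 P2 Lc <data>. The slide's
// "00A4040007A0000000020302" is SELECT (CLA=00 INS=A4 P1=04 P2=00) of AID A0000000020302.
function buildSelectByAid(aidHex) {
  if (!/^([0-9A-Fa-f]{2})+$/.test(aidHex)) throw new Error("AID must be whole hex bytes");
  const lc = aidHex.length / 2;                        // Lc = number of AID bytes
  if (lc < 5 || lc > 16) throw new Error("AID must be 5..16 bytes");
  const lcHex = lc.toString(16).padStart(2, "0");
  return ("00A40400" + lcHex + aidHex).toUpperCase();
}

// A response APDU is <data> SW1 SW2. The trailing status word decides whether the
// data may be used at all, so it is split off and classified first.
function parseResponse(hex) {
  if (!/^([0-9A-Fa-f]{2})+$/.test(hex) || hex.length < 4) throw new Error("bad response");
  const sw = hex.slice(-4).toUpperCase();
  const data = hex.slice(0, -4).toUpperCase();
  let status;
  if (sw === "9000") status = "ok";
  else if (sw.startsWith("61")) status = "more-data";    // SW2 bytes still pending (GET RESPONSE)
  else if (sw.startsWith("6C")) status = "wrong-le";     // resend with Le = SW2
  else if (sw.startsWith("63C")) status = "retries-left"; // e.g. PIN attempts remaining in SW2 low nibble
  else status = "error";                                  // 6xxx: do not use the payload
  return { data: data, sw: sw, status: status, ok: status === "ok" };
}

// Extracts the OTP from the response to the slide's "002100000106" command.
// Constructed assumption: the applet returns the OTP as ASCII digits. Anything
// other than 9000 yields null instead of a half-trusted value.
function otpFromResponse(hex) {
  const r = parseResponse(hex);
  if (!r.ok) return null;
  const bytes = r.data.match(/../g) || [];
  return bytes.map(b => String.fromCharCode(parseInt(b, 16))).join("");
}
```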
  34. Fewer lines of JavaScript...

```html
<html>
<head>
<script src="http://www.sconnect.com/scripts/sconnect.js" language="javascript"></script>
<script src="http://www.sconnect.com/scripts/marshaller.js" language="javascript"></script>
<script src="oath_stub.js" language="javascript"></script>
<script language="javascript">
var _otp;
function getOtp() {
  // the generated stub hides the APDU exchange behind a remoting-style proxy
  var oathApp = new Samples.OATHApp("selfdiscover", 0, "OATHService.uri");
  _otp = oathApp.get_OTP();
  // put the value of _otp in the text box
  document.getElementById("otp").value = _otp;
}
</script>
</head>
<body>
<form>
<label>Press the button to get the OTP</label>
<input type="text" id="otp" name="otp"/>
<input type="button" value="click me" onclick="getOtp(); submit();"/>
</form>
</body>
</html>
```
  35. DEMO: Device Administration Service
     - Lightweight device management
     - Routine security tasks performed in a cross-browser, cross-platform setting
  36. DEMO: Two-factor auth. for Web Apps
     - MeHuNa: a fictional identity- and security-savvy company using cloud computing
     - MeHuNa uses Google Apps(!) as its Office back-end
     - Employees must use strong authentication for audit and security compliance purposes
     - Employees get an OpenID for their personal use
  37. "Begin at the beginning and go on till you come to the end: then stop." Thank You
