
PKI - card reader replacement

We are working on a new secured project. We wish to enable both server side and client side authentication. To allow client authentication, we would like to create cards that can be placed into a "card reader" and unlocked using a fingerprint.

Now, currently we have a few card readers of company A, and in order for our client side (java - not a browser but a small software of our own) to use the certificate on that card, the java program uses a native call to a dll that allows us to connect to it.

I am looking for a way to make this connection to the card reader generic, in case we change card readers to company B.

My questions are:

  1. Are there better ways to access the card reader for the certificate? For example, using pure java code (or pure JDK code) and still somehow retrieving the certificate and all other operations needed.

  2. Given there is no pure java way of doing this, is there a generic way that will help me not to be dependent on a specific .dll?

  3. How secured do you think this is? Perhaps there is an equally secure way of doing client authentication without card readers?

The Oracle JRE comes with the Sun PKCS#11 provider, which will allow you to plug in a DLL implementing the PKCS#11 API.

This is definitely the "standard" way as far as Java is concerned. Your smart card can be loaded as a KeyStore instance. If your keys cannot be extracted from the smart card, a PrivateKey object will still be created for use within your application's signing/decrypting, but you won't be able to extract the private exponent (assuming RSA here): it delegates the operations to the card, as designed.

(I've tried it successfully with OpenSC/OpenCT on a Linux machine in the past. I believe PKCS#11 is more rare for Windows, but some smartcard providers might still provide an interface for it.)

How secure this is will depend on the PKCS#11 implementation you're using. Tweaking your own DLL to make it fit PKCS#11 would certainly need some effort and reviewing before you can call it "secure".
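The flow this answer describes, as an added example (not code from the answer or from any vendor): the Sun PKCS#11 provider is pointed at a vendor module, the card is opened as a `PKCS11` KeyStore, a challenge is signed by the card and verified with the certificate's public key, and the same card-backed key feeds a TLS client `SSLContext`. It assumes Java 9 or later (for `Provider.configure`), a placeholder library path and PIN, and a token that offers `SHA256withRSA`.

```java
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class Pkcs11ClientAuth {
    // Assumed placeholder: the vendor's PKCS#11 module is the only vendor-specific value here.
    static final String PKCS11_LIB = "C:/path/to/vendor-pkcs11.dll";

    public static void main(String[] args) throws Exception {
        // Inline SunPKCS11 config (Java 9+): a leading "--" means "config text", not a file path.
        String config = "--name=CardReader\nlibrary=" + PKCS11_LIB + "\nslotListIndex=0\n";
        Provider p11 = Security.getProvider("SunPKCS11").configure(config);
        Security.addProvider(p11);

        // The card is loaded as a KeyStore; the PIN opens the token session (placeholder value).
        char[] pin = "1234".toCharArray();
        KeyStore card = KeyStore.getInstance("PKCS11", p11);
        card.load(null, pin);

        // Pick the first alias that carries a private key entry with its certificate.
        String alias = null;
        for (String a : Collections.list(card.aliases())) {
            if (card.isKeyEntry(a)) { alias = a; break; }
        }
        if (alias == null) throw new IllegalStateException("no key entry on the card");
        PrivateKey key = (PrivateKey) card.getKey(alias, pin);
        X509Certificate cert = (X509Certificate) card.getCertificate(alias);
        // The key material never leaves the token: getEncoded() is null for non-extractable keys.
        System.out.println("private key extractable: " + (key.getEncoded() != null));

        // Signing is delegated to the card; verifying uses the public key from the certificate.
        byte[] challenge = "constructed-server-nonce".getBytes();
        Signature sig = Signature.getInstance("SHA256withRSA", p11);
        sig.initSign(key);
        sig.update(challenge);
        byte[] signature = sig.sign();
        Signature ver = Signature.getInstance("SHA256withRSA");
        ver.initVerify(cert.getPublicKey());
        ver.update(challenge);
        System.out.println("signature verifies: " + ver.verify(signature));

        // TLS client authentication: the KeyManager hands the card-backed key to the handshake.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(card, pin);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null = JRE default trust store
        Arrays.fill(pin, '\0');
    }
}
```

Swapping company A's reader for company B's then means changing only the `library=` line of the config, as long as both vendors ship a PKCS#11 module.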

One option is middleware that sits between your card reader device drivers and your Java application. This way your application is only interacting with the middleware libraries and you don't need to be concerned with directly accessing the DLL, the type of hardware you're using, or even the Sun PKCS11 provider. If a new card reader is installed, the middleware will interact with the drivers. You can access your certificates, but also, if the biometric data (fingerprint) is stored on the smart card (as opposed to being on your server), the middleware can help access this. One company that makes such middleware is Active Identity.
