
Java Applet for mutual authentication with smart card

I need to develop a Java applet for a mutual authentication between Tomcat 6 (server) and a SmartCard "IDGo 300" (client).

In order to do this I thought of the following scheme:

  1. Tomcat (server) sends to the SmartCard (client) the request for its digital certificate (signed by a CA).
  2. The client enters the PIN and selects an available certificate on the smart card, then the applet sends his certificate (signed by the CA) to Tomcat. Tomcat verifies the digital certificate and, if correct, sends back its certificate.
  3. The applet verifies the certificate of the server, and if the certificate is correct sends a confirmation to the server.
  4. The server gives the client full access to use the web application.

I have some questions:

  1. Is this scheme feasible?
  2. I would like to manage everything through my applet, and when the client disconnects the smart card he loses access to the server.

Is it feasible? Yes. Is it practical? No. I would argue for a thick Java application instead.

First of all, you cannot authenticate by simply sending a certificate. You need something like a challenge-response as well (a signature created by the private key on the smart card after the PIN was entered).

Second, you need special permissions to use any hardware from an Applet. This means you have to alter the permissions on the client, or you may have to sign the Applet, after which the user has to accept the Applet for that specific task.

Applets have pretty specific lifetimes. You may not want to sync the removal of the card with the life cycle of an Applet. A user may block the response that is sent when you disconnect. You can test if the card has been removed using waitForCardAbsent() in a separate thread.

If you cannot trust the connection (HTTP without SSL) then you cannot trust the Applet code. Users may not want to enter their PIN into untrusted code.

You will run into countless issues if you want to support multiple browsers and Java runtimes.

As a minor issue, the javax.smartcardio package may not always be available; it's not in javax for nothing.
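The challenge-response step the answer above calls for, as an added example that is not part of the original question or answer: the server issues a random single-use nonce, the card-side code signs it with the private key, and the server verifies the signature against the public key of the certificate the client presented (the certificate's own chain check against the CA is assumed to have happened first). The algorithm (SHA256withRSA), the session-id map and all method names are assumptions for this demo; a software RSA key stands in for the key on the IDGo 300, which in a real applet would be reached through a PKCS#11 KeyStore after PIN entry.

```java
import java.security.*;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class ChallengeResponseDemo {
    // Server side: one random nonce per session, consumed on first use.
    static final SecureRandom RNG = new SecureRandom();
    static final Map<String, byte[]> PENDING = new ConcurrentHashMap<>();

    static byte[] issueChallenge(String sessionId) {
        byte[] nonce = new byte[32];
        RNG.nextBytes(nonce);
        PENDING.put(sessionId, nonce);
        return nonce;
    }

    // Server side: true only if the response is a valid signature over the
    // pending nonce by the key matching the client's certificate public key.
    // The nonce is removed whether or not verification succeeds, so a captured
    // response cannot be replayed.
    static boolean verifyResponse(String sessionId, PublicKey cardPublicKey, byte[] signature)
            throws GeneralSecurityException {
        byte[] nonce = PENDING.remove(sessionId);
        if (nonce == null) return false;
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(cardPublicKey);
        v.update(nonce);
        return v.verify(signature);
    }

    // Client side: sign the nonce. On the real card this happens inside the
    // token after PIN entry; here a software key stands in (assumption).
    static byte[] signChallenge(PrivateKey cardPrivateKey, byte[] nonce)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(cardPrivateKey);
        s.update(nonce);
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair card = kpg.generateKeyPair();   // stand-in for the key on the card

        byte[] nonce = issueChallenge("session-1");
        byte[] sig = signChallenge(card.getPrivate(), nonce);
        System.out.println("fresh response:    " + verifyResponse("session-1", card.getPublic(), sig));
        // Replaying the same signature fails because the nonce was consumed.
        System.out.println("replayed response: " + verifyResponse("session-1", card.getPublic(), sig));
    }
}
```

The first verification prints true and the replay prints false; in the applet flow the nonce would travel to the client over HTTPS, since the answer notes that a PIN should not be entered into code served over plain HTTP.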
