I have some elementary questions concerning the usage of smart cards. They will probably be way too basic for members of this forum; maybe even inappropriate. My hope is that contributors to this forum with the necessary expertise will be able to point me in the right direction so I can carry on researching this subject further. Please, bear with me and my ignorance.
I am particularly interested in the Common Access Card (CAC) used by the military (and others) to provide a two-factor authentication mechanism. My understanding is that the factors are something that you know (a PIN to unlock the card) and something that you have (the card itself.) Access to the card takes place by means of some specialized hardware - a card reader. I believe that the card reader may be physically connected to the device (server, computer, whatever one calls it) for which the smart card-provided authentication is required. Alternatively, the card reader may be provide authentication over the network. Let me go over these two cases, which I will refer to as cases 1 and 2, respectively. Case 1: I will refer to the card reader as CR, and to the server it is physically connected to as S. CR will allow a smart card user U to be authenticated in S. U inserts his or her CAC into CR. U is prompted for a PIN. Assuming the PIN punched in is correct, the CAC is unlocked. At this point CR will interact with S via some specialized application in S. This application must use a driver specifically developed for the CR hardware and whatever operating system (loosely speaking) that is used to control S. Assuming that this driver is in place and working correctly, what is the information exchanged between CR and S? I understand that the CAC uses X.509 certificates. How does the information exchange take place? My guess: S will access certificate information from the CAC using some cryptographic API (PKCS-11 seems to be a common one.) Each CAC will have an X.509 certificate assigned to it that has been signed by some certificate authority (CA) that must be known to S in advance. Essentially, S will use the appropriate CA certificate (which it will typically retrieve form local storage) in order to verify the X.509 certificate associated with the CAC in question that S has retrieved from CR. The verification may be a chained one. Is this a more or less accurate description, or am I totally off the bull's eye? Case 2: The setup here would be the following: A card reader CR physically connected to some device D (typically, but not necessarily, a PC) that can connect to some remote server S through some secure transport mechanism. The interaction wold be similar to the one described above, the difference being that D mediates the authentication. I.e. D will retrieve the CAC's certificate through interaction with CR, and will pass it on to S by means of the transport mechanism used by D to connect to S. The most straightforward one I can think of would be SSL/TLS: Once D has got the CAC's certificate C from CR, it will use C to start an SSL/TLS handshake with S. S will use standard SSL/TLS mechanisms to verify C. If this verification succeeds then the owner of CAC will be allowed to establish an SSL/TLS session with S. It's obvious that the example that I have in mind consists of establishing an HTTPS connection from a PC to some HTTPS server S. Again, is this a correct description? Feedback on this will be much appreciated. Again, if this is not the right forum for these questions, I will be most thankful if somebody could point me to the appropriate forum(s). _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
