EldoS | Feel safer!

Using TElX509Certificate from smart card for authentication to a WS

#13436
Posted: 05/24/2010 03:55:10
by Eugene Mayevski (EldoS Corp.)

Well, why not use plain old HTTP or HTTPS? If your server side is written in .NET, then the simplest would be to create some request body and sign it on the client side, then send the signed request to the server. The server would verify the signature and send the requested data.

All can be done using our components.

For signing and verification you can use the TElMessageSigner/TElMessageVerifier components. They produce and handle a PKCS#7-formatted result, so everything is standard. For HTTP (and HTTPS if needed) you can use TElHTTPSClient or use .NET HttpWebRequest.


Sincerely yours
Eugene Mayevski
#13437
Posted: 05/24/2010 04:31:45
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

Hi Eugene,

Thanks for the suggestion. In the way you proposed, is it possible to send the certificate along with the signed data? So the server could validate the request and the certificate (check the certificate issuer, chain and other things)?

The thing is, we would prefer to use a well-defined WS API, described with WSDL, so we can call complex functions and return complex objects and data types.

To give you a concrete example, one of our objectives is the following:

On the server, there is a database of student information (grades, dates, college attendance data...). This data should be written as an object on the card, but we want to ensure that the clients (students) that make the request are properly authenticated (and vice versa: clients are positive they access the right service on the server). As these functions that request data on the server can be quite diverse (and often complex), our primary idea was to expose them through a standard WS interface. To give you another example, our final objective is to implement behaviour in which Java Card applets and certificates can be downloaded from the server and installed on the client card.

You can see how careful we are when addressing the security issue, and we would want to use the proper software to achieve these goals and satisfy the above-mentioned security requirements.

I know this is a complex situation, and I left out some of the detailed information, but you get the idea. My question to you is: is the above-described behaviour possible to achieve with your products, and if yes, what approach and which of your products would you recommend for this implementation?

We wouldn't want to dig ourselves deep into using your products, and then find out that what we had in mind cannot be done and that we need to get another solution.
#13442
Posted: 05/24/2010 14:40:34
by Eugene Mayevski (EldoS Corp.)

Quote
Tomislav Jakopović wrote:
In the way you proposed, is it possible to send the certificate along with the signed data? So the server could validate the request and the certificate (check the certificate issuer, chain and other things)?


That's exactly the way signing works.

Quote
Tomislav Jakopović wrote:
The thing is, we would prefer to use a well-defined WS API, described with WSDL, so we can call complex functions and return complex objects and data types.


I am afraid that you would need to find some WebServices approach that supports custom transports. I know RemObjects SDK can be used for this with great success. And it's possible to plug SecureBlackbox transport to it.


Sincerely yours
Eugene Mayevski
#13444
Posted: 05/24/2010 16:06:13
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

OK, one more thing: isn't it possible to use the certificates for a WSE call?

Can this functionality be achieved?
#13445
Posted: 05/25/2010 01:56:39
by Eugene Mayevski (EldoS Corp.)

I guess no - .NET Framework was not designed for being extended by other developers (e.g. see the Socket class implementation without virtual classes).


Sincerely yours
Eugene Mayevski
#13460
Posted: 05/25/2010 17:37:28
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

Quote
Eugene Mayevski wrote:
Well, why not use plain old HTTP or HTTPS? If your server side is written in .NET, then the simplest would be to create some request body and sign it on the client side, then send the signed request to the server. The server would verify the signature and send the requested data.

All can be done using our components.

For signing and verification you can use the TElMessageSigner/TElMessageVerifier components. They produce and handle a PKCS#7-formatted result, so everything is standard. For HTTP (and HTTPS if needed) you can use TElHTTPSClient or use .NET HttpWebRequest.


Hi,

Can you give me any specifics in how to do that?
#13462
Posted: 05/26/2010 04:57:28
by Ken Ivanov (EldoS Corp.)

Regarding data signing/verification, please take a look at the MessagesDemo sample (Samples\(C#|VB.NET)\PKIBlackbox\MessagesDemo). The signing part will be executed on client side to sign the request; the verifying part would check the integrity of the signed requests on server.

BTW, if you prefer to use "standard" web services, you can actually pass the PKCS#7 signature as a parameter to some web service method (and then validate the signature in the code of the web service). In other words, the idea is to perform client authentication not on the transport layer, but by the service itself.
#13465
Posted: 05/26/2010 14:48:06
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

Quote
Innokentiy Ivanov wrote:
Regarding data signing/verification, please take a look at the MessagesDemo sample (Samples\(C#|VB.NET)\PKIBlackbox\MessagesDemo). The signing part will be executed on client side to sign the request; the verifying part would check the integrity of the signed requests on server.

BTW, if you prefer to use "standard" web services, you can actually pass the PKCS#7 signature as a parameter to some web service method (and then validate the signature in the code of the web service). In other words, the idea is to perform client authentication not on the transport layer, but by the service itself.


Actually, that's what I'm trying to do at the moment.

What bothers me is how to use TElX509Certificate for encryption, decryption and signing.

SBMessages.TElMessageEncryptor doesn't take a TElX509Certificate parameter, but a certificate store. How does it know which certificate's key to use for encryption/signing?
#13466
Posted: 05/26/2010 15:11:15
by Ken Ivanov (EldoS Corp.)

TElMessageEncryptor encrypts the data for all the certificates contained in the CertStorage storage. TElMessageSigner signs the data with all the certificates having the corresponding private keys.
#13467
Posted: 05/26/2010 15:12:45
by Eugene Mayevski (EldoS Corp.)

... so if you have a certificate in, say, TElPKCS11CertStorage, then you just need to copy it to TElMemoryCertStorage, and then pass this TElMemoryCertStorage to TElMessageSigner. SecureBlackbox will take care of the underlying key, so this approach will work right for you.


Sincerely yours
Eugene Mayevski
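The pattern Ken and Eugene describe above (sign the request body with the card certificate, pass the PKCS#7 blob as a web-service parameter, and have the service itself verify the signature and the certificate's issuer and chain), written out as an added example that is not from this thread or from EldoS. It uses .NET's built-in System.Security.Cryptography.Pkcs instead of the SecureBlackbox TElMessageSigner/TElMessageVerifier components, and assumes the card certificate is visible as an X509Certificate2 (e.g. through the card's CSP in the Windows "My" store) and that the server knows the thumbprint of the CA that issues the student cards.

```csharp
// Added example, not SecureBlackbox code: same idea as TElMessageSigner/TElMessageVerifier,
// implemented with .NET's SignedCms so the service validates the client in its own code.
using System;
using System.Linq;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

static class SignedRequest
{
    // Client side: sign the request body with the smart-card certificate. The certificate
    // (and its chain) travels inside the PKCS#7 blob, so the server can validate it too.
    public static byte[] Sign(byte[] body, X509Certificate2 cardCert)
    {
        var cms = new SignedCms(new ContentInfo(body), detached: false);
        var signer = new CmsSigner(cardCert) { IncludeOption = X509IncludeOption.WholeChain };
        cms.ComputeSignature(signer); // private-key operation happens on the card (CSP asks for the PIN)
        return cms.Encode();          // this byte[] is what the client passes as the web-service parameter
    }

    // Server side (inside the web-service method): verify the signature first, then the
    // certificate. Returns the original request body only if both checks pass.
    public static byte[] VerifyAndExtract(byte[] pkcs7, string trustedRootThumbprint)
    {
        var cms = new SignedCms();
        cms.Decode(pkcs7);
        cms.CheckSignature(verifySignatureOnly: true); // throws if signature and content do not match

        X509Certificate2 signerCert = cms.SignerInfos[0].Certificate;

        // Build the chain ourselves: revocation is checked, intermediates come from the blob.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.ExtraStore.AddRange(cms.Certificates);
        if (!chain.Build(signerCert))
            throw new InvalidOperationException("certificate chain invalid: " +
                string.Join("; ", chain.ChainStatus.Select(s => s.StatusInformation)));

        // Pin the issuer: the chain must end at the CA that issued the student cards,
        // not merely at any root the server machine happens to trust.
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, trustedRootThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("signer certificate not issued under the expected CA");

        return cms.ContentInfo.Content;
    }
}
```

Because the signature alone does not prove freshness, the request body should carry a nonce or timestamp that the service checks, so a captured signed request cannot simply be submitted again.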