What to do with a smart card reader?

I expect it to internally present itself as a USB device providing a COM port to the card. Maybe there's a dedicated driver to the thing.

Normally these days such devices are used to interact with smart cards that are genuinely smart. To clarify, here in .NL many cards have a chip in them but most of them are decidedly dumb, just providing access to files on the thing using a PIN for access. Note that this PIN can be up to 8 numbers long, even though you're typically just asked for 4 - this is configurable on a per-file basis. The real smart smartcards have dedicated crypto logic on them that allows these things to be used as a hardware security module - the sort of thing that contains the private key of your server and can encrypt/decrypt data provided to it by the host system. The idea here is that you can get your private key onto the device, you can see that it's there, but you won't be able to read it back anymore, and any attempts to do so will result in the destruction of the storage area that holds this information. One problem you get is that the cards aren't exactly cheap and, more importantly, after a power cycle of the host or the disconnecting of the device (either the reader from the host or the card from the reader) you need to provide a password to gain access to the keys again (more specifically, to get the device to use the key on your behalf to do useful stuff) which can be a bit annoying. Remote management kinda sucks.

I once made a web thing for our DoD using Tomcat that used one of these and one of the features we had was that we had a hidden one-time page. After a restart of the box you would be able to access this one-time page exactly once (subsequent requests would result in a 404). On this page you would be allowed to provide the password exactly once. If you provided the wrong password, we would do a System.exit() meaning the JVM was gone and an admin would have to start Tomcat again.

My internship at IBM some 20 years ago (fuck, I'm growing old!) was also at a department there that was focusing on developing cool usages of smartcard technology and that DoD gig was about 10 years ago now so while I'm happy to discuss this stuff my knowledge is kinda dated by now.
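The one-time unlock page described in the post, as an added example that is not the poster's Tomcat code: a small Python state machine that serves a hidden path exactly once after startup, accepts the PIN exactly once, and calls a shutdown hook on a wrong PIN so an administrator has to restart the service by hand. The path `/unlock-7f3a`, the `FakeToken` class (a constructed stand-in for a real card or HSM, with a three-try retry counter) and the `unlock_token` callable are all assumptions for illustration; in a real deployment that callable would hand the PIN to the token through its PKCS#11 or vendor interface, and the key itself would never leave the device.

```python
import hmac
import sys
from typing import Callable


class FakeToken:
    """Constructed stand-in for a PIN-protected token (not a real card driver).

    Mimics the behaviour the post describes: the PIN is checked on the device,
    a retry counter is decremented on failure, and after too many failures the
    token blocks itself and no further unlock is possible.
    """

    def __init__(self, pin: str, retries: int = 3) -> None:
        self._pin = pin.encode()       # in reality the PIN lives on the card, never on the host
        self.retries = retries
        self.max_retries = retries

    def verify_pin(self, candidate: str) -> bool:
        if self.retries == 0:
            return False               # blocked: every attempt fails until the card is reset
        if hmac.compare_digest(self._pin, candidate.encode()):
            self.retries = self.max_retries
            return True
        self.retries -= 1
        return False


class OneTimeUnlock:
    """Hidden unlock page that can be viewed once and answered once per process.

    GET on the hidden path returns 200 the first time and 404 afterwards.
    POST of a PIN is accepted once; a correct PIN unlocks the token for the
    lifetime of the process, a wrong PIN triggers the shutdown hook (the post's
    System.exit()) and the process fails closed.
    """

    def __init__(self, path: str, unlock_token: Callable[[str], bool],
                 shutdown: Callable[[], None] = lambda: sys.exit(1)) -> None:
        self.path = path                  # hypothetical hidden path chosen at deploy time
        self.unlock_token = unlock_token  # assumed hook that asks the token to verify the PIN
        self.shutdown = shutdown
        self.page_served = False
        self.pin_attempted = False
        self.unlocked = False

    def get(self, path: str) -> int:
        """HTTP status for a GET: 200 only for the first visit to the hidden path."""
        if path != self.path or self.page_served:
            return 404
        self.page_served = True
        return 200

    def post(self, path: str, pin: str) -> int:
        """HTTP status for a PIN submission; only one attempt is ever accepted."""
        if path != self.path or not self.page_served or self.pin_attempted:
            return 404                    # page never shown, already used, or wrong path
        self.pin_attempted = True
        if self.unlock_token(pin):
            self.unlocked = True
            return 200
        self.shutdown()                   # wrong PIN: take the whole service down
        return 403


if __name__ == "__main__":
    token = FakeToken("123456")           # constructed sample PIN
    page = OneTimeUnlock("/unlock-7f3a", token.verify_pin,
                         shutdown=lambda: print("shutdown hook fired"))
    print(page.get("/unlock-7f3a"), page.post("/unlock-7f3a", "123456"), page.unlocked)
    print(page.get("/unlock-7f3a"))       # second visit is a 404
```

The shutdown hook is injectable so the behaviour can be exercised without killing the process; the default is `sys.exit(1)`, which matches the post's "admin has to start Tomcat again" outcome. Note that the PIN comparison is done by the token object, not the web layer, which is the point of using a card or HSM in the first place.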
