The present invention relates generally to application program access to smart cards, and more particularly to a system and method for allowing user applications executing in a web—browser to access the functions and data in a smart card.
A smart card is a small secure personal computer that lacks input and output devices. Typical applications for smart cards include user authentication, storing private data and use as electronic purses. For these applications, as well as for others, the usual mode of interacting with the smart card is from a host application that is executing on a host computer to which the smart card is connected.
Host application program access to smart-card-based Public Key Infrastructure functionality, for example, is typically achieved through installation of middleware, which provides application program interfaces callable from application programs. The middleware then performs the interactions with the smart card hardware, typically via some form of reader. One commonly available architecture is based on the PC/SC Specifications from the PC/SC Workgroup. FIG. 1 is a block diagram illustrating a high-level view of an implementation of the PC/SC Specification. Smart card aware applications 101 running on a host computer 103 access smart cards 104a-d through a host computer middleware 105 and a smart card resource manager 107. The smart card resource manager 107, in turn, interacts with drivers 109a-d for the various card readers 111a-d to which the host computer 103 is connected.
This architecture presents several problems to the deployment of smart cards. These problems include the requirement of loading a middleware component onto the host computer and making updates to the middleware component. That becomes a particularly undesirable requirement when smart cards are to be used with web-based applications.
Increasingly, web applications have become commonplace and allow for platform-independent access to data and services available over the Internet. For example, web services such as online movie rentals and web-based email applications have become very popular. One advantage of the near ubiquitous deployment of web-connected computers and the wide-spread adoption of web-based applications is that such solutions remove the user from the virtual tether to the user's own computer. For example, by using web-based email services such as Google's Gmail, subscribers to those services can access their email from any computer connected to the web.
Now consider the addition of smart cards to the web-based environment. If a user has a smart card for storing, for example, passwords, account information, or digital certificates, or for performing certain security functions, for example, cryptographic services, and the user wishes to use the smart card while performing some web-based transaction on a computer other than one that belongs to the user, the user would have to install the host computer middleware 105 and possibly an appropriate IFD driver 109 on the particular host computer 103 that the user wishes to use. The owner of that host computer may not have granted the user sufficient privileges for installing middleware software. Furthermore, the owner may not wish to have such middleware software installed on the computer, or if the computer in question is a public computer, for example, one found in a kiosk at an airport or in a library, the person authorized to install the middleware component might not even be available. This problem is one that would stand in the way of a user being able to use a smart card for the security solutions smart cards provide in an environment where such security protections would be of particularly high value. Likewise, updates to the middleware present analogous problems.
An additional issue is that the manner in which web-browsers expose interfaces to middleware. Because popular web-browsers, e.g., Firefox and Internet Explorer, provide different interfaces to middleware, web applications that rely on such middleware have to be web-browser-aware. In other words, the web applications must either be developed specific to each web-browser or must do an internal check to determine which web-browser is being used and have the capability of addressing the appropriate middleware.
These problems are very unfortunate. The web, while becoming a widely used virtual marketplace for a many types of transactions, is also very prone to security issues such as fraudulent use of private accounts, identity theft, and theft of private data. Smart cards are ideally suited for addressing such problems. For example, smart cards may be used for secure storing of user credentials and can be used as an integral component to login processes thereby providing two-factor authentication. However, the necessity of installing middleware on host-computers that a user wishes to employ in accessing web services stands in the way of effective use of smart cards for some such uses.
Smart cards may be advantageously used in conjunction with cryptography services. As such smart cards may be used to store a user's private key and digital certificates. Furthermore, the smart cards may also be used to perform cryptography operations such as encrypting messages, decrypting messages, providing user login, and digitally signing documents using the user's private key. The above—mentioned problems in deployment of smart cards are further aggravated in their use as cryptographic devices.
Since hardware tokens and even software security devices present different interfaces and use different protocols, industry has worked on specifications for accessing the cryptographic capabilities such as storing and accessing certificates, signing or encrypting data, etc., in a hardware neutral way. There are two main competing standards for providing this hardware neutral access to cryptography: Crypto API (CAPI) and PKCS#11. These two standards are largely associated with different operating system platforms and web-browsers. CAPI is the standard used in the Windows operating systems from Microsoft Corporation, Redmond, Wash., and is provided as a standard function of the Windows operating systems. It is the cryptography standard implemented for Microsoft's Internet Explorer. PKCS#11, which was developed by RSA Laboratories, is available in several desktop operating systems and is natively available via the Firefox web-browser from the Mozilla Foundation. There are similarities and there are differences between the two approaches.
In the traditional approach for providing cryptographic services using smart cards, developers would develop host modules for either CAPI or PKCS#11 to be installed as plug-ins to email clients and other applications such as desktop login or Virtual Private Network (VPN). These modules are not part of the underlying operating system installation.
From the foregoing, it will be apparent that there is a need for an improved method to provide web applications access to smart cards.