The present invention relates generally to application program access to smart cards, and more particularly to a system and method for ensuring information security when allowing applications executing in a web-browser to access the functions and data stored on a smart card.
A smart card is a small secure personal computer that lacks input and output devices. Typical applications for smart cards include user authentication, storing private data, and use as electronic purses. For these applications, as well as for others, the usual mode of interacting with the smart card is from a host application that is executing on a host computer to which the smart card is connected.
U.S. patent application Ser. No. 11/849,117, Kapil Sachdeva and Ksheerabdhi Krishna, “System and Method for Browser Based Access to Smart Cards,” filed on 31 Aug. 2007, describes a mechanism which removes many burdens on a programmer in creating web-applications that access smart cards. In one scenario, for example, using the SConnect technology from Gemalto, Inc., Austin, Tex., USA, a web-application may be downloaded onto the host computer when a user accesses a remote web service. The web-application may be written an application program interface that is common across browsers and platforms. To insulate the web-application developer from the intricacies of particular platforms and browsers, a browser extension (herein referred to as the smart card access browser extension) is loaded into the browser. That browser extension marshals the interaction between the web-applications and the smart card. Thus, the browser extension provides a data pipe from the remote web-service to the smart card via the web-application. The SConnect technology from Gemalto, Inc., Austin, Tex. is an example of a smart card access browser extension.
Smart cards are often used to store highly sensitive information. For example, smart cards may be used for cryptographic operations and then would hold a user's private key. Smart cards may also be used to hold credentials for accessing various types of accounts, e.g., to provide access to particular computers or networks, financial accounts, health information accounts. Naturally, it is very important to safeguard such information and services provided by smart cards from inadvertent disclosure to third parties, from intentional theft by third parties, and from inadvertent or intentional damage. Failure to provide such safeguards could lead to unauthorized access to the information of the holder of a smart card, unauthorized access to a user's online accounts, destruction of data, and other types of identity theft.
A smart card access browser extension provides a mechanism by which a remote web-service is connected to the smart card over the Internet via a local computer. It is therefore desirable to use the smart card access browser extension to counter potential security threats to which a smart card is exposed when connected to the Internet.
Some examples of possible attacks against a smart card include Phishing, DNS Cache Poisoning, Malicious Websites, and Man-in-the-Middle Attacks.
Phishing attacks trick users into divulging their login credentials to malicious websites that resemble legitimate websites that a user may want to access, e.g., by pretending to be the user's bank or another online merchant with which a user may have an account. The key to prevent Phishing is the user's vigilance.
DNS cache poisoning attacks exploit vulnerabilities of DNS servers and trick the servers to accept fraudulent information that directs traffic to malicious websites. While Phishing lure individual victims, DNS cache poisoning can redirect all users trying to reach a target website to a fraudulent one.
Malicious Websites. Traditional smart cards work on an assumption that the host computer is secure. If a user enters a valid PIN, a client program on the host computer can access the smart card. In fact, any programs on the computer can access the card after the user logs in. Global Platform's Secure Channel Protocols (SCP) and ISO 7816-4's Secure Messaging prevent this problem by establishing authenticated secure communication channel between one client application on the host computer and one sever application in the smart card. Unfortunately, many smart cards in the field were either issued before these security standards were put in place or have not implemented them. These cards are vulnerable to attacks by malicious software on the computers.
The Man-In-The-Middle (MITM, middleperson) is an infamous network attack. The attacker pretends to be the server to a client, and pretends to be a client to the server, intercepting messages in between. For an example, assume a user wants to access a remote server using a client application (a browser, for example). The middleperson is located in between the client and the server intercepting the user's private data, modifying transactions, and/or hijacking the authenticated channel.
The secure socket layer (SSL), or its later version the transport layer security (TLS) protocol, enables two connecting Internet parties (e.g., a client and a server) to securely communicate, preventing MITM to eavesdrop or modify messages sent between the two parties. To completely prevent MITM attacks, the two communicating parties must know and authenticate each other. This, however, is often not the case; client authentication is often not used.
The HTTPS is HTTP carried by SSL/TLS instead of directly by TCP. It enables secure communication between web applications.
In addition to Internet based attacks, the smart card could be vulnerable to attacks launched from the host computer. One such attack mechanism is the Keystroke Logger. A keystroke logger is a malicious software program that captures a user's keystrokes with the motive to steal user's login credentials, such as usernames and passwords. The logger can then send the captured keystrokes to a remote server to extract information and to use it for fraudulent activities. Simple keystroke loggers are less effective with smart cards because captured PIN is no use without corresponding smart cards. A sophisticated keystroke logger can, however, capture a user PIN, wait for the subsequent smart card insertions, and access the card without the card holder's knowledge.
Other vulnerabilities to smart card data security derive from user behavior. While many software programs present warning messages to users, it is not uncommon for users to ignore such warnings.
Similarly, while many interactions between a client web browser and a remote web server is secured using SSL or TLS, such secure communication between client and server requires that the server is in possession of a valid and trustworthy SSL certificate. To be valid and trustworthy, the SSL certificate must be signed by a trusted root certificate authority (CA) and there must be a match between the Common Name (CN) of the certificate and the URL of the web page being accessed. If the SSL certificate does not meet those requirements, the web browser warns the user. It is very common for users to simply ignore such warnings and proceed with establishing the session with the remote server in spite of the SSL certificate not being valid. That poses the risk to the user that a malicious web site is being accessed which may cause improper access or manipulation of the contents of the user's smart card.
Therefore, it is desirable to provide security mechanisms by which the interaction by remote web-services to a smart card via the smart card access browser extension is safeguarded against malicious attackers and unintentional damages.
From the foregoing, it is be apparent that there is a need for an improved method to provide web applications access to smart cards.