Smartcards with Webservice Interface

Transcription

1 Smartcards with Webservice Interface 22. SIT-SmartCard Workshop 8./9. February 2012 Jan Eichholz

2 Agenda Benefits of a Webservice Interface for Smartcards The Service Access Layer out of ISO/IEC The Architecture of the G&D Webservice Smartcard Demo Conclusion

3 The Project The German part of the project is funded by the German Federal Ministry of Education and Research Project start: June 2008, February 2009 in Germany Project end: January 2011 National Partners: IFX, NXP European Partners: Gemalto (Project Lead), STM, OKSystem, Precise Biometrics, Compuworx, id3, CEA, NXP-F

4 IT- Infrastructure Vision einer Internet Smart Card Status Quo Networking TCP/IP, USB, HTTP, Bluetooth Operating System Windows, Linux, Palm Devices PCs, PDAs, Phones Applications Internet Smart Card Model Networking TCP/IP, USB, HTTP,.NET, Bluetooth Smart Card Devices PCs, PDAs, Phones Middleware Smart Card T=1 Proprietary JavaCard STARCOS Reader Telco, Payment Corporate ID Operating System Applications Windows, Linux, Palm Source: Dr. Walter Hinz, SIT-SmartCard Workshop Darmstadt, 07. Februar 2007 #4

5 Smartcards with APDU Interface Authentication Identification Data Access Application Interface Application Interface APDU APDU APDU APDU Generation Öffentliche Ordner Öffentliche Ordner

6 Smartcards with Webservice Interface Authentication Identification Data Access Application Interface Application Interface Webservice Öffentliche Ordner

7 Smart Home and M2M Infrastructure Smart Devices Application Server Smart Device Server Secure Data Monitoring JC3.0 Secure Data Smart Home Device Security Gateway Source: Sönke Schröder

8 Agenda Benefits of a Webservice Interface for Smartcards The Service Access Layer out of ISO/IEC The Architecture of the G&D Webservice Smartcard Demo Conclusion

9 ISO/IEC in a nutshell Testing ISO/IEC Architecture ISO/IEC Service Application Service Access Layer (SAL) ISO/IEC Generic Card Access Layer ISO/IEC Interface Device-API (IFD-API) ISO/IEC Auth. Protocols ISO/IEC

10 Agenda Benefits of a Webservice Interface for Smartcards The Service Access Layer out of ISO/IEC The Architecture of the G&D Webservice Smartcard Demo Conclusion

11 G&D SAL-on-card architecture (Overview) APDU TCP/IP based communication Service Access Layer WebService instead of APDU communication Nearly no middleware necessary Simple Card Capability Discovery

12 The Protocol Stack XML / SOAP HTTP / HTTPS Streaming Interface BIP APDU TCP IPv4 / IPv6 EEM (Ethernet) T=0 / T=1 USB

13 JavaCard 3 Connected Servlets (HTTP communication) Multi-Threading Strings Extended APIs Garbage Collection eid-sallet SmartCard SALlet API SAL Servlet XML Parser SOAP Smart Card OS, Web Server Source: Oracle

14 SAL-Servlet: Communication flow On card eid-sallet SmartCard SALlet API SAL Servlet XML Parser SOAP Smart Card OS, Web Server

15 XML & SOAP Extension of the JavaCard API to support XML and SOAP XML & SOAP API according to definitions of Java Standard Edition (subset) Highly optimized with respect to performance, RAM and Flash consumption <env:envelope> <env:header/> <env:body> <CardApplicationConnect> <CardApplicationPath>eID-SALlet</CardApplicationPath> </CardApplicationConnect> </env:body> </env:envelope> SmartCard eid-sallet SALlet API SAL Servlet XML SOAP Parser Smart Card OS, Web Server

16 The SALlet-API Extension to the standard JavaCard API Allows the implementation of Webservice connected Applets (=SALlets) in an easy way Uses the objects out of ISO/IEC Card Applications Differential Identities Data Sets Access Control Lists SmartCard eid-sallet SALlet API SAL Servlet XML SOAP Parser Smart Card OS, Web Server

17 A sample SALlet DIDs and Access Rules //create a PIN-DID object DIDPIN did = new DIDPIN("DIDPIN", 1234, 3); add(did); //create access control list with security condition Vector<Short> actionsdidpin = new Vector<Short>(); actionsdidpin.addelement(action.dsi_read); actionsdidpin.addelement(action.dsi_write); AccessRule accessruledidpin = new AccessRule( new SecurityConditionDID(did), actionsdidpin); //attach access rules to data set dataset.addaccessrule(accessruledidpin); SmartCard eid-sallet SALlet API SAL Servlet XML SOAP Parser Smart Card OS, Web Server

18 Optimization of XML and SOAP Performance time [sec.] ,1 step I step II step III step IV step V step VI step VII step VIII development steps

19 Agenda Benefits of a Webservice Interface for Smartcards The Service Access Layer out of ISO/IEC The Architecture of the G&D Webservice Smartcard Demo Conclusion

20 DEMO

21 Agenda Benefits of a Webservice Interface for Smartcards The Service Access Layer out of ISO/IEC The Architecture of the G&D Webservice Smartcard Demo Conclusion

22 Conclusion The necessary Smartcard infrastructure can be reduced by using an high level interface on the Smartcard With the help of an addition to the JavaCard-API (SALlet-API) the development of SOAP-Applets is quite easy. The Demonstrator shows, that in principal the Webservice as Smartcard interface is possible, but The used JavaCard 3.0 connected platform is currently not mainstream The SOAP-binding is well used, due to specific context an optimized approach might be useful An implementation on top of the widely used JavaCard 3.0 classic platform is possible. IPv6 can offer a direct addressing of the Smartcard in the future, privacy aspects have to be considered!

23 Thank you for your Attention! Contact: Jan Eichholz Phone Giesecke & Devrient GmbH Prinzregentenstr München