Hello,
I'm creating an ASP.NET site that a client can log in to using smart cards as
their password. And I have no idea how to beat it. Any help will be
great.

RK

Re: Smart Card - ASP.NET by Sahil

Sahil
Sat Feb 19 02:27:00 CST 2005

You can't - unless you have trust on the client side - which you cannot
guarantee.
No code that runs inside a browser under the default trust level can read
local resources such as a smart card.

The best approach to this would be to send an installation, which registers
a mimetype that the browser can access using a URL. Once the end user has
installed something like that on their desktops (i.e. your proprietary smart
card software), you've crossed that trust limit - and then you can simply
securely call that URL and hence invoke local exe code and send back the
credentials you need. MSN Messenger does this when you hit "Instant Reply"
in Hotmail.

- Sahil Malik
http://codebetter.com/blogs/sahil.malik/



"RK" <robert@prones.pl> wrote in message
news:85eb11psfo3pbt12fvm45n98fkn1l8qidk@4ax.com...
>
> Hello,
> I'm creating an ASP.NET site that a client can log in to using smart cards as
> their password. And I have no idea how to beat it. Any help will be
> great.
>
> RK



Re: Smart Card - ASP.NET by RK

RK
Mon Feb 21 01:19:36 CST 2005



I mean that on the client side I have a smart card reader. I think I found
a way. I may use ActiveX on the client side and get authentication from the
smart card reader/smart card. If it passes I may send some
information to the server (e.g. user id / user name etc.)


RK

ps: Something like "Priore Smart Card controll"

Re: Smart Card - ASP.NET by Mark

Mark
Mon Feb 21 01:39:53 CST 2005

"RK" <robert@prones.pl> wrote in message
news:sl2j11tqfsj05jke15ar82lv63gk3c9b6n@4ax.com...

> I may use ActiveX on client side

Yes, but only if all your clients use IE, and have their browser settings
set to allow them to use ActiveX controls in this way...



Re: Smart Card - ASP.NET by Sahil

Sahil
Mon Feb 21 03:38:28 CST 2005

As Mark said - ActiveX control execution at the remote end will need -

a) Certificate + Security setting + User permission
b) DLL issues resolved in advance.

MFC ActiveX controls are too huge, ATL ones are too complicated to write. VB6
ActiveX controls just plain suck!!

You can even write an unmanaged .NET solution to get around the platform
issue, but problems a) and b) remain.

- Sahil Malik
http://codebetter.com/blogs/sahil.malik/




"Mark Rae" <mark@mark-N-O-S-P-A-M-rae.co.uk> wrote in message
news:ev%23MKi%23FFHA.348@TK2MSFTNGP09.phx.gbl...
> "RK" <robert@prones.pl> wrote in message
> news:sl2j11tqfsj05jke15ar82lv63gk3c9b6n@4ax.com...
>
>> I may use ActiveX on client side
>
> Yes, but only if all your clients use IE, and have their browser settings
> set to allow them to use ActiveX controls in this way...
>



Re: Smart Card - ASP.NET by RK

RK
Tue Feb 22 01:14:43 CST 2005


Maybe you are right, but...
I know that the users use IE to enter the web site (100% of them)
and I can't find any other way to get smartcard authorization & info
about users from the client side.

RK

Re: Smart Card - ASP.NET by Sahil

Sahil
Tue Feb 22 02:26:00 CST 2005

You could do it using IE, ActiveX, but security will be something you'll
have to deal with.

- Sahil Malik
http://codebetter.com/blogs/sahil.malik/


"RK" <robert@prones.pl> wrote in message
news:brml11hjb2anneufjivfiv56662ofloghh@4ax.com...
>
> Maybe you are right, but...
> I know that the users use IE to enter the web site (100% of them)
> and I can't find any other way to get smartcard authorization & info
> about users from the client side.
>
> RK