Smart card login implementation in websites

Hello all,

I have to improve website security by using smart-cards and card readers. How can I implement it?

Please let me know all the related steps, procedures, links to sample codes and whatever possible article, to make this system work.

One document is available at:
https://nihlogin.nih.gov/CertAuth/UsingSmartCardsWithNIHLogin.pdf
and:

USB Card Reading Keyboard:
http://www.smart-card.com/2010/07/20/usb-smart-card-keyboard/

Omnikey Card Reader:
https://www.hidglobal.com/prod_detail.php?prod_id=186

This is how, it should work.

A lot of thanks and appreciations to those who reply and help me add hard-ware based security in websites.

Basically it is done by requiring SSL/TLS comunication between browser and web-server, by an addition of requirement that not only server presents its certificate, but client as well presents clients certificate.

You did not specify what kind of web-aplication you are building and using what components or development environment.

Quick googling gave me these results:
http://securitythroughabsurdity.com/2007/04/implementing-smartcard-authentication.html
http://technet.microsoft.com/en-us/library/dd277383.aspx
http://www.mindtheflex.com/?p=80
http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Smartcard_Configuration_Examples
http://w2spconf.com/2009/papers/s4p4.pdf
http://download.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html

Please, specify more details :wink:

Thank you Aleksejs for those useful quick links.

I plan to use Omnikey 3021 card reader that runs in a web browser.
And this system will interact with the website when there is a need.

I think the best idea will be to implement java-applets that can read the data in smart cards using the Omnikey Hardware. And, it will send the authentication or other information to the website.

The problem is that the system should be a web-based application; and not a desktop application. But still, it should be able to read out the card in the customer’s web browser and send information to the server.

The below links would help you understand what I need:
http://www.ugosweb.com/scemu.aspx (an example of java applet reading the card)
https://nihlogin.nih.gov/CertAuth/UsingSmartCardsWithNIHLogin.pdf (manaul to similar operation)

I am searching for some coding examples, API/DLLs or technical/programming articles to make this possible.

Thank you.

If you dont have any clue on how to do this, you should consider saying no to the project.

What your asking about is a fairly simple process, but the caveat is that if you dont do it correctly the website will not be any more secure afterwards. In this case the chance of something not being secure enough in the end product is pretty high, and you as a professional should be able to see your limit and say no to projects that you dont know how to complete (especially when we are talking about security).

I am fully aware about the security issues, and need the system work.
So, I can think of hiring experts on this as well.

The system I am going to build is important, and producing cards to the sytem shows the legal presense of the member who signs using a card, and is run by limited members only.

Info only:
I found out the most relevant information on the website about the smart cards.
http://code.google.com/p/eid-applet/
http://code.google.com/p/eidlib/

These links distribute the real smart card API in Java and other languages.
They contain applications, samples, development manuals and more.

This is typically handled by the smart card middleware via PCKS 11 operations (if you have the middleware installed on the client, the browser will pop up a dialog asking the client for their smartcard on login). This won’t require applets or browser plug-ins.

If you need to do it via a web only solution, Comet Way makes a browser plug-in that might be useful to you, <snip/> - this plug-in lets you write scripts on the server that encapsulate the smart card interactions and post results back to your server, and it works with any kind of smart card without requiring middleware (a card minidriver) to be installed.