Kapil Sachdeva's Blog - SmartCard Serenity

http://www.techworld.com/opsys/news/index.cfm?NewsID=2627

"The move towards smart cards is the way forward," said Gates in his keynote at IT Forum, in Copenhagen this morning. "The idea is to have a smart card that connects up in the best way - a .Net based smart card."

Microsoft partner Axalto "has done a super job on this", said Gates. "We will be using their smartcards internally - each employee will use those to get in and out of the buildings as we used to connect to our machines. We're requring them. We will completely replace passwords."

By having .Net capability, said Gates, "we think this brings different logic down to the card itself, giving a richness and continuity to the platform that only exists in that .Net environment." Axalto said this was the first commercial deployment of Axalto’s .Net-based smart cards.

For the press release goto: http://www.axalto.com/Company/press/news.asp?id=220

Finally its out of the lab as the product which is not only going to make systems secure but revolutionize the Smartcard technology with the help of excellent on-card & off-card application developement framework i.e .NET.

Except for Ping identity package for .NET (where they used the xsd generated classes) for Liberty & SAML specifications I do not see single .NET implementation of either specifications. I am surprised why ASP.NET community and companies who use ASP/ASP.NET are not concerened about these standards or may be they are waiting for Microsoft to provide WS-Federation support.

I am in the process of writting SAML 2.0 implementation in C# and will open source it once I have a working version. I am using WSE 2.0 frameworks for the implementation.

Everyone is giving its wish list for WSE 3.0 with WS-Reliable messaging being the foremost requirement so I _wish_ WSE 3.0 would have support for SAML 2.0 & WS-Federation support. Given the extensible nature of WSE its not difficult (technically). Sometime back I had written an implementation of WS-Federation for Plumbwork at GDN (now moved to SourceForge) for my identity management demo at Burton-catalyst, WSE team may take that as a starting point.

Its been more than month I have blogged something.... was on holidays and before that busy preparing demo using Liberty LECP profile for SmartCards. This is what is described below:

LECP or Liberty-Enable Client & Proxy profile is specified in “Liberty Bindings & Profiles Specificatios“ [Section 3.2.5]. LECP can be briefly explained as a client that has, or knows how to obtain, knowledge about the identity provider that the principal wishes to use with the Service Provider. This client receives and sends Liberty messages in the body of HTTP requests and responses.

Flow Diagram for LECP profile is :

The Demo comprised of 4 elements.

1. Service Provider [SP], http://www.dotnetcard.com/Demos/Liberty-Catalyst/Liberty-sp/TinkuTinki.aspx
2. Identity Provider [IDP], http://www.networksmartcard.com/Demos/Liberty-Catalyst/Liberty-idp/LECP.ashx
3. Liberty UA : Internet Explorer + LECP ToolBar.
4. Trusted Module : SmartCard.

Demo shows the proof-of-concept for role of SmartCards in Liberty Federation/ID Management world. I designed a toolbar for internet explorer which does the interactions with IDP, SP and Trusted Module (SmartCard). In the figure above toolbar can be considered as UserAgent (UA). Below is the picture of the toolbar:

Illustrated Below are the detailed steps of the demo:

• Clicking on the LogOn button in the toolbar prompts for user to enter PIN to authenticate to SmartCard.
• On successful validation, a list of Service Providers (stored as Xml file in .NET SmartCard) is retrieved by toolbar and shown in Service Providers combo Box in toolbar. Options and AutoFill buttons also get enabled.
• User selects the Service Provider from the combo Box.
• UserAgent (here toolbar) sends the request to SP selected for getting the AuthnRequestEnvelope as specified in LECP [Section 3.2.5.2].
• SP sends AuthnRequestEnvelope to UserAgent, UA validates and process this message to retrieve IDP (if provided by SP).
• If AuthnRequest message is good and valid, UA helps doing the mutual authentication of Trusted Module (SmartCard here) & IDP based on some shared secret. This scheme (authentication) has been used for demo purposes, we can make it as sophisticated as required.
• On Successful authentication, UA (toolbar) sends the AuthnRequest received from SP to the IDP.
• IDP does the necessary validation and processing of message and generates the AuthnResponseEnvelope containing the assertion about the user.

AutoFill button on the toolbar is a nice application to fill the forms on web pages from user data retrieved from SmartCard.

I used .NET for all the pieces necessary for the demo. .NET SmartCard is used as a TrustedModule. Below is shown the contents of the .NET SmartCard.

Lets have a look at Card Contents:

• Liberty.TM.exe is the application doing mutual authentication with IDP. 
• Liberty.ITrustedModule.dll is the interface to Trusted Module Service.
• AutoFillOptions.xml : Contains the user data (eg Name,address etc)
• ServiceProviders.xml : Contains the list of Service Providers supported by this SmartCard.
• Assertions.xml : This is another very interesting part. This is a cached assertion inside the SmartCard and to be used for offline mode. There may arise a need that Service Provider is not online so user can always download the assertions from IDP and present it to SP offline.

Plumbwork Orange workspace has been moved from GDN to Sourceforge. You can find implementations of various WS-* specifications there including one from me called WS-Federation.

Its been on mind for some days to express my gratitude to guys (teams) who make the most wonderful developement environment on planet. In college I used to program primarily in Visual Studio 6.0 with MFC, ATL etc and never saw the importance of IDE until I switched to Java when I started working on JavaCards at Schlumberger (now Axalto Inc). I simply loved Java. Its a revolutionary language and paved the way to another great technology (.NET) & fantastic language C# ...... (pioneers should be given there respect).

Anyways, things were okay with Java but what I missed always was an IDE, I think I tried almost all the IDEs .... from Borland, to disgusting Forte (from SUN) , Visual Cafe, JCreator, Eclipse but none come close to VS.NET.

Forte was the worst with zillions of windows. I think I liked Visual Cafe the most. I loved the simplicty of JCreator and admired its creator for making the IDE in C++ than in Java as most Java-IDE developers do. They simply do not understand Java is not a language to make IDEs.

I recently used Eclipse, for an open source effort its a great IDE but again once you have been charmed by Visual Studio it get tough to be pleased by others.

With Visual studio.NET my love story began when we started our .NET SmartCard effort in 2002 and since then its tough to imagine life with out it. Lot of thanks to VS teams at MSFT for such great IDE.

SAML is a :

• XML Framework for defining tokens / assertions
• Protocol Binding framework
• Solution for SSO

With these questions in mind I started wondering if SAML provides everything then what does Liberty do. I asked this question in OASIS SSTC newsgroup and got some good explanation which I am posting here also.

Below is the answer from Conor P. Cahill from AOL who actively participates/contributes in SAML group.

---------

SAML1.1 does provide a framework upon which you can build a fully operational, privacy aware SSO environment.  This is, in fact, what Liberty did.  Liberty added functionality in the areas of:

• Identity Federation Protocols (how 2 parties agree on an identity handle for the user)
  
• Single Logout Protocols
• Privacy protection
• Authentication Context
• Metadata distribution
• Authentication request extensions
  
• IDP location (Common domain cookie)
• Enabled Client/Proxy
  
• Identity Affiliations
  

Liberty subsequently contributed their work back into the SSTC and the SSTC has incorporated it into the SAML 2.0 work that is currently in progress.   People who understand or have implemented Liberty ID-FF, will feel right at home with SAML 2.0.

-----------

Complete discussion can be found here.

In 1998 when Schlumberger Smart Card Systems (now Axalto, Inc) introduced JavaCards, application development for smart cards saw a revolutionary change. Being able to program in high level object oriented language not only speeded up the application development but bring interoperability of applications with other card manufacturers. JavaCards are/were definitely a mile stone in SmartCard evolution.

Though JavaCards brought Java to SmartCards application model remained essentially the same i.e based on IS07816-4 commuication concepts (commonly known as APDUs). A developer of on-card and off-card applications need to be an expert of this constrained APDU protocol.

With .NET SmartCard we introduce a new Smart Card running a CLR, pure subset of ECMA framework libraries and state-of-art SmartCard operating system. This time we did not want to invent something new as far as appication frameworks are concerned as it not only make developers learn new apis but does not fit in existing off-card frameworks.

Here I am describing our communication framework and will blog other exciting feaures in coming days.

Application model for .NET SmartCard applications (or better call them services) is subset of .NET Remoting framework with transport channel based on IS07816-4 protocol for smart cards. The framework hides all the details of underlying transport protocol from developer. Lets look at the snippet of simple on-card application:

public class MySmartService : MarshalByRefObject{

      public static void Main(){
         APDUServerChannel channel = new APDUServerChannel(0x12);
         ChannelServices.RegisterChannel(channel);
         RemotingConfiguration.RegisterWellKnownServiceType(typeof(MySmartService), “MyService.rem“,  WellKnownObjectMode.Singleton);
      }

      public string SayHello(string name){
         return "Hello " + name;
      }
}

As you can see, other than Transport channel there is no difference between on-card & off-card remoting services.

Real benefit of this application model is encashed when we write client application where again only transport channel needs to be changed.

public class MyClient{

     public static void Main(){
          APUDClientChannel channel = new APDUClientChannel();
          ChannelServices.RegisterChannel(channel);

         MySmartService serv = (MySmartService)Activator.GetObject(typeof(MySmartService), "apdu:\\selfDiscover:na:0x12\MyService.rem");

         Console.WriteLine(serv.SayHello("Mr. Bill gates"));

    }

}

On-card Remoting framework is extensible also as you can write custom sinks.

Sometime back I also wrote a version of SoapChannel (ala WSE2.0 Custom transport channels) which provide seamless connectivity to .NET SmartCard Services from WebServices based on WSE2.0 application framework. Will do a writeup on this later.

Side-by-Side execution is a great facility but if shared assembly (assembly in GAC) developers maintain backward compatability configuring the publisher's policy for shared assemblies make .NET Rock.

There are basically 2 ways to configure your shared assembly -

• Use the SnapIn [AdministrativeTools\Microsoft .NET Framework 1.1 Configuration]
• Use the policy assembly.

The SnapIn is really fast, neat and less-error prone way to do but in most practical situations not usable.

To configure via SnapIn, right click on Configured assemblies node in the left pane, select 'Add' menu option. After this configuration is intuitive.

Using policy assembly is the way mostly every shared assembly developer will use as it is just to be installed in GAC and then its upto the CLR to do the magic of assembly binding.

Steps for creation of the assembly are :

• Create a policy file
• Put the above created policy file in assembly using al
• Install the above created assembly in GAC.

Here is the snippet for sample policy file which says that CLR should bind the host application reference to version 1.1.0.0 instead of 1.0.0.0

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<runtime>
     <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
        <dependentAssembly>
            <assemblyIdentity name="LibInGac" publicKeyToken="5bb6adc75ec4790c" culture="neutral" />
        <bindingRedirect oldVersion="1.0.0.0" newVersion="1.1.0.0"/>
         </dependentAssembly>
    </assemblyBinding>
</runtime>
</configuration>

Now run the al with the following command line :

al /link:LibInGac.dll.config /out:policy.1.0.LibInGac.dll /keyfile:mysnk.snk /version:1.1.0.0

Important thing here is to get the above command line correct.

1. /link:name_of_file.config
2. /out:policy.MajorVersionOfOldAssembly.MinorVersionOfOldAssembly.OriginalAssemblyName.dll
3. /keyfile:key_pair_file
4. /version:Version_for_policy_file

/version is an important option as you may want to override your previous policy assembly. CLR will look into the policy assembly with greater version number.

/Key_pair_file should be the same key-pair with which assembly being accessed (here LibInGac) was signed.

/out:policy.MajorVersion.MinorVersion.AssemblyName.dll

I was looking at GDN quick start sample and found out after hit-n-trial that options provided to 'al' are wrong. Also MSDN does not specify major version and minor version are that of original assembly or new assembly.

http://www.mindtree.com/ping_me.html

MindTree, a great consulting firm based in Banglore,India is running this seminar where lectures will be delivered by its founder & COO, Surbroto Bagchi. The first one in the series is posted at the site. Title of this lecture is : 9 Key Factors behind a successful technical career.

The lecture is really good and must say I did learn from the experience and guidance of Mr. Surbroto and specially loved the notion of Followership which I must say I have never heard before (although have followed it time and again :) ).

Regards to Mr. Surbroto Bagchi and thanks to MindTree for such a great effort.

I had been avoiding to look into details of Relax NG thinking it to be just another schema proposal until saw some good posts from Tim Ewald and Aaron Skonnard. A good introduction of RelaxNG can be found here at http://relaxng.org but the articles (1, 2, 3) which really throw an insight as far as comparisons are concerned are ones from David Mertz at IBM developerWorks. I found part 1 & part 2 very interesting. David provides the code fragments to assert the differences and way both (RelaxNG & XSD) express the same XML instance.

RelaxNG syntax is definitely way simpler than XSD & provide uniformity in describing elements and attributes. I would definitely agree with its creators when they say you need 30 minutes to understand it.

David mentioned a valid case where XSD scores is that of specifying number of occurrences of elements. RelaxNG is limited to <zeroOrMore>, <OneOrMore>  & <optional> where as XSD can use any range for cardinality. In part 2, David mention about infoset augmentation, siting an example of how in DTD and XSD, default values are inserted in XML instance and James Clark thinks it to be a bug in DTD and XSD specifications rather than a feature. RelaxNG does not support infoset augmentation. Well, in my opinion its definitely a feature and do not buy the argument of consequences of schema document being not available because of network. Network argument can be used on all parts of schema documents.

Except for 2 features described above (cardinality & infoset augmentation) RelaxNG is better than XSD in almost all ways for eg. Uniform treatment for Elements & attributes, modular & extensible data type system etc