Kapil Sachdeva's Blog - SmartCard Serenity

Ant & NAnt have been the pioneers in recent times for automating the build and as Ant/NAnt guys describe their fascinating software - its kind of Make but without Make wrinkles. I have been a great fan of this stuff for a long time now. NET Smartcard SDK offers the custom NAnt tasks to automate the interactions with .NET Smartcard. I am going to describe here the custom tasks we have for .NET Smartcard.

If you are not familiar with NAnt please visit http://nant.sourceforge.net/

Below are described the custom NAnt tasks available for .NET Smartcard framework SDK.

• LoaderTask             

• Delete2Task

• ExecuteAssemblyTask       

Changing the path to NAnt binaries

.NET Smartcard SDK installs the NAnt binaries (shown below). The folder also contains netCard.NAntTasks.dll assembly which contain the above mentioned task. If you already have NAnt installed on your PC or want to download an updated version, you should add a path variable NANT_HOME in System settings & copy the netCard.NAntTasks.dll into the bin folder of NANT_HOME. If NANT_HOME is not defined, SDK takes [INSTALL_DIR]\3rdParty\NAnt as the default path for NAnt.

http://www.techworld.com/opsys/news/index.cfm?NewsID=2627

"The move towards smart cards is the way forward," said Gates in his keynote at IT Forum, in Copenhagen this morning. "The idea is to have a smart card that connects up in the best way - a .Net based smart card."

Microsoft partner Axalto "has done a super job on this", said Gates. "We will be using their smartcards internally - each employee will use those to get in and out of the buildings as we used to connect to our machines. We're requring them. We will completely replace passwords."

By having .Net capability, said Gates, "we think this brings different logic down to the card itself, giving a richness and continuity to the platform that only exists in that .Net environment." Axalto said this was the first commercial deployment of Axalto’s .Net-based smart cards.

For the press release goto: http://www.axalto.com/Company/press/news.asp?id=220

Finally its out of the lab as the product which is not only going to make systems secure but revolutionize the Smartcard technology with the help of excellent on-card & off-card application developement framework i.e .NET.

Except for Ping identity package for .NET (where they used the xsd generated classes) for Liberty & SAML specifications I do not see single .NET implementation of either specifications. I am surprised why ASP.NET community and companies who use ASP/ASP.NET are not concerened about these standards or may be they are waiting for Microsoft to provide WS-Federation support.

I am in the process of writting SAML 2.0 implementation in C# and will open source it once I have a working version. I am using WSE 2.0 frameworks for the implementation.

Everyone is giving its wish list for WSE 3.0 with WS-Reliable messaging being the foremost requirement so I _wish_ WSE 3.0 would have support for SAML 2.0 & WS-Federation support. Given the extensible nature of WSE its not difficult (technically). Sometime back I had written an implementation of WS-Federation for Plumbwork at GDN (now moved to SourceForge) for my identity management demo at Burton-catalyst, WSE team may take that as a starting point.

Its been more than month I have blogged something.... was on holidays and before that busy preparing demo using Liberty LECP profile for SmartCards. This is what is described below:

LECP or Liberty-Enable Client & Proxy profile is specified in “Liberty Bindings & Profiles Specificatios“ [Section 3.2.5]. LECP can be briefly explained as a client that has, or knows how to obtain, knowledge about the identity provider that the principal wishes to use with the Service Provider. This client receives and sends Liberty messages in the body of HTTP requests and responses.

Flow Diagram for LECP profile is :

The Demo comprised of 4 elements.

1. Service Provider [SP], http://www.dotnetcard.com/Demos/Liberty-Catalyst/Liberty-sp/TinkuTinki.aspx
2. Identity Provider [IDP], http://www.networksmartcard.com/Demos/Liberty-Catalyst/Liberty-idp/LECP.ashx
3. Liberty UA : Internet Explorer + LECP ToolBar.
4. Trusted Module : SmartCard.

Demo shows the proof-of-concept for role of SmartCards in Liberty Federation/ID Management world. I designed a toolbar for internet explorer which does the interactions with IDP, SP and Trusted Module (SmartCard). In the figure above toolbar can be considered as UserAgent (UA). Below is the picture of the toolbar:

Illustrated Below are the detailed steps of the demo:

• Clicking on the LogOn button in the toolbar prompts for user to enter PIN to authenticate to SmartCard.
• On successful validation, a list of Service Providers (stored as Xml file in .NET SmartCard) is retrieved by toolbar and shown in Service Providers combo Box in toolbar. Options and AutoFill buttons also get enabled.
• User selects the Service Provider from the combo Box.
• UserAgent (here toolbar) sends the request to SP selected for getting the AuthnRequestEnvelope as specified in LECP [Section 3.2.5.2].
• SP sends AuthnRequestEnvelope to UserAgent, UA validates and process this message to retrieve IDP (if provided by SP).
• If AuthnRequest message is good and valid, UA helps doing the mutual authentication of Trusted Module (SmartCard here) & IDP based on some shared secret. This scheme (authentication) has been used for demo purposes, we can make it as sophisticated as required.
• On Successful authentication, UA (toolbar) sends the AuthnRequest received from SP to the IDP.
• IDP does the necessary validation and processing of message and generates the AuthnResponseEnvelope containing the assertion about the user.

AutoFill button on the toolbar is a nice application to fill the forms on web pages from user data retrieved from SmartCard.

I used .NET for all the pieces necessary for the demo. .NET SmartCard is used as a TrustedModule. Below is shown the contents of the .NET SmartCard.

Lets have a look at Card Contents:

• Liberty.TM.exe is the application doing mutual authentication with IDP. 
• Liberty.ITrustedModule.dll is the interface to Trusted Module Service.
• AutoFillOptions.xml : Contains the user data (eg Name,address etc)
• ServiceProviders.xml : Contains the list of Service Providers supported by this SmartCard.
• Assertions.xml : This is another very interesting part. This is a cached assertion inside the SmartCard and to be used for offline mode. There may arise a need that Service Provider is not online so user can always download the assertions from IDP and present it to SP offline.

Plumbwork Orange workspace has been moved from GDN to Sourceforge. You can find implementations of various WS-* specifications there including one from me called WS-Federation.

Its been on mind for some days to express my gratitude to guys (teams) who make the most wonderful developement environment on planet. In college I used to program primarily in Visual Studio 6.0 with MFC, ATL etc and never saw the importance of IDE until I switched to Java when I started working on JavaCards at Schlumberger (now Axalto Inc). I simply loved Java. Its a revolutionary language and paved the way to another great technology (.NET) & fantastic language C# ...... (pioneers should be given there respect).

Anyways, things were okay with Java but what I missed always was an IDE, I think I tried almost all the IDEs .... from Borland, to disgusting Forte (from SUN) , Visual Cafe, JCreator, Eclipse but none come close to VS.NET.

Forte was the worst with zillions of windows. I think I liked Visual Cafe the most. I loved the simplicty of JCreator and admired its creator for making the IDE in C++ than in Java as most Java-IDE developers do. They simply do not understand Java is not a language to make IDEs.

I recently used Eclipse, for an open source effort its a great IDE but again once you have been charmed by Visual Studio it get tough to be pleased by others.

With Visual studio.NET my love story began when we started our .NET SmartCard effort in 2002 and since then its tough to imagine life with out it. Lot of thanks to VS teams at MSFT for such great IDE.

SAML is a :

• XML Framework for defining tokens / assertions
• Protocol Binding framework
• Solution for SSO

With these questions in mind I started wondering if SAML provides everything then what does Liberty do. I asked this question in OASIS SSTC newsgroup and got some good explanation which I am posting here also.

Below is the answer from Conor P. Cahill from AOL who actively participates/contributes in SAML group.

---------

SAML1.1 does provide a framework upon which you can build a fully operational, privacy aware SSO environment.  This is, in fact, what Liberty did.  Liberty added functionality in the areas of:

• Identity Federation Protocols (how 2 parties agree on an identity handle for the user)
  
• Single Logout Protocols
• Privacy protection
• Authentication Context
• Metadata distribution
• Authentication request extensions
  
• IDP location (Common domain cookie)
• Enabled Client/Proxy
  
• Identity Affiliations
  

Liberty subsequently contributed their work back into the SSTC and the SSTC has incorporated it into the SAML 2.0 work that is currently in progress.   People who understand or have implemented Liberty ID-FF, will feel right at home with SAML 2.0.

-----------

Complete discussion can be found here.

In 1998 when Schlumberger Smart Card Systems (now Axalto, Inc) introduced JavaCards, application development for smart cards saw a revolutionary change. Being able to program in high level object oriented language not only speeded up the application development but bring interoperability of applications with other card manufacturers. JavaCards are/were definitely a mile stone in SmartCard evolution.

Though JavaCards brought Java to SmartCards application model remained essentially the same i.e based on IS07816-4 commuication concepts (commonly known as APDUs). A developer of on-card and off-card applications need to be an expert of this constrained APDU protocol.

With .NET SmartCard we introduce a new Smart Card running a CLR, pure subset of ECMA framework libraries and state-of-art SmartCard operating system. This time we did not want to invent something new as far as appication frameworks are concerned as it not only make developers learn new apis but does not fit in existing off-card frameworks.

Here I am describing our communication framework and will blog other exciting feaures in coming days.

Application model for .NET SmartCard applications (or better call them services) is subset of .NET Remoting framework with transport channel based on IS07816-4 protocol for smart cards. The framework hides all the details of underlying transport protocol from developer. Lets look at the snippet of simple on-card application:

public class MySmartService : MarshalByRefObject{

      public static void Main(){
         APDUServerChannel channel = new APDUServerChannel(0x12);
         ChannelServices.RegisterChannel(channel);
         RemotingConfiguration.RegisterWellKnownServiceType(typeof(MySmartService), “MyService.rem“,  WellKnownObjectMode.Singleton);
      }

      public string SayHello(string name){
         return "Hello " + name;
      }
}

As you can see, other than Transport channel there is no difference between on-card & off-card remoting services.

Real benefit of this application model is encashed when we write client application where again only transport channel needs to be changed.

public class MyClient{

     public static void Main(){
          APUDClientChannel channel = new APDUClientChannel();
          ChannelServices.RegisterChannel(channel);

         MySmartService serv = (MySmartService)Activator.GetObject(typeof(MySmartService), "apdu:\\selfDiscover:na:0x12\MyService.rem");

         Console.WriteLine(serv.SayHello("Mr. Bill gates"));

    }

}

On-card Remoting framework is extensible also as you can write custom sinks.

Sometime back I also wrote a version of SoapChannel (ala WSE2.0 Custom transport channels) which provide seamless connectivity to .NET SmartCard Services from WebServices based on WSE2.0 application framework. Will do a writeup on this later.

Side-by-Side execution is a great facility but if shared assembly (assembly in GAC) developers maintain backward compatability configuring the publisher's policy for shared assemblies make .NET Rock.

There are basically 2 ways to configure your shared assembly -

• Use the SnapIn [AdministrativeTools\Microsoft .NET Framework 1.1 Configuration]
• Use the policy assembly.

The SnapIn is really fast, neat and less-error prone way to do but in most practical situations not usable.

To configure via SnapIn, right click on Configured assemblies node in the left pane, select 'Add' menu option. After this configuration is intuitive.

Using policy assembly is the way mostly every shared assembly developer will use as it is just to be installed in GAC and then its upto the CLR to do the magic of assembly binding.

Steps for creation of the assembly are :

• Create a policy file
• Put the above created policy file in assembly using al
• Install the above created assembly in GAC.

Here is the snippet for sample policy file which says that CLR should bind the host application reference to version 1.1.0.0 instead of 1.0.0.0

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<runtime>
     <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
        <dependentAssembly>
            <assemblyIdentity name="LibInGac" publicKeyToken="5bb6adc75ec4790c" culture="neutral" />
        <bindingRedirect oldVersion="1.0.0.0" newVersion="1.1.0.0"/>
         </dependentAssembly>
    </assemblyBinding>
</runtime>
</configuration>

Now run the al with the following command line :

al /link:LibInGac.dll.config /out:policy.1.0.LibInGac.dll /keyfile:mysnk.snk /version:1.1.0.0

Important thing here is to get the above command line correct.

1. /link:name_of_file.config
2. /out:policy.MajorVersionOfOldAssembly.MinorVersionOfOldAssembly.OriginalAssemblyName.dll
3. /keyfile:key_pair_file
4. /version:Version_for_policy_file

/version is an important option as you may want to override your previous policy assembly. CLR will look into the policy assembly with greater version number.

/Key_pair_file should be the same key-pair with which assembly being accessed (here LibInGac) was signed.

/out:policy.MajorVersion.MinorVersion.AssemblyName.dll

I was looking at GDN quick start sample and found out after hit-n-trial that options provided to 'al' are wrong. Also MSDN does not specify major version and minor version are that of original assembly or new assembly.