Kapil Sachdeva's Blog - SmartCard Serenity

Ant & NAnt have been the pioneers in recent times for automating the build and as Ant/NAnt guys describe their fascinating software - its kind of Make but without Make wrinkles. I have been a great fan of this stuff for a long time now. NET Smartcard SDK offers the custom NAnt tasks to automate the interactions with .NET Smartcard. I am going to describe here the custom tasks we have for .NET Smartcard.

If you are not familiar with NAnt please visit http://nant.sourceforge.net/

Below are described the custom NAnt tasks available for .NET Smartcard framework SDK.

• LoaderTask             

• Delete2Task

• ExecuteAssemblyTask       

Changing the path to NAnt binaries

.NET Smartcard SDK installs the NAnt binaries (shown below). The folder also contains netCard.NAntTasks.dll assembly which contain the above mentioned task. If you already have NAnt installed on your PC or want to download an updated version, you should add a path variable NANT_HOME in System settings & copy the netCard.NAntTasks.dll into the bin folder of NANT_HOME. If NANT_HOME is not defined, SDK takes [INSTALL_DIR]\3rdParty\NAnt as the default path for NAnt.

http://www.techworld.com/opsys/news/index.cfm?NewsID=2627

"The move towards smart cards is the way forward," said Gates in his keynote at IT Forum, in Copenhagen this morning. "The idea is to have a smart card that connects up in the best way - a .Net based smart card."

Microsoft partner Axalto "has done a super job on this", said Gates. "We will be using their smartcards internally - each employee will use those to get in and out of the buildings as we used to connect to our machines. We're requring them. We will completely replace passwords."

By having .Net capability, said Gates, "we think this brings different logic down to the card itself, giving a richness and continuity to the platform that only exists in that .Net environment." Axalto said this was the first commercial deployment of Axalto’s .Net-based smart cards.

For the press release goto: http://www.axalto.com/Company/press/news.asp?id=220

Finally its out of the lab as the product which is not only going to make systems secure but revolutionize the Smartcard technology with the help of excellent on-card & off-card application developement framework i.e .NET.

Except for Ping identity package for .NET (where they used the xsd generated classes) for Liberty & SAML specifications I do not see single .NET implementation of either specifications. I am surprised why ASP.NET community and companies who use ASP/ASP.NET are not concerened about these standards or may be they are waiting for Microsoft to provide WS-Federation support.

I am in the process of writting SAML 2.0 implementation in C# and will open source it once I have a working version. I am using WSE 2.0 frameworks for the implementation.

Everyone is giving its wish list for WSE 3.0 with WS-Reliable messaging being the foremost requirement so I _wish_ WSE 3.0 would have support for SAML 2.0 & WS-Federation support. Given the extensible nature of WSE its not difficult (technically). Sometime back I had written an implementation of WS-Federation for Plumbwork at GDN (now moved to SourceForge) for my identity management demo at Burton-catalyst, WSE team may take that as a starting point.

Its been more than month I have blogged something.... was on holidays and before that busy preparing demo using Liberty LECP profile for SmartCards. This is what is described below:

LECP or Liberty-Enable Client & Proxy profile is specified in “Liberty Bindings & Profiles Specificatios“ [Section 3.2.5]. LECP can be briefly explained as a client that has, or knows how to obtain, knowledge about the identity provider that the principal wishes to use with the Service Provider. This client receives and sends Liberty messages in the body of HTTP requests and responses.

Flow Diagram for LECP profile is :

The Demo comprised of 4 elements.

1. Service Provider [SP], http://www.dotnetcard.com/Demos/Liberty-Catalyst/Liberty-sp/TinkuTinki.aspx
2. Identity Provider [IDP], http://www.networksmartcard.com/Demos/Liberty-Catalyst/Liberty-idp/LECP.ashx
3. Liberty UA : Internet Explorer + LECP ToolBar.
4. Trusted Module : SmartCard.

Demo shows the proof-of-concept for role of SmartCards in Liberty Federation/ID Management world. I designed a toolbar for internet explorer which does the interactions with IDP, SP and Trusted Module (SmartCard). In the figure above toolbar can be considered as UserAgent (UA). Below is the picture of the toolbar:

Illustrated Below are the detailed steps of the demo:

• Clicking on the LogOn button in the toolbar prompts for user to enter PIN to authenticate to SmartCard.
• On successful validation, a list of Service Providers (stored as Xml file in .NET SmartCard) is retrieved by toolbar and shown in Service Providers combo Box in toolbar. Options and AutoFill buttons also get enabled.
• User selects the Service Provider from the combo Box.
• UserAgent (here toolbar) sends the request to SP selected for getting the AuthnRequestEnvelope as specified in LECP [Section 3.2.5.2].
• SP sends AuthnRequestEnvelope to UserAgent, UA validates and process this message to retrieve IDP (if provided by SP).
• If AuthnRequest message is good and valid, UA helps doing the mutual authentication of Trusted Module (SmartCard here) & IDP based on some shared secret. This scheme (authentication) has been used for demo purposes, we can make it as sophisticated as required.
• On Successful authentication, UA (toolbar) sends the AuthnRequest received from SP to the IDP.
• IDP does the necessary validation and processing of message and generates the AuthnResponseEnvelope containing the assertion about the user.

AutoFill button on the toolbar is a nice application to fill the forms on web pages from user data retrieved from SmartCard.

I used .NET for all the pieces necessary for the demo. .NET SmartCard is used as a TrustedModule. Below is shown the contents of the .NET SmartCard.

Lets have a look at Card Contents:

• Liberty.TM.exe is the application doing mutual authentication with IDP. 
• Liberty.ITrustedModule.dll is the interface to Trusted Module Service.
• AutoFillOptions.xml : Contains the user data (eg Name,address etc)
• ServiceProviders.xml : Contains the list of Service Providers supported by this SmartCard.
• Assertions.xml : This is another very interesting part. This is a cached assertion inside the SmartCard and to be used for offline mode. There may arise a need that Service Provider is not online so user can always download the assertions from IDP and present it to SP offline.

Plumbwork Orange workspace has been moved from GDN to Sourceforge. You can find implementations of various WS-* specifications there including one from me called WS-Federation.