[mod_python] Smart Card and mod_python and browser plugins

Philippe C. Martin pmartin at snakecard.com
Wed Oct 19 13:14:12 EDT 2005

On Wednesday 19 October 2005 04:01 pm, Nicolas Lehuen wrote:

> Well, you look like you know what you are doing :). I wish you to succeed
> in this !
> To exchange data between the client and server, why not use HTTP ? With a
> scheme like this :
I just bought an Apache book and it covers that. I'll start studying that.

> 1) The client sends an HTTP request to the server with the unique card Id.
> The server generates a random value, associates it to the unique id
> (storing it in a DB or something), and returns the random data to the
> client.
Actually it will be stored in the card

> 2) The client makes another HTTP request, this time with the unique id, and
> the random data encrypted with its diversified key. The server fetches the
> public key of the client thanks to its unique id, decrypts what the client
> sent and checks if it matches the previously stored random data. It can
> then send back a redirect to the intended page, with a secure cookie which
> will be required to access all subsequent pages.
> To send HTTP request from the client, just use the APIs provided by the
> plugin SDK.
> Does this sound good ? In any case, this is very close to the standard HTTP
> Digest method of authentication, except that you use asymmetric encryption
> algorithms.
It does sound good - thanks a bunch.

Actually this scheme uses symmetric encryption (3DES or AES). The advantages 
(I see) are: cheaper cards, no certification authority management.

BTW: just found this tutorial 

as well as a new book: Hacking Firefox, which includes writing extensions and
introduces XPCOM (COM-like stuff)

As I'm fairly certain IE will let me do what I need, I'm fairly hopeful.



> Regards,
> Nicolas

Philippe C. Martin
SnakeCard, LLC
+1 405 694 8098
