Philippe C. Martin
pmartin at snakecard.com
Wed Oct 19 13:14:12 EDT 2005
On Wednesday 19 October 2005 04:01 pm, Nicolas Lehuen wrote:
> Well, you look like you know what you are doing :). I wish you to succeed
> in this !
>
> To exchange data between the client and server, why not use HTTP ? With a
> scheme like this :
>

I just bought an Apache book and it covers that; I'll start studying that protocol.

> 1) The client sends an HTTP request to the server with the unique card Id.
> The server generates a random value, associates it to the unique id
> (storing it in a DB or something), and returns the random data to the
> client.

Actually it will be stored in the card.

>
> 2) The client makes another HTTP request, this time with the unique id, and
> the random data encrypted with its diversified key. The server fetches the
> public key of the client thanks to its unique id, decrypts what the client
> sent and checks if it matches the previously stored random data. It can
> then send back a redirect to the intended page, with a secure cookie which
> will be required to access all subsequent pages.
>
> To send HTTP request from the client, just use the APIs provided by the
> plugin SDK.
>
> Does this sound good ? In any case, this is very close to the standard HTTP
> Digest method of authentication, except that you use asymmetric encryption
> algorithms.
>

It does sound good - thanks a bunch.

Actually this scheme uses symmetric encryption (3DES or AES). The advantages (I see) are: cheaper cards, no certification authority management.

BTW: just found this tutorial
http://roachfiend.com/archives/2004/12/08/how-to-create-firefox-extensions/
as well as a new book, Hacking Firefox, which includes writing extensions and introduces XPCOM (COM-like stuff).

As I'm fairly certain IE will let me do what I need, I'm fairly hopeful.

Regards,

Philippe

> Regards,
> Nicolas

--
*************************************
Philippe C. Martin
SnakeCard, LLC
www.snakecard.com
+1 405 694 8098
*************************************
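Added example, not part of the original message or of either poster's code: a sketch of the two-step challenge-response from the quoted steps 1) and 2), in the symmetric variant with a per-card diversified key. Assumptions: HMAC-SHA256 stands in for the 3DES/AES operation (the Python standard library has no block cipher), the challenge is held server-side as in step 1), and the names `MASTER_KEY`, `diversify`, `Card` and `Server` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample master key; a real deployment would keep it in an HSM/SAM.
MASTER_KEY = bytes(range(32))


def diversify(master_key: bytes, card_id: str) -> bytes:
    """Derive the per-card key from the master key and the card's unique id."""
    return hmac.new(master_key, b"card-key|" + card_id.encode(), hashlib.sha256).digest()


class Card:
    """Stands in for the smart card: it holds only its own diversified key."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id, self._key = card_id, key

    def respond(self, challenge: bytes) -> bytes:
        # Keyed MAC over the server's random value (assumed stand-in for 3DES/AES).
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, master_key: bytes):
        self._master = master_key
        self._pending = {}  # card_id -> outstanding random challenge

    def step1_challenge(self, card_id: str) -> bytes:
        """Step 1: generate a random value and associate it with the card id."""
        challenge = secrets.token_bytes(16)
        self._pending[card_id] = challenge
        return challenge

    def step2_verify(self, card_id: str, response: bytes):
        """Step 2: check the response; return a session token or None."""
        # pop() makes each challenge single-use, so a captured response cannot be replayed.
        challenge = self._pending.pop(card_id, None)
        if challenge is None:
            return None
        key = diversify(self._master, card_id)  # no per-card key database needed
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):  # constant-time comparison
            return None
        return secrets.token_urlsafe(32)  # value for the secure cookie
```

Because the server re-derives each card's key from the master key and the card id, compromise of one card exposes only that card's key, while the master key becomes the single secret to protect.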