远程站点和客户端私钥
我遇到了一些困难的情况,因为我需要一种方法让连接到 ASP.NET MVC 站点的客户端使用其私钥对 blob 进行签名和解密,以便服务器永远看不到私钥材料。在解密情况下,这些是加密的会话密钥。服务器看到会话密钥是可以接受的,只是看不到用户的私钥。
也就是说,我需要在浏览器中向用户呈现一些内容,让一些 javascript(或 java 小程序或 silverlight 等)执行与客户端上的硬件令牌通信的客户端,并将结果返回到服务器。
这不是客户端身份验证。我不需要简单地通过 IIS 使用证书进行身份验证。硬件令牌是 HID OmniKey USB 读卡器。
我对可用选项的理解是:
1。 Mozilla Javascript Crypto - 这似乎是最佳路线。 Firefox 似乎向远程站点公开了各种智能卡事件和功能。我了解了如何对文本进行签名,但没有了解如何解密 blob(最大的目标)。似乎有加载 PKCS#11 模块的方法,但文档似乎在那之后停止了。
2.具有更高信任度的 Silverlight - 这是我的第二个首选路线,因为我熟悉 Silverlight 和 .NET。 Silverlight 5 具有 P/Invoke 功能,因此我始终可以调用 PC/SC 模块,但这需要在浏览器外运行,而我无法做到这一点。似乎有一些关于在浏览器中以更高的信任度运行 Silverlight 应用程序的帖子,但这是一个全局设置,因此我不想降低其他应用程序的安全性。
3. ActiveX - ActiveX 组件可以与 PC/SC 模块交互,但这只是 Internet Explorer 的解决方案。如果被迫选择所需的浏览器,我更喜欢 Firefox 或 Chrome。
3. Firefox/Chrome 扩展 - 我的理解是 Firefox XPCOM 是 C++,我可以直接调用 PC/SC 库,并且扩展可以与远程站点上的脚本/DOM 交互。我不确定远程站点如何触发 Firefox 扩展。换句话说,远程站点如何告诉分机“好的,是时候签名了”?此路线的一个此类示例是 XSign(尽管它不使用硬件令牌)。
4. Java Applet - 这可能最终是唯一的方法。我找到了几个示例/指南,但我对 Java 不熟悉。 Java使用智能卡签名的小程序。在本例中,它只是一个简单的小程序,可以与令牌进行通信,并将结果发布到站点。
还有其他选择吗?我相信选项(1),Mozilla Javascript Crypto 是最好的方法,但文档非常稀疏。感谢您的任何指导。
I have a bit of a difficult situation in that I need a way for a client connected to an ASP.NET MVC site to sign and decrypt blobs with their private key, such that the server never sees the private key material. In the decryption case, these are encrypted session keys. It is acceptable that the server see the session key, just not the users private key.
That is, I need to present the user some content in a browser, have some javascript (or java applets, or silverlight, etc.) execute client side that communicates with a hardware token on the client, and returns the result to the server.
This is NOT client side authentication. I don't need to simply authenticate via IIS with a certificate. The hardware tokens are HID OmniKey USB readers.
My understanding of the options available are:
1. Mozilla Javascript Crypto - This seems to be the optimal route. It appears that Firefox exposes various smart card events and functionality to remote sites. I see how to sign text, but nothing about decrypting blobs (the largest goal). There seems to be methods for loading a PKCS#11 module, but the documentation seems to stop after that.
2. Silverlight with Elevated Trust - This is my second preferable route, because of familiarity with Silverlight and .NET. Silverlight 5 has the ability to P/Invoke, so I could always call the PC/SC modules, but this requires running Out of Browser, which I can't do. There seems to be some posts about running a Silverlight app In Browser with elevated trust, but this is a global setting, and so I don't want to diminish security for other applications.
3. ActiveX - An ActiveX component can interact with the PC/SC module, but this would be an Internet Explorer only solution. If forced to pick a required browser, I'd prefer Firefox or Chrome.
3. Firefox/Chrome Extension - My understanding is Firefox XPCOM is C++, and I can just directly call the PC/SC libraries, and the extension can interact with scripts/DOM on the remote site. I'm not sure how the remote site though can trigger a Firefox extension. In other words, how does the remote site tell the extension "ok, it's time to sign"? One such example of this route is XSign (though it doesn't use hardware tokens).
4. Java Applet - This might ultimately be the only way to do it. I've found a couple examples/guides, but I'm not familiar with Java. Java Applet for Signing with a Smart Card. In this case, it's just a simple applet that can communicate with the token, and post the results to the site.
Are there other options available? I believe option (1), Mozilla Javascript Crypto is the best approach, but the documentation is beyond sparse. Thanks for any guidance.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
也许您可以考虑让客户端下载本机应用程序并安装它(一次)。您可以让他们使用该应用程序进行身份验证并与您的服务器协商会话密钥 - 然后该应用程序可以使用启动 URL 中的会话密钥启动浏览器。 “本机”应用程序可能不是那么本机 - 使用 java 或 .net(如果您仅使用 Windows)或 python 等。
Maybe you could consider just having the clients download a native application and install it (once). You can have them use that app to do the authentication and negotiate a session key with your server - the app could then launch a browser with the session key in the launch url. "Native" apps could probably be not that native - use java or .net (if you're windows only) or python etc.
我实际上已经检查了所有选项。最后一个选项(Java Applet)最适合您的情况并且最容易实现。缺点是 JRE(Java 运行时环境)应该已经安装在客户端并与浏览器配合良好。用户还必须授予小程序在首次运行时连接到其智能卡的权限。
顺便说一句,如果你想使用 PKCS#7,你可以使用 Bouncy Castle。 JDK中没有标准的API。
PS:不要使用 JavaScript 进行加密。 Javascript 加密技术被认为是有害的。
I have virtually examined all options. The last option (Java Applet) is the most appropriate for your case and easiest to implement. The downside is that JRE (Java Runtime Environment) should already be installed at client side and plays nice with the browser. User also has to grant permission to the applet to connect to his smart card at first run.
BTW if you want to use PKCS#7, you can use Bouncy Castle. It has no standard API in JDK.
PS: Don't use JavaScript for cryptography. Javascript Cryptography Considered Harmful.