Sunday, September 04, 2005

My Research on Smartcard

friends keep asking me, what are you doing all night long in the office? what is so good about Gamacard? what does it relate to SSL (secure socket layer)?

this post will be the answer to those questions. I wrote this so that I dont have to repeat the same answers to different persons all over again :D

The root of the answer lies back in the theory of "computer securities" (as what i tought in UAD). Some of the aspects of security are: Authenticity, Privacy and Integrity. Each aspect is solved by applying different technology.

Aspect of Privacy concerns to ensure that the message is read by the intended recipient, not by other people. This relates to Public-Key Cryptography.

Aspect of Integrity concerns that the received message is not altered (modified) during the transmission. This relates to Digital Signature.

Aspect of Authenticity concerns how we can be sure that the user (sender of the message) is authentic (not someone pretending to be the sender). Authenticity can be based on one of three things:
1). based on what we KNOW (such as username/pass, PIN),
2). based on what we HAVE (such as tokens, smartcards),
3). based on what we ARE (biometrics, such as fingerprint),
the more combination we have, the more we can be assured that the user is authentic.

How does this theory relates to Portal Akademik and Gamacard? as you might have aware, traditional user login involves sending the username/password across network to be authenticated by the server. it is sent in plaintext, someone could intercept and read it. my research focus on: 1). how we can have a secure transmission (encrypted) between browser and server, and also 2). how we can be sure that whoever logged-in is truly a legitimate student (not someone pretending to be student).

my first goal is done by setting up an OpenSSL (and the related certificates) in the webserver. Setting up OpenSSL is quite straightforward (as long as your linux-box have all the required libraries). You will end up having a HTTPS server :D Transmission between browser and server will automatically be encrypted. There are concerns from my friends, that HTTPS would result in a slower response. I said, lets give it a try, since our webserver is a dual-xeon processor with 2GB of RAM :D

the second goal involves Gamacard. Gamacard plays a vital role in enforcing user authenticity. Of course, the system would run just fine without Gamacard, but lacks the aspect of Authenticity. The nice part is, according to many references, when browser make a HTTPS request (therefore browser should respond with a valid certificate stored in the computer), browser can "automatically connect and read certificate stored on smartcards". To do so, you don't have to create a specialized plugins or other. All you have to do is to create a PKCS#11 file structure on the smartcard, and store the certificate inside. That is what I have been trying to do during the past days. I am trying to create a PKCS#11 compliance smartcards.

Imagine, if UGM becomes the first university who adopted DigitalID, where everyone needs only ONE CARD to access every digital services at UGM. Its my dream.

2 comments:

Anonymous said...

quoting mr. Yoyo:
2). how we can be sure that whoever logged-in is truly a legitimate student (not someone pretending to be student).

mas, gimana kalo mahasiswa ngasih tau passwordnya ke orang laen sekaligus meminjamkan gamacardnya juga? apakah tidak lebih baik menggunakan biometric untuk menjaga autentikasi? mohon pencerahan, mungkin belom nyambung :D

Adityo Hidayat St. Majo Kayo said...

sure. what you describe is like giving away your credit-card to someone... or like giving away your ATM+PIN to someone...

why does most industries (e.g banking) are not common to use biometrics? because the stronger you combine authentication technology, it become more expensive. industries try to balance the trade-offs, making the solutions feasible in a cost-effective manner.

u know... our last reseach concluded that it would take at least 4KB of smartcard capacity to accomodate user certificate. another 2KB for the fingerprint template. not to mention another KB for e-purse application. Gamacard is only 2KB :)