This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License
Sharing Smart Card Authenticated Sessions Using Proxies
Kevin E. Foltz and William R. Simpson
DOI:10.17265/1934-7332/2016.01.003
Institute for Defense Analyses, 4850 Mark Center Drive, Alexandria, VA 22311, USA
This paper discusses an approach to sharing a smart card installed in one machine with other machines reachable over the local network or the Internet. This allows a user at a browser to use the shared card remotely and access web applications that require smart card authentication. It also enables users to access these applications from browsers and machines that lack the capability to use a smart card. The approach uses proxies and card reader code to provide this capability to the requesting device. Previous work on remote or shared smart card use either requires continuous access to the smart card machine or specific client software. The approach in this paper works for any device and browser that has proxy settings, creates minimal network traffic and computation on the smart card machine, and allows the client to move from one network to another while maintaining connectivity to a server. This paper describes the smart card sharing approach, the implementation and validation of the approach on real systems, and the security implications for an enterprise using smart cards.
Keywords: smart card, IT security, authentication, key management, proxy, SSL, TLS, session stealing