Smartcard authentication

Implementing something you have plus something you know, from scratch.

Comment

Notes

Team member name(s):

  • Chris Forgach - OMSCS alum

Disclaimer

I did this project two summers ago. Please do not waste time considering me for the awards. I saw that only 40ish hackers signed up, and I imagine the attrition rate will be high since this is an online event. However, the scope is similar to that of a 1-day hackathon.

Inspiration

Ask yourself and everyone you know the following questions: (1) why can't we buy alcohol from vending machines, and (2) why can't we vote online for government elections? If you cannot find specific answers for EXACTLY why it's not possible, then we are on the same page. Also Estonia has been doing online voting successfully for more than a decade.

What it does

Chip + PIN smartcard authentication.

How we built it

  • purchased a blank smartcard (i.e., a Javacard microcontroller)
  • purchased a USB card reader
  • programmed a Javacard application from scratch
  • flashed it on the the microcontroller using GlobalPlatformPro and the USB card reader
  • made a basic web UI with django to demo the login process

Challenges we ran into

  • The Javacard language dominates the smartcard ecosystem. However, like regular java it requires tons of dependencies to work with, which makes it both harder to learn to use and less secure by default.
  • The people who use it mostly work at banks and telecom companies, and all of the negative stereotypes of those industries are painfully true when it comes to the smartcard development ecosystem. For example, documentation is shamefully scarce because of proprietary interests and security by obscurity.
  • The state of cryptographic libraries are a disgrace to the software profession. The standard advice from cryptographers is nEvEr WrItE yOuR oWn EnCrYpTiOn... except all of the popular libraries don't want to take responsibility for implementing good security either, and are instead designed to (1) be easily misconfigured and (2) blame the user for the inevitable security breaches that flow from said poor configuration.

Accomplishments that we're proud of

This prototype actually works, including the encryption and authentication protocols which don't show up in a demo video and are invisible to the user when done well.

What we learned

  • How to work in javacard.
  • About serialized communication protocols

What's next for Smartcard authentication

  • The real path forward is to copy what Estonia is doing.

Built With

Share this project:

Updates