Tuesday, June 20, 2006

Securing Web Transactions through Smartcards


Smart cards play an important role in the project: they are used for user identification and authentication, and they support electronic transactions based on e-Purses.
Combining the Web with smart cards requires analysing the security architecture provided by the most widely used Web browsers: Netscape Communicator and Microsoft Internet Explorer. For Netscape Communicator, we adapted previous work developed in the SSL Project of the Universidad de Murcia [9]. As part of that project, a complete implementation of a PKCS#11 [14] cryptographic module was developed. For Microsoft Internet Explorer, the analysis and design of a cryptographic module that complies with the security architecture of this browser, and therefore with the Microsoft Windows operating system, was one of the tasks that consumed the most technical and human resources.

The Security Architecture of Microsoft Windows
To add smart card technology to Microsoft Internet Explorer in particular, and to Microsoft Windows in general, we used the PC/SC standard [13], since it provides the necessary interoperability between this kind of device and the most widely used operating systems.
The PC/SC architecture is based on several levels, defined by the physical features of smart cards and readers and by the specific details of the Application Program Interface (API) that provides the smart card services, CryptoAPI [11]. This API is a fundamental component of the security architecture of Microsoft Windows. It provides a complete cryptographic interface (digital signature, cipher, digital envelope, etc.) that is independent of the final service provider, of its specific implementation, and of whether a hardware device with cryptographic support is present. In this way, the developer can use cryptographic capabilities without needing to know the details of the cryptographic engine or of its hardware/software implementation.

Development of the CSP Cryptographic Module
Two components of the application environment defined by the PISCIS Project make use of smart cards by means of the CryptoAPI: the PKI and the SPEED protocol.

For the PKI, we use our Cryptographic Service Provider (CSP) through the Certificate Enrolment Control library to generate the users' key pairs and to store the private key, the user certificate and the CA certificate on the smart card. The SPEED protocol, in turn, uses the private keys and certificates to authenticate and validate the messages sent by the participants in an e-Commerce transaction.

Taking those requirements into account, we have implemented a CSP according to the Microsoft specification, using the smart cards of the PISCIS Project. Moreover, to check that our CSP works properly, we have tested it with several Windows applications (logon, Windows 2000 PKI, etc.) and other CSPs (for example, Microsoft Base Cryptographic Provider). Currently, the CSP developed in PISCIS has obtained the official signature of Microsoft, which enables its distribution as a valid component for Windows systems.