How program website (Java code) to use USB Tokens?

Dan Bizman
Ranch Hand

Joined: Feb 25, 2003
Posts: 387
I don't know a whole lot about USB tokens, but from what I know, they work on a challenge-response mechanism, just like SSL. With SSL (using https marker) a website can do a challenge-response without the user needing to do any setup/configuration. However, that's because it's all programmed into the browser. If it needs to happen with a USB-connected piece of hardware (the USB Token is on a small USB hard drive), how would my code do this? How do I get that data to/from the USB token/holder? Does anyone have examples of this?

EDIT: Also, there are a few ways USB Tokens can be used. One is that it has a certificate (with pub/priv keys) inside along with an algorithm processor that handles the challenge/response. The second way is that it has a token on it (or a token generator) that you then enter into a form input in a web browser (for example) and it usually has rules, like time-sensitive tokens. So the number you get can only be used for the next 5 minutes.

From what I can tell, the only way to use the first one with a browser is by importing it into the browser (which to me seems insecure). The second one, I guess, requires human copying into an input box. Does anyone know if there's also a second "variation" of that where there might be an encrypted password/token on the USB keyring that can be sent to the web server via the form input type="file"?
[ August 21, 2006: Message edited by: Dan Bizman ]
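The server-side half of the certificate-style challenge/response described in the post above, as an added example that is not part of the original thread. The class and method names are hypothetical, a software RSA key pair stands in for the token (on real hardware the private key stays on the device), and the in-memory challenge store and 5-minute lifetime are assumptions.

```java
import java.security.*;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class TokenChallengeDemo {
    private static final long TTL_MS = 5 * 60 * 1000; // assumed challenge lifetime
    private final SecureRandom rng = new SecureRandom();
    // Outstanding challenges: hex nonce -> expiry time. Each one is single-use.
    private final Map<String, Long> pending = new ConcurrentHashMap<>();

    /** Server: issue a fresh, unpredictable challenge for one login attempt. */
    public byte[] issueChallenge() {
        byte[] nonce = new byte[32];
        rng.nextBytes(nonce);
        pending.put(hex(nonce), System.currentTimeMillis() + TTL_MS);
        return nonce;
    }

    /** Server: accept only a valid signature over a challenge we issued and have not yet seen answered. */
    public boolean verify(byte[] nonce, byte[] sig, PublicKey registered)
            throws GeneralSecurityException {
        Long expiry = pending.remove(hex(nonce)); // removed before checking, so a replay finds nothing
        if (expiry == null || System.currentTimeMillis() > expiry) return false;
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(registered); // public key taken from the user's registered certificate
        v.update(nonce);
        return v.verify(sig);
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the token: a software key pair generated here.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair token = kpg.generateKeyPair();
        TokenChallengeDemo server = new TokenChallengeDemo();
        byte[] nonce = server.issueChallenge();
        // The "token" signs the challenge; only the signature travels to the server.
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(token.getPrivate());
        s.update(nonce);
        byte[] sig = s.sign();
        System.out.println("first attempt: " + server.verify(nonce, sig, token.getPublic()));
        System.out.println("replayed:      " + server.verify(nonce, sig, token.getPublic()));
    }
}
```

The server only ever handles the nonce, the signature and the public key, so nothing it stores or logs can be used to answer a later challenge.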
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42951
Not sure if that helps, but the JavaIoFaq has links to a couple of articles about accessing USB devices in Java.
[ August 20, 2006: Message edited by: Ulf Dittmer ]
Dan Bizman
Ranch Hand

Joined: Feb 25, 2003
Posts: 387
Originally posted by Ulf Dittmer:
Not sure if that helps, but the JavaIoFaq has links to a couple of articles about accessing USB devices in Java.

[ August 20, 2006: Message edited by: Ulf Dittmer ]


Thanks for the reply, but that's a different topic. My code will be on the webserver and the user will be accessing it through a web browser, so I wouldn't have direct access to their USB. I was wondering if there's some way (with headers?) to get that info from the USB via the browser or not, without the user having to do any configuration.

For example, I know some people have the user plug the USB token in, then import the cert into IE. That's the LAST thing I want. It should be a roving token/key, and should never be imported/installed. Is there any way to do this? I'd think there are a bunch of companies using USB tokens - how do they do it?
Jeroen T Wenting
Ranch Hand

Joined: Apr 21, 2006
Posts: 1847
Unless you're writing trusted applets (which might through some JNI gain access to a DLL which could communicate with the USB device) there's no way, as AFAIK JavaScript cannot access any hardware devices (the printing support just forwards to the operating system).

Edit: what you really want is a secure network where only people who are trusted (thus have a correct login to the network) are known to exist.
You can then decide based on IP address whether the machine is allowed to access the site, blocking requests from all machines that are not in a well known range.
That's a server configuration issue, best handled at operating system level through a firewall.
[ August 21, 2006: Message edited by: Jeroen T Wenting ]
Dan Bizman
Ranch Hand

Joined: Feb 25, 2003
Posts: 387
Originally posted by Jeroen T Wenting:
Unless you're writing trusted applets (which might through some JNI gain access to a DLL which could communicate with the USB device) there's no way, as AFAIK JavaScript cannot access any hardware devices (the printing support just forwards to the operating system).

Edit: what you really want is a secure network where only people who are trusted (thus have a correct login to the network) are known to exist.
You can then decide based on IP address whether the machine is allowed to access the site, blocking requests from all machines that are not in a well known range.
That's a server configuration issue, best handled at operating system level through a firewall.

[ August 21, 2006: Message edited by: Jeroen T Wenting ]


Thanks for the reply.

Everything I can find on the internet (and there's not much) says that you import the cert from the USB keyring into your browser's cert keystore. That just doesn't make sense to me. Why have a roving certificate/identity store (specifically so you can log in from any comp in the world) if you're just going to save that cert locally at each computer? Am I wrong about how the import works? Doesn't it then make it so that the local computer now has your cert, or does it keep the cert/keys on the USB keyring and save your password only (which also doesn't seem smart)?

With regard to your second suggestion, that doesn't work and is a different context altogether. There are situations where people want to keep their users/data constrained to one network/set-of-ips, but that's not what I'm trying to do here and usually not what USB tokens are for -- they're for roving.
Jeroen T Wenting
Ranch Hand

Joined: Apr 21, 2006
Posts: 1847
Browser-based solutions are a bad option when you want secure applications like that anyway.
Things get left behind in browser caches, cookie stores, people set the browser to automatically record passwords, etc. etc.

Far better to use a client you control completely, which would also allow you to use JNI to access that USB device (of course you'll have to provide a score of native libraries for every possible operating system).
Dan Bizman
Ranch Hand

Joined: Feb 25, 2003
Posts: 387
Originally posted by Jeroen T Wenting:
Browser-based solutions are a bad option when you want secure applications like that anyway.
Things get left behind in browser caches, cookie stores, people set the browser to automatically record passwords, etc. etc.

Far better to use a client you control completely, which would also allow you to use JNI to access that USB device (of course you'll have to provide a score of native libraries for every possible operating system).


I don't understand why you keep suggesting doing a completely different project.
 