SCM Server-Side API¶
The Server-Side Smart Card Middleware is a software component that can be installed on a web application server, allowing a secure, end-to-end communication between the customers’s application running on the server, and the smart card located on the end user’s workstation.
This architecture can complement Idopte’s Smart Card Web Service (SCWS) solution. With the regular SCWS solution, all the smart card management logic is performed on the client side, through the middleware components installed locally on the client computer. On the other hand, with the Server-Side solution, the smart card management logic is moved to the server side, and the middleware on the client side is only responsible for relaying the commands to the smart card.
This is particularly interesting in situations where a secure messaging is required at the APDU level, for performing administrative operations on the card. Using the Server-Side middleware in this case allows the application to establish an end-to-end secure channel, from the server within the customer’s premises, to the card on the end-user side, without exposing the secure channel master keys, or even the channel session keys, on the client computer. This guarantees that, even if the user’s workstation is compromised, the operations made on the card are still under complete control of the customer’s system, without any opportunity for man-in-the-middle type of attacks. This allows, for example:
Securely importing private keys from the servers to the card, without an attacker being able to extract the private key components at any point.
Securely producing a CSR, with on-board generated keys, without an attacker having the opportunity to alter the CSR and obtain a valid certificate for a key that is not the one generated on the card.
Remotely initializing a PIN value.
Any other use case where the secrets should be kept on the server and on the card, but not exposed on the way.