登录使用智能卡的使用ASP.NET，Windows身份验证和模拟私钥数据 [英] Sign data using smart card's private key with ASP.NET, Windows Authentication, and Impersonation

问题描述

我想知道是否可以使用智能卡的私钥签数据，而无需诉诸Java applet或ActiveX控件。

I want to know if it is possible to sign data using a smart card's private key without resorting to a java applet or activex control.

我很着急接近！的

我们的环境是：

• 广告域
• 在PKI基础设施/智能卡（PIV）

我敲了一个简单的ASP.NET（.NET 4.0）网页表单的应用程序：

I knocked up a simple ASP.NET (.net 4.0) web forms app with:

• Windows身份验证，匿名关闭
• 身份冒充上

随着智能卡阅读器，我可以很容易地列举了登录用户的智能卡（StoreLocation.CurrentUser）的认证。然而，当我尝试访问私有密钥（通过CSP），我得到一个拒绝访问错误。

With the smart card in the reader I can easily enumerate the certificates on the logged-in user's smart card (StoreLocation.CurrentUser). However, when I try to access the private key (via a CSP), I get an "Access Denied" error.

在我在调试模式下所有的本地机器工作正常。我知道 - 这是一个老生常谈

On my local machine in debug mode everything works fine. I know - it's a cliche.

        protected void Page_Load(object sender, EventArgs e)
        {

            //always populate the cert store
            store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            store.Open(OpenFlags.MaxAllowed);

            RSACryptoServiceProvider csp = new RSACryptoServiceProvider();

            //hardcoded to get the first cert in the store - it's legit and had a private key
            cert = store.Certificates[0];

            //throws error when not local
            csp = (RSACryptoServiceProvider)cert.PrivateKey;

        }

我试着给应用程序池的身份访问证书存储区无果

I've tried giving app pool identities access to the certificate store to no avail.

推荐答案

这是不可能的使用用户的私钥的服务器上。这将有效地抵消使用智能卡的优点。事实上，安全操作都将在智能卡中进行。

It is not possible to use the user's private key on the Server. This would effectively nullify the benefits of using a Smart Card. In fact, security operations will be performed ON the Smart Card.

微软将智能卡作为其公钥基础设施（PKI）支持的一个关键组成部分。智能卡增强了纯软件的解决方案，如客户身份验证，交互登录和安全电子邮件。智能卡是公钥证书和相关的密钥，因为他们一个交汇点：

Strategy for Supporting Smart Cards

Microsoft views smart cards as a key component of its Public Key Infrastructure (PKI) support. Smart cards enhance software-only solutions, such as client authentication, interactive logon, and secure e-mail. Smart cards are a point of convergence for public-key certificates and associated keys because they:

  
• 为保护私钥提供防篡改存储和   其他形式的个人信息。
  
• 在隔离涉及认证的安全关键型计算，   数字签名，以及从系统其它部分的密钥交换。
  
• 启用的凭据和其他私人信息的可移植性   电脑在工作，家庭之间，或为移动用户。
  

• Provide tamper-resistant storage for protecting private keys and other forms of personal information.
• Isolate security-critical computations involving authentication, digital signatures, and key exchanges from other parts of the system.
• Enable portability of credentials and other private information between computers at work, at home, or for mobile users.

来源：智能卡概念

正如你所看到的，一个重要方面就是从系统的其余部分隔离的安全关键操作。以执行与用户的私钥加密的唯一方法是使用智能卡读取器（硬件本身）。由于没有办法从你尝试做一个服务器端的ASP.NET网页访问客户端的硬件是不可能的。

As you can see, one key aspect is to isolate security critical operations from the rest of the system. The only way to perform encryption with the user's private key is to use the Smart Card reader (the hardware itself). Since there's no way to access the client's hardware from a server side ASP.NET webpage what you try to do isn't possible.

要实现这一目标的唯一方法就是使用一个客户端组件。

The only way to achieve this is to use a client side component.

这篇关于登录使用智能卡的使用ASP.NET，Windows身份验证和模拟私钥数据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！