Using Smart Cards to Integrate SSL/TLS and SESAME

Mark Vandenwauver, Joris Claessens, Wim Moreau
Katholieke Universiteit Leuven
Dept. Elektrotechniek-ESAT, COSIC
Kardinaal Mercierlaan 94
B-3001 Heverlee - BELGIUM
Ph. 32-16-32.11.34
Fax 32-16-32.19.70
mark.vandenwauver@esat.kuleuven.ac.be
joris.claessens@esat.kuleuven.ac.be
wim.moreau@esat.kuleuven.ac.be

Paul Ashley, Mark Looi
Information Security Research Center
School of Data Communications
Queensland University of Technology
GPO Box 2434, Brisbane - AUSTRALIA
Ph. 61-7-3864 1940
Fax 61-7-3221 2384
ashley@fit.qut.edu.au
mlooi@fit.qut.edu.au

COSIC Internal Report * – February 1999

Abstract

Web technology is used more and more for accessing organizational data. The benefit is that a well-known interface is used to access all computers across the organization’s network. These accesses can also be secured to some extent by using the Internet standard SSL/TLS protocol. Single sign-on systems allow users to log in to a central security server, be provided with a ticket, and then use this ticket to access other resources across the system. The benefit of single sign-on systems is reduced management for system administrators and a more user-friendly system. This paper describes our efforts in integrating web technology with a single sign-on system, which allows us to combine their benefits. To achieve additional security in the system, and to allow mobility of users, we have incorporated Smart Card technology. The importance of the Smart Cards cannot be overstated. Using the Smart Card, it is possible for users to roam and access the local resources in a secure way. On the downside, the difficulty of using Smart Cards is the ad-hoc lack of standardization within web technology.

* Submitted to IFIP WG 11.2 1999. Appeared in Proceedings of the IFIP TC6/TC11 International Conference on Communications and Multimedia Security (CMS 1999), IFIP Conference Proceedings 152, B. Preneel (ed.), Kluwer, pp. 303–317, 1999.
© 1999 Kluwer