Token Cards authentication

Anon

Hi all,

I'm looking for a Token-Cards based authentication solution for PHP based web sites and web apps.

If anyone knows a good solution or has experience using this please post your comments and experiences.

I guess I'm not the first with this need
but I can't find a solution.

Luis.

Anon

Hi Luis,

Could you be a little more specific about your requirements? I'm afraid I have no idea what "Token-Cards" are.

Thanks,

Jack

Anon

Jack,

Luis is looking for a secure way of client authentication! Although password/username is one possibility, they can often be guessed, they are revealed by the user, they are sniffed or found by brute force (often usernames are known, so all you need to do is to run a dictionary of passwords as most users select very simple passwords).

Digital certificates or IDs are the next step: They are the PKI way (public key infrastructure). Here you have a digital key and use encryption algorithms to securely verify the user. The password cannot be guessed or remembered: it is a random sequence of letters, numbers; the password cannot be sniffed: communication is automatically encrypted (through SSL v 3.0) but the password has to be "stored" on your computer – If a hacker gets access to your computer he will be able to extract that information.

On hardware tokens or smart-cards (see both definitions http://www.webopedia.com/TERM/t/token.html and http://www.webopedia.com/TERM/s/smart_card.html), the ID is kept external of the computer on a hardware device. Although often not perfect, they are easier to use and understood by end-users and the digital certificate information (the private key) is not easily extracted from the hardware device. See RSA SecureID, Schlumberger SmartCards, Rainbow ikey, AKS eToken for typical implementations (the latter two USB keys being the latest fashion).

Luis,

I think the easiest implementation would be through SSL v3.0 as this already has client authentication implemented. So to use this, you need to use the OpenSSL functions (see http://www.php.net/manual/en/ref.openssl.php). These functions are at a beta-stage at the moment. Also you need to find out how OpenSSL deals with client certificates. What you then need is on the client-side a way for the browser to communicate with your smart-card - this is the problem of the smartcard manufacturer.

All of this information is to the best of my knowledge on this topic, which is limited. I have never implemented any part of this myself. Hope it helps anyway!
If you know any more, please add!