
Second South Eastern Conference on eCommerce, 24-26 October 2000, Sofia, Bulgaria

Smart Card test infrastructure for Web-centric applications


Lothar Breitenbach, Marc Wilikens
Joint Research Centre
21020 Ispra (VA) – Italy
Thomas Frey
IFS Informationstechnik GmbH
Munich, Germany

Keywords: smart cards, test-beds, secure consumer access to web services


It is becoming crucial that citizens and consumers get easy, ubiquitous and secure
access to Internet services such as those found in e-commerce, health care and
content provision. The use of mobile and secure smart cards as user access tokens
and for authentication and digital signature therefore becomes a key feature in
future web applications. Access to services needs to be accomplished with zero
administration requirements on the part of the end user. This could be accomplished
by means of an inexpensive web access terminal supplemented with an appropriate
smart card terminal. This card terminal can be fixed, public or mobile. In this
context, Java technology is a promising solution, as it allows personalised code to
be downloaded from a web server based on user credentials that are stored and
processed on a smart card. To provide full platform independence, a number of
challenges still have to be overcome, not least in terms of interoperability and
security. Also, the eEurope initiative [1] emphasises that further efforts are needed
to accelerate and harmonise the use of smart cards to further secure access to
electronic services.

This paper describes the deployment of a smart card infrastructure based on Java
technology at the Joint Research Centre TRINIDAD (Trial Infrastructure for
Dependable Application Deployment) test-bed. The smart card infrastructure is
composed of a set of hardware and software components that can be used as
building blocks for the development and testing of smart-card-aware web applications
based on the Open Card Framework (OCF). Target applications can be found in
secure ubiquitous consumer access to web-based services such as e-commerce,
healthcare and content. A concept demonstrator has been developed for user
identification and authentication integrated in a web-based healthcare application.

By means of this project, the Joint Research Centre has developed a smart card
infrastructure for web-centric applications, i.e. all client hardware and software
components at the web browser side and the appropriate technology to develop and
test smart-card-aware web applications. The developed technology and components are
tested with a health care web pilot application developed on JRC TRINIDAD.
Considering the role of the Joint Research Centre as a pan-European research centre
of the EC, the smart card infrastructure is open to organisations for testing solutions
and applications, for instance in the frame of EU funded IST projects.

The paper will describe the architecture and the platforms employed in the
infrastructure, which is based on Java Card and a card reader service built on the
Open Card Framework (OCF) [2], which is written in Java. One important achievement
is the generic nature of the approach, which leaves open the possibility of evolving
all developed smart card components towards other web applications and towards
enhanced functions on the smart card such as digital signature. Some outstanding
issues will be described in terms of interoperability and security. In particular,
further smart card investigations and application developments are needed to provide
consumers with easy, ubiquitous and secure access to web services, i.e. there is a
need to develop a genuine "Internet card". Such an approach would for instance
imply: "zero-administration" card reader connection to a terminal, server-side
authentication of the user, establishment of an SSL connection for secure
communication between web browser and web server, and a secure channel between the
server and the smart card by using cryptography.

[1] eEurope 2002, Action Plan, approved at European Council in Feira, 19-20 June 2000.
    http://europa.eu.int/comm/information_society/eeurope/
[2] http://www.opencard.org

[Diagram labels: Trusted Web Server; Application Server; Database; Secure
environment; Web Browser; Java Worker Applet; Browser Interface; SSL over TCP/IP;
SSL client certificate from card; Secure channel; Reader with Java Card and Applet]

Figure: Possible architecture for a secure Internet card
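
The server-side authentication and the server-to-card secure channel named above can be sketched as follows. This is an added example, not code from the paper or from OCF: the paper does not specify a mechanism, so the shared-key HMAC challenge-response, the class names and the demo key are all assumptions. The channel here gives integrity and replay protection only; encryption is left out.

```python
import hashlib
import hmac
import os

def mac(key: bytes, *parts: bytes) -> bytes:
    # Fixed-length fields come first, the only variable-length field last.
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

class Card:
    """Stands in for the card applet; the long-term key never leaves it."""
    def __init__(self, card_id: bytes, key: bytes):
        self.card_id, self._key, self.seq = card_id, key, 0
    def respond(self, n_srv: bytes):
        n_card = os.urandom(16)
        self.k_sess = mac(self._key, b"sess", n_srv, n_card)  # fresh per session
        return self.card_id, n_card, mac(self.k_sess, b"auth", self.card_id)
    def receive(self, payload: bytes, tag: bytes) -> bool:
        good = mac(self.k_sess, b"msg", self.seq.to_bytes(4, "big"), payload)
        if not hmac.compare_digest(tag, good):
            return False  # altered, replayed or out of order
        self.seq += 1
        return True

class Server:
    """Trusted web server holding the per-card keys (assumed provisioning)."""
    def __init__(self, card_keys: dict):
        self.card_keys, self.n_srv, self.seq = card_keys, None, 0
    def challenge(self) -> bytes:
        self.n_srv = os.urandom(16)
        return self.n_srv
    def verify(self, card_id: bytes, n_card: bytes, proof: bytes) -> bool:
        key, n_srv, self.n_srv = self.card_keys.get(card_id), self.n_srv, None
        if key is None or n_srv is None:  # unknown card, or challenge already used
            return False
        k_sess = mac(key, b"sess", n_srv, n_card)
        if not hmac.compare_digest(proof, mac(k_sess, b"auth", card_id)):
            return False
        self.k_sess = k_sess
        return True
    def send(self, payload: bytes):
        tag = mac(self.k_sess, b"msg", self.seq.to_bytes(4, "big"), payload)
        self.seq += 1
        return payload, tag

def run_session(relay=lambda payload, tag: (payload, tag)):
    """The browser-side relay is untrusted: it forwards bytes and may alter them."""
    key = bytes(range(32))  # constructed demo key
    card, server = Card(b"card-0001", key), Server({b"card-0001": key})
    ok = server.verify(*card.respond(server.challenge()))
    return ok, ok and card.receive(*relay(*server.send(b"record-42")))
```

Because the MAC is checked on the card and on the server, the browser and terminal in between only carry bytes and cannot alter or replay them undetected.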
