[ale] Smart cards

Michael H. Warfield mhw at WittsEnd.com
Fri Oct 7 09:10:22 EDT 2011


On Thu, 2011-10-06 at 22:45 -0400, Jim Kinney wrote: 
> Take the card home and use to access work data? Are you going to issue
> readers as well? Without a pin or something entered by the user there's no
> stopping a cloned or loaned card.

"cloned card" - Not possible with a crypto card.  By design, you can not
read the private key from the card, even with all the PINS (user,
security officer, or transport/format).  You can only use it with the
crypto engine on the card to "decrypt" or "sign" (which are functionally
the same operation, depending on if the data being processed in is clear
to sign or encrypted to decrypt).  I would also assume (and I think he
even implied) he would use the ones in the USB token format, with the
built-in readers.

"loaned card" with or without pin is not relevant.  Individual doing the
loaning would merely "loan the pin" to the loan recipient.

A stolen or "borrowed" card (without owners permission) would be where
the pin could be an issue.  Pin is strongly recommended.

> On Oct 6, 2011 9:46 PM, "Michael B. Trausch" <mike at trausch.us> wrote:
> > On Thu, Oct 06, 2011 at 06:52:43PM -0400, Michael H. Warfield wrote:
> >> On Thu, 2011-10-06 at 16:11 -0400, Michael Trausch wrote:
> >> > Just to clarify, I am not specifically looking for an OpenPGP
> smartcard...
> >> > anything that'll do for auth is fine.
> >>
> >> Hmmm...
> >>
> >> I haven't quite done what you are looking to do but you might check
> >> into the Aladdin eToken cards / tokens. They have Windows software
> >> which I believe MIGHT do what you want to do but you'd have to buy
> >> that separately. You'll need their pkcs11 driver to make the token
> >> work with NSS, ssh, pgp/gpg, and pam but it can be done. I've used
> >> these with ssh (ssh-agent on Fedora has NSS integration and NSS
> >> handles the pkcs11 side of the house when used with ssh-agent).
> >> I've seen some code which, I think, logs you in when you insert a
> >> smart card and locks your screen when you pull it out but have had
> >> no experience with it. The pam_usb module does something similar
> >> but just uses a plain ole usb memory card on which some sort of key
> >> is simply stored for that.
> >
> > I would like something whre you can essentially lock the system, yes.
> > Well, actually, here is what I would _like_ to do, though I don't
> > seriously know if this would be an attainable setup:
> >
> > * Be able to have my own CA (trusted roots aren't relevant here, I'd
> > be installing the root CA onto the systems I am managing).
> >
> > * Be able to use that CA to initialize a smart card, such that the
> > smart card would be given to a person to use as their identity
> > card for network operations.
> >
> > * Be able to map a smart card's public key to a user, which is of
> > course a prerequisite for everything else. In all probability
> > this can easily be solved by using the CN field to indicate the
> > user's name and domain in email format.
> >
> > * Be able to use the card for networked workstation logins for
> > specially configured computers on the business network.
> >
> > * Be able to use the card to gain access to mountable filesystems in
> > a secure manner for computers e.g., at home or other locations.
> > Of course, when the card is removed the access to the filesystem
> > should be revoked, it should become
> > unmounted/disconnected/whatever.
> >
> > * It should be possible to use that smart card with e.g., Firefox so
> > that that identity card can go home with them, and they can gain
> > access without a username and password to the company site(s).
> >
> > * It should be possible to use that card to sign/encrypt mails
> > "internally" (being a self-signed CA means that it wouldn't
> > [rather, shouldn't] be used on the Internet, but interally the
> > cert can be validated); of course, we're talking about S/MIME
> > here, because that's the only thing that works out of the box for
> > all standard MUAs that I'm aware of (sorry, even though I am using
> > one right now, I don't consider terminal MUA to be standard
> > anymore...)
> >
> > * It should be possible to do this regardless of the operating
> > system on the client system. The card should be usable on
> > Windows, on OS X, and on Linux systems with a minimum of setup.
> >
> > * I don't want to know the private key. I don't want them to know
> > the private key. I want to be able to provision a new card and
> > associate it with their user account with relative ease (and
> > honestly, just signing their key with the CA would be sufficient
> > for that, as long as they correctly format their user at domain.tld
> > when they create the CSR).
> >
> > * Also, I'd like it to be possible to have something better than a 4
> > digit PIN on the stupid thing. I realize that many of the cards
> > out there will burn themselves out (much like a SIM card does)
> > after a certain number of failed attempts, but that doesn't really
> > mean much when people's 4-digit codes tend to be really
> > predictable if you know the person for any length of time. Four
> > digit PIN numbers are evil. EVIL.
> >
> > Am I asking too much, do you think?
> >
> >> All that said... There are 2 types of Aladdin eToken cards.
> >>
> >> There are the 72K (yes, I said "K" - you don't need much space for
> >> keys) Java tokens (smart cards in a USB format). These use their
> >> Java cardlet to actually implement the crypto stuff in Java. They
> >> reserve some of the space for updates to the Java cardlet so you
> >> really only have about 64K available on the card for keys (which can
> >> store a couple dozen private keys - you don't store public keys or
> >> whole certs on them). Those will run you in the $30-$40 range from
> >> CDW (cdw.com). I've got a couple of those and don't really care for
> >> them. People claim the Aladin middleware (which uses a proprietary
> >> protocol to talk to the cardlet) is buggy and klunky.
> >
> > Java. On a card. Sheesh.
> >
> > I must be missing something, though. How can you do authentication if
> > there aren't any certificates involved, unless you are keeping a
> > database with every single public key. I'd like to just sign a
> > certificate and they can present that client certificate (or use it in
> > any other valid way, for that matter).
> >
> >> There are also 32K and 64K CardOS cards which are slightly more
> >> expensive (about $45 each for the 64K units I just bought a month
> >> ago or so). They still require an Aladdin pkcs11 driver but you can
> >> locate that on the net for download. I've used the 32K tokens in
> >> the past with ssh. Just starting to play with my new 64K ones now.
> >> Last ALE meeting on ssh, I had a keyring full of these things. They
> >> can be formatted for use directly with OpenCT but the format is not
> >> compatible with the Aladdin format, which you would need for any
> >> Windows Software. There are guides on the net on setting them up
> >> and getting them working with Linux.
> >
> > So... cross-platform compatibility is a pipe dream? In order to make
> > it possible to use truly smart cards that never leak the private key,
> > I'd have to give 1 user multiple keys so that they could use the right
> > type based on whatever operating system they're using?
> >
> > Perhaps I am seeing why these things aren't ubiquitous....
> >
> >> I've also heard that they CAN BE formatted for OpenPGP but I've
> >> never done it and don't know anyone who has, but you say that's not
> >> important to you.
> >
> > It's not. I use OpenPGP when I think to set it up. I used to sign
> > all my mail... I don't anymore, because nobody cares. I used to
> > encrypt mails that I sent out, but I often got the complaint that it
> > was unreadable because keychains were lost or somesuch. And besides,
> > if I didn't sign it, one really cannot legally prove that I said it,
> > at least with the way things sit at the moment (a federal court, if
> > I'm not mistaken, recently ruled that an IP address alone is not good
> > enough to identify a user on the Internet, and so anything left is
> > circumstantial... well, mostly, but I digress).
> >
> > If someone really wants me to put a fill-fledged digital signature on
> > something, I will. But honestly, the last thing I used my PGP keys
> > for was to sign the last release tarball for AllTray.
> >
> > I would personally like something like a smart card that simply has a
> > built-in reader, so that you can just plug it in. I don't want to see
> > its filesystem, I don't want access to the private key, I want it to
> > expose the same sort of interface that the readers themselves do.
> > Alas, I haven't found any of those yet, either.
> >
> > And I still haven't got a bloody clue on how one would get anywhere
> > close to started with provisioning the damn things.
> >
> > Maybe I'm not smart enough for this one... or maybe I need to invent
> > something that Just Works in a cross-platform manner? Yeah, like I
> > have time for that...
> >
> > --- Mike
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://mail.ale.org/pipermail/ale/attachments/20111007/a54873cc/attachment-0001.bin 


More information about the Ale mailing list