[ale] Smart cards

[Michael B. Trausch]

On Thu, Oct 06, 2011 at 06:52:43PM -0400, Michael H. Warfield wrote:
> On Thu, 2011-10-06 at 16:11 -0400, Michael Trausch wrote: 
> > Just to clarify, I am not specifically looking for an OpenPGP smartcard...
> > anything that'll do for auth is fine.
>
> Hmmm...
>
> I haven't quite done what you are looking to do but you might check
> into the Aladdin eToken cards / tokens.  They have Windows software
> which I believe MIGHT do what you want to do but you'd have to buy
> that separately.  You'll need their pkcs11 driver to make the token
> work with NSS, ssh, pgp/gpg, and pam but it can be done.  I've used
> these with ssh (ssh-agent on Fedora has NSS integration and NSS
> handles the pkcs11 side of the house when used with ssh-agent).
> I've seen some code which, I think, logs you in when you insert a
> smart card and locks your screen when you pull it out but have had
> no experience with it.  The pam_usb module does something similar
> but just uses a plain ole usb memory card on which some sort of key
> is simply stored for that.

I would like something whre you can essentially lock the system, yes.
Well, actually, here is what I would _like_ to do, though I don't
seriously know if this would be an attainable setup:

  * Be able to have my own CA (trusted roots aren't relevant here, I'd
    be installing the root CA onto the systems I am managing).

  * Be able to use that CA to initialize a smart card, such that the
    smart card would be given to a person to use as their identity
    card for network operations.

  * Be able to map a smart card's public key to a user, which is of
    course a prerequisite for everything else.  In all probability
    this can easily be solved by using the CN field to indicate the
    user's name and domain in email format.

  * Be able to use the card for networked workstation logins for
    specially configured computers on the business network.

  * Be able to use the card to gain access to mountable filesystems in
    a secure manner for computers e.g., at home or other locations.
    Of course, when the card is removed the access to the filesystem
    should be revoked, it should become
    unmounted/disconnected/whatever.

  * It should be possible to use that smart card with e.g., Firefox so
    that that identity card can go home with them, and they can gain
    access without a username and password to the company site(s).

  * It should be possible to use that card to sign/encrypt mails
    "internally" (being a self-signed CA means that it wouldn't
    [rather, shouldn't] be used on the Internet, but interally the
    cert can be validated); of course, we're talking about S/MIME
    here, because that's the only thing that works out of the box for
    all standard MUAs that I'm aware of (sorry, even though I am using
    one right now, I don't consider terminal MUA to be standard
    anymore...)

  * It should be possible to do this regardless of the operating
    system on the client system.  The card should be usable on
    Windows, on OS X, and on Linux systems with a minimum of setup.

  * I don't want to know the private key.  I don't want them to know
    the private key.  I want to be able to provision a new card and
    associate it with their user account with relative ease (and
    honestly, just signing their key with the CA would be sufficient
    for that, as long as they correctly format their user at domain.tld
    when they create the CSR).

  * Also, I'd like it to be possible to have something better than a 4
    digit PIN on the stupid thing.  I realize that many of the cards
    out there will burn themselves out (much like a SIM card does)
    after a certain number of failed attempts, but that doesn't really
    mean much when people's 4-digit codes tend to be really
    predictable if you know the person for any length of time.  Four
    digit PIN numbers are evil.  EVIL.

Am I asking too much, do you think?

> All that said...  There are 2 types of Aladdin eToken cards.
>
> There are the 72K (yes, I said "K" - you don't need much space for
> keys) Java tokens (smart cards in a USB format).  These use their
> Java cardlet to actually implement the crypto stuff in Java.  They
> reserve some of the space for updates to the Java cardlet so you
> really only have about 64K available on the card for keys (which can
> store a couple dozen private keys - you don't store public keys or
> whole certs on them).  Those will run you in the $30-$40 range from
> CDW (cdw.com).  I've got a couple of those and don't really care for
> them.  People claim the Aladin middleware (which uses a proprietary
> protocol to talk to the cardlet) is buggy and klunky.

Java.  On a card.  Sheesh.

I must be missing something, though.  How can you do authentication if
there aren't any certificates involved, unless you are keeping a
database with every single public key.  I'd like to just sign a
certificate and they can present that client certificate (or use it in
any other valid way, for that matter).

> There are also 32K and 64K CardOS cards which are slightly more
> expensive (about $45 each for the 64K units I just bought a month
> ago or so).  They still require an Aladdin pkcs11 driver but you can
> locate that on the net for download.  I've used the 32K tokens in
> the past with ssh.  Just starting to play with my new 64K ones now.
> Last ALE meeting on ssh, I had a keyring full of these things.  They
> can be formatted for use directly with OpenCT but the format is not
> compatible with the Aladdin format, which you would need for any
> Windows Software.  There are guides on the net on setting them up
> and getting them working with Linux.

So... cross-platform compatibility is a pipe dream?  In order to make
it possible to use truly smart cards that never leak the private key,
I'd have to give 1 user multiple keys so that they could use the right
type based on whatever operating system they're using?

Perhaps I am seeing why these things aren't ubiquitous....

> I've also heard that they CAN BE formatted for OpenPGP but I've
> never done it and don't know anyone who has, but you say that's not
> important to you.

It's not.  I use OpenPGP when I think to set it up.  I used to sign
all my mail... I don't anymore, because nobody cares.  I used to
encrypt mails that I sent out, but I often got the complaint that it
was unreadable because keychains were lost or somesuch.  And besides,
if I didn't sign it, one really cannot legally prove that I said it,
at least with the way things sit at the moment (a federal court, if
I'm not mistaken, recently ruled that an IP address alone is not good
enough to identify a user on the Internet, and so anything left is
circumstantial... well, mostly, but I digress).

If someone really wants me to put a fill-fledged digital signature on
something, I will.  But honestly, the last thing I used my PGP keys
for was to sign the last release tarball for AllTray.

I would personally like something like a smart card that simply has a
built-in reader, so that you can just plug it in.  I don't want to see
its filesystem, I don't want access to the private key, I want it to
expose the same sort of interface that the readers themselves do.
Alas, I haven't found any of those yet, either.

And I still haven't got a bloody clue on how one would get anywhere
close to started with provisioning the damn things.

Maybe I'm not smart enough for this one... or maybe I need to invent
something that Just Works in a cross-platform manner?  Yeah, like I
have time for that...

      --- Mike