[ale] Smart cards

Jim Kinney jim.kinney at gmail.com
Thu Oct 6 22:45:19 EDT 2011


Take the card home and use it to access work data? Are you going to issue
readers as well? Without a PIN or something entered by the user there's no
stopping a cloned or loaned card.
On Oct 6, 2011 9:46 PM, "Michael B. Trausch" <mike at trausch.us> wrote:
> On Thu, Oct 06, 2011 at 06:52:43PM -0400, Michael H. Warfield wrote:
>> On Thu, 2011-10-06 at 16:11 -0400, Michael Trausch wrote:
>> > Just to clarify, I am not specifically looking for an OpenPGP
>> > smartcard...
>> > anything that'll do for auth is fine.
>>
>> Hmmm...
>>
>> I haven't quite done what you are looking to do but you might check
>> into the Aladdin eToken cards / tokens. They have Windows software
>> which I believe MIGHT do what you want to do but you'd have to buy
>> that separately. You'll need their pkcs11 driver to make the token
>> work with NSS, ssh, pgp/gpg, and pam but it can be done. I've used
>> these with ssh (ssh-agent on Fedora has NSS integration and NSS
>> handles the pkcs11 side of the house when used with ssh-agent).
>> I've seen some code which, I think, logs you in when you insert a
>> smart card and locks your screen when you pull it out but have had
>> no experience with it. The pam_usb module does something similar
>> but just uses a plain ole usb memory card on which some sort of key
>> is simply stored for that.
>
> I would like something where you can essentially lock the system, yes.
> Well, actually, here is what I would _like_ to do, though I don't
> seriously know if this would be an attainable setup:
>
> * Be able to have my own CA (trusted roots aren't relevant here, I'd
> be installing the root CA onto the systems I am managing).
>
> * Be able to use that CA to initialize a smart card, such that the
> smart card would be given to a person to use as their identity
> card for network operations.
>
> * Be able to map a smart card's public key to a user, which is of
> course a prerequisite for everything else. In all probability
> this can easily be solved by using the CN field to indicate the
> user's name and domain in email format.
>
> * Be able to use the card for networked workstation logins for
> specially configured computers on the business network.
>
> * Be able to use the card to gain access to mountable filesystems in
> a secure manner for computers e.g., at home or other locations.
> Of course, when the card is removed the access to the filesystem
> should be revoked, it should become
> unmounted/disconnected/whatever.
>
> * It should be possible to use that smart card with e.g., Firefox so
> that that identity card can go home with them, and they can gain
> access without a username and password to the company site(s).
>
> * It should be possible to use that card to sign/encrypt mails
> "internally" (being a self-signed CA means that it wouldn't
> [rather, shouldn't] be used on the Internet, but internally the
> cert can be validated); of course, we're talking about S/MIME
> here, because that's the only thing that works out of the box for
> all standard MUAs that I'm aware of (sorry, even though I am using
> one right now, I don't consider terminal MUA to be standard
> anymore...)
>
> * It should be possible to do this regardless of the operating
> system on the client system. The card should be usable on
> Windows, on OS X, and on Linux systems with a minimum of setup.
>
> * I don't want to know the private key. I don't want them to know
> the private key. I want to be able to provision a new card and
> associate it with their user account with relative ease (and
> honestly, just signing their key with the CA would be sufficient
> for that, as long as they correctly format their user at domain.tld
> when they create the CSR).
>
> * Also, I'd like it to be possible to have something better than a 4
> digit PIN on the stupid thing. I realize that many of the cards
> out there will burn themselves out (much like a SIM card does)
> after a certain number of failed attempts, but that doesn't really
> mean much when people's 4-digit codes tend to be really
> predictable if you know the person for any length of time. Four
> digit PIN numbers are evil. EVIL.
>
> Am I asking too much, do you think?
>
>> All that said... There are 2 types of Aladdin eToken cards.
>>
>> There are the 72K (yes, I said "K" - you don't need much space for
>> keys) Java tokens (smart cards in a USB format). These use their
>> Java cardlet to actually implement the crypto stuff in Java. They
>> reserve some of the space for updates to the Java cardlet so you
>> really only have about 64K available on the card for keys (which can
>> store a couple dozen private keys - you don't store public keys or
>> whole certs on them). Those will run you in the $30-$40 range from
>> CDW (cdw.com). I've got a couple of those and don't really care for
>> them. People claim the Aladdin middleware (which uses a proprietary
>> protocol to talk to the cardlet) is buggy and klunky.
>
> Java. On a card. Sheesh.
>
> I must be missing something, though. How can you do authentication if
> there aren't any certificates involved, unless you are keeping a
> database with every single public key. I'd like to just sign a
> certificate and they can present that client certificate (or use it in
> any other valid way, for that matter).
>
>> There are also 32K and 64K CardOS cards which are slightly more
>> expensive (about $45 each for the 64K units I just bought a month
>> ago or so). They still require an Aladdin pkcs11 driver but you can
>> locate that on the net for download. I've used the 32K tokens in
>> the past with ssh. Just starting to play with my new 64K ones now.
>> Last ALE meeting on ssh, I had a keyring full of these things. They
>> can be formatted for use directly with OpenCT but the format is not
>> compatible with the Aladdin format, which you would need for any
>> Windows Software. There are guides on the net on setting them up
>> and getting them working with Linux.
>
> So... cross-platform compatibility is a pipe dream? In order to make
> it possible to use truly smart cards that never leak the private key,
> I'd have to give 1 user multiple keys so that they could use the right
> type based on whatever operating system they're using?
>
> Perhaps I am seeing why these things aren't ubiquitous....
>
>> I've also heard that they CAN BE formatted for OpenPGP but I've
>> never done it and don't know anyone who has, but you say that's not
>> important to you.
>
> It's not. I use OpenPGP when I think to set it up. I used to sign
> all my mail... I don't anymore, because nobody cares. I used to
> encrypt mails that I sent out, but I often got the complaint that it
> was unreadable because keychains were lost or somesuch. And besides,
> if I didn't sign it, one really cannot legally prove that I said it,
> at least with the way things sit at the moment (a federal court, if
> I'm not mistaken, recently ruled that an IP address alone is not good
> enough to identify a user on the Internet, and so anything left is
> circumstantial... well, mostly, but I digress).
>
> If someone really wants me to put a full-fledged digital signature on
> something, I will. But honestly, the last thing I used my PGP keys
> for was to sign the last release tarball for AllTray.
>
> I would personally like something like a smart card that simply has a
> built-in reader, so that you can just plug it in. I don't want to see
> its filesystem, I don't want access to the private key, I want it to
> expose the same sort of interface that the readers themselves do.
> Alas, I haven't found any of those yet, either.
>
> And I still haven't got a bloody clue on how one would get anywhere
> close to started with provisioning the damn things.
>
> Maybe I'm not smart enough for this one... or maybe I need to invent
> something that Just Works in a cross-platform manner? Yeah, like I
> have time for that...
>
> --- Mike
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
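The provisioning steps the thread asks about (a private CA, one client certificate per user with user@domain in the subject, and mapping a presented certificate back to an account only after it has been validated against that CA), as an added example with the openssl CLI. This is not from the thread and not from any of the products mentioned in it; the example.internal domain, the user names and the file layout under $WORK are assumptions. The user key is generated into a file so the script runs anywhere, whereas with a real card the key pair is generated on the card and only the CSR is exported; the CA side is the same either way. The "impostor" certificate is constructed here to show why the chain check has to come before the e-mail lookup.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal private CA that provisions
# per-user client certs and maps a presented cert back to a user by e-mail.
# Assumptions: example.internal domain, names, $WORK layout; needs openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Private root CA. Its key would normally live offline or on its own token;
#    ca.crt is what gets installed as a trusted root on the managed systems.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -sha256 -days 3650 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Per-user request config: the DN carries user@domain in emailAddress; the
# [usr] extensions make the cert usable for TLS client auth and S/MIME.
write_user_cnf() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $2
emailAddress = $1
[usr]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
subjectAltName = email:$1
EOF
}

# 2. Provision a user: key + CSR, then sign the CSR with the CA. On a card the
#    key is generated on-card and only the CSR leaves it; here it is a file.
provision_user() {
    email="$1"; name="$2"
    write_user_cnf "$email" "$name"
    openssl req -new -config "$WORK/$email.cnf" -newkey rsa:2048 -nodes \
        -sha256 -keyout "$WORK/$email.key" -out "$WORK/$email.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$email.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$WORK/$email.cnf" -extensions usr \
        -out "$WORK/$email.crt" 2>/dev/null
}

# Constructed impostor: a self-signed cert with the same CN and e-mail. The
# subject looks right, so only chain validation can tell it apart.
make_impostor() {
    write_user_cnf "$1" "$2"
    openssl req -x509 -config "$WORK/$1.cnf" -newkey rsa:2048 -nodes \
        -sha256 -days 365 -keyout "$WORK/impostor.key" \
        -out "$WORK/impostor.crt" 2>/dev/null
}

# 3. Validation: does the cert chain to our CA and may it act as a TLS client?
verify_cert() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$1" >/dev/null 2>&1
}

# 4. Mapping: only after validation, take the e-mail address out of the cert
#    and use it as the account key. Prints the address; fails on a bad cert.
cert_to_user() {
    verify_cert "$1" || return 1
    openssl x509 -in "$1" -noout -email 2>/dev/null | head -n 1
}

# Stand-alone demonstration: sh provision.sh demo
if [ "${1:-}" = "demo" ]; then
    make_ca
    provision_user alice@example.internal "Alice Example"
    make_impostor alice@example.internal "Alice Example"
    echo "alice cert maps to: $(cert_to_user "$WORK/alice@example.internal.crt")"
    cert_to_user "$WORK/impostor.crt" || echo "impostor rejected"
fi
```

The order in cert_to_user is the whole point: if the login code read the e-mail address first and looked the account up before running openssl verify, anyone able to mint a self-signed certificate with the right emailAddress would map to that account. Revocation (CRL or OCSP) would be added to the verify step when a card is lost; the signed user certificate is what gets written back to the card through its middleware, which is the part that differs per token vendor.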

