Status crypto cards HOWTO: problems with the card reader (support could be better)

After hours (spread over weeks) I come to the conclusion that there is a lot of potential to improve the documentation of card readers (but I doubt the card reader vendors will do it) and the pcsc documentation. It is not easy to arrive at a point where you understand everything. The compatibility list does not help much, as the card readers are partly past their end of life and the models which replace them are not listed. Also, the one I bought does not support all the features I need. I even ported the driver to FreeBSD (not committed, I wanted to test everything first) and a lot of stuff works, but one critical part is that I cannot store a certificate on the crypto card, as the card reader or the driver does not support extended APDUs (needed to transfer more than 255 bytes to the card reader).
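The 255-byte limit mentioned above comes from how ISO/IEC 7816-4 encodes the length fields of a command APDU. The following is an added example, not code from the original post or from any of the tools it mentions: it builds command APDUs in the short and the extended form, refuses the extended form when the reader path is flagged as short-only, and shows ISO 7816-4 command chaining as the alternative transport. The CLA/INS/P1/P2 values, the 1000-byte stand-in for a certificate, the `extended_ok` flag and the function names are all constructed for illustration; whether the card or driver discussed in the post supports chaining is not stated in the post.

```python
# Added example (not from the original post): short vs extended command APDUs
# per ISO/IEC 7816-4, and why a reader/driver without extended-APDU support
# cannot carry more than 255 data bytes in a single command. CLA/INS/P1/P2
# values, the fake certificate and the capability flag are constructed here.


def encode_apdu(cla, ins, p1, p2, data=b"", le=None, extended_ok=False):
    """Return the wire bytes of a command APDU.

    Short form:    Lc = 1 byte (1..255),   Le = 1 byte (0x00 means 256).
    Extended form: Lc = 0x00 + 2 bytes,    Le = 2 bytes (0x0000 means 65536);
                   with no data field, Le is 0x00 + 2 bytes.
    Raises ValueError if the extended form is required but the reader path
    (extended_ok=False) only handles short APDUs.
    """
    if len(data) > 65535:
        raise ValueError("data field too long for any APDU form")
    if le is not None and not 1 <= le <= 65536:
        raise ValueError("Le must be in 1..65536")
    header = bytes([cla, ins, p1, p2])
    nc = len(data)
    extended = nc > 255 or (le is not None and le > 256)
    if extended and not extended_ok:
        raise ValueError(
            f"need extended APDU (Lc={nc}, Le={le}) but the reader/driver "
            "only supports short APDUs (max 255 data bytes per command)")
    body = b""
    if not extended:
        if nc:
            body += bytes([nc]) + data
        if le is not None:
            body += bytes([le % 256])                  # 256 -> 0x00
        return header + body
    if nc:
        body += b"\x00" + nc.to_bytes(2, "big") + data
    if le is not None:
        le_bytes = (le % 65536).to_bytes(2, "big")    # 65536 -> 0x0000
        body += le_bytes if nc else b"\x00" + le_bytes
    return header + body


def chain_short_apdus(cla, ins, p1, p2, data, chunk=255):
    """Split one logical command into ISO 7816-4 command chaining.

    Every chunk except the last is sent with the chaining bit (CLA 0x10)
    set; each chunk is an ordinary short APDU, so a short-only reader path
    can transport it. The card must support chaining for that command.
    """
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    out = []
    for i, part in enumerate(chunks):
        more = i < len(chunks) - 1
        out.append(encode_apdu(cla | (0x10 if more else 0x00), ins, p1, p2, part))
    return out


# Constructed stand-in for a DER certificate that does not fit a short APDU.
FAKE_CERT = bytes(range(256)) * 3 + b"\x00" * 232      # 1000 bytes
PUT_DATA = (0x00, 0xDA, 0x7F, 0x21)   # PUT DATA with an illustrative DO tag


def store_certificate(blob, extended_ok):
    """Try to send the blob in one PUT DATA; None if the reader path cannot."""
    try:
        return encode_apdu(*PUT_DATA, data=blob, extended_ok=extended_ok)
    except ValueError:
        return None


if __name__ == "__main__":
    one_shot = store_certificate(FAKE_CERT, extended_ok=True)
    print("extended APDU:", len(one_shot), "bytes, Lc field:", one_shot[4:7].hex())
    print("short-only reader path:", store_certificate(FAKE_CERT, extended_ok=False))
    chained = chain_short_apdus(*PUT_DATA, FAKE_CERT)
    print("chained into", len(chained), "short APDUs, first CLA:", hex(chained[0][0]))
```

Running it shows the 1000-byte blob needs a 3-byte Lc (`0003e8`) in a single command, is rejected outright for a short-only reader path, and would otherwise have to go as four chained short APDUs, which only helps if the card accepts chaining for that command.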

Well, the status so far:

  • I have a HOWTO on what to install to use crypto cards in FreeBSD
  • I have a HOWTO on what to install / configure in Windows
  • I have a HOWTO regarding creating keys on an OpenPGP v2 card and how to use this key with ssh on FreeBSD (or any other unix-like OS which can run pcsc)
  • I have a card reader which does not support extended APDUs
  • I want to make sure what I write in the HOWTOs is also suitable for use with Windows / PuTTY
  • it seems Windows needs a certificate and not only a key when using the Windows CAPI (using the vendor-supplied card reader driver) in PuTTY-CSC (works at work with a USB token)
  • the pcsc pkcs11 Windows DLL is not suitable yet for use on Windows 8 64bit
  • I contacted the card reader vendor to ask whether the card reader or the driver is the problem regarding the extended APDUs
  • I found problems in gpg4win / pcsc on Windows 8
  • I have sent some money to the developers of gpg4win to support their work (if you use GnuPG on Windows, try to send a few units of money to them; the work stagnated as they need to spend their time on paid work)

So either I need a new card reader, or I have to wait for an update of the vendor's Linux driver… which probably means it may be a lot faster to buy a new card reader. When looking for one with at least a PIN pad, I either do not find anything which is listed as supported by pcsc on the vendor pages (it is incredible how hard it is to navigate the websites of some companies… a lot of buzzwords but no way to get to the real products), or they only list updated models where I do not know if they will work.

When I have something which works with FreeBSD and Windows, I will publish all the HOWTOs here at once.

OpenPGP crypto cards ordered

I wrote in a previous blog post that I want to switch to crypto cards for use with ssh and GnuPG. After some research I settled on the OpenPGP crypto cards. I ordered them from kernelconcepts. As soon as they arrive (and I have some free time), I will start to use them and write down how to work with them on FreeBSD.

Which crypto card to use with FreeBSD (ssh/gpg)

The recent security incident triggered a discussion about how to secure ssh/gpg keys.

One way I want to focus on here (because it is the way I want to use at home) is to store the keys on a crypto card. I did some research for suitable crypto cards and found one which is called Feitian PKI Smartcard, and one which is called OpenPGP card. The OpenPGP card also exists in a USB version (basically a small version of the card is already integrated into a small USB card reader).

The Feitian card is reported to be able to handle RSA keys up to 2048 bits. They do not seem to handle DSA (or ECDSA) keys. The smartcard quick starter guide they have (the "Tuning smartcard file system" part) tells how to change the parameters of the card to store up to 9 keys on it.

The spec of the OpenPGP card tells that it supports RSA keys up to 3072 bits, but there are reports that it is able to handle RSA keys up to 4096 bits (you need at least GPG 2.0.18 to handle such big keys on the crypto card). It looks to me like the card does not handle DSA (or ECDSA) keys. There are only slots for up to 3 keys on it.

If I go this way, I would also need a card reader. It seems a class 3 one (hardware PIN pad and display) would be the most "future-proof" way to go ahead. I found a Reiner SCT cyberJack secoder card reader, which is believed to be supported by OpenSC and seems to be a good balance between cost and features of the Reiner SCT card readers.

If anyone reading this can suggest a better crypto card (keys up to 4096 bits, more than 3 slots, and/or DSA/ECDSA support), or a better card reader, or has any practical experience with any of those components on FreeBSD, please add a comment.

Good Enermax support in Germany

The power supply of my server at home failed at the end of last month. As I was busy with renovation at home, it took me a while to check if it was really the PSU or something else. When I was sure about the failed piece, I sent the PSU to the RMA address the Enermax support gave me (the PSU has a 5 year warranty, and I have had it for one year). Due to holidays it took a while to get the repaired unit back, but I want to say thank you to the Enermax support:

  • Thank you for hand written responses, I did not get obvious automatic responses or canned responses (well, maybe they did some copy&paste for the RMA address and such, but each mail had at least a part which was not coming from copy&paste).
  • Thank you for getting back to me within a reasonable time.
  • Thank you for politely answering all my support requests.
  • Thank you for being honest in your communication (slow handling of the repair due to people being on holiday, not because of missing pieces from suppliers or other excuses outside Enermax).

This is how support shall be. Unfortunately this is not always the case, but at least here it was. Thank you!

A smartwatch I would buy

After reading an article about smart watches, I tried to come up with a spec of a smart watch I would buy:

  • It needs to look like a normal watch (I wear a stainless steel analog one, about two thumbs wide with the strap being one thumb wide) and needs to be thin (or at least give the impression it is thin, even if it is not).
  • It needs to be an extension to my smartphone, but be able to display date and time without it.
  • It needs to have an open protocol, so that people can write smartphone apps which are able to display anything they want.
  • It would be nice if the vendor-supplied app would display incoming calls/SMS and at least calendar notifications (additional notifications should be configurable, I do not want to see "you are roaming now" messages, but email messages could be nice when you are waiting for an important one) from the smartphone. I am not sure how many columns/rows for characters there need to be or if it shall be a pixel display with a specific minimum amount of DPI.
  • There needs to be at least one button which is easy to use by intent but hard to use by mistake and which switches back to the date/time display (and/or switches between several default displays like weather, date/time, agenda… when connected to the smartphone – again, ideally this is configurable in the app). Bonus points for an additional context sensitive button (e.g. "snooze 5 minutes" or "dismiss" for calendar notifications, ideally this can be configured in the app).
  • The battery needs to last long and be easy to replace (like with my current watch, so it needs to last years). While I would prefer a rechargeable way of handling this, the current technology is clumsy (standardized connectors like micro-USB to charge are too big… non-standard connectors are not an option) and does not last long enough (I would be OK if one charge would last nearly a year).
  • I do not need colors, but a good contrast even in full sunlight is mandatory.
  • Medical or life-style sensors (compass, gyroscope, blood pressure, accelerometers, radiation, air quality, …) are not necessary, but as long as they come for free (read: do not make the watch much thicker), I would not mind.