After hours (spread over weeks) I come to the conclusion that there is a lot of potential to improve the documentation of card readers (but I doubt the card reader vendors will do it) and of the pcsc documentation. It is not easy to arrive at a point where you understand everything. The compatibility list does not help much, as the card readers are partly past their end of life and the models which replace them are not listed. Respectively the one I bought does not support all the features I need. I even ported the driver to FreeBSD (not committed, I wanted to test everything first) and a lot of stuff works, but one critical part is that I can not store a certificate on the crypto card as the card reader or the driver does not support extended APDUs (needed to transfer more than 255 bytes to the card reader).
Well, the status so far:
- I have a HOWTO what to install to use crypto cards in FreeBSD
- I have a HOWOT what to install / configure in Windows
- I have a HOWTO regarding creating keys on a openpgp v2 card and how to use this key with ssh on FreeBSD (or any other unix-like OS which can run pcsc)
- I have a card reader which does not support extended APDUs
- I want to make sure what I write in the HOWTOs is also suitable for the use with Windows / PuTTY
- it seems Windows needs a certificate and not only a key when using the Windows CAPI (using the vendor supplied card reader driver) in PuTTY-CSC (works at work with a USB token)
- the pcsc pkcs11 Windows DLL is not suitable yet for use on Windows 8 64bit
- I contacted the card reader vendor if the card reader or the driver is the problem regarding the extended APDUs
- I found problems in gpg4win / pcsc on Windows 8
- I have send some money to the developers of gpg4win to support their work (if you use gnupg on Windows, try to send a few units of money to them, the work stagnated as they need to spend their time for paid work)
So either I need a new card reader, or have to wait for an update of the linux driver of the vendor… which probably means it may be a lot faster to buy a new card reader. When looking for one with at least a PIN pad, I either do not find anything which is listed as supported by pcsc on the vendor pages (it is incredible how hard it is to navigate the websites of some companies… a lot of buzzwords but no way to get to the real products), or they only list updated models where I do not know if they will work.
When I have something which works with FreeBSD and Windows, I will publish all the HOWTOs here at once.
I wrote in a previous blog post that I want to switch to crypto cards for use with ssh and GnuPG. After some research I settled on the OpenPGP cryto cards. I ordered them from kernelconcepts. As soon as they arrive (and I have some free time), I will start to use them and write down how to work with them with FreeBSD.
The recent security incident triggered a discussion how to secure ssh/gpg keys.
One way I want to focus on here (because it is the way I want to use at home), is to store the keys on a crypto card. I did some research for suitable crypto cards and found one which is called Feitian PKI Smartcard, and one which is called OpenPGP card. The OpenPGP card also exists in a USB version (basically a small version of the card is already integrated into a small USB card reader).
The Feitian card is reported to be able to handle RSA keys upto 2048 bits. They do not seem to handle DSA (or ECDSA) keys. The smartcard quick starter guide they have (the Tuning smartcard file system part) tells how to change the parameters of the card to store upto 9 keys on it.
The spec of the OpenPGP card tells that it supports RSA keys upto 3072 bits, but there are reports that it is able to handle RSA keys upto 4096 bits (you need to have at least GPG 2.0.18 to handle that big keys on the crypto card). It looks to me like the card is not handle DSA (or ECDSA) cards. There are only slots for upto 3 keys on it.
If I go this way, I would also need a card reader. It seems a class 3 one (hardware PIN pad and display) would be the most “future-proof” way to go ahead. I found a Reiner SCT cyberJack secoder card reader, which is believed to be supported by OpenSC and seems to be a good balance between cost and features of the Reiner SCT card readers.
If anyone reading this can suggest a better crypto card (keys upto 4096 bits, more than 3 slots, and/or DSA/ECDSA support), or a better card reader, or has any practical experience with any of those components on FreeBSD, please add a comment.
The power supply of my server at home failed at the end of last month. As I was busy with renovation at home, it took me a while to check if it is really the PSU or something else. When I was sure about the failed piece, I have sent the PSU to the RMA address the Enermax support gave me (the PSU has a 5 year warranty, and I have it since one year). Due to holidays it took a while to get the repaired unit back, but I want to say thank you to the Enermax support:
- Thank you for hand written responses, I did not get obvious automatic responses or canned responses (well, maybe they did some copy&paste for the RMA address and such, but each mail had at least a part which was not coming from copy&paste).
- Thank you for getting back to me within a reasonable time.
- Thank you for politely answering all my support requests.
- Thank you for being honest in your communication (slow handling of the repair due to people being in holiday, not because of missing pieces from suppliers or other excuses outside Enermax).
This is how the support shall be, unfortunately this is not always the case, but at least here it was. Thank you!