Alexander Leidinger

Just another weblog

Mar 16

Status crypto cards HOWTO: problems with the card reader (support could be better)

After hours (spread over weeks) I came to the conclusion that there is a lot of potential to improve the documentation of card readers (but I doubt the card reader vendors will do it) and of the pcsc documentation. It is not easy to arrive at a point where you understand everything. The compatibility list does not help much, as the card readers are partly past their end of life and the models which replace them are not listed. Also, the one I bought does not support all the features I need. I even ported the driver to FreeBSD (not committed, I wanted to test everything first) and a lot of stuff works, but one critical part is that I cannot store a certificate on the crypto card as the card reader or the driver does not support extended APDUs (needed to transfer more than 255 bytes to the card reader).
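As an added illustration (not code from the original post) of the 255-byte limit mentioned above: a short ISO 7816-4 command APDU carries its data length in a single Lc byte, so anything longer (such as a certificate) needs either the extended-length encoding or ISO 7816-4 command chaining, which splits the payload into pieces of at most 255 bytes with CLA bit 0x10 set on all but the last. The CLA/INS/P1/P2 values used when calling these helpers are placeholders, not the OpenPGP card's real command set.

```python
"""ISO 7816-4 command APDU encoding: short vs. extended length, plus command
chaining as the fallback when the reader/driver only passes short APDUs.
Added illustration, not code from the original post."""

SHORT_MAX = 255  # largest Lc that fits the one-byte length field of a short APDU


def build_apdu(cla, ins, p1, p2, data=b"", le=None, extended=False):
    """Encode a case-1..4 command APDU.  In short form the data must fit one
    Lc byte; we raise instead of silently truncating the payload."""
    for v in (cla, ins, p1, p2):
        if not 0 <= v <= 0xFF:
            raise ValueError("header bytes must be 0..255")
    hdr = bytes([cla, ins, p1, p2])
    if not extended:
        if len(data) > SHORT_MAX:
            raise ValueError(f"{len(data)} bytes need an extended APDU (Lc > {SHORT_MAX})")
        if le is not None and not 0 <= le <= 256:
            raise ValueError("short Le is 0..256")
        body = bytes([len(data)]) + data if data else b""
        if le is not None:
            body += bytes([le % 256])  # Le = 256 is encoded as 0x00
        return hdr + body
    # Extended form: a 0x00 marker byte, then two-byte Lc / Le fields.
    if len(data) > 65535:
        raise ValueError("data too long even for an extended APDU")
    if le is not None and not 0 <= le <= 65536:
        raise ValueError("extended Le is 0..65536")
    body = b"\x00"
    if data:
        body += len(data).to_bytes(2, "big") + data
    if le is not None:
        body += (le % 65536).to_bytes(2, "big")  # Le = 65536 is encoded as 0x0000
    return hdr + body


def chain_apdus(cla, ins, p1, p2, data, chunk=SHORT_MAX):
    """Split a long payload into short APDUs with ISO 7816-4 command chaining:
    CLA bit 0x10 marks every chunk except the last one."""
    if not 1 <= chunk <= SHORT_MAX:
        raise ValueError("chunk must be 1..255")
    pieces = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    apdus = []
    for n, piece in enumerate(pieces):
        more = n < len(pieces) - 1
        apdus.append(build_apdu(cla | (0x10 if more else 0), ins, p1, p2, piece))
    return apdus
```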

Well, the status so far:

  • I have a HOWTO what to install to use crypto cards in FreeBSD
  • I have a HOWTO what to install / configure in Windows
  • I have a HOWTO regarding creating keys on an OpenPGP v2 card and how to use this key with ssh on FreeBSD (or any other unix-like OS which can run pcsc)
  • I have a card reader which does not support extended APDUs
  • I want to make sure what I write in the HOWTOs is also suitable for use with Windows / PuTTY
  • it seems Windows needs a certificate and not only a key when using the Windows CAPI (using the vendor supplied card reader driver) in PuTTY-CSC (works at work with a USB token)
  • the pcsc pkcs11 Windows DLL is not suitable yet for use on Windows 8 64-bit
  • I contacted the card reader vendor to ask if the card reader or the driver is the problem regarding the extended APDUs
  • I found problems in gpg4win / pcsc on Windows 8
  • I have sent some money to the developers of gpg4win to support their work (if you use gnupg on Windows, try to send a few units of money to them; the work stagnated as they need to spend their time on paid work)

So either I need a new card reader, or I have to wait for an update of the vendor's Linux driver… which probably means it may be a lot faster to buy a new card reader. When looking for one with at least a PIN pad, I either do not find anything which is listed as supported by pcsc on the vendor pages (it is incredible how hard it is to navigate the websites of some companies… a lot of buzzwords but no way to get to the real products), or they only list updated models where I do not know if they will work.

When I have something which works with FreeBSD and Windows, I will publish all the HOWTOs here at once.


Jan 15

OpenPGP crypto cards ordered

I wrote in a previous blog post that I want to switch to crypto cards for use with ssh and GnuPG. After some research I settled on the OpenPGP crypto cards. I ordered them from kernelconcepts. As soon as they arrive (and I have some free time), I will start to use them and write down how to work with them on FreeBSD.


Nov 25

Which crypto card to use with FreeBSD (ssh/gpg)

The recent security incident triggered a discussion about how to secure ssh/gpg keys.

One way I want to focus on here (because it is the way I want to use at home) is to store the keys on a crypto card. I did some research for suitable crypto cards and found one which is called Feitian PKI Smartcard, and one which is called OpenPGP card. The OpenPGP card also exists in a USB version (basically a small version of the card is already integrated into a small USB card reader).

The Feitian card is reported to be able to handle RSA keys up to 2048 bits. They do not seem to handle DSA (or ECDSA) keys. The smartcard quick starter guide they have (the Tuning smartcard file system part) tells how to change the parameters of the card to store up to 9 keys on it.

The spec of the OpenPGP card tells that it supports RSA keys up to 3072 bits, but there are reports that it is able to handle RSA keys up to 4096 bits (you need to have at least GPG 2.0.18 to handle such big keys on the crypto card). It looks to me like the card does not handle DSA (or ECDSA) keys. There are only slots for up to 3 keys on it.

If I go this way, I would also need a card reader. It seems a class 3 one (hardware PIN pad and display) would be the most “future-proof” way to go ahead. I found a Reiner SCT cyberJack secoder card reader, which is believed to be supported by OpenSC and seems to be a good balance between cost and features of the Reiner SCT card readers.

If anyone reading this can suggest a better crypto card (keys up to 4096 bits, more than 3 slots, and/or DSA/ECDSA support), or a better card reader, or has any practical experience with any of those components on FreeBSD, please add a comment.


Aug 24

Good Enermax support in Germany

The power supply of my server at home failed at the end of last month. As I was busy with renovation at home, it took me a while to check if it is really the PSU or something else. When I was sure about the failed piece, I sent the PSU to the RMA address the Enermax support gave me (the PSU has a 5 year warranty, and I have had it for one year). Due to holidays it took a while to get the repaired unit back, but I want to say thank you to the Enermax support:

  • Thank you for hand written responses; I did not get obvious automatic responses or canned responses (well, maybe they did some copy&paste for the RMA address and such, but each mail had at least a part which was not coming from copy&paste).
  • Thank you for getting back to me within a reasonable time.
  • Thank you for politely answering all my support requests.
  • Thank you for being honest in your communication (slow handling of the repair due to people being on holiday, not because of missing pieces from suppliers or other excuses outside Enermax).

This is how support should be; unfortunately this is not always the case, but at least here it was. Thank you!


Aug 22

A smartwatch I would buy

After reading an article about smart watches, I tried to come up with a spec of a smart watch I would buy:

  • It needs to look like a normal watch (I wear a stainless steel analog one, about two thumbs wide with the strap being one thumb wide) and needs to be thin (or at least give the impression it is thin, even if it is not).
  • It needs to be an extension to my smartphone, but be able to display date and time without it.
  • It needs to have an open protocol, so that people can write smartphone apps which are able to display anything they want.
  • It would be nice if the vendor-supplied app would display incoming calls/SMS and at least calendar notifications (additional notifications should be configurable, I do not want to see “you are roaming now” messages, but email messages could be nice when you are waiting for an important one) from the smartphone. I am not sure how many columns/rows for characters there need to be or if it shall be a pixel-display with a specific minimum amount of DPI.
  • There needs to be at least one button, easy to use on purpose but hard to press by mistake, which switches back to the date/time display (and/or switches between several default displays like weather, date/time, agenda… when connected to the smartphone; again, ideally this is configurable in the app). Bonus points for an additional context sensitive button (e.g. “snooze 5 minutes” or “dismiss” for calendar notifications, ideally this can be configured in the app).
  • The battery needs to last long and be easy to replace (like with my current watch, so it needs to last years). While I would prefer a rechargeable way of handling this, the current technology is clumsy (standardized connectors like micro-USB to charge are too big… non-standard connectors are not an option) and does not last long enough (I would be OK if one charge would last nearly a year).
  • I do not need colors, but a good contrast even in full sunlight is mandatory.
  • Medical or life-style sensors (compass, gyroscope, blood pressure, accelerometers, radiation, air quality, …) are not necessary, but as long as they come for free (read: do not make the watch much thicker), I would not mind.
