Status crypto cards HOWTO: problems with the card reader (support could be better)

After hours (spread over weeks) I come to the conclusion that there is a lot of potential to improve the documentation of card readers (but I doubt the card reader vendors will do it) and the pcsc documentation. It is not easy to arrive at a point where you understand everything. The compatibility list does not help much, as the card readers are partly past their end of life and the models which replace them are not listed. As a result, the one I bought does not support all the features I need. I even ported the driver to FreeBSD (not committed, I wanted to test everything first) and a lot of stuff works, but one critical part is that I can not store a certificate on the crypto card, as the card reader or the driver does not support extended APDUs (needed to transfer more than 255 bytes to the card reader).
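To make the 255-byte limit concrete, here is an added example (not code from this post, from pcsc, or from the reader vendor's driver): a small Python encoder for ISO 7816-4 command APDUs in their short and extended forms. A short APDU carries its data length (Lc) in one byte, so 255 bytes is a hard ceiling; an extended APDU uses a 0x00 marker byte plus a 16-bit length, which is exactly what a reader or driver must understand before a certificate larger than 255 bytes can be written in one command. The instruction codes used in the usage call, 0xDA (PUT DATA) and 0xCA (GET DATA), are the ISO 7816-4 codes; the class byte and parameters are illustrative only.

```python
# Added example, not code from the blog post, pcsc, or a vendor driver:
# encoding ISO 7816-4 command APDUs in short and extended form, to show why a
# reader or driver limited to short APDUs cannot carry more than 255 bytes of
# command data in a single APDU.
from typing import Optional

SHORT_MAX_LC = 255       # Lc is a single byte in a short APDU
EXTENDED_MAX_LC = 65535  # Lc is 0x00 followed by two bytes in an extended APDU


def encode_apdu(cla: int, ins: int, p1: int, p2: int, data: bytes = b"",
                le: Optional[int] = None, extended: bool = False) -> bytes:
    """Build a command APDU: CLA INS P1 P2 [Lc data] [Le]."""
    header = bytes([cla, ins, p1, p2])
    lc = len(data)
    if not extended:
        if lc > SHORT_MAX_LC:
            raise ValueError(
                f"{lc} bytes of command data do not fit a short APDU "
                f"(max {SHORT_MAX_LC}); an extended APDU is required")
        body = bytes([lc]) + data if lc else b""
        if le is not None:
            if not 1 <= le <= 256:
                raise ValueError("short Le must be in 1..256")
            body += bytes([le & 0xFF])  # 0x00 encodes Le = 256
        return header + body
    if lc > EXTENDED_MAX_LC:
        raise ValueError(f"{lc} bytes exceed even the extended APDU limit")
    body = b""
    if lc:
        # extended Lc: a 0x00 marker byte followed by the 16-bit length
        body += b"\x00" + lc.to_bytes(2, "big") + data
    if le is not None:
        if not 1 <= le <= 65536:
            raise ValueError("extended Le must be in 1..65536")
        le_bytes = (le & 0xFFFF).to_bytes(2, "big")  # 0x0000 encodes Le = 65536
        # without an Lc field, Le also carries the 0x00 marker byte
        body += le_bytes if lc else b"\x00" + le_bytes
    return header + body


def apdu_form(apdu: bytes) -> str:
    """Classify a command APDU as 'case1', 'short' or 'extended' by its length fields."""
    if len(apdu) == 4:
        return "case1"          # header only, no data and no Le
    if len(apdu) >= 7 and apdu[4] == 0x00:
        return "extended"       # 0x00 marker byte right after the header
    return "short"


def main() -> None:
    # Illustrative PUT DATA (INS 0xDA) command with 255 bytes: fits a short APDU.
    payload = bytes(range(255))
    print(apdu_form(encode_apdu(0x00, 0xDA, 0x00, 0x00, payload)))
    # One more byte and a short APDU cannot express the length at all.
    try:
        encode_apdu(0x00, 0xDA, 0x00, 0x00, payload + b"\xff")
    except ValueError as exc:
        print("short:", exc)
    ext = encode_apdu(0x00, 0xDA, 0x00, 0x00, payload + b"\xff", extended=True)
    print(apdu_form(ext), ext[:7].hex())  # extended 00da0000000100


if __name__ == "__main__":
    main()
```

Note that the extended form is not merely "a longer short APDU": the marker byte changes how Lc and Le are parsed, so a reader firmware or driver that does not know the extended encoding will either reject the command or mis-read the length field. This is why support has to exist on both the card and the reader/driver side, which matches the problem described above.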

Well, the status so far:

  • I have a HOWTO on what to install to use crypto cards in FreeBSD
  • I have a HOWTO on what to install / configure in Windows
  • I have a HOWTO regarding creating keys on an OpenPGP v2 card and how to use this key with ssh on FreeBSD (or any other unix-like OS which can run pcsc)
  • I have a card reader which does not support extended APDUs
  • I want to make sure what I write in the HOWTOs is also suitable for use with Windows / PuTTY
  • it seems Windows needs a certificate and not only a key when using the Windows CAPI (using the vendor supplied card reader driver) in PuTTY-CSC (works at work with a USB token)
  • the pcsc pkcs11 Windows DLL is not suitable yet for use on Windows 8 64bit
  • I contacted the card reader vendor to find out whether the card reader or the driver is the problem regarding the extended APDUs
  • I found problems in gpg4win / pcsc on Windows 8
  • I have sent some money to the developers of gpg4win to support their work (if you use gnupg on Windows, try to send a few units of money to them; the work stagnated as they need to spend their time on paid work)

So either I need a new card reader, or I have to wait for an update of the vendor's Linux driver… which probably means it may be a lot faster to buy a new card reader. When looking for one with at least a PIN pad, I either do not find anything which is listed as supported by pcsc on the vendor pages (it is incredible how hard it is to navigate the websites of some companies… a lot of buzzwords but no way to get to the real products), or they only list updated models where I do not know if they will work.

When I have something which works with FreeBSD and Windows, I will publish all the HOWTOs here at once.

OpenPGP crypto cards ordered

I wrote in a previous blog post that I want to switch to crypto cards for use with ssh and GnuPG. After some research I settled on the OpenPGP crypto cards. I ordered them from kernelconcepts. As soon as they arrive (and I have some free time), I will start to use them and write down how to work with them on FreeBSD.

Which crypto card to use with FreeBSD (ssh/gpg)

The recent security incident triggered a discussion on how to secure ssh/gpg keys.

One way I want to focus on here (because it is the way I want to use at home) is to store the keys on a crypto card. I did some research for suitable crypto cards and found one which is called Feitian PKI Smartcard, and one which is called OpenPGP card. The OpenPGP card also exists in a USB version (basically a small version of the card is already integrated into a small USB card reader).

The Feitian card is reported to be able to handle RSA keys up to 2048 bits. They do not seem to handle DSA (or ECDSA) keys. The smartcard quick starter guide they have (the Tuning smartcard file system part) tells how to change the parameters of the card to store up to 9 keys on it.

The spec of the OpenPGP card says that it supports RSA keys up to 3072 bits, but there are reports that it is able to handle RSA keys up to 4096 bits (you need at least GPG 2.0.18 to handle such big keys on the crypto card). It looks to me like the card does not handle DSA (or ECDSA) keys. There are only slots for up to 3 keys on it.

If I go this way, I would also need a card reader. It seems a class 3 one (hardware PIN pad and display) would be the most “future-proof” way to go ahead. I found a Reiner SCT cyberJack secoder card reader, which is believed to be supported by OpenSC and seems to be a good balance between cost and features of the Reiner SCT card readers.

If anyone reading this can suggest a better crypto card (keys up to 4096 bits, more than 3 slots, and/or DSA/ECDSA support), or a better card reader, or has any practical experience with any of those components on FreeBSD, please add a comment.

Hats off to the people handling the recent security incident

I take my hat off to the people handling the recent security incident on the FreeBSD infrastructure.

  • Thanks a lot for the countless hours you invested to find and close the initial attack vector.
  • Thanks a lot for the countless hours you invested to get the machines back to a well known state.
  • Thanks a lot for the countless hours you invested to verify the source repository.
  • Thanks a lot for the countless hours you invested to get back to a trusted package building environment.
  • Thanks a lot for the countless hours you invested to get the “remaining” infrastructure (and everything else I forgot to mention) back into a good state.

Or in short: Thanks a lot for the countless hours you invested to get us from “we’re busted” to “we’re back”.

And last but not least, thanks for the decision to be better safe than sorry regarding our userbase (while it is the only way to handle something like this in an OSS project, I unfortunately think it has to be mentioned instead of taking it as an obvious decision).

Dear script-kiddy coming in via

After 84 lockouts from your IP address for your tries to guess the password of just one account (not counting your attempts to log in to the other accounts, where you received just one lockout) I changed the security settings to lock out IPs faster, and to lock them out longer.

P.S.: I use One-Time-Passwords.
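The two knobs changed above (how quickly an address gets locked out, and for how long) are easiest to see side by side. The following is an added example, not part of the original post and not the lockout mechanism actually used on this blog: a sliding-window lockout policy in Python, replayed over constructed failed-login lines. The log format, the addresses (from the documentation ranges) and the timestamps are made up for the example; the point is how a stricter threshold and a longer lockout change how many guesses get through before the source is shut out.

```python
# Added example, not the blog's actual lockout mechanism: a sliding-window
# lockout policy (failures per window, lockout duration) replayed over
# constructed failed-login lines. Log format, addresses and times are made up.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed log format: "<unix_ts> FAILED_LOGIN user=<name> ip=<addr>"
LINE_RE = re.compile(r"^(?P<ts>\d+) FAILED_LOGIN user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: one address hammering one account, one stray failure elsewhere.
SAMPLE_LOG = """\
100 FAILED_LOGIN user=admin ip=203.0.113.5
101 FAILED_LOGIN user=admin ip=203.0.113.5
102 FAILED_LOGIN user=admin ip=203.0.113.5
103 FAILED_LOGIN user=admin ip=203.0.113.5
104 FAILED_LOGIN user=admin ip=203.0.113.5
150 FAILED_LOGIN user=root ip=198.51.100.7
800 FAILED_LOGIN user=admin ip=203.0.113.5
801 FAILED_LOGIN user=admin ip=203.0.113.5
802 FAILED_LOGIN user=admin ip=203.0.113.5
"""


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int     # failures inside the window that trigger a lockout
    window_seconds: int   # sliding window over which failures are counted
    lockout_seconds: int  # how long the address stays locked out


@dataclass
class LockoutState:
    failures: Dict[str, List[int]] = field(default_factory=dict)
    locked_until: Dict[str, int] = field(default_factory=dict)


def is_locked(state: LockoutState, ip: str, now: int) -> bool:
    return state.locked_until.get(ip, 0) > now


def record_failure(policy: LockoutPolicy, state: LockoutState, ip: str, ts: int) -> bool:
    """Record one failed login; return True if it triggers a lockout."""
    recent = [t for t in state.failures.get(ip, []) if ts - t < policy.window_seconds]
    recent.append(ts)
    if len(recent) >= policy.max_failures:
        state.locked_until[ip] = ts + policy.lockout_seconds
        state.failures[ip] = []   # counter restarts after the lockout expires
        return True
    state.failures[ip] = recent
    return False


def replay(policy: LockoutPolicy, log: str) -> Tuple[List[Tuple[str, int]], int]:
    """Replay failed logins; return (lockouts as (ip, ts), attempts refused while locked)."""
    state = LockoutState()
    lockouts: List[Tuple[str, int]] = []
    refused = 0
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not failed-login records
        ts, ip = int(m["ts"]), m["ip"]
        if is_locked(state, ip, ts):
            refused += 1  # attempts during a lockout are refused, not counted
            continue
        if record_failure(policy, state, ip, ts):
            lockouts.append((ip, ts))
    return lockouts, refused


# Illustrative "before" and "after" settings, not the blog's real values.
LENIENT = LockoutPolicy(max_failures=5, window_seconds=60, lockout_seconds=60)
STRICT = LockoutPolicy(max_failures=3, window_seconds=60, lockout_seconds=600)

if __name__ == "__main__":
    for name, policy in (("lenient", LENIENT), ("strict", STRICT)):
        locks, refused = replay(policy, SAMPLE_LOG)
        print(f"{name}: lockouts={locks} refused_while_locked={refused}")
```

With the lenient settings the sample source gets five free guesses before the first lockout and its later burst is never locked at all; with the strict settings it is shut out after three, the next two guesses are refused outright, and the second burst triggers a second lockout. Counting refused attempts separately from failures is deliberate: feeding refused attempts back into the counter would let a source extend its own lockout indefinitely, which is a nuisance for logging but does not improve protection.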