Status crypto cards HOWTO: problems with the card reader (support could be better)

After hours (spread over weeks) I come to the conclusion that there is a lot of potential to improve the documentation of card readers (but I doubt the card reader vendors will do it) and of the pcsc documentation. It is not easy to arrive at a point where you understand everything. The compatibility list does not help much, as the card readers are partly past their end of life and the models which replace them are not listed. And the one I bought does not support all the features I need. I even ported the driver to FreeBSD (not committed, I wanted to test everything first) and a lot of stuff works, but one critical part is that I cannot store a certificate on the crypto card, as the card reader or the driver does not support extended APDUs (needed to transfer more than 255 bytes to the card reader).

Well, the status so far:

  • I have a HOWTO what to install to use crypto cards in FreeBSD
  • I have a HOWTO what to install / configure in Windows
  • I have a HOWTO regarding creating keys on an OpenPGP v2 card and how to use this key with ssh on FreeBSD (or any other unix-like OS which can run pcsc)
  • I have a card reader which does not support extended APDUs
  • I want to make sure what I write in the HOWTOs is also suitable for the use with Windows / PuTTY
  • it seems Windows needs a certificate and not only a key when using the Windows CAPI (using the vendor supplied card reader driver) in PuTTY-CSC (works at work with a USB token)
  • the pcsc pkcs11 Windows DLL is not suitable yet for use on Windows 8 64bit
  • I contacted the card reader vendor to find out if the card reader or the driver is the problem regarding the extended APDUs
  • I found problems in gpg4win / pcsc on Windows 8
  • I have sent some money to the developers of gpg4win to support their work (if you use gnupg on Windows, try to send a few units of money to them, the work stagnated as they need to spend their time on paid work)
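Why the 255-byte limit matters for storing a certificate: in a short ISO 7816-4 command APDU the Lc length field is a single byte, so one command can carry at most 255 data bytes, while the extended form uses a three-byte Lc (00 xx xx) and can carry up to 65535 bytes, which a DER certificate typically needs. The following encoder is an added example, not code from the post, from pcsc or from any reader vendor. The only claim taken from the post is the 255-byte limit; the header bytes used (CLA 00, INS DA = PUT DATA, P1P2 7F21 = cardholder certificate) follow the OpenPGP card v2 specification and are an assumption about the concrete command, and all payloads are constructed.

```python
"""Short vs. extended ISO 7816-4 command APDUs.

Added example, not code from the blog post or from any card/reader vendor.
The post states only that more than 255 bytes need an extended APDU; the
header bytes below (CLA 00, INS DA = PUT DATA, P1P2 7F21 = cardholder
certificate) follow the OpenPGP card v2 specification and are an assumption
about the concrete command, not something taken from the post.
"""
import struct
from typing import Optional

# Assumed header: OpenPGP card "PUT DATA" for the cardholder certificate object.
PUT_DATA_CERT = bytes.fromhex("00DA7F21")

SHORT_MAX = 255       # largest Lc a one-byte length field can express
EXTENDED_MAX = 65535  # largest Lc a three-byte (00 xx xx) length field can express


def encode_apdu(header: bytes, data: bytes = b"", le: Optional[int] = None,
                extended: bool = False) -> bytes:
    """Return the wire bytes of a command APDU: CLA INS P1 P2 [Lc data] [Le].

    header   -- exactly four bytes, CLA INS P1 P2
    data     -- command data field (may be empty)
    le       -- expected response length, or None if no response data is expected
    extended -- use the extended-length encoding (required when len(data) > 255)
    """
    if len(header) != 4:
        raise ValueError("APDU header must be exactly CLA INS P1 P2")
    if len(data) > EXTENDED_MAX:
        raise ValueError("payload too large even for an extended APDU")
    if len(data) > SHORT_MAX and not extended:
        # This is the failure the post ran into: a certificate does not fit into
        # one short APDU, so reader and driver must support extended length.
        raise ValueError(f"{len(data)} data bytes exceed the {SHORT_MAX}-byte short-APDU limit")

    apdu = bytearray(header)
    if extended:
        if data:
            apdu += b"\x00" + struct.pack(">H", len(data)) + data   # Lc = 00 xx xx
        if le is not None:
            le_field = struct.pack(">H", le % 65536)                # 00 00 means 65536
            apdu += le_field if data else b"\x00" + le_field        # without Lc, Le = 00 xx xx
    else:
        if data:
            apdu += bytes([len(data)]) + data                        # Lc = xx (1..255)
        if le is not None:
            apdu += bytes([le % 256])                                # 00 means 256
    return bytes(apdu)


def needs_extended(data: bytes) -> bool:
    """True when the payload cannot be carried by a single short APDU."""
    return len(data) > SHORT_MAX


def apdu_for_certificate(cert_der: bytes) -> bytes:
    """Build the PUT DATA command that stores a certificate, choosing the
    encoding the payload size requires."""
    return encode_apdu(PUT_DATA_CERT, cert_der, extended=needs_extended(cert_der))


if __name__ == "__main__":
    # Constructed payloads: a tiny object and a stand-in for a ~1.2 KiB DER certificate.
    tiny = bytes(range(16))
    fake_cert = b"\x30\x82" + bytes(1200)
    print("short :", apdu_for_certificate(tiny).hex())
    print("extended needed for the certificate:", needs_extended(fake_cert))
    print("extended APDU length:", len(apdu_for_certificate(fake_cert)))
```

A reader or driver that only handles short APDUs will reject or truncate the extended form, which is exactly the symptom of not being able to write a certificate while smaller objects (keys, user data) still work. The OpenPGP card v2 specification also allows command chaining as an alternative to extended length, but that too has to be supported by the driver.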

So either I need a new card reader, or have to wait for an update of the linux driver of the vendor… which probably means it may be a lot faster to buy a new card reader. When looking for one with at least a PIN pad, I either do not find anything which is listed as supported by pcsc on the vendor pages (it is incredible how hard it is to navigate the websites of some companies… a lot of buzzwords but no way to get to the real products), or they only list updated models where I do not know if they will work.

When I have something which works with FreeBSD and Windows, I will publish all the HOWTOs here at once.


OpenPGP crypto cards ordered

I wrote in a previous blog post that I want to switch to crypto cards for use with ssh and GnuPG. After some research I settled on the OpenPGP crypto cards. I ordered them from kernelconcepts. As soon as they arrive (and I have some free time), I will start to use them and write down how to work with them with FreeBSD.

Which crypto card to use with FreeBSD (ssh/gpg)

The recent security incident triggered a discussion about how to secure ssh/gpg keys.

One way I want to focus on here (because it is the way I want to use at home) is to store the keys on a crypto card. I did some research for suitable crypto cards and found one which is called Feitian PKI Smartcard, and one which is called OpenPGP card. The OpenPGP card also exists in a USB version (basically a small version of the card is already integrated into a small USB card reader).

The Feitian card is reported to be able to handle RSA keys up to 2048 bits. It does not seem to handle DSA (or ECDSA) keys. The smartcard quick starter guide they have (the Tuning smartcard file system part) tells how to change the parameters of the card to store up to 9 keys on it.

The spec of the OpenPGP card tells that it supports RSA keys up to 3072 bits, but there are reports that it is able to handle RSA keys up to 4096 bits (you need at least GPG 2.0.18 to handle such big keys on the crypto card). It looks to me like the card does not handle DSA (or ECDSA) keys. There are only slots for up to 3 keys on it.

If I go this way, I would also need a card reader. It seems a class 3 one (hardware PIN pad and display) would be the most “future-proof” way to go ahead. I found a Reiner SCT cyberJack secoder card reader, which is believed to be supported by OpenSC and seems to be a good balance between cost and features of the Reiner SCT card readers.

If anyone reading this can suggest a better crypto card (keys up to 4096 bits, more than 3 slots, and/or DSA/ECDSA support), or a better card reader, or has any practical experience with any of those components on FreeBSD, please add a comment.

Hats off to the people handling the recent security incident

I take my hat off to the people handling the recent security incident on the FreeBSD infrastructure.

  • Thanks a lot for the countless hours you invested to find and close the initial attack vector.
  • Thanks a lot for the countless hours you invested to get the machines back to a well known state.
  • Thanks a lot for the countless hours you invested to verify the source repository.
  • Thanks a lot for the countless hours you invested to get back to a trusted package building environment.
  • Thanks a lot for the countless hours you invested to get the “remaining” infrastructure (and everything else I forgot to mention) back into a good state.

Or in short: Thanks a lot for the countless hours you invested to get us from “we’re busted” to “we’re back”.

And last but not least, thanks for the decision to be better safe than sorry regarding our userbase (while it is the only way to handle something like this in an OSS project, I unfortunately think it has to be mentioned instead of taking it as an obvious decision).

Dear script-kiddy coming in via

After 84 lockouts from your IP address for your tries to guess the password of just one account (not counting your attempts to log in to the other accounts, where you received just one lockout) I changed the security settings to lock out IPs faster, and to lock them out longer.

P.S.: I use One-Time-Passwords.
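The two settings the post changes, how many failures trigger a lockout and how long a locked-out address stays refused, are easiest to reason about when replayed against the same stream of guesses. The following is an added example, not the blog author's actual configuration or software: a small sliding-window lockout tracker that compares a lax and a strict policy on a constructed stream of failed logins from one address (IP address from the 192.0.2.0/24 documentation range, timestamps and thresholds all constructed).

```python
"""Sliding-window login lockout policy.

Added example, not the blog author's actual configuration or software. It
models the two knobs the post mentions, how many failures trigger a lockout
("faster") and how long the lockout lasts ("longer"), and compares a lax and a
strict policy on the same constructed stream of failed logins. The IP address
(192.0.2.0/24 documentation range), timestamps and thresholds are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int  # failures inside window_s that trigger a lockout
    window_s: int      # sliding window over which failures are counted
    lockout_s: int     # how long a locked-out address is refused


class LockoutTracker:
    """Tracks per-source failures and issues lockouts according to a policy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.failures: Dict[str, deque] = defaultdict(deque)  # ip -> recent failure times
        self.locked_until: Dict[str, int] = {}                # ip -> lockout expiry time
        self.lockouts: Dict[str, int] = defaultdict(int)      # ip -> lockouts issued
        self.checked: Dict[str, int] = defaultdict(int)       # ip -> attempts that reached the password check

    def is_locked(self, ip: str, now: int) -> bool:
        return self.locked_until.get(ip, -1) > now

    def record_failure(self, ip: str, now: int) -> bool:
        """Process one failed login. Returns True if the attempt was refused because of a lockout."""
        if self.is_locked(ip, now):
            return True  # refused before any password check happens
        self.checked[ip] += 1
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.policy.window_s:
            recent.popleft()  # forget failures that fell out of the window
        if len(recent) >= self.policy.max_failures:
            self.locked_until[ip] = now + self.policy.lockout_s
            self.lockouts[ip] += 1
            recent.clear()
            return True
        return False


def guessing_stream(ip: str, start: int, step_s: int, count: int) -> List[Tuple[int, str]]:
    """Constructed input: one address failing a login every step_s seconds."""
    return [(start + i * step_s, ip) for i in range(count)]


def simulate(policy: LockoutPolicy, events: Iterable[Tuple[int, str]]) -> Dict[str, Tuple[int, int]]:
    """Replay (time, ip) failures; return ip -> (lockouts issued, attempts that reached the password check)."""
    tracker = LockoutTracker(policy)
    for now, ip in sorted(events):
        tracker.record_failure(ip, now)
    return {ip: (tracker.lockouts[ip], tracker.checked[ip]) for ip in tracker.checked}


# Constructed policies: the "before" and the "faster and longer" variant.
LAX = LockoutPolicy(max_failures=5, window_s=60, lockout_s=60)
STRICT = LockoutPolicy(max_failures=3, window_s=60, lockout_s=600)

if __name__ == "__main__":
    events = guessing_stream("192.0.2.10", start=0, step_s=2, count=300)  # 10 minutes of guessing
    for name, policy in (("lax", LAX), ("strict", STRICT)):
        print(name, simulate(policy, events))
```

Under the lax policy the same address is locked out again and again and still gets 45 guesses checked against the password database; the strict policy produces one lockout and lets only 3 guesses through. The number of lockouts a source accumulates, as in the post, is itself a useful signal: many short lockouts for one address mean the lockout is too short, not that the attacker gave up.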