After hours (spread over weeks) I come to the conclusion that there is a lot of potential to improve the documentation of card readers (but I doubt the card reader vendors will do it) and of the pcsc documentation. It is not easy to arrive at a point where you understand everything. The compatibility list does not help much, as the card readers are partly past their end of life and the models which replace them are not listed. Respectively the one I bought does not support all the features I need. I even ported the driver to FreeBSD (not committed, I wanted to test everything first) and a lot of stuff works, but one critical part is that I can not store a certificate on the crypto card as the card reader or the driver does not support extended APDUs (needed to transfer more than 255 bytes to the card reader).
Well, the status so far:
- I have a HOWTO what to install to use crypto cards in FreeBSD
- I have a HOWOT what to install / configure in Windows
- I have a HOWTO regarding creating keys on a openpgp v2 card and how to use this key with ssh on FreeBSD (or any other unix-like OS which can run pcsc)
- I have a card reader which does not support extended APDUs
- I want to make sure what I write in the HOWTOs is also suitable for the use with Windows / PuTTY
- it seems Windows needs a certificate and not only a key when using the Windows CAPI (using the vendor supplied card reader driver) in PuTTY-CSC (works at work with a USB token)
- the pcsc pkcs11 Windows DLL is not suitable yet for use on Windows 8 64bit
- I contacted the card reader vendor if the card reader or the driver is the problem regarding the extended APDUs
- I found problems in gpg4win / pcsc on Windows 8
- I have send some money to the developers of gpg4win to support their work (if you use gnupg on Windows, try to send a few units of money to them, the work stagnated as they need to spend their time for paid work)
So either I need a new card reader, or have to wait for an update of the linux driver of the vendor… which probably means it may be a lot faster to buy a new card reader. When looking for one with at least a PIN pad, I either do not find anything which is listed as supported by pcsc on the vendor pages (it is incredible how hard it is to navigate the websites of some companies… a lot of buzzwords but no way to get to the real products), or they only list updated models where I do not know if they will work.
When I have something which works with FreeBSD and Windows, I will publish all the HOWTOs here at once.
I wrote in a previous blog post that I want to switch to crypto cards for use with ssh and GnuPG. After some research I settled on the OpenPGP cryto cards. I ordered them from kernelconcepts. As soon as they arrive (and I have some free time), I will start to use them and write down how to work with them with FreeBSD.
The recent security incident triggered a discussion how to secure ssh/gpg keys.
One way I want to focus on here (because it is the way I want to use at home), is to store the keys on a crypto card. I did some research for suitable crypto cards and found one which is called Feitian PKI Smartcard, and one which is called OpenPGP card. The OpenPGP card also exists in a USB version (basically a small version of the card is already integrated into a small USB card reader).
The Feitian card is reported to be able to handle RSA keys upto 2048 bits. They do not seem to handle DSA (or ECDSA) keys. The smartcard quick starter guide they have (the Tuning smartcard file system part) tells how to change the parameters of the card to store upto 9 keys on it.
The spec of the OpenPGP card tells that it supports RSA keys upto 3072 bits, but there are reports that it is able to handle RSA keys upto 4096 bits (you need to have at least GPG 2.0.18 to handle that big keys on the crypto card). It looks to me like the card is not handle DSA (or ECDSA) cards. There are only slots for upto 3 keys on it.
If I go this way, I would also need a card reader. It seems a class 3 one (hardware PIN pad and display) would be the most “future-proof” way to go ahead. I found a Reiner SCT cyberJack secoder card reader, which is believed to be supported by OpenSC and seems to be a good balance between cost and features of the Reiner SCT card readers.
If anyone reading this can suggest a better crypto card (keys upto 4096 bits, more than 3 slots, and/or DSA/ECDSA support), or a better card reader, or has any practical experience with any of those components on FreeBSD, please add a comment.
I pull my hat to the people handling the recent security incident on the FreeBSD infrastructure.
- Thanks a lot for the countless hours you invested to find and close the initial attack vector.
- Thanks a lot for the countless hours you invested to get the machines back to a well known state.
- Thanks a lot for the countless hours you invested to verify the source repository.
- Thanks a lot for the countless hours you invested to get back to a trusted package building environment.
- Thanks a lot for the countless hours you invested to get the “remaining” infrastructure (and everything else I forgot to mention) back into a good state.
Or in short: Thanks a lot for the countless hours you invested to get us from “we’re busted” to “we’re back”.
And last but not least, thanks for the decision to be better safe than sorry regarding our userbase (while it is the only way to handle something like this in a OSS project, I unfortunately think it has to be mentioned instead of taking it as an obvious decision).
After 84 lockouts from your IP address for your tries to guess the password of just one account (not counting your attempts to login to the other accounts were you received just one lockout) I changed the security settings to lockout IP’s faster, and to lock them out longer.
P.S.: I use One-Time-Passwords.