Status crypto cards HOWTO: problems with the card reader (support could be better)

After hours (spread over weeks) I come to the conclusion that there is a lot of potential to improve the documentation of card readers (but I doubt the card reader vendors will do it) and of the pcsc documentation. It is not easy to arrive at a point where you understand everything. The compatibility list does not help much, as the card readers are partly past their end of life and the models which replace them are not listed. Respectively the one I bought does not support all the features I need. I even ported the driver to FreeBSD (not committed, I wanted to test everything first) and a lot of stuff works, but one critical part is that I cannot store a certificate on the crypto card as the card reader or the driver does not support extended APDUs (needed to transfer more than 255 bytes to the card reader).
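To make the 255-byte limit concrete, here is an added example (my own code, not from the blog post and not from any of the drivers or tools it mentions) that encodes ISO 7816-4 command APDUs in the short and the extended length form, and splits a large payload into a command chain as the fallback ISO 7816-4 offers when a reader or driver cannot pass extended APDUs. The INS/P1/P2 values for SELECT, GET DATA and PUT DATA of the cardholder certificate (data object 7F21) follow the OpenPGP card specification; the 300-byte "certificate" is a constructed placeholder, and whether a given card, reader and driver accept either form is exactly the question the post is about.

```python
"""Encode ISO 7816-4 command APDUs in short and extended length form.

Added example, not code from the blog. Shows why more than 255 bytes of
command data (e.g. a certificate written with PUT DATA) cannot be sent in
one short APDU, and how command chaining splits it into short APDUs.
"""
from typing import List, Optional

SHORT_LC_MAX = 255      # 1-byte Lc field
EXT_LC_MAX = 65535      # 2-byte Lc field
CLA_CHAIN = 0x10        # ISO 7816-4 CLA bit: "not the last command of a chain"

# Instruction bytes and AID prefix as defined in the OpenPGP card spec
INS_SELECT, INS_GET_DATA, INS_PUT_DATA = 0xA4, 0xCA, 0xDA
OPENPGP_AID = bytes.fromhex("D27600012401")
DO_CERT = (0x7F, 0x21)  # cardholder certificate data object (P1, P2)

# Constructed placeholder standing in for a DER certificate (not a real cert)
FAKE_CERT = bytes([0x30, 0x82, 0x01, 0x28]) + b"\xA5" * 296   # 300 bytes


def encode_apdu(cla: int, ins: int, p1: int, p2: int, data: bytes = b"",
                le: Optional[int] = None, extended: bool = False) -> bytes:
    """Return the wire encoding of one command APDU.

    le=None: no response data expected (case 1/3); le=0 means "maximum".
    Raises ValueError when the payload does not fit the chosen length form.
    """
    header = bytes([cla, ins, p1, p2])
    lc = len(data)
    if not extended:
        if lc > SHORT_LC_MAX:
            raise ValueError(f"{lc} bytes of data need an extended APDU "
                             f"(short Lc max is {SHORT_LC_MAX})")
        if le is not None and le > 256:
            raise ValueError("short Le max is 256")
        body = bytes([lc]) + data if lc else b""
        if le is not None:
            body += bytes([le & 0xFF])          # Le=256 is encoded as 0x00
        return header + body
    if lc > EXT_LC_MAX:
        raise ValueError("too much data even for an extended APDU")
    if le is not None and le > 65536:
        raise ValueError("extended Le max is 65536")
    body = b""
    if lc:
        body += b"\x00" + lc.to_bytes(2, "big") + data   # 00 Lc1 Lc2 data
    if le is not None:
        if not lc:
            body += b"\x00"                               # case 2E marker
        body += (le & 0xFFFF).to_bytes(2, "big")          # Le=65536 -> 00 00
    return header + body


def chain_apdus(cla: int, ins: int, p1: int, p2: int, data: bytes,
                block: int = SHORT_LC_MAX) -> List[bytes]:
    """Split data into short APDUs using ISO 7816-4 command chaining.

    Every block except the last carries the CLA chaining bit, so the card
    reassembles the pieces; the reader only ever sees short APDUs.
    """
    chunks = [data[i:i + block] for i in range(0, len(data), block)] or [b""]
    apdus = []
    for idx, chunk in enumerate(chunks):
        more = idx < len(chunks) - 1
        apdus.append(encode_apdu(cla | CLA_CHAIN if more else cla,
                                 ins, p1, p2, chunk))
    return apdus


def demo() -> dict:
    """Build the APDUs a host would send to store the placeholder cert."""
    out = {"select": encode_apdu(0x00, INS_SELECT, 0x04, 0x00, OPENPGP_AID)}
    try:
        encode_apdu(0x00, INS_PUT_DATA, *DO_CERT, FAKE_CERT)
    except ValueError as err:
        out["short_error"] = str(err)
    out["put_extended"] = encode_apdu(0x00, INS_PUT_DATA, *DO_CERT,
                                      FAKE_CERT, extended=True)
    out["put_chained"] = chain_apdus(0x00, INS_PUT_DATA, *DO_CERT, FAKE_CERT)
    out["get_extended"] = encode_apdu(0x00, INS_GET_DATA, *DO_CERT,
                                      le=0, extended=True)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        if isinstance(value, list):
            print(name, [a[:7].hex() + "..." for a in value])
        elif isinstance(value, bytes):
            print(name, value[:7].hex(), f"({len(value)} bytes)")
        else:
            print(name, value)
```

The chained form only helps if the card implements chaining for PUT DATA (the OpenPGP card v2 spec lists command chaining among its optional capabilities) and the driver passes the CLA bit through unchanged; a reader stack that silently rejects either path is the failure mode described above.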

Well, the status so far:

  • I have a HOWTO on what to install to use crypto cards in FreeBSD
  • I have a HOWTO on what to install / configure in Windows
  • I have a HOWTO regarding creating keys on an OpenPGP v2 card and how to use this key with ssh on FreeBSD (or any other unix-like OS which can run pcsc)
  • I have a card reader which does not support extended APDUs
  • I want to make sure what I write in the HOWTOs is also suitable for the use with Windows / PuTTY
  • it seems Windows needs a certificate and not only a key when using the Windows CAPI (using the vendor supplied card reader driver) in PuTTY-CSC (works at work with a USB token)
  • the pcsc pkcs11 Windows DLL is not suitable yet for use on Windows 8 64bit
  • I contacted the card reader vendor to ask if the card reader or the driver is the problem regarding the extended APDUs
  • I found problems in gpg4win / pcsc on Windows 8
  • I have sent some money to the developers of gpg4win to support their work (if you use gnupg on Windows, try to send a few units of money to them, the work stagnated as they need to spend their time on paid work)

So either I need a new card reader, or have to wait for an update of the linux driver of the vendor… which probably means it may be a lot faster to buy a new card reader. When looking for one with at least a PIN pad, I either do not find anything which is listed as supported by pcsc on the vendor pages (it is incredible how hard it is to navigate the websites of some companies… a lot of buzzwords but no way to get to the real products), or they only list updated models where I do not know if they will work.

When I have something which works with FreeBSD and Windows, I will publish all the HOWTOs here at once.

OpenPGP crypto cards ordered

I wrote in a previous blog post that I want to switch to crypto cards for use with ssh and GnuPG. After some research I settled on the OpenPGP crypto cards. I ordered them from kernelconcepts. As soon as they arrive (and I have some free time), I will start to use them and write down how to work with them with FreeBSD.

Which crypto card to use with FreeBSD (ssh/gpg)

The recent security incident triggered a discussion on how to secure ssh/gpg keys.

One way I want to focus on here (because it is the way I want to use at home) is to store the keys on a crypto card. I did some research for suitable crypto cards and found one which is called Feitian PKI Smartcard, and one which is called OpenPGP card. The OpenPGP card also exists in a USB version (basically a small version of the card is already integrated into a small USB card reader).

The Feitian card is reported to be able to handle RSA keys up to 2048 bits. They do not seem to handle DSA (or ECDSA) keys. The smartcard quick starter guide they have (the Tuning smartcard file system part) tells how to change the parameters of the card to store up to 9 keys on it.

The spec of the OpenPGP card tells that it supports RSA keys up to 3072 bits, but there are reports that it is able to handle RSA keys up to 4096 bits (you need to have at least GPG 2.0.18 to handle such big keys on the crypto card). It looks to me like the card does not handle DSA (or ECDSA) keys. There are only slots for up to 3 keys on it.

If I go this way, I would also need a card reader. It seems a class 3 one (hardware PIN pad and display) would be the most “future-proof” way to go ahead. I found a Reiner SCT cyberJack secoder card reader, which is believed to be supported by OpenSC and seems to be a good balance between cost and features of the Reiner SCT card readers.

If anyone reading this can suggest a better crypto card (keys up to 4096 bits, more than 3 slots, and/or DSA/ECDSA support), or a better card reader, or has any practical experience with any of those components on FreeBSD, please add a comment.

Hats off to the people handling the recent security incident

I take my hat off to the people handling the recent security incident on the FreeBSD infrastructure.

Guys:

  • Thanks a lot for the countless hours you invested to find and close the initial attack vector.
  • Thanks a lot for the countless hours you invested to get the machines back to a well known state.
  • Thanks a lot for the countless hours you invested to verify the source repository.
  • Thanks a lot for the countless hours you invested to get back to a trusted package building environment.
  • Thanks a lot for the countless hours you invested to get the “remaining” infrastructure (and everything else I forgot to mention) back into a good state.

Or in short: Thanks a lot for the countless hours you invested to get us from “we’re busted” to “we’re back”.

And last but not least, thanks for the decision to be better safe than sorry regarding our userbase (while it is the only way to handle something like this in an OSS project, I unfortunately think it has to be mentioned instead of taking it as an obvious decision).

Dear script-kiddy coming in via 5.39.218.138

After 84 lockouts from your IP address for your tries to guess the password of just one account (not counting your attempts to log in to the other accounts where you received just one lockout) I changed the security settings to lock out IPs faster, and to lock them out longer.

P.S.: I use One-Time-Passwords.
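The "lock out faster and longer" change can be expressed as a small policy simulation. This is an added example of my own, not the blog's actual configuration or any real lockout tool: the log line format, the two sets of policy values and the log itself are constructed assumptions, chosen to show what a lower failure threshold and a longer lockout do to a single IP hammering one account.

```python
"""Simulate a per-IP failed-login lockout policy over a constructed log.

Added example, not the blog author's configuration. Compares a lax policy
with a stricter "lock out faster and longer" one on the same input.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable

# Assumed, constructed log format: "<unix_ts> FAILED_LOGIN user=<u> ip=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\d+) FAILED_LOGIN user=(?P<user>\S+) ip=(?P<ip>\S+)$")


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int      # failures allowed before the IP is locked out
    lockout_seconds: int   # how long the IP then stays locked out


OLD_POLICY = LockoutPolicy(max_failures=5, lockout_seconds=60)     # assumed lax values
NEW_POLICY = LockoutPolicy(max_failures=3, lockout_seconds=3600)   # assumed stricter values


def simulate(lines: Iterable[str], policy: LockoutPolicy) -> Dict[str, Dict[str, int]]:
    """Replay failed-login events in time order and return per-IP counters.

    guesses  = attempts that actually reached the password check
    blocked  = attempts rejected outright because the IP was locked out
    lockouts = number of lockout events the IP triggered
    """
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:                      # lines in another format are ignored
            events.append((int(m["ts"]), m["ip"]))
    events.sort()

    failures = defaultdict(int)        # consecutive failures per IP
    locked_until = defaultdict(int)    # unix ts until which the IP is locked
    stats = defaultdict(lambda: {"guesses": 0, "blocked": 0, "lockouts": 0})
    for ts, ip in events:
        if ts < locked_until[ip]:
            stats[ip]["blocked"] += 1  # no password check, no counter change
            continue
        stats[ip]["guesses"] += 1
        failures[ip] += 1
        if failures[ip] >= policy.max_failures:
            stats[ip]["lockouts"] += 1
            locked_until[ip] = ts + policy.lockout_seconds
            failures[ip] = 0           # counter restarts after the lockout
    return dict(stats)


# Constructed sample: one IP (TEST-NET) guessing "admin" every 10 s for 1000 s,
# plus one stray failure from another address to show per-IP isolation.
SAMPLE_LOG = [f"{t} FAILED_LOGIN user=admin ip=203.0.113.5" for t in range(0, 1000, 10)]
SAMPLE_LOG.append("5 FAILED_LOGIN user=bob ip=198.51.100.7")


if __name__ == "__main__":
    for name, policy in (("old", OLD_POLICY), ("new", NEW_POLICY)):
        print(name, policy, simulate(SAMPLE_LOG, policy))
```

With the lax values the attacker gets a password guess through half the time and racks up one lockout per 100 seconds, which is the "84 lockouts" pattern; with the stricter values only the first three guesses reach the password check and everything after is dropped for the next hour, so the lockout count itself drops even though far more attempts are rejected.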
