smart cards in linux
play

SMART CARDS IN LINUX AND WHY YOU SHOULD CARE Jakub Jelen Red Hat - PowerPoint PPT Presentation

Feb 28, 2023 •358 likes •708 views

SMART CARDS IN LINUX AND WHY YOU SHOULD CARE Jakub Jelen Red Hat jjelen@redhat.com PRIVATE KEYS, CERTIFICATES: WHAT ARE THEY USED FOR? PRIVATE KEYS, CERTIFICATES: WHAT ARE THEY USED FOR? Email signatures & encryption SSH authentication

  1. SMART CARDS IN LINUX AND WHY YOU SHOULD CARE Jakub Jelen Red Hat jjelen@redhat.com

  2. PRIVATE KEYS, CERTIFICATES: WHAT ARE THEY USED FOR?

  3. PRIVATE KEYS, CERTIFICATES: WHAT ARE THEY USED FOR? Email signatures & encryption SSH authentication Git commit/tag signing TLS client authentication (eGovernment) More secure password replacement

  4. WHERE ARE THEY STORED? Hard drive Computer memory

  5. ARE THEY SECURE?

  6. SMART CARD: DEDICATED HW THE MOST OBVIOUS CREDITCARD-SIZE FORM

  7. "SMART CARD": HW TOKEN MORE PRACTICAL FORM

  8. IN THIS TALK Anatomy of smart card and software OpenSC project Practical examples Smart Card Other features Troubleshooting

  9. ANATOMY OF SMART CARD AND ITS SOFTWARE STACK

  10. ANATOMY Firefox Smartcard GnuPG NSS OpenSSH ISO/IEC 7816 - closed :( Electrical specification PKCS#11 Commands (APDU) scdaemon OpenSC pcsc-lite, CCID PC/SC protocol PC/SC Chip card interface device pcsc-lite + CCID: pcscd pcscd system daemon OpenSC USB drivers for cards Card reader USB token exposing PKCS#11 interface ISO/IEC 7816 PKCS#11 interface for applications/libraries Smart Card Applications, Libraries

  11. OPENSC PROJECT OPEN SOURCE SMART CARD TOOLS AND MIDDLEWARE

  12. OPENSC PROJECT Card drivers Most of current cards (almost 40) PIV, OpenPGP, CardOS, myEID Contributions: CAC, Coolkey (RHCS) Multiplatform (Linux, Mac, Windows, ...) Exposes PKCS#11 interface for other applications Way to read, write and operate on keys Prevents reading private data Testing Mostly manual CI running PKCS#11 testsuite for "our" cards

  13. EXAMPLES HOW CAN I DO ... WITH A SMART CARD? (assuming already provisioned card with preloaded keys)

  14. EXAMPLES Card inspection Atomic operations OpenSSH client sudo TLS Client Authentication Concurrent access GnuPG

  15. CARD INSPECTION PC/SC level (pcsc-tools) $ pcsc_scan PC/SC device scanner V 1.4.25 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr> Compiled with PC/SC lite version: 1.8.22 Using reader plug'n play mechanism Scanning present readers... 0: OMNIKEY AG CardMan 3121 00 00 Thu Jan 11 15:52:13 2018 Reader 0: OMNIKEY AG CardMan 3121 00 00 Card state: Card inserted, Shared Mode, ATR: 3B FF 14 00 FF 81 31 FE 45 80 25 A0 00 00 00 56 57 53 43 36 35 30 03 03 38 [...]

  16. CARD INSPECTION PKCS#11 level: Token (opensc) $ pkcs11-tool --list-slots Available slots: Slot 0 (0x0): OMNIKEY AG CardMan 3121 00 00 token label : jjelen (jjelen) token manufacturer : 534e SafeNet token model : PKCS#15 emulated token flags : login required, token initialized , PIN initialized hardware version : 0.0 firmware version : 0.0 serial num : 4e06500042005002 pin min/max : 4/32

  17. CARD INSPECTION PKCS#11 level: Objects (opensc) $ pkcs11-tool --list-objects --login Using slot 0 with a present token (0x0) Logging in to "jjelen (jjelen)". Private Key Object; RSA label: signing key for jjelen ID: 01 Usage: sign Public Key Object; RSA 1024 bits label: signing key for jjelen ID: 01 Usage: verify Certificate Object; type = X.509 cert label: signing key for jjelen ID: 01 [...]

  18. ATOMIC OPERATIONS Download the certificate from a card and show its content $ pkcs11-tool --read-object --id 01 --type cert \ --output-file cert.der Using slot 0 with a present token (0x0) $ openssl x509 -inform DER -in cert.der > cert.pem $ openssl x509 -in cert.pem -text Certificate: Data: Version: 3 (0x2) Serial Number: 41 (0x29) Signature Algorithm: sha256WithRSAEncryption Issuer: O = sjc.redhat.com Security Domain , CN = CA Signing Certificate Validity Not Before: Jul 15 20:57:58 2016 GMT Not After : Jul 14 20:57:58 2021 GMT Subject: CN = Jakub Jelen , O = Token Key User, UID = jjelen

  19. ATOMIC OPERATIONS Signature & Verification from command-line $ pkcs11-tool --sign --id 01 --mechanism RSA-PKCS --login \ --input-file data --output-file data.sig Using slot 0 with a present token (0x0) Logging in to "jjelen (jjelen)". Please enter User PIN: Using signature algorithm RSA-PKCS $ openssl rsautl -verify -certin -inkey cert.pem \ -in data.sig [original signed data]

  20. OPENSSH CLIENT List public keys on the smart card in OpenSSH format $ ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11. $ ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCXBle8[...]2YuRJF6AuwrpQ== Install the keys to the server Connect to server $ ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so example.com $ ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so example.com Enter PIN for 'PIV_II (PIV Card Holder pin)': Enter PIN for 'PIV_II (PIV Card Holder pin)': Store permanent configuration in client configuration $ cat ~/.ssh/config $ cat ~/.ssh/config Host shost Host example.com PKCS11Provider /usr/lib64/pkcs11/opensc-pkcs11.so PKCS11Provider /usr/lib64/pkcs11/opensc-pkcs11.so RSA keys only (OpenSSH bug #2474 )

  21. OPENSSH CLIENT (SSH-AGENT) Start ssh-agent (does not work with gnome-keyring): $ test -e "$SSH_AUTH_SOCK" || eval $(ssh-agent) so Add a card: $ ssh-add -s /usr/lib64/pkcs11/opensc-pkcs11.so Enter passphrase for PKCS#11: Card added: /usr/lib64/pkcs11/opensc-pkcs11.so Connect to server: $ ssh example.com

  22. SUDO (PAM_SSH_AGENT_AUTH) Set up ssh-agent as in previous slide Store public key in /etc/security/authorized_keys Configure sudo through pam: $ ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11. $ cat /etc/pam.d/sudo so ... Attempt to connect to server example auth sufficient pam_ssh_agent_auth.so \ file=/etc/security/authorized_keys Even on remote hosts (forwarded ssh-agent)

  23. TLS CLIENT AUTHENTICATION Firefox -> Preferences -> Privacy&Security -> Security -> Security Devices -> Load

  24. CONCURRENT ACCESS Configuration: opensc.conf drivers = PIV-II; # explicit for speed and to avoid mismatches drivers = PIV-II; # speed up detection and avoid mismatches a reader_driver pcsc { disconnect_action=leave; # do not break concurrent sessions a } a OpenSSH ssh-agent: long-running session eval `ssh-agent` && ssh-add -s /usr/lib64/pkcs11/opensc-pkcs11.so eval `ssh-agent` && ssh-add -s /usr/lib64/opensc-pkcs11.so ssh example.com ssh example.com a pkcs11-tool: ad-hoc commands pkcs11-tool --login --id 02 --sign -m RSA-PKCS -i data -o data.sig pkcs11-tool --login --sign --id02 -mRSA-PKCS -i data -o data.sig Some applications require exclusive access (GnuPG sdaemon) :( More applet on a single card = problems

  25. GNUPG Email, git commit signing GnuPG's scdaemon not using PKCS#11 to access OpenPGP applets directly accessing PC/SC with exclusive access preventing other applications to use the card gnupg-pkcs11-scd Accessing cards using PKCS#11 More complicated configuration

  26. KERBEROS pkinit: pre-authentication (RFC 4556) Certificate and signature from PKCS#11 krb5.conf pkinit_identity = PKCS11: FreeIPA 4.5 : Mapping certificates to users Whole blobs X.509 blobs Flexible mapping rules replacing pam_pkcs11

  27. EXAMPLES WHAT CAN I DO WITH OTHER HARDWARE TOKENS?

  28. EXAMPLES Yubikey, Nitrokey, Feitian 2nd factor authentication FIDO U2F OTP Yubico OTP Does not verify PIN can not be the only factor!

  29. FIDO U2F FIDO Universal 2nd Factor Support: Chromium out of box Firefox 57: about:config security.webauth.u2f = true Use cases Fortify authentication to websites Local login (pam_u2f) Alternative to SMS or OTP apps Physical verification with touch

  30. OATH-HOTP/TOTP One-Time Password Standard OATH HMAC hash-based Securely stored secret key Client: Yubikey Authenticator + Android version Server (verification) : Usually with PAM module Physical verification with touch

  31. YUBICO OTP One-Time Password Yubico-version Client: no drivers needed USB HID keyboard Server (verification) : Usually with PAM module Physical verification with touch AES encryption

  32. TROUBLESHOOTING WHAT COULD GO WRONG?

  33. TROUBLESHOOTING SMART CARD Is the reader/USB device detected? $ lsusb Is the card detected in pcsc-lite? $ pcsc_scan PCSC trace (APDU messages) $ systemctl stop pcscd $ sudo LIBCCID_ifdLogLevel=0x000F pcscd --foreground --debug --apdu --color Is the card detected in OpenSC? pkc11-tool -L PKCS#11 level trace: export PKCS11SPY=/usr/lib64/pkcs11/opensc-pkcs11.so pkcs11-tool -L /usr/lib64/pkcs11-spy.so OpenSC debug logs: OPENSC_DEBUG=9 pkc11-tool -L

  34. SMART CARDS SUMMARY Not only cards! Stores private keys securely PKCS#11 interface for developers Can replace passwords Can strengthen passwords: U2F or OTP for second factor Thank you for your attention

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Smart Cards Carrying certificates around How do you use your [digital] identity? Install your

Smart Cards Carrying certificates around How do you use your [digital] identity? Install your

4/25/08 Smart Cards Carrying certificates around How do you use your [digital] identity? Install your certificate in browser On-computer keychain file Need there be more? 1 4/25/08 Smart cards Smart card Portable device

316 views • 4 slides
ISG Seminar Agenda for Lecture 3 rd November 2011 Evolution of smart cards/RFIDs From Smart

ISG Seminar Agenda for Lecture 3 rd November 2011 Evolution of smart cards/RFIDs From Smart

ISG Seminar Agenda for Lecture 3 rd November 2011 Evolution of smart cards/RFIDs From Smart Cards to NFC Smart Phone Attacks/countermeasures Security Near Field Communication (NFC) Keith Mayes NFC Security Elements

550 views • 8 slides
INOSSEM i nsti tut de recherche Guillaume Bouffard (SSD) Vulnerability Analysis on Smart Cards

INOSSEM i nsti tut de recherche Guillaume Bouffard (SSD) Vulnerability Analysis on Smart Cards

Introduction Fault Tree Analysis An API to Mitigate the Undesirable Events Conclusion Vulnerability Analysis on Smart Cards using Fault Tree Guillaume Bouffard Bhagyalekshmy N Thampi Jean-Louis Lanet Smart Secure Devices (SSD) Team

705 views • 39 slides
Fault enabled viruses against smart cards 1 2 1 Samiya

Fault enabled viruses against smart cards 1 2 1 Samiya

Fault enabled viruses against smart cards 1 2 1 Samiya HAMADOUCHE , Jean-Louis LANET , Mohamed MEZGHICHE 1 LIMOSE Laboratory, University

898 views • 36 slides
Smart Cards Smart Cards a(s) a(s) Safety Critical Systems Safety Critical Systems Gemplus

Smart Cards Smart Cards a(s) a(s) Safety Critical Systems Safety Critical Systems Gemplus

Smart Cards Smart Cards a(s) a(s) Safety Critical Systems Safety Critical Systems Gemplus Labs Gemplus Labs Pierre.Paradinas Paradinas@ @gemplus gemplus.com .com Pierre. Agenda Agenda Smart Card Technologies Smart Card

358 views • 31 slides
Gaming &amp; Smart Cards Smart Cards Empower Your Vision Gaming Industry Challenges Gaming

Gaming &amp; Smart Cards Smart Cards Empower Your Vision Gaming Industry Challenges Gaming

Gaming &amp; Gaming &amp; Smart Cards Smart Cards Empower Your Vision Gaming Industry Challenges Gaming Industry Challenges Customer Experience Customer Experience Security and Privacy Security and Privacy Integration

544 views • 27 slides
National ID Cards National Smart Card Office (NSCO)

National ID Cards National Smart Card Office (NSCO)

National ID Cards National Smart Card Office (NSCO) www.sabteahval.ir/houshmand/ National Organization for Civil Tell: 60902701-2 Fax: 66736526 Registration(NOCR) Agenda 1. Traditional ID

370 views • 23 slides
The Ins and Outs of Programming Cryptography in Smart Cards . . . and announcing the launch of

The Ins and Outs of Programming Cryptography in Smart Cards . . . and announcing the launch of

The Ins and Outs of Programming Cryptography in Smart Cards . . . and announcing the launch of OpenCard Pascal Paillier CryptoExperts Real World Crypto 2015 Jan 2015 Real World Crypto 2015 Jan 2015 What are Smart Cards? Real World

968 views • 51 slides
Distributed Systems On-computer keychain file Need there be more? Smart Cards, Biometrics,

Distributed Systems On-computer keychain file Need there be more? Smart Cards, Biometrics,

Carrying certificates around How do you use your [digital] identity? Install your certificate in browser Distributed Systems On-computer keychain file Need there be more? Smart Cards, Biometrics, &amp; CAPTCHA Paul Krzyzanowski

215 views • 5 slides
Reverse engineering smart cards Christian M. Ams uss linuxwochen@christian.amsuess.com

Reverse engineering smart cards Christian M. Ams uss linuxwochen@christian.amsuess.com

Reverse engineering smart cards Christian M. Ams uss linuxwochen@christian.amsuess.com http://christian.amsuess.com/ 2010-05-06 Overview objective understand smart card communication based on sniffable communication hardware standard card

468 views • 20 slides
www.worldofinsights.co How to use the cards REFLECT CARDS Use as an ice-breaker to create

www.worldofinsights.co How to use the cards REFLECT CARDS Use as an ice-breaker to create

www.worldofinsights.co How to use the cards REFLECT CARDS Use as an ice-breaker to create dialogue on learning. RETHINK CARDS Use as a brainstorming tool to spark new ideas. ACT CARDS Use to transform insights into action. Licence to Dare

434 views • 24 slides
Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein,

Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein,

Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein, Yun-An Chang, Chen-Mou Cheng, Li-Ping Chou, Nadia Heninger, Tanja Lange, Nicko van Someren September 16, 2013 Problems with non-randomness 2012

810 views • 32 slides
Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein,

Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein,

Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein, Yun-An Chang, Chen-Mou Cheng, Li-Ping Chou, Nadia Heninger, Tanja Lange, Nicko van Someren 5 December 2013 Problems with non-randomness 2012

545 views • 50 slides
Model-Based Security M. Ochoa Verification and Testing for F. Bouquet Smart-Cards J. Bottela

Model-Based Security M. Ochoa Verification and Testing for F. Bouquet Smart-Cards J. Bottela

Model-Based Security M. Ochoa Verification and Testing for F. Bouquet Smart-Cards J. Bottela E.Fourneret J.Jurjens P. Yousefi ARES 2011 OUTLINE Introduction Background UMLsec Model-based Testing Security in smart-card

356 views • 17 slides
Gemplus electronic purse JavaCard applet that runs on JavaCard smart cards. Specifying and

Gemplus electronic purse JavaCard applet that runs on JavaCard smart cards. Specifying and

Gemplus electronic purse JavaCard applet that runs on JavaCard smart cards. Specifying and Verifying an Debit and credit operations on a global example: balance. Secured communication and a decimal representation in Java

339 views • 5 slides
Combining Trusted Computing and Smart Cards for Trustworthy VPN Access Bachelor Thesis - Final

Combining Trusted Computing and Smart Cards for Trustworthy VPN Access Bachelor Thesis - Final

Combining Trusted Computing and Smart Cards for Trustworthy VPN Access Bachelor Thesis - Final Presentation Michael Dorner Chair for Network Architectures and Services Department of Computer Science Technical University of Munich 24.04.2013

763 views • 37 slides
Chip card sidelight on lightweight crypto Marc Girault CARDIS 2014 5-7 November 2014 Contents

Chip card sidelight on lightweight crypto Marc Girault CARDIS 2014 5-7 November 2014 Contents

Orange Labs Caen Chip card sidelight on lightweight crypto Marc Girault CARDIS 2014 5-7 November 2014 Contents 1. Back to 1985 Why 1985 ? Public phones Cryptology 2. Prepaid phone cards Background T1G T2G

786 views • 47 slides
CONTACTLESS PAYMENTS Joeri de Ruiter University of Birmingham (some slides borrowed from Tom

CONTACTLESS PAYMENTS Joeri de Ruiter University of Birmingham (some slides borrowed from Tom

CONTACTLESS PAYMENTS Joeri de Ruiter University of Birmingham (some slides borrowed from Tom Chothia) Overview EMV Protocol Attacks EMV-Contactless Protocols Attacks Demo Stopping relay attacks What is

863 views • 60 slides
IETA Post-COP23 Webinar 20-21 November 2017 ANTITRUST GUIDELINES FOR IETA It is IETAs policy

IETA Post-COP23 Webinar 20-21 November 2017 ANTITRUST GUIDELINES FOR IETA It is IETAs policy

IETA Post-COP23 Webinar 20-21 November 2017 ANTITRUST GUIDELINES FOR IETA It is IETAs policy to comply fully with all applicable laws, including competition and antitrust laws. IETA has developed a Competition Policy to govern the conduct of

386 views • 12 slides
How does Wind affect Coal (Cycling, Emissions and Cost)

How does Wind affect Coal (Cycling, Emissions and Cost)

How does Wind affect Coal (Cycling, Emissions and Cost) Cycling Cycling is the opera1on of thermal electric generators at varying load levels

385 views • 13 slides
PART TWO - NOT FOR PROFIT CONFERENCE UBIT and 990 Update NFP Governance NFP A&amp;A Update Cyber

PART TWO - NOT FOR PROFIT CONFERENCE UBIT and 990 Update NFP Governance NFP A&amp;A Update Cyber

July 21, 2020 PART TWO - NOT FOR PROFIT CONFERENCE UBIT and 990 Update NFP Governance NFP A&amp;A Update Cyber Security PPP Q&amp;A Formed in 1967 through the merger of two firms with histories dating back to the 1920s, we are a full service

1.26k views • 97 slides
Overview of the COGO Report Card GAO Report to Congress Geospatial Data Act of 2015 Stephen D.

Overview of the COGO Report Card GAO Report to Congress Geospatial Data Act of 2015 Stephen D.

Session 6H: Overview of the COGO Report Card GAO Report to Congress Geospatial Data Act of 2015 Stephen D. DeGloria ASPRS COGO Delegate (15) ASPRS Immediate Past President (14 - 15) sdd4@cornell.edu ASPRS 2015 Annual Conference

592 views • 42 slides
CS 188: Artificial Intelligence Markov Decision Processes (MDPs) Pieter Abbeel UC Berkeley

CS 188: Artificial Intelligence Markov Decision Processes (MDPs) Pieter Abbeel UC Berkeley

CS 188: Artificial Intelligence Markov Decision Processes (MDPs) Pieter Abbeel UC Berkeley Some slides adapted from Dan Klein 1 Outline Markov Decision Processes (MDPs) Formalism Value iteration In essence a graph

615 views • 24 slides
Perspectives on Financial Cryptography Ronald L. Rivest MIT Lab for Computer Science (RSA /

Perspectives on Financial Cryptography Ronald L. Rivest MIT Lab for Computer Science (RSA /

Perspectives on Financial Cryptography Ronald L. Rivest MIT Lab for Computer Science (RSA / Security Dynamics) FC97 -- 2/27/97 Outline I present for your consideration some debatable propositions about financial systems and financial

572 views • 22 slides

More recommend