ACOS5 smart cards support

ACOS5 smart cards support

Pali Rohár
Hello,

What is the status of ACOS5 card support in OpenSC? The official wiki [1]
says that ACOS5 cards are not supported yet. But there is a fork
of the OpenSC git repository [2] which claims that there is some support
[3]. I would like to know if ACOS5 cards are working or not (with an
official OpenSC release or some fork).

[1] - https://github.com/OpenSC/OpenSC/wiki/ACOS5
[2] - https://github.com/pacew/OpenSC
[3] - https://github.com/pacew/OpenSC/wiki

--
Pali Rohár
[hidden email]

------------------------------------------------------------------------------
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Re: ACOS5 smart cards support

Martin Paljak-4
Hello,

On 27/03/14 11:40 , Pali Rohár wrote:
> What is the status of ACOS5 card support in OpenSC? The official wiki
> [1] says that ACOS5 cards are not supported yet. But there is a
> fork of the OpenSC git repository [2] which claims that there is some
> support [3]. I would like to know if ACOS5 cards are working or not
> (with an official OpenSC release or some fork).

IIRC last time I checked ACOS5 support was incomplete. As the
repository has not changed in the last 3 years I guess the situation is
the same. Basic file system commands worked, AFAICR.


--
Martin
+372 515 6495


Re: ACOS5 smart cards support

NdK-3
On 27/03/2014 13:04, Martin Paljak wrote:

> IIRC last time I checked ACOS5 support was incomplete. As the
> repository has not changed in the last 3 years I guess the situation is
> the same. Basic file system commands worked, AFAICR.
IIRC there's a *huge* problem with PINs, that have to be readable to be
useable... but then there's no security.

That's why I've not yet been able to use my ACOS5-64 (that supports 4096
bit keys...).

BYtE,
 Diego.



Re: ACOS5 smart cards support

Martin Paljak-4
Hello,

On 27/03/14 18:40 , NdK wrote:
> IIRC there's a *huge* problem with PINs, that have to be readable to be
> useable... but then there's no security.

I have tried to read ACOS specs but as I have no real interest in the
card that has not been very successful.
> That's why I've not yet been able to use my ACOS5-64 (that supports 4096
> bit keys...).

But available hardware (and cheap hardware) that can do 4k RSA would be
really nice to have, even for PIN-less purposes (if we assume that keys
can not be copied)

Would that be a possible use case ?

Thanks,

--
Martin
+372 515 6495


Re: ACOS5 smart cards support

Pali Rohár
2014-03-27 19:45 GMT+01:00 Martin Paljak <[hidden email]>:

> Hello,
>
> On 27/03/14 18:40 , NdK wrote:
>> IIRC there's a *huge* problem with PINs, that have to be readable to be
>> useable... but then there's no security.
>
> I have tried to read ACOS specs but as I have no real interest in the
> card that has not been very successful.
>> That's why I've not yet been able to use my ACOS5-64 (that supports 4096
>> bit keys...).
>
> But available hardware (and cheap hardware) that can do 4k RSA would be
> really nice to have, even for PIN-less purposes (if we assume that keys
> can not be copied)
>
> Would that be a possible use case ?
>
> Thanks,
>
> --
> Martin
> +372 515 6495

Right, cheap hw which can do 4096 RSA... This is why I asked what is
the current state of ACOS5-64 smart cards...

--
Pali Rohár
[hidden email]


Re: ACOS5 smart cards support

Ondrej Mikle
In reply to this post by Martin Paljak-4
On 03/27/2014 07:45 PM, Martin Paljak wrote:
> Hello,
>
> On 27/03/14 18:40 , NdK wrote:
>> IIRC there's a *huge* problem with PINs, that have to be readable to be
>> useable... but then there's no security.
>
> I have tried to read ACOS specs but as I have no real interest in the
> card that has not been very successful.

Are the specs available anywhere? I couldn't find them and would like to give it a
short try. Without the specs it was just "random APDU fuzzing". Does ACOS5 refer
to the Cryptomate64 with RSA-4096 support or to the ACOS5-64 card? (Hopefully they
are APDU-level compatible)

Ondrej


Re: ACOS5 smart cards support

Ondrej Mikle
In reply to this post by NdK-3
On 03/27/2014 07:40 PM, NdK wrote:
> On 27/03/2014 13:04, Martin Paljak wrote:
>
>> IIRC last time I checked ACOS5 support was incomplete. As the
>> repository has not changed in the last 3 years I guess the situation is
>> the same. Basic file system commands worked, AFAICR.
> IIRC there's a *huge* problem with PINs, that have to be readable to be
> useable... but then there's no security.

Do I understand it correctly that there's something like a special APDU that can
be used to read the PIN without authentication and it can't be blocked in any
reasonable way?

Ondrej


Re: ACOS5 smart cards support

NdK-3
In reply to this post by Martin Paljak-4
On 27/03/2014 19:45, Martin Paljak wrote:

> But available hardware (and cheap hardware) that can do 4k RSA would be
> really nice to have, even for PIN-less purposes (if we assume that keys
> can not be copied)
IIRC an ACOS5-64 token costs about 60€... Not exactly cheap, but neither
unreasonable. An OpenPGP card (or a BasicCard) can do RSA4096 and costs
way less.

> Would that be a possible use case ?
It could be useful for Zeroshell's CA :)

BYtE,
 Diego.



Re: ACOS5 smart cards support

NdK-3
In reply to this post by Ondrej Mikle
On 28/03/2014 16:02, Ondrej Mikle wrote:

>> IIRC there's a *huge* problem with PINs, that have to be readable to be
>> useable... but then there's no security.
> Do I understand it correctly that there's something like a special APDU that can
> be used to read the PIN without authentication and it can't be blocked in any
> reasonable way?
No. IIRC (can't find the page saying so...) it's a problem w/ ACLs...
If the user has a valid PIN, he's able to read 'em all!

BYtE,
 Diego.


Re: ACOS5 smart cards support

Martin Paljak-4
> No. IIRC (can't find the page saying so...) it's a problem w/ ACLs...
> If the user has a valid PIN, he's able to read 'em all!

Well, for a simple card with a single PIN this sounds OK.

But 60$ for such a card is a bit too much, indeed. Yet I find a quote at 8USD?

http://www.securetech-corp.com/store/acos5c


Re: ACOS5 smart cards support

Martin Paljak-4
On Fri, Mar 28, 2014 at 8:29 PM, Martin Paljak <[hidden email]> wrote:
>> No. IIRC (can't find the page saying so...) it's a problem w/ ACLs...
>> If the user has a valid PIN, he's able to read 'em all!
>
> Well, for a simple card with a single PIN this sounds OK.
>
> But 60$ for such a card is a bit too much, indeed. Yet I find a quote at 8USD?
>
> http://www.securetech-corp.com/store/acos5c

Now if someone fetched the reference manual from ACS it would be of
interest, as there are not so many cards that do 4k RSA, if one is
interested in RSA.

The reference manual is unfortunately a "file upon request".


Re: ACOS5 smart cards support

Ondrej Mikle
In reply to this post by Martin Paljak-4
On 03/28/2014 09:29 PM, Martin Paljak wrote:
>> No. IIRC (can't find the page saying so...) it's a problem w/ ACLs...
>> If the user has a valid PIN, he's able to read 'em all!
>
> Well, for a simple card with a single PIN this sounds OK.
>
> But 60$ for such a card is a bit too much, indeed. Yet I find a quote at 8USD?
>
> http://www.securetech-corp.com/store/acos5c

The ACOS5 card can be had for $8. The Cryptomate64 token is more expensive, but
can be bought for less than 30 EUR -
http://www.rassro.cz/cipove-karty-smart-card/cryptomate-64.html?sl=EN (I bought
it from there, might still make sense including shipping costs, depending on
where you're shipping to).

Paper-wise, it seems to have really nice features, RSA-4096 being the most
prominent.

There was some thread about Cryptomate and GnuPG RSA-4096 support but I could
never make it work -
https://www.mail-archive.com/opensc-devel@.../msg09717.html

Ondrej
