Any chance in opensc supporting ACOS5 smartcards?


Any chance in opensc supporting ACOS5 smartcards?

Jean-Michel Pouré
Dear friends,

I looked at the compatibility matrix and ordered Siemens Card OS 4.3B
and Starcos SPK 2.3 for testing opensc with strongswan. Thanks for your
support and answers.

IMHO, it is a pity that ACOS5 crypto cards are not supported, given the
quality and price of the smartcard.

For example, the ACOS5 card can be found for 9€ on this shop:
http://www.smartcardfocus.com/shop/ilp/id~146/p/index.shtml

It is half price of other cards!

Is there any chance for supporting the ACOS5 card? I can buy a couple of
them and send them to interested developers. Just let me know.

Kind regards,
Jean-Michel

_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user


Re: Any chance in opensc supporting ACOS5 smartcards?

Dan Peterson [ESnet]

If you need any help with Aladdin eTokens (Siemens Card OS 4.3B), drop me a note. I have them working as two-factor auth for SSH (SSH-RSA keys) using a cert from a CA. This is with OpenSC and Aladdin on Mac, CentOS, Windows, FreeBSD.

--
Dan

>-----Original Message-----
>From: [hidden email] [mailto:opensc-user-
>[hidden email]] On Behalf Of Jean-Michel Pouré
>Sent: Sunday, December 27, 2009 2:32 PM
>To: [hidden email]
>Subject: [opensc-user] Any chance in opensc supporting ACOS5 smartcards?
>
>Dear friends,
>
>I looked at the compatibility matrix and ordered Siemens Card OS 4.3B
>and Starcos SPK 2.3 for testing opensc with strongswan. Thanks for your
>support and answers.
>
>IMHO, it is a pity that ACOS5 crypto cards are not supported, given the
>quality and price of the smartcard.
>
>For example, the ACOS5 card can be found for 9€ on this shop:
>http://www.smartcardfocus.com/shop/ilp/id~146/p/index.shtml
>
>It is half price of other cards!
>
>Is there any chance for supporting the ACOS5 card? I can buy a couple of
>them and send them to interested developers. Just let me know.
>
>Kind regards,
>Jean-Michel



Re: Any chance in opensc supporting ACOS5 smartcards?

Jean-Michel Pouré
On Sunday, 27 December 2009 at 17:00 -0800, Dan Peterson wrote:
> If you need any help with Aladdin eTokens (Siemens Card OS 4.3B) drop
> me a note I have them working as two factor auth for SSH (SSH-RSA
> keys) using a cert from a CA. This is with OpenSC and Aladdin on MAC,
> CENTOS, Windows, FreeBSD.

Thanks a lot Dan, this will be very helpful.

My first need will be to locate a Windows computer for initialization of
the 4.3B, as I haven't been using Windows for 10 years. I have some old
XP licences somewhere and I have to initialize a station for the sole
purpose of blanking the card.

Do you think the Siemens card can be blanked using opensc? Even using
opensc dev code?

Kind regards,
Jean-Michel


Re: Any chance in opensc supporting ACOS5 smartcards?

Andreas Jellinghaus-2
In reply to this post by Jean-Michel Pouré
On Sunday, 27 December 2009, 23:32:28, Jean-Michel Pouré wrote:

> IMHO, it is a pity that ACOS5 crypto cards are not supported, given the
> quality and price of the smartcard.
>
> For example, the ACOS5 card can be found for 9€ on this shop:
> http://www.smartcardfocus.com/shop/ilp/id~146/p/index.shtml
>
> It is half price of other cards!
>
> Is there any chance for supporting the ACOS5 card? I can buy a couple of
> them and send them to interested developers. Just let me know.

Can you write a driver? What we need is people writing code...

Regards, Andreas

Re: Any chance in opensc supporting ACOS5 smartcards?

Martin Paljak-2
On 28.12.2009, at 10:06, Andreas Jellinghaus wrote:

> On Sunday, 27 December 2009, 23:32:28, Jean-Michel Pouré wrote:
>> IMHO, it is a pity that ACOS5 crypto cards are not supported, given the
>> quality and price of the smartcard.
>>
>> For example, the ACOS5 card can be found for 9€ on this shop:
>> http://www.smartcardfocus.com/shop/ilp/id~146/p/index.shtml
>>
>> It is half price of other cards!
>>
>> Is there any chance for supporting the ACOS5 card? I can buy a couple of
>> them and send them to interested developers. Just let me know.
>
> Can you write a driver? What we need is people writing code...


Actually ACS things seem to come with pretty decent documentation (ACR122U NFC/RFID reader and AET63BioTrustKey are the ones I've checked out) and the reference manual for ACOS5 seems to be available as well ("upon request" on the website).

So it should be relatively easy, given enough time and interest.


--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495





Re: Any chance in opensc supporting ACOS5 smartcards?

Ralf Schlatterbeck-3
In reply to this post by Jean-Michel Pouré
On Sun, Dec 27, 2009 at 11:32:28PM +0100, Jean-Michel Pouré wrote:
> Dear friends,
>
> I looked at the compatibility matrix and ordered Siemens Card OS 4.3B
> and Starcos SPK 2.3 for testing opensc with strongswan. Thanks for your
> support and answers.

Aren't the Siemens Card OS cards announced end-of-life by Siemens?
My sources for this are a shop I recently bought a card from and
according to Aladdin (who have announced end-of-life status for their
Card OS based crypto-tokens).

Ralf
--
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  Fax:   +43/2243/26465-23
Reichergasse 131                        www:   http://www.runtux.com
A-3411 Weidling                         email: [hidden email]
osAlliance member                       email: [hidden email]

Re: Any chance in opensc supporting ACOS5 smartcards?

Jean-Michel Pouré
On Monday, 28 December 2009 at 12:12 +0100, Ralf Schlatterbeck wrote:
> Aren't the Siemens Card OS cards announced end-of-life by Siemens?
> My sources for this are a shop I recently bought a card from and
> according to Aladdin (who have announced end-of-life status for their
> Card OS based crypto-tokens).

I am new to OpenSC but I wonder why so many products are announced
end-of-life and then replaced by more expensive products. Maybe there is
room for powerful cheap cards. Just my guess, maybe the ACOS5 would be
the solution in the long term.


Re: Any chance in opensc supporting ACOS5 smartcards?

Andreas Jellinghaus-2
In reply to this post by Martin Paljak-2
On Monday, 28 December 2009, 09:35:21, Martin Paljak wrote:

> On 28.12.2009, at 10:06, Andreas Jellinghaus wrote:
> > On Sunday, 27 December 2009, 23:32:28, Jean-Michel Pouré wrote:
> >> IMHO, it is a pity that ACOS5 crypto cards are not supported, given the
> >> quality and price of the smartcard.
> >>
> >> For example, the ACOS5 card can be found for 9€ on this shop:
> >> http://www.smartcardfocus.com/shop/ilp/id~146/p/index.shtml
> >>
> >> It is half price of other cards!
> >>
> >> Is there any chance for supporting the ACOS5 card? I can buy a couple of
> >> them and send them to interested developers. Just let me know.
> >
> > Can you write a driver? What we need is people writing code...
>
> Actually ACS things seem to come with pretty decent documentation (ACR122U
>  NFC/RFID reader and AET63BioTrustKey are the ones I've checked out) and
>  the reference manual for ACOS5 seems to be available as well ("upon
>  request" on the website).

It is or was available for download, and a simple mail also gets you a copy
of the recent versions. No NDA/strings/... attached.

Regards, Andreas

Re: Any chance in opensc supporting ACOS5 smartcards?

Andreas Jellinghaus-2
In reply to this post by Ralf Schlatterbeck-3
On Monday, 28 December 2009, 12:12:25, Ralf Schlatterbeck wrote:
> Aren't the Siemens Card OS cards announced end-of-life by Siemens?
> My sources for this are a shop I recently bought a card from and
> according to Aladdin (who have announced end-of-life status for their
> Card OS based crypto-tokens).

Yes and no. I was told some CardOS cards are end of life, as the
chip used inside the cards is end of life. But newer versions of
the card use a different chip, and those continue to be available,
and new versions of CardOS 4 and even a new major version will
be released next year, AFAIK.

Regards, Andreas

Re: Any chance in opensc supporting ACOS5 smartcards?

Martin Paljak-2
In reply to this post by Jean-Michel Pouré

On 28.12.2009, at 14:43, Jean-Michel Pouré wrote:

> On Monday, 28 December 2009 at 12:12 +0100, Ralf Schlatterbeck wrote:
>> Aren't the Siemens Card OS cards announced end-of-life by Siemens?
>> My sources for this are a shop I recently bought a card from and
>> according to Aladdin (who have announced end-of-life status for their
>> Card OS based crypto-tokens).
>
> I am new to OpenSC but I wonder why so many products are announced
> end-of-life and then replaced by more expensive products. Maybe there is
> room for powerful cheap cards. Just my guess, maybe the ACOS5 would be
> the solution in the long term.

Anything that supports only up to 1024b RSA keys is not a solution in the long term.


--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495





Re: Any chance in opensc supporting ACOS5 smartcards?

Ralf Schlatterbeck-3
On Mon, Dec 28, 2009 at 02:28:38PM +0100, Andreas Jellinghaus wrote:

> On Monday, 28 December 2009, 12:12:25, Ralf Schlatterbeck wrote:
> > Aren't the Siemens Card OS cards announced end-of-life by Siemens?
> > My sources for this are a shop I recently bought a card from and
> > according to Aladdin (who have announced end-of-life status for their
> > Card OS based crypto-tokens).
>
> Yes and no. I was told some CardOS cards are end of life, as the
> chip used inside the cards is end of life. But newer versions of
> the card use a different chip, and those continue to be available,
> and new versions of CardOS 4 and even a new major version will
> be released next year, AFAIK.

Great to hear, Card OS is one of the best supported cards according to
my tests.

On Mon, Dec 28, 2009 at 04:41:08PM +0200, Martin Paljak wrote:
> Anything that supports only up to 1024b RSA keys is not a solution in
> the long term.

The Aladdin 32k crypto-token with Card OS 3.2 supports 2048 bit keys
according to my tests. But it was announced end of life some time ago.
So I guess newer Card OS based cards should support 2048 bit keys, too.
Don't know how good support for newer card OS versions is, though.

Ralf
--
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  Fax:   +43/2243/26465-23
Reichergasse 131                        www:   http://www.runtux.com
A-3411 Weidling                         email: [hidden email]
osAlliance member                       email: [hidden email]

Re: Any chance in opensc supporting ACOS5 smartcards?

JP Szikora-2
In reply to this post by Andreas Jellinghaus-2

On 28 Dec 09 at 14:28, Andreas Jellinghaus wrote:

> On Monday, 28 December 2009, 12:12:25, Ralf Schlatterbeck wrote:
>> Aren't the Siemens Card OS cards announced end-of-life by Siemens?
>> My sources for this are a shop I recently bought a card from and
>> according to Aladdin (who have announced end-of-life status for their
>> Card OS based crypto-tokens).
>
> Yes and no. I was told some CardOS cards are end of life, as the
> chip used inside the cards is end of life. But newer versions of
> the card use a different chip, and those continue to be available,
> and new versions of CardOS 4 and even a new major version will
> be released next year, AFAIK.
>

Hi,

Yes, I heard that too... CardOS 4.3B is end of life, but CardOS 4.2C
and CardOS 4.4 are on the market. At least for integrators and in
quantities (http://www.advanide.com/controller.htm). The good question
is when these products will be on the market in small quantities for
anyone...

I received CardOS 4.2C samples some time ago, and it works nicely
with OpenSC (and supports 2048-bit RSA keys). No feedback yet for CardOS
4.4.

Cheers,

Jean-Pierre

Re: Any chance in opensc supporting ACOS5 smartcards?

Dan Peterson [ESnet]
In reply to this post by Jean-Michel Pouré

Jean-Michel,

Well, I need to get clear: when you say the Siemens card, are you talking about the Aladdin eToken? If so, then read on...

Aladdin supports Mac, RedHat/CentOS and Windows. You should be able to initialize the token from any of these OSes with the Aladdin software. The vendor that sold you the tokens should give you something to gain access to the Aladdin web site for downloading the software from Aladdin.


I have not had to format the tokens before using them; they come formatted and ready to use. OpenSC and the Aladdin partitions* work independently** of each other, so if you are only using OpenSC you can simply ignore the Aladdin partition. Remember, they need physical access to the token to do anything.

You wrote:
"I have some old XP licenses somewhere and I have to initialize a station for the sole purpose of blanking the card."

If you still want to use Windows, here are a few tips to test things: don't use Windows 7 at this time. Aladdin has not released the code for W7, the formatting commands don't work, and the Aladdin code has limited functionality under W7. You might want to think about Vista (evaluation is for 30 days); you can install the Aladdin code on that and see how well it blanks the tokens. It takes about 1 min to format a token, if you know what I mean....

I have an old laptop that I use just for the management of the tokens, runs XP, works great... I have Aladdin software, OpenSC and Firefox installed.



Once I have the tokens and I can "see" the token (OpenSC and the card reader are working on your OS), then this is what I do to get things going. (The labels are specific to my environment but give you the right idea.)

pkcs15-init --erase --use-default-transport-key
pkcs15-init --create-pkcs15 --use-default-transport-key
pkcs15-init --store-pin --auth-id 01 --label "[User Email Address]"
pkcs15-init --generate-key rsa/2048 --auth-id 01 --public-key-label [User name]

The openssl-CA.cnf is specific to my CA's requirements:
openssl req -engine pkcs11 -new -key id_45 -keyform engine -out [UserName.req] -config openssl-CA.cnf

Once that is done, I submit the request to my CA and it will generate a certificate file (I call it username.pem) that I can apply with:
pkcs15-init --store-certificate [UserName.pem] --format PEM

pkcs15-tool --dump
pkcs15-tool --change-pin -a xx    



* This is my term for the two different containers or sides or whatever the correct term is for defining what is accessible with PKCS15 (OpenSC) and PKCS11 (Aladdin). OpenSC will create its own working area and that does not interact with what Aladdin has created.

** It is possible to access some things on that Aladdin partition with the OpenSC code IF you have installed the Aladdin software. For example, from a Mac with the Aladdin and the OpenSC software installed:

pkcs11-tool --module /usr/local/lib/libeTPkcs11.dylib -O -l

Please enter User PIN:
Public Key Object; RSA 2048 bits
  label:
  ID:         0abfd85feab6018d4a118b56cfa92d93a3719b77
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      731340's  ID
  ID:         0abfd85feab6018d4a118b56cfa92d93a3719b77
  Usage:      decrypt, sign, unwrap
Certificate Object, type = X.509 cert
  label:      731340's  ID
  ID:         0abfd85feab6018d4a118b56cfa92d93a3719b77



Hope all of this helps
--
Dan


>-----Original Message-----
>From: [hidden email] [mailto:opensc-user-
>[hidden email]] On Behalf Of Jean-Michel Pouré
>Sent: Sunday, December 27, 2009 9:32 PM
>To: [hidden email]
>Subject: Re: [opensc-user] Any chance in opensc supporting ACOS5
>smartcards?
>
>On Sunday, 27 December 2009 at 17:00 -0800, Dan Peterson wrote:
>> If you need any help with Aladdin eTokens (Siemens Card OS 4.3B) drop
>> me a note I have them working as two factor auth for SSH (SSH-RSA
>> keys) using a cert from a CA. This is with OpenSC and Aladdin on MAC,
>> CENTOS, Windows, FreeBSD.
>
>Thanks a lot Dan, this will be very helpful.
>
>My first need will be to locate a Windows computer for initialization of
>the 4.3B, as I haven't been using Windows for 10 years. I have some old
>XP licences somewhere and I have to initialize a station for the sole
>purpose of blanking the card.
>
>Do you think the Siemens card can be blanked using opensc? Even using
>opensc dev code?
>
>Kind regards,
>Jean-Michel


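The key-size concern raised in the thread (1024-bit RSA is not a long-term option) can be checked against a token's object listing. The following is an added example, not part of any message in the thread and not OpenSC code: a shell/awk audit of `pkcs11-tool -O` output in the format quoted above, which flags RSA public keys below 2048 bits and private keys that have no certificate with the same ID. The function names and the sample listing (labels and IDs) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a `pkcs11-tool -O` object listing.
# Listing layout follows the output quoted in the thread; the sample
# data below is constructed (labels and IDs are made up).

MIN_BITS=2048

sample_listing() {
cat <<'EOF'
Public Key Object; RSA 2048 bits
  label:      constructed-user-a
  ID:         a1a1a1a1
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      constructed-user-a
  ID:         a1a1a1a1
  Usage:      decrypt, sign, unwrap
Certificate Object, type = X.509 cert
  label:      constructed-user-a
  ID:         a1a1a1a1
Public Key Object; RSA 1024 bits
  label:      constructed-user-b
  ID:         b2b2b2b2
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      constructed-user-b
  ID:         b2b2b2b2
  Usage:      decrypt, sign, unwrap
EOF
}

# Reads a listing on stdin; $1 is the minimum RSA modulus size in bits.
# Prints one finding per line, sorted:
#   WEAK <id> <bits>   RSA public key below the minimum size
#   NOCERT <id>        private key without a certificate of the same ID
audit_listing() {
    awk -v min="$1" '
        /^Public Key Object; RSA/ { kind = "pub"; bits = $5 + 0; next }
        /^Private Key Object/     { kind = "priv"; next }
        /^Certificate Object/     { kind = "cert"; next }
        /^[^ \t]/                 { kind = ""; next }  # prompts, other objects
        $1 == "ID:" && kind != "" {
            id = $2
            if (kind == "pub" && bits < min) weak[id] = bits
            if (kind == "priv") priv[id] = 1
            if (kind == "cert") cert[id] = 1
            kind = ""
        }
        END {
            for (id in weak) print "WEAK", id, weak[id]
            for (id in priv) if (!(id in cert)) print "NOCERT", id
        }
    ' | sort
}

# Demo on the constructed listing; for a real token, pipe the output of
# the pkcs11-tool command shown in the thread into audit_listing instead.
sample_listing | audit_listing "$MIN_BITS"
```

An empty result means every listed RSA public key meets the minimum size and every private key has a certificate under the same ID.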