Biometric integration?


Biometric integration?

Marc Boorshtein-2
So now I have a PIV card that I know has a certificate on it because
I can login to my Windows terminal with it (XP).  The card is using
biometrics or a passphrase to unlock.  We're using a Precise Biometrics
card reader.  When I put the card into my OmniKey 3021 it didn't
recognize it at all, said it was an invalid card type (I'll send over
the logs).

Here's my question, does OpenSC support any of the biometric readers?

Thanks
Marc
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: Biometric integration?

Martin Paljak-4
Hello,

On Wed, Apr 25, 2012 at 16:10, Marc Boorshtein <[hidden email]> wrote:
> So now I have a PIV card that I know has a certificate on it because
> I can login to my Windows terminal with it (XP).  The card is using
> biometrics or a passphrase to unlock.  We're using a Precise Biometrics
> card reader.  When I put the card into my OmniKey 3021 it didn't
> recognize it at all, said it was an invalid card type (I'll send over
> the logs).
>
> Here's my question, does OpenSC support any of the biometric readers?
I don't know about the readers or their internals, but OpenSC for sure
does not support any kind of biometric authentication.

Martin

Re: Biometric integration?

Douglas E. Engert
In reply to this post by Marc Boorshtein-2


On 4/25/2012 8:10 AM, Marc Boorshtein wrote:
> So now I have a PIV card that I know has a certificate on it because
> I can login to my Windows terminal with it (XP).

Is this the same card you were trying a few days ago? Did you get the
certificates on it?  Are you sure the XP login is using the certificate?

Or is this a different card?

> The card is using biometrics or a passphrase to unlock.

The NIST PIV specifications 800-73 call for storing a fingerprint
object on the card, but do not require the card to do the matching,
and do not define commands to supply the card with a fingerprint and
to do the match.

Some vendors may provide vendor-specific drivers for their cards, or
a second application on the card to do the matching.

Your reader vendor says it has a Linux driver.

OpenSC can read the PIV fingerprint object so the match could be done in
host software, if you also have some fingerprint reader with driver.

> We're using Precise Biometrics
> card reader.  When I put the card into my OmniKey 3021 it didn't
> recognize it at all, said it was an invalid card type (I'll send over
> the logs).

opensc-tool -a would help identify the card type; then see:
  http://smartcard-atr.appspot.com/

>
> Here's my question, does OpenSC support any of the biometric readers?

Not at this time. Are there any standards for these, any open source
available?

>
> Thanks
> Marc

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: Biometric integration?

Marc Boorshtein-2
On Wed, Apr 25, 2012 at 10:36 AM, Douglas E. Engert <[hidden email]> wrote:

>
>
> On 4/25/2012 8:10 AM, Marc Boorshtein wrote:
>> So now I have a PIV card that I know has a certificate on it because
>> I can login to my Windows terminal with it (XP).
>
> Is this the same card you were trying a few days ago? Did you get the
> certificates on it?  Are you sure the XP login is using the certificate?
>
> Or is this a different card?
>

Different card.  They don't have a single card yet for both PACS and LACS.


>> The card is using biometrics or a passphrase to unlock.
>
> The NIST PIV specifications 800-73 call for storing a fingerprint
> object on the card, but do not require the card to do the matching,
> and do not define commands to supply the card with a fingerprint and
> to do the match.
>
> Some vendors may provide vendor-specific drivers for their cards, or
> a second application on the card to do the matching.
>

Interesting, I never put in a PIN.  So does this mean they're not
using a standard PIV technology?  They're using software from SafeNet
(Borderless Security I think).  When I plugged it into Windows 7 it
said it could find a driver for the card.


> Your reader vendor says it has a Linux driver.
>
> OpenSC can read the PIV fingerprint object so the match could be done in
> host software, if you also have some fingerprint reader with driver.
>

I see, so it sounds like it's the middleware that's doing the matching
as opposed to the PIN being used to unlock the card.

>> We're using Precise Biometrics
>> card reader.  When I put the card into my OmniKey 3021 it didn't
>> recognize it at all, said it was an invalid card type (I'll send over
>> the logs).
>
> opensc-tool -a would help identify the card type; then see:
>  http://smartcard-atr.appspot.com/
>
>>
>> Here's my question, does OpenSC support any of the biometric readers?
>
> Not at this time. Are there any standards for these, any open source
> available?
>

I don't think so, I can't seem to find anything anyways.

Thanks
Marc

Re: Biometric integration?

Douglas E. Engert


On 4/25/2012 10:20 AM, Marc Boorshtein wrote:

> On Wed, Apr 25, 2012 at 10:36 AM, Douglas E. Engert<[hidden email]>  wrote:
>>
>>
>> On 4/25/2012 8:10 AM, Marc Boorshtein wrote:
>>> So now I have a PIV card that I know has a certificate on it because
>>> I can login to my Windows terminal with it (XP).
>>
>> Is this the same card you were trying a few days ago? Did you get the
>> certificates on it?  Are you sure the XP login is using the certificate?
>>
>> Or is this a different card?
>>
>
> Different card.  They don't have a single card yet for both PACS and LACS.
>
>
>>> The card is using biometrics or a passphrase to unlock.
>>
>> The NIST PIV specifications 800-73 call for storing a fingerprint
>> object on the card, but do not require the card to do the matching,
>> and do not define commands to supply the card with a fingerprint and
>> to do the match.
>>
>> Some vendors may provide vendor-specific drivers for their cards, or
>> a second application on the card to do the matching.
>>
>
> Interesting, I never put in a PIN.  So does this mean they're not
> using a standard PIV technology?  They're using software from SafeNet
> (Borderless Security I think).  When I plugged it into Windows 7 it
> said it could find a driver for the card.

Sounds like this:
http://csrc.nist.gov/groups/SNS/piv/documents/workshop-Jun272005/SafeNet.pdf

Card vendors can add additional functionality to their cards on top of
the PIV NIST standards. Or they can add additional applications to the card
that could share data with the PIV application on the card. To use these
additional features, which are most likely proprietary, requires vendor drivers.

Sounds like SafeNet has provided the driver to Microsoft to download.

OpenSC (and AFAIK the Microsoft PIV driver) only support the NIST standards
and will thus work with all the standard features of any PIV compliant card.

It sounds like your card has additional features that could allow for
an on-card fingerprint match, which would not require the PIN. (The PIV
fingerprint object as defined by NIST 800-73 requires PIN authentication
to read the object off the card. But an on-card match is not reading the
object off the card, so I would speculate that it would be allowed.)

>
>
>> Your reader vendor says it has a Linux driver.
>>
>> OpenSC can read the PIV fingerprint object so the match could be done in
>> host software, if you also have some fingerprint reader with driver.
>>
>
> I see, so it sounds like it's the middleware that's doing the matching
> as opposed to the PIN being used to unlock the card.

It is not clear. But from a security standpoint, your organization must
have looked at the security risks of using these cards with their
recommended readers and looked at what is going on under the covers.

>
>>> We're using Precise Biometrics
>>> card reader.  When I put the card into my OmniKey 3021 it didn't
>>> recognize it at all, said it was an invalid card type (I'll send over
>>> the logs).
>>
>> opensc-tool -a would help identify the card type; then see:
>>   http://smartcard-atr.appspot.com/
>>
>>>
>>> Here's my question, does OpenSC support any of the biometric readers?
>>
>> Not at this time. Are there any standards for these, any open source
>> available?
>>
>
> I don't think so, I can't seem to find anything anyways.
>
> Thanks
> Marc

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: Biometric integration?

helpcrypto helpcrypto
In reply to this post by Martin Paljak-4
Hello Martin.
Just to know (I'm asking myself about it...)

> I don't know about the readers or their internals, but OpenSC for sure
> does not support any kind of biometric authentication.

The PKCS#11 interface defines both a UI callback (notify) and that login can
be made using pinpads/external devices. (C_Login can receive the PIN,
or can show a dialog if pin==NULL).

Biometric or other kinds of pinpads can be used via external libraries
provided in the config. This, of course, could mean a security risk because
someone could proxy the libraries.

Couldn't OpenSC provide a way to do this safely?
Could signed libraries solve this?

Any reading regarding this specific topic?

Thanks for the info.

Re: Biometric integration?

Ludovic Rousseau
Hello,

On 26 April 2012 at 09:18, helpcrypto helpcrypto <[hidden email]> wrote:
>> I don't know about the readers or their internals, but OpenSC for sure
>> does not support any kind of biometric authentication.
>
> The PKCS#11 interface defines both a UI callback (notify)

What is that? Can you be more specific?

> and that login can
> be made using pinpads/external devices. (C_Login can receive the PIN,
> or can show a dialog if pin==NULL).

Yes. That is the flag CKF_PROTECTED_AUTHENTICATION_PATH in CK_TOKEN_INFO.

> Biometric or other kinds of pinpads can be used via external libraries
> provided in the config. This, of course, could mean a security risk because
> someone could proxy the libraries.
>
> Couldn't OpenSC provide a way to do this safely?
> Could signed libraries solve this?

What is the threat model?
Who is the attacker and what can he do?

Signing a library will not solve much if the attacker has root access
or is the user itself.

Regards

--
 Dr. Ludovic Rousseau

Re: Biometric integration?

helpcrypto helpcrypto
>> The PKCS#11 interface defines both a UI callback (notify)
>
> What is that? Can you be more specific?

I was thinking about CK_NOTIFY as a way to notify operation progress.

>> Couldn't OpenSC provide a way to do this safely?
>> Could signed libraries solve this?
>
> What is the threat model?
> Who is the attacker and what can he do?

I was thinking about this:
if biometric login is made using a library
    opensc library<->biometric-reader library
and
    opensc library<->man-in-the-middle library<->biometric-reader library

probably this is not how it's supposed to be done.

> Signing a library will not solve much if the attacker has root access
> or is the user itself.

Windows CSPs must be signed to be used. That was what I was thinking.

As you can see, I'm thinking of many things, not all correct ones
:P

The question remains, anyway: how could OpenSC support
biometric/whatever readers?

Re: Biometric integration?

Ludovic Rousseau
On 26 April 2012 at 10:23, helpcrypto helpcrypto <[hidden email]> wrote:
> The question remains, anyway: how could OpenSC support
> biometric/whatever readers?

Report CKF_PROTECTED_AUTHENTICATION_PATH to the application. OpenSC
then calls an external lib to do what is needed to authenticate the
user.

The external lib can do anything like display a dialog box, talk to
the biometric reader, talk to a remote server, etc.

Todo list:
- define an API between OpenSC and an external lib
- define a configuration to tell OpenSC to use an external lib

I don't know how/if OpenSC can know the smart card reader is
biometric. I have not seen anything like that in PC/SC.

A few years ago I played with fprint [1] and a COVADIS Alya reader [2].
Another API to look at may be bioapi [3].

Bye

[1] http://www.freedesktop.org/wiki/Software/fprint
[2] http://pcsclite.alioth.debian.org/ccid/features.html#201
[3] http://code.google.com/p/bioapi-linux/

--
 Dr. Ludovic Rousseau

Re: Biometric integration?

helpcrypto helpcrypto
> Report CKF_PROTECTED_AUTHENTICATION_PATH to the application. OpenSC
> then calls an external lib to do what is needed to authenticate the
> user.
>
> The external lib can do anything like display a dialog box, talk to
> the biometric reader, talk to a remote server, etc.

And what about the library-in-the-middle attack?

> Todo list:
> - define an API between OpenSC and an external lib

Maybe the readers have many different systems of authentication (PIN,
biometric, "on the fly / time generated").
I have to think about this twice.

> - define a configuration to tell OpenSC to use an external lib

And what if I edit your current config and replace the lib with my
modified evil lib?

> I don't know how/if OpenSC can know the smart card reader is
> biometric. I have not seen anything like that in PC/SC.

Neither do I.
What about something like "declaring reader features"?
If the reader supports extended APDUs, then the EXTENDED_APDU_SUPPORT flag is set.
What do you think of BIOMETRIC_SUPPORT / EXTERNAL_LOGIN_SUPPORT to know that?
Has this been discussed (improving reader feature info in the PC/SC WG)?

> A few years ago I played with fprint [1] and a COVADIS Alya reader [2].
> Another API to look at may be bioapi [3].

I'll have a look, thanks.

Re: Biometric integration?

Ludovic Rousseau
On 26 April 2012 at 11:32, helpcrypto helpcrypto <[hidden email]> wrote:
>> Report CKF_PROTECTED_AUTHENTICATION_PATH to the application. OpenSC
>> then calls an external lib to do what is needed to authenticate the
>> user.
>>
>> The external lib can do anything like display a dialog box, talk to
>> the biometric reader, talk to a remote server, etc.
>
> And what about the library-in-the-middle attack?

See below.

>> Todo list:
>> - define an API between OpenSC and an external lib
>
> Maybe the readers have many different systems of authentication (PIN,
> biometric, "on the fly / time generated").
> I have to think about this twice.

The only information needed by OpenSC is a boolean: did the
authentication succeed?

>> - define a configuration to tell OpenSC to use an external lib
>
> And what if I edit your current config and replace the lib with my
> modified evil lib?

The config file should be secured by the file access rights.
/etc/opensc/opensc.conf is owned by root with no write access for
normal users.

If you can edit a root file you can do anything much more evil.

>> I don't know how/if OpenSC can know the smart card reader is
>> biometric. I have not seen anything like that in PC/SC.
>
> Neither do I.
> What about something like "declaring reader features"?
> If the reader supports extended APDUs, then the EXTENDED_APDU_SUPPORT flag is set.
> What do you think of BIOMETRIC_SUPPORT / EXTERNAL_LOGIN_SUPPORT to know that?
> Has this been discussed (improving reader feature info in the PC/SC WG)?

Biometrics do not use PC/SC. PC/SC has no use for biometrics.

If a biometric lib is configured in OpenSC then OpenSC should query
the lib to know if the/a connected reader is biometric or not.

Bye

--
 Dr. Ludovic Rousseau
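The file-permission argument in the reply above (a root-owned config that normal users cannot write), extended to the library the config would name, as an added example in Python that is not OpenSC's own code. The `external_auth_lib` key, the library file and the config fragment are hypothetical and constructed here; `demo()` treats the current user as the trusted owner so it runs unprivileged, whereas a real deployment would check for uid 0.

```python
import os
import re
import shutil
import stat
import tempfile

# Hypothetical opensc.conf key (not a real OpenSC option) naming the external
# authentication library OpenSC would load for the protected auth path.
_LIB_KEY = re.compile(r'^\s*external_auth_lib\s*=\s*"([^"]+)"\s*;', re.M)

def _untrusted(path, trusted_uid):
    """Reason a filesystem object is unsafe to load code from, or None."""
    st = os.stat(path)
    if st.st_uid != trusted_uid:
        return f"{path}: owned by uid {st.st_uid}, expected {trusted_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"{path}: group/world writable"

def path_is_trusted(lib_path, trusted_uid=0):
    """(ok, reason): the configured name's directory, the resolved file and its directory."""
    # A writable directory or symlink target lets a local user swap the library,
    # which is the library-in-the-middle concern raised earlier in the thread.
    real = os.path.realpath(lib_path)
    for p in (os.path.dirname(os.path.abspath(lib_path)), os.path.dirname(real), real):
        reason = _untrusted(p, trusted_uid)
        if reason:
            return False, reason
    return True, "ok"

def external_lib_from_conf(conf_text):
    """Library path named by the hypothetical key, or None if absent."""
    m = _LIB_KEY.search(conf_text)
    return m.group(1) if m else None

def decide_load(conf_path, trusted_uid=0):
    """Refuse unless both the config file and the library it names pass."""
    ok, reason = path_is_trusted(conf_path, trusted_uid)
    if not ok:
        return False, "config: " + reason
    with open(conf_path) as fh:
        lib = external_lib_from_conf(fh.read())
    if lib is None:
        return False, "no external_auth_lib configured"
    return path_is_trusted(lib, trusted_uid)

def demo(trusted_uid=None):
    """Constructed scenario: a protected library, then the same one made
    world-writable. trusted_uid defaults to the current user; real hosts use 0."""
    uid = os.getuid() if trusted_uid is None else trusted_uid
    base = tempfile.mkdtemp()  # mode 0700, owned by the current user
    try:
        lib = os.path.join(base, "libbioauth.so")  # constructed, not a real lib
        conf = os.path.join(base, "opensc.conf")
        with open(lib, "w") as fh:
            fh.write("placeholder for a shared object\n")
        with open(conf, "w") as fh:
            fh.write(f'app default {{\n    external_auth_lib = "{lib}";\n}}\n')
        os.chmod(lib, 0o644)
        os.chmod(conf, 0o644)
        good = decide_load(conf, uid)
        os.chmod(lib, 0o666)  # now any local user could replace the code
        bad = decide_load(conf, uid)
    finally:
        shutil.rmtree(base)
    return good[0], bad[0], bad[1]
```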

Re: Biometric integration?

helpcrypto helpcrypto
IIUC, the readers are 'dumb' devices, so this is how OpenSC actually works:
  OpenSC invokes select DF...
  OpenSC shows a login dialog and sends the login to the card / requests login from the card,
which shows a login popup, and gets 9000 if OK
  OpenSC requests sign...

Having a pinpad/biometric reader could work like this:
  OpenSC knows CKF_PROTECTED_AUTHENTICATION_PATH is set
  OpenSC invokes select DF...
  OpenSC requests login from the reader (passing the login APDU?), and gets 9000 if OK
  OpenSC requests sign...

What I don't understand is how the reader authenticates against the card:
  is the fingerprint translated to a char* and sent to the card?
  how does the reader know what the login APDU is for that card?
(please, give me some doc about that...)

There must be a flag at reader level which says "I'm a reader, and I'm
able to do biometric/pinpad verification". Is there any "feature_support_flag"
to do that, like when using extended APDUs?

> If you can edit a root file you can do anything much more evil.

having root access < having PIN => using private key

<offtopic>By the way: does any of you know how to use "encrypted
memory" in applications?

Re: Biometric integration?

NdK-3
In reply to this post by helpcrypto helpcrypto
On 26/04/2012 11:32, helpcrypto helpcrypto wrote:

> And what if I edit your current config and replace the lib with my
> modified evil lib?
And what if I replace the trusted reader with another, hacked one?
Not too hard, it seems, since many supermarkets got hacked this way...

The only really trusted method (for the user) would be a card with an
integrated display and pinpad and/or fingerprint sensor. Maybe
impractical for a card, quite feasible for a token (there already are
thumb drives with a fingerprint reader and matcher that don't require OS
support except for mass storage).

BYtE,
 Diego.

Re: Biometric integration?

NdK-3
In reply to this post by helpcrypto helpcrypto
On 26/04/2012 12:22, helpcrypto helpcrypto wrote:

>> If you can edit a root file you can do anything much more evil.
> having root access < having PIN => using private key
Just install a keylogger (maybe an HW one on the PS/2 cable? I've seen
one that is quite hard to recognize... or even one INSIDE the
keyboard...) and root (or user w/ physical access to the computer...
that quite easily translates to "root" anyway) knows your PIN.

Simply put, you can't make it secure, regardless of the effort you place
in it. The best you can obtain is to design it in a way that whoever has
physical access to it is the party interested in keeping it secure.

BYtE,
 Diego.

Re: Biometric integration?

helpcrypto helpcrypto
> And what if I replace the trusted reader with another, hacked one?
> Not too hard, it seems, since many supermarkets got hacked this way...

IMVHO, changing your physical reader from .cn is much harder than
editing a file...

> Just install a keylogger (maybe an HW one on the PS/2 cable? I've seen
> one that is quite hard to recognize... or even one INSIDE the
> keyboard...) and root (or user w/ physical access to the computer...
> that quite easily translates to "root" anyway) knows your PIN.

Repeat above