ECDSA cards


ECDSA cards

Nikos Mavrogiannopoulos
Hello,
  I'm trying to use the opensc 0.12.x ECDSA support, to allow ECDSA
signing in gnutls via PKCS #11. However I have no such cards to test it.
Do you have any suggestion on which card to use? (My only requirement is
that it must be obtainable without placing a mass order)

regards,
Nikos
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: ECDSA cards

Martin Paljak-4
Hello,

On Tue, Sep 6, 2011 at 14:21, Nikos Mavrogiannopoulos <[hidden email]> wrote:
> Hello,
>  I'm trying to use the opensc 0.12.x ECDSA support, to allow ECDSA
> signing in gnutls via PKCS #11. However I have no such cards to test it.
> Do you have any suggestion on which card to use? (My only requirement is
> that it must be obtainable without placing a mass order)

This is a difficult requirement. I'm not aware of any, except for a
PIV card that might work but that's not available any more from
smartcardfocus.com from where I got one. In fact, it seems that even
"decent java cards" is a rarity these days...

Best,
Martin

Re: ECDSA cards

Douglas E. Engert
In reply to this post by Nikos Mavrogiannopoulos


On 9/6/2011 6:21 AM, Nikos Mavrogiannopoulos wrote:
> Hello,
>    I'm trying to use the opensc 0.12.x ECDSA support, to allow ECDSA
> signing in gnutls via PKCS #11. However I have no such cards to test it.
> Do you have any suggestion on which card to use? (My only requirement is
> that it must be obtainable without placing a mass order)

The OpenSC ECDSA code was developed using Oberthur
"ID-One PIV FIPS 201 Validated Dual Interface Smart Card"
These cards were obtained from Oberthur at about $10 each
in small quantities. I do not know their policies on selling to
individuals.

I know at least one of the other developers obtained some of these
cards.

I am not sure if the OpenSC ECDSA code was added to any of the other
OpenSC card-*.c drivers. It could be, as Gemalto also says their IAS ECC
card can do ECDSA, and ECDH,
  http://www.gemalto.com/products/multiapp_id_ias_ecc/

I have not tried these.

If you get any of the PIV cards, I can fill you in on generating
keys and signing cert requests using the card.

>
> regards,
> Nikos

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: ECDSA cards

Nikos Mavrogiannopoulos
In reply to this post by Martin Paljak-4
On 09/06/2011 03:38 PM, Martin Paljak wrote:

>>   I'm trying to use the opensc 0.12.x ECDSA support, to allow ECDSA
>> signing in gnutls via PKCS #11. However I have no such cards to test it.
>> Do you have any suggestion on which card to use? (My only requirement is
>> that it must be obtainable without placing a mass order)
> This is a difficult requirement. I'm not aware of any, except for a
> PIV card that might work but that's not available any more from
> smartcardfocus.com from where I got one. In fact, it seems that even
> "decent java cards" is a rarity these days...

Pretty strange. I couldn't find any elliptic curve supporting smart card
on the market. I'd expect them to be more widespread due to their
smaller memory requirements than rsa.


Re: ECDSA cards

Martin Paljak-4
On Fri, Sep 9, 2011 at 01:56, Nikos Mavrogiannopoulos <[hidden email]> wrote:

> On 09/06/2011 03:38 PM, Martin Paljak wrote:
>
>>>  I'm trying to use the opensc 0.12.x ECDSA support, to allow ECDSA
>>> signing in gnutls via PKCS #11. However I have no such cards to test it.
>>> Do you have any suggestion on which card to use? (My only requirement is
>>> that it must be obtainable without placing a mass order)
>>
>> This is a difficult requirement. I'm not aware of any, except for a
>> PIV card that might work but that's not available any more from
>> smartcardfocus.com from where I got one. In fact, it seems that even
>> "decent java cards" is a rarity these days...
>
> Pretty strange. I couldn't find any elliptic curve supporting smart card on
> the market. I'd expect them to be more widespread due to their smaller
> memory requirements than rsa.

Maybe Certicom and licensing is the reason...

Re: ECDSA cards

Edward Middleton-3
In reply to this post by Douglas E. Engert
On 09/06/2011 11:16 PM, Douglas E. Engert wrote:

>
>
> On 9/6/2011 6:21 AM, Nikos Mavrogiannopoulos wrote:
>> Hello,
>>    I'm trying to use the opensc 0.12.x ECDSA support, to allow ECDSA
>> signing in gnutls via PKCS #11. However I have no such cards to test it.
>> Do you have any suggestion on which card to use? (My only requirement is
>> that it must be obtainable without placing a mass order)
>
> The OpenSC ECDSA code was developed using Oberthur
> "ID-One PIV FIPS 201 Validated Dual Interface Smart Card"
> These cards were obtained from Oberthur at about $10 each
> in small quantities. I do not know their policies on selling to
> individuals.
>
> I know at least one of the other developers obtained some of these
> cards.
>
> I am not sure if the OpenSC ECDSA code was added to any of the other
> OpenSC card-*.c drivers. It could be, as Gemalto also says their IAS ECC
> card can do ECDSA, and ECDH,
>   http://www.gemalto.com/products/multiapp_id_ias_ecc/
>
> I have not tried these.
>
> If you get any of the PIV cards, I can fill you in on generating
> keys and signing cert requests using the card.

I would be very interested in hearing how to use these cards with
opensc.  I picked up a couple of "Cosmo V7 128K PIV" cards several
months ago from smartcardfocus.com[1]. I could get them to generate keys
but generating certificate requests kept asking for a pin.  I verified
the pin using

# piv-tool -A M:9B:03 --send-apdu 00:20:00:80:08:....:FF:FF

but that pin didn't work.

Edward

1. http://www.smartcardfocus.com/shop/ilp/id~410/p/index.shtml
2. http://www.opensc-project.org/opensc/wiki/PivTool

Re: ECDSA cards

Douglas E. Engert


On 9/9/2011 2:46 AM, Edward Middleton wrote:

> On 09/06/2011 11:16 PM, Douglas E. Engert wrote:
>>
>>
>> On 9/6/2011 6:21 AM, Nikos Mavrogiannopoulos wrote:
>>> Hello,
>>>     I'm trying to use the opensc 0.12.x ECDSA support, to allow ECDSA
>>> signing in gnutls via PKCS #11. However I have no such cards to test it.
>>> Do you have any suggestion on which card to use? (My only requirement is
>>> that it must be obtainable without placing a mass order)
>>
>> The OpenSC ECDSA code was developed using Oberthur
>> "ID-One PIV FIPS 201 Validated Dual Interface Smart Card"
>> These cards were obtained from Oberthur at about $10 each
>> in small quantities. I do not know their policies on selling to
>> individuals.
>>
>> I know at least one of the other developers obtained some of these
>> cards.
>>
>> I am not sure if the OpenSC ECDSA code was added to any of the other
>> OpenSC card-*.c drivers. It could be, as Gemalto also says their IAS ECC
>> card can do ECDSA, and ECDH,
>>    http://www.gemalto.com/products/multiapp_id_ias_ecc/
>>
>> I have not tried these.
>>
>> If you get any of the PIV cards, I can fill you in on generating
>> keys and signing cert requests using the card.
>
> I would be very interested in hearing how to use these cards with
> opensc.  I picked up a couple of "Cosmo V7 128K PIV" cards several
> months ago from smartcardfocus.com[1]. I could get them to generate keys
> but generating certificate requests kept asking for a pin.
You did not say how you were trying to generate the request.
The way I have done it for testing is to use OpenSSL with
the OpenSC engine to do the signature.

If you are trying to use ECDSA, then you will need mods to
libp11 and engine_pkcs11.

See:
http://www.opensc-project.org/pipermail/opensc-devel/2011-February/016089.html
and:
http://www.opensc-project.org/pipermail/opensc-devel/2011-September/017163.html

The PIN would be the user PIN, which you may have to reset before trying
to use it. The vendor should have told you what the initial PIN and PUK were.
The PUK might be all hex zeros or maybe 99999999. The PIN may also be all hex
zeros or maybe 123456 or 12345678.

> I verified
> the pin using
>
> # piv-tool -A M:9B:03 --send-apdu 00:20:00:80:08:....:FF:FF
>
> but that pin didn't work.

You mean the verify failed, or the PIN verified but you could not
use the PIN with the cert request?

I have a set of scripts to track test cards, generate keys, and
cert requests, as well as change PINs. They are not meant to be
used in production as each PIV card vendor has different ways to
finalize a card, and to change the 9B03 key.

I sent these scripts to Martin in January. I will forward that
e-mail to you. It does not have the ECDSA code mods. If that is what
you need, I will have to clean up the scripts some more before
posting them.

Also see the attached patch for OpenSSL-1.0.0 that may be needed
if using ECDSA.

>
> Edward
>
> 1. http://www.smartcardfocus.com/shop/ilp/id~410/p/index.shtml
> 2. http://www.opensc-project.org/opensc/wiki/PivTool
>
>

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


[Attachment: openssl-ecdsa.patch (954 bytes)]
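The exchange above turns on what the piv-tool VERIFY APDU (00:20:00:80:08:....:FF:FF) actually encodes and on how to tell "the verify failed" from "the PIN verified but a later command still asked for one". The following is an added example, not code from the thread, from OpenSC or from piv-tool: it builds the ISO 7816-4 VERIFY command for the PIV application PIN (key reference 0x80) with the 8-byte 0xFF-padded PIN block used by PIV, renders it in the colon-separated form piv-tool takes, and decodes the status words a card returns (90 00 success, 63 CX wrong PIN with X tries left, 69 83 blocked). The -A M:9B:03 management-key authentication in the original command line is not modelled. The `ConstructedPivCard` class is a constructed stand-in for a card's VERIFY handling so the flow can be exercised without hardware; no PC/SC transport is included.

```python
"""PIV VERIFY APDU encoder and status-word decoder (added example).

Encodes CLA=00 INS=20 P1=00 P2=80 Lc=08 <PIN block>, where the PIN block
is 6 to 8 ASCII digits right-padded with 0xFF to 8 bytes (PIV PIN format),
and decodes the ISO 7816-4 status words VERIFY returns.
"""
from __future__ import annotations

INS_VERIFY = 0x20
PIV_APP_PIN = 0x80   # PIV application PIN key reference (VERIFY P2)
PIV_PUK = 0x81       # PIN Unblocking Key key reference


def encode_piv_pin(pin: str) -> bytes:
    """Return the 8-byte PIV PIN block: ASCII digits padded with 0xFF."""
    if not (6 <= len(pin) <= 8) or not pin.isdigit():
        raise ValueError("PIV application PIN must be 6 to 8 ASCII digits")
    return pin.encode("ascii").ljust(8, b"\xff")


def build_verify_apdu(pin: str, key_ref: int = PIV_APP_PIN) -> bytes:
    """Build VERIFY: 00 20 00 <key_ref> 08 <PIN block>."""
    data = encode_piv_pin(pin)
    return bytes([0x00, INS_VERIFY, 0x00, key_ref, len(data)]) + data


def to_piv_tool_syntax(apdu: bytes) -> str:
    """Render as the colon-separated hex string piv-tool --send-apdu accepts."""
    return ":".join(f"{b:02X}" for b in apdu)


def decode_verify_sw(sw1: int, sw2: int) -> str:
    """Interpret the status word a VERIFY command came back with."""
    if (sw1, sw2) == (0x90, 0x00):
        return "verified"
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:
        return f"wrong PIN, {sw2 & 0x0F} tries remaining"
    if (sw1, sw2) == (0x69, 0x83):
        return "PIN blocked (use PUK / RESET RETRY COUNTER)"
    if (sw1, sw2) == (0x6A, 0x88):
        return "referenced PIN not found (wrong P2?)"
    return f"unexpected SW {sw1:02X}{sw2:02X}"


class ConstructedPivCard:
    """Constructed stand-in for a PIV applet's VERIFY handling (not a real card).

    Keeps a retry counter and the 'verified' security status, which on a
    real card lives only for the current card session.
    """

    def __init__(self, pin: str, retries: int = 3):
        self._pin_block = encode_piv_pin(pin)
        self._max_retries = retries
        self._retries = retries
        self.verified = False

    def transmit(self, apdu: bytes) -> tuple[int, int]:
        cla, ins, p1, p2, lc = apdu[:5]
        data = apdu[5:5 + lc]
        if ins != INS_VERIFY or p1 != 0x00:
            return (0x6A, 0x86)          # incorrect parameters P1-P2
        if p2 != PIV_APP_PIN:
            return (0x6A, 0x88)          # referenced data not found
        if self._retries == 0:
            return (0x69, 0x83)          # authentication method blocked
        if data == self._pin_block:
            self.verified = True
            self._retries = self._max_retries
            return (0x90, 0x00)
        self.verified = False
        self._retries -= 1
        return (0x63, 0xC0 | self._retries)


if __name__ == "__main__":
    card = ConstructedPivCard("123456")           # constructed test card
    apdu = build_verify_apdu("123456")
    print(to_piv_tool_syntax(apdu))
    print(decode_verify_sw(*card.transmit(build_verify_apdu("654321"))))
    print(decode_verify_sw(*card.transmit(apdu)))
```

The security status a successful VERIFY establishes belongs to the card session that sent it, so a PIN verified from one piv-tool process does not carry over to a separate OpenSSL or PKCS #11 process that reconnects to the card; that process has to present the PIN itself (OpenSC's PKCS #11 module does this in C_Login). Decoding the status word first, as above, settles whether the PIN is simply wrong, already blocked, or fine but being re-asked for by the next tool.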

Re: ECDSA cards

Crypto Stick
In reply to this post by Nikos Mavrogiannopoulos
The Gnuk project [1] is working on support of ECDSA. But I expect a few
more weeks or months until a public release.

[1] http://www.fsij.org/gnuk/

On 06.09.2011 19:21, Nikos Mavrogiannopoulos wrote:

> Hello,
>   I'm trying to use the opensc 0.12.x ECDSA support, to allow ECDSA
> signing in gnutls via PKCS #11. However I have no such cards to test it.
> Do you have any suggestion on which card to use? (My only requirement is
> that it must be obtainable without placing a mass order)
>
> regards,
> Nikos

Re: ECDSA cards

Jean-Michel Pouré - GOOZE
In reply to this post by Nikos Mavrogiannopoulos
On Tuesday, 6 September 2011 at 13:21 +0200, Nikos Mavrogiannopoulos
wrote:
> I'm trying to use the opensc 0.12.x ECDSA support, to allow ECDSA
> signing in gnutls via PKCS #11. However I have no such cards to test
> it.
> Do you have any suggestion on which card to use? (My only requirement
> is
> that it must be obtainable without placing a mass order)

The ePass2003 offers ECDSA as an option.
I contacted Feitian for information and will keep you informed.

If we can order a small batch of tokens with ECDSA we will make it.

Kind regards,
--
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu



Gnuk Open Hardware token. Was: ECDSA cards

Anders Rundgren
In reply to this post by Crypto Stick
On 2011-09-22 17:31, Crypto Stick wrote:
> The Gnuk project [1] is working on support of ECDSA. But I expect a few
> more weeks or months until a public release.
>
> [1] http://www.fsij.org/gnuk/

It was nice to see yet another Open Hardware token project!

The RSA signature numbers were quite impressive in spite of using standard electronics.

It is a pity that I can't use exactly the same STM32 model but my project
requires more Flash and RAM as well as an additional 4Mb store in order
to effectively work as a Gnome Keyring in hardware.

One token for each provider (trust network) seems like a bad idea
when Google already in their shipping product can do better:

http://mail.google.com/wallet

On-line provisioning [presumably] with end-to-end security; the works!

As all "genuine" smart card systems, there is no publicly available
description on how it works.  The NXP chip seems to be NDA protected :-)

Open Hardware rocks!

Anders

>
> On 06.09.2011 19:21, Nikos Mavrogiannopoulos wrote:
>> Hello,
>>   I'm trying to use the opensc 0.12.x ECDSA support, to allow ECDSA
>> signing in gnutls via PKCS #11. However I have no such cards to test it.
>> Do you have any suggestion on which card to use? (My only requirement is
>> that it must be obtainable without placing a mass order)
>>
>> regards,
>> Nikos


Re: ECDSA cards

Nikos Mavrogiannopoulos
In reply to this post by Crypto Stick
On 09/22/2011 05:31 PM, Crypto Stick wrote:
> The Gnuk project [1] is working on support of ECDSA. But I expect a few
> more weeks or months until a public release.
> [1] http://www.fsij.org/gnuk/

Looks pretty cool. About speed, wouldn't using a GMP-based RSA (e.g. from
nettle) give better performance?