Generating keypairs on PIV cards

Generating keypairs on PIV cards

William Roberts
Suppose you had a blank card in this state:
1. Most of the private keys are empty (9A, 9C, 9D, 9E)
2. The Card Management Key (9B) is set
3. The containers (5FC105, 5FC10A, 5FC10B, 5FC101) are empty

What commands would run using piv-tool to take the card into an
initialized state?

My best guess is some combination of GENERATE ASYMMETRIC KEY PAIR and
PUT DATA commands. I'm not quite clear what the GENERATE KEY PAIR
command should do on the card side: does it actually update the
corresponding x509? I.e. does a generate request on '9A' update the x509
in 5FC105?

--
Respectfully,

William C Roberts

------------------------------------------------------------------------------
Infragistics Professional
Build stunning WinForms apps today!
Reboot your WinForms applications with our WinForms controls.
Build a bridge from your legacy apps to the future.
http://pubads.g.doubleclick.net/gampad/clk?id=153845071&iu=/4140/ostg.clktrk
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Generating keypairs on PIV cards

Douglas E Engert


On 7/28/2014 1:59 PM, William Roberts wrote:

> Suppose you had a blank card in this state:
> 1. Most of the private keys are empty (9A, 9C, 9D, 9E)
> 2. The Card Management Key (9B) is set
> 3. The containers (5FC105, 5FC10A, 5FC10B, 5FC101) are empty
>
> What commands would run using piv-tool to take the card into an
> initialized state?
>
> My best guess is some combination of GENERATE ASYMMETRIC KEY PAIR and
> PUT DATA commands. I'm not quite clear what the GENERATE KEY PAIR
> command should do on the card side, does it actually update the
> corresponding x509.


No. It's a multi-step process defined in:

   https://github.com/OpenSC/OpenSC/wiki/PivTool

to generate a key pair, save the pubkey, get the card to sign a
certificate request containing the pubkey, have the CA sign the request
creating the certificate, then load the certificate onto the card.


https://github.com/OpenSC/OpenSC/wiki/PivTool#generate-a-key-pair

The piv-tool -o option says where to write out the public key, to a file.
This is the only time the public key can be retrieved from the card.


https://github.com/OpenSC/OpenSC/wiki/PivTool#clear-a-certificate-on-the-card

Make sure there is no old certificate on the card that has a public key
for a previous run of this multi-step process.  See why in the last paragraph
in this section.

https://github.com/OpenSC/OpenSC/wiki/PivTool#generate-a-certificate-request

If no certificate is on the card, card-piv.c will use the PIV_*_KEY
environment variable to find the matching public key saved by piv-tool -o.

https://github.com/OpenSC/OpenSC/wiki/PivTool#signing-the-request

Have your CA sign the request to create a certificate. Before I retired,
we would use the Microsoft Enterprise CA, making the card usable for
Windows smart card login (which is also Kerberos PKINIT for unix logins).
We used AD as the Kerberos KDC.

NIST only defines some of the commands that would be used in a true card
management system, leaving it up to the card vendor to provide any additional commands,
such as: writing a private key to the card, reading a private key
(both could be used for key escrow), changing the 9B key, locking the card,
Global Platform operations, etc.

NIST defined just enough commands to create test cards.

The OpenSC code was designed to support the user client using only the
NIST defined commands, and be able to create test cards to test the client code.

The piv-tool -s option was added to allow one to write scripts to implement
in a simple way any additional commands needed to personalize the card using
the vendor's private commands.

If you need to add additional non-NIST defined commands in the OpenSC code,
let's talk first.

> I.e. does a generate request on '9A' update the x509
> in 5FC105?

No, but in the examples, PIV_9A_KEY, ID=1 and 5FC105 all refer to the key and tag
of the matching certificate. Change as needed to refer to other key references, IDs and
tags.




--

  Douglas E. Engert  <[hidden email]>


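The GENERATE ASYMMETRIC KEY PAIR exchange Doug describes, as an added example that is not from the thread or from OpenSC: it builds the SP 800-73 APDU for a key reference and parses the 7F49 public-key template the card returns, which is the single chance to capture the public key that piv-tool -o writes to a file. The sample response bytes are constructed (toy-sized modulus, not a card capture), and the key-reference-to-container map follows the tags named in the thread.

```python
# Added example, not from the thread or OpenSC. Builds the NIST SP 800-73
# GENERATE ASYMMETRIC KEY PAIR APDU and parses the 7F49 public-key template
# the card answers with. The card never returns the public key again, so the
# caller must save what parse_genkey_response() yields (piv-tool -o does this).

# PIV key reference -> certificate container tag (tags named in the thread).
KEY_TO_CONTAINER = {0x9A: 0x5FC105, 0x9C: 0x5FC10A, 0x9D: 0x5FC10B, 0x9E: 0x5FC101}
# SP 800-78 algorithm identifiers accepted in the '80' element.
ALG_NAMES = {0x06: "RSA-1024", 0x07: "RSA-2048", 0x11: "ECC-P256", 0x14: "ECC-P384"}


def build_genkey_apdu(key_ref: int, alg: int) -> bytes:
    """CLA=00 INS=47 P1=00 P2=key ref; data is an 'AC' template holding '80' alg."""
    if key_ref not in KEY_TO_CONTAINER or alg not in ALG_NAMES:
        raise ValueError("unsupported key reference or algorithm")
    data = bytes([0xAC, 0x03, 0x80, 0x01, alg])
    return bytes([0x00, 0x47, 0x00, key_ref, len(data)]) + data


def _tlv_iter(buf: bytes):
    """Minimal BER-TLV walker: two-byte tags (7F49) and long-form lengths."""
    i = 0
    while i < len(buf):
        tag = buf[i]; i += 1
        if (tag & 0x1F) == 0x1F:          # two-byte tag such as 7F49
            tag = (tag << 8) | buf[i]; i += 1
        length = buf[i]; i += 1
        if length & 0x80:                 # long form: 0x81 nn, 0x82 nn nn, ...
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big"); i += n
        yield tag, buf[i:i + length]
        i += length


def parse_genkey_response(resp: bytes) -> dict:
    """RSA: {'modulus','exponent'} from '81'/'82'; ECC: {'point'} from '86'."""
    outer = dict(_tlv_iter(resp))
    if 0x7F49 not in outer:
        raise ValueError("no 7F49 public-key template in response")
    inner = dict(_tlv_iter(outer[0x7F49]))
    if 0x81 in inner and 0x82 in inner:
        return {"modulus": int.from_bytes(inner[0x81], "big"),
                "exponent": int.from_bytes(inner[0x82], "big")}
    if 0x86 in inner:
        return {"point": inner[0x86]}
    raise ValueError("unrecognised public-key template contents")


# Constructed sample responses (toy-sized values, not real card output).
SAMPLE_RSA_RESPONSE = bytes.fromhex("7F490A" "8103C0FFEE" "8203010001")
SAMPLE_RSA_LONGFORM = bytes.fromhex("7F49810A" "8103C0FFEE" "8203010001")
SAMPLE_ECC_RESPONSE = bytes.fromhex("7F4905" "860304ABCD")
```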

Re: Generating keypairs on PIV cards

William Roberts

Thanks Doug, no the part I was missing was that the card signs the csr. I now notice that general AUTH can also be used to encrypt data.


Re: Generating keypairs on PIV cards

Douglas E Engert


On 7/29/2014 10:43 AM, William Roberts wrote:
> Thanks Doug, no the part I was missing was that the card signs the csr. I now notice that general AUTH can also be used to encrypt data.

Yes, with 3DES or AES, if you send a challenge the card will return the encrypted data.
With RSA, it only has raw mode, so send the PKCS-padded data to be encrypted. With EC you need to do key derivation.

If you really want to get ahead of the curve see the NIST 800-73-4 drafts, which
allow for secure messaging.


You also ask:
   "What commands would run using piv-tool to take the card into an
    initialized state?"

Depending on your card, this may be outside of what the piv-tool can do.
The piv-tool expects that the card has the PIV application loaded,
and has a 9B key loaded by the vendor.

Some cards come from the vendor as Global Platform cards that are locked.
They provide the unlocking key. They must be unlocked before using the piv-tool.

To change the 9B key requires non-NIST standard commands too.
The piv-tool -s command can do simple commands, but not the Global Platform
unlocking, for example.




--

  Douglas E. Engert  <[hidden email]>

