Google PUBLICLY slashes smart card technology


Google PUBLICLY slashes smart card technology

Anders Rundgren-2
Hi Guys,
Things are heating up.

http://lists.w3.org/Archives/Public/public-webcrypto-comments/2014Feb/0008.html

IMO, their analysis is correct.  Smart cards were not designed for the web.

If they had been that we would have been able to perform EMV payments on the web rather than keying in all the boring stuff + the "password" on the back of the card.

Is U2F the "savior"?  We'll see.

Regards,
Anders


_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Google PUBLICLY slashes smart card technology

Andreas Schwier (ML)
FIDO specs are out and surprise, surprise: They are using ISO7816-4
APDUs to talk to the U2F device.

On 10.02.2014 11:47, Anders Rundgren wrote:

> Hi Guys,
> Things are heating up.
>
> http://lists.w3.org/Archives/Public/public-webcrypto-comments/2014Feb/0008.html
>
> IMO, their analysis is correct.  Smart cards were not designed for the web.
>
> If they had been that we would have been able to perform EMV payments on the web rather than keying in all the boring stuff + the "password" on the back of the card.
>
> Is U2F the "savior"?  We'll see.
>
> Regards,
> Anders
>
>


--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
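Andreas's point is that U2F carries its messages as ISO 7816-4 APDUs. The following is an added example, not code from this thread, from OpenSC or from any FIDO specification: a small Python encoder/decoder for the short and extended command APDU forms and for the two-byte status word of a response APDU. The AID and INS values in the demo at the bottom are constructed placeholders, not real application identifiers.

```python
"""ISO 7816-4 command/response APDU framing (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class CommandAPDU:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""          # command data field (Lc bytes); empty for case 1 and 2
    le: Optional[int] = None   # expected response length; None for case 1 and 3

    def encode(self, extended: bool = False) -> bytes:
        """Serialise as a short-form (one-byte Lc/Le) or extended-form (Lc/Le in two bytes) APDU."""
        header = bytes([self.cla, self.ins, self.p1, self.p2])
        body = b""
        if not extended:
            if len(self.data) > 255 or (self.le is not None and not 0 < self.le <= 256):
                raise ValueError("short form allows Lc <= 255 and 1 <= Le <= 256")
            if self.data:
                body += bytes([len(self.data)]) + self.data
            if self.le is not None:
                body += bytes([self.le & 0xFF])            # Le = 256 is coded as 0x00
        else:
            if len(self.data) > 65535 or (self.le is not None and not 0 < self.le <= 65536):
                raise ValueError("extended form allows Lc <= 65535 and 1 <= Le <= 65536")
            if self.data:
                # a leading 0x00 marks the extended form, followed by a two-byte Lc
                body += b"\x00" + len(self.data).to_bytes(2, "big") + self.data
            if self.le is not None:
                le = (self.le & 0xFFFF).to_bytes(2, "big")  # Le = 65536 is coded as 0x0000
                body += le if self.data else b"\x00" + le   # without Lc the 0x00 marker precedes Le
        return header + body


def decode_command(raw: bytes) -> Tuple[CommandAPDU, str]:
    """Parse a command APDU and report its ISO 7816-4 case (1, 2S, 3S, 4S, 2E, 3E, 4E)."""
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body, n = raw[4:], len(raw) - 4
    if n == 0:
        return CommandAPDU(cla, ins, p1, p2), "1"
    if n == 1:
        return CommandAPDU(cla, ins, p1, p2, le=body[0] or 256), "2S"
    if body[0] != 0:                                   # short form: first body byte is Lc
        lc = body[0]
        if n == 1 + lc:
            return CommandAPDU(cla, ins, p1, p2, body[1:1 + lc]), "3S"
        if n == 2 + lc:
            return CommandAPDU(cla, ins, p1, p2, body[1:1 + lc], body[1 + lc] or 256), "4S"
        raise ValueError("short-form length field does not match the APDU length")
    if n < 3:
        raise ValueError("truncated extended-length field")
    if n == 3:                                         # 00 Le1 Le2
        return CommandAPDU(cla, ins, p1, p2, le=int.from_bytes(body[1:3], "big") or 65536), "2E"
    lc = int.from_bytes(body[1:3], "big")
    if n == 3 + lc:
        return CommandAPDU(cla, ins, p1, p2, body[3:3 + lc]), "3E"
    if n == 5 + lc:
        le = int.from_bytes(body[3 + lc:5 + lc], "big") or 65536
        return CommandAPDU(cla, ins, p1, p2, body[3:3 + lc], le), "4E"
    raise ValueError("extended-form length field does not match the APDU length")


@dataclass
class ResponseAPDU:
    data: bytes
    sw: int   # SW1 SW2 as one 16-bit value

    @property
    def ok(self) -> bool:
        return self.sw == 0x9000

    @property
    def more_available(self) -> bool:
        return (self.sw >> 8) == 0x61   # SW2 then gives the number of bytes still waiting


def decode_response(raw: bytes) -> ResponseAPDU:
    """Split a response APDU into its data field and trailing status word."""
    if len(raw) < 2:
        raise ValueError("response APDU needs at least SW1 SW2")
    return ResponseAPDU(raw[:-2], int.from_bytes(raw[-2:], "big"))


if __name__ == "__main__":
    placeholder_aid = bytes.fromhex("A000000000000001")   # constructed, not a registered AID
    select = CommandAPDU(0x00, 0xA4, 0x04, 0x00, placeholder_aid, le=256)
    print("SELECT (short):   ", select.encode().hex())
    print("decoded as case:  ", decode_command(select.encode())[1])
    big = CommandAPDU(0x00, 0x10, 0x00, 0x00, bytes(300), le=65536)  # constructed INS
    print("extended form:    ", big.encode(extended=True)[:8].hex(), "...")
    print("status 9000 ok?   ", decode_response(b"\x01\x02\x90\x00").ok)
```

Two details are worth noticing when building the "bit-pipe" layer on top of this: a short-form Le of 256 and an extended-form Le of 65536 are both coded as all-zero bytes, so a decoder must map zero back to the maximum rather than to "no data", and a 0x61xx status word means the response was cut short and more bytes have to be fetched before anything is verified.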



Re: Google PUBLICLY slashes smart card technology

Anders Rundgren-2
On 2014-02-12 18:01, Andreas Schwier (ML) wrote:
> FIDO specs are out and surprise, surprise: They are using ISO7816-4
> APDUs to talk to the U2F device.

Indeed, the thing is that they only use 7816 as a "bit-pipe" for raw
client-to-token communication and use a high-level JS-based interface
to the issuer and applications.

This is similar to what I have planned for SKS/KeyGen2.

Anders

http://fidoalliance.org/specifications/download




PKCS #11? Was.Google PUBLICLY slashes smart card technology

Anders Rundgren-2
In reply to this post by Andreas Schwier (ML)
It seems to me that even our old friend PKCS #11 is out in the cold...

Anders

http://fidoalliance.org/specifications/download




Re: PKCS #11? Was. Google PUBLICLY slashes smart card technology

Anders Rundgren-2
In reply to this post by Andreas Schwier (ML)
On 2014-02-12 18:01, Andreas Schwier (ML) wrote:

> FIDO specs are out and surprise, surprise: They are using ISO7816-4
> APDUs to talk to the U2F device.
>
> On 10.02.2014 11:47, Anders Rundgren wrote:
>> Hi Guys,
>> Things are heating up.
>>
>> http://lists.w3.org/Archives/Public/public-webcrypto-comments/2014Feb/0008.html
>>
>> IMO, their analysis is correct.  Smart cards were not designed for the web.
>>
>> If they had been that we would have been able to perform EMV payments on the web rather than keying in all the boring stuff + the "password" on the back of the card.
>>
>> Is U2F the "savior"?  We'll see.

It seems that PKCS #11 is also out in the cold.
There's no P11 in Android and it is not mentioned in U2F either and this Google road-map seems to be yet another step away from P11:

https://docs.google.com/document/d/1ML11ZyyMpnAr6clIAwWrXD53pQgNR-DppMYwt9XvE6s

Anders

>>
>> Regards,
>> Anders
>>



Re: PKCS #11? Was. Google PUBLICLY slashes smart card technology

Martin Paljak-4
On 13/02/14 10:01 , Anders Rundgren wrote:

> On 2014-02-12 18:01, Andreas Schwier (ML) wrote:
>> FIDO specs are out and surprise, surprise: They are using
>> ISO7816-4 APDUs to talk to the U2F device.
>>
>> On 10.02.2014 11:47, Anders Rundgren wrote:
>>> Hi Guys, Things are heating up.
>>>
>>> http://lists.w3.org/Archives/Public/public-webcrypto-comments/2014Feb/0008.html
>>>
>>> IMO, their analysis is correct.  Smart cards were not designed for the web.

Smart cards were designed for keeping cryptographic keys securely and
IMHO they do a pretty good job, also taking into account that cards
are a convenient form factor and easily usable/understandable even to
grandmas.

At the same time I believe I'm becoming old-fashioned and I don't
really get what "the web" is. Or if it is something I want to have/use.
I think it has something to do with instagram or such?

I'm more interested in "traditional" key containers that might add
some trusted elements like a display and on-device buttons (like those
OTP cards that have a chip but with no connection yet between the
chip and the display/buttons). If it gets used by PIV driver in
Windows or U2F driver in Chrome or some VPN application on android
tablet - no real difference.


>>>
>>> If they had been that we would have been able to perform EMV
>>> payments on the web rather than keying in all the boring stuff
>>> + the "password" on the back of the card.
>>>
>>> Is U2F the "savior"?  We'll see.

For some reason, the first impression of it (u2f) all looks too
similar to MS CardSpace. The fact that this project is dead by now is
a sign that being backed by a "superpower" might not be enough. But
Google has a climbing usage graph (both for Android and Chrome
browser) compared to MS+IE, which might give a better starting position.


>
> It seems that PKCS #11 is also out in the cold. There's no P11 in
> Android and it is not mentioned in U2F either and this Google
> road-map seems to be yet another step away from P11:
>
> https://docs.google.com/document/d/1ML11ZyyMpnAr6clIAwWrXD53pQgNR-DppMYwt9XvE6s

Very interesting read, thanks for the link.

PKCS#11 has never been a good standard from usability perspective, yet
similarly to http over tcpip it is the most used "plumbing" technique.
Yes, if you are Google and have your own servers and your own client,
you can make tricks like talk SPDY and hope that everybody picks it up.
"Runs without additional client software" if you first need to have a
downloaded browser that embeds the "additional client software" is
similar to advertisements telling "no programming needed" but you have
to edit a 35 page long XML file with hundreds of lines of strings that
only get checked during runtime...


Arguably also HTTPS is a really bad design, that works from technical
perspective (strong mutual authentication) but sucks from usable
implementation perspective (like ugly technical errors when you don't
have your card with necessary keys inserted)

The fact that Android and Linux don't have a common "key container" or
"trust register" API has been long known, to the extent of "We need to
make all apps talk NSS":
http://fedoraproject.org/wiki/FedoraCryptoConsolidation

And now the opposite of "NSS is worse, lets move everything to OpenSSL".

PKCS#11 is a software API and suitable for applications that require
"direct access" to different cryptographic keys (CA-s, dnssec etc).
"Consumer platforms" like Android or browsers ideally need a different
approach with usability in mind. For single vendor platforms
(Microsoft, Apple, Google.. or RedHat) it is understandable that
effort is made to accomplish that with a common platform API. And the
purpose of OpenSC would be to provide something that plugs into the
platform as closely as possible... given that the platform vendor
provides a way for such plugins. PKCS#11 has been one of such plugins.
Maybe U2F will be another one.

So anyway, I'd sit back and watch the show for a while. Meanwhile, to
add to the paranoia, Google taking the all-in path with OpenSSL...

http://mirrors.dotsrc.org/fosdem/2014/Janson/Sunday/NSA_operation_ORCHESTRA_Annual_Status_Report.webm



--
Martin
+372 515 6495


Re: PKCS #11? Was. Google PUBLICLY slashes smart card technology

Nikos Mavrogiannopoulos-2
On Thu, Feb 13, 2014 at 12:45 PM, Martin Paljak <[hidden email]> wrote:

> IMO, their analysis is correct.  Smart cards were not designed for the web.
> Smart cards were designed for keeping cryptographic keys securely and
> IMHO they do a pretty good job, also taking into account that cards
> are a convenient form factor and easily usable/understandable even to
> grandmas.

And in addition it is often(*) easy to verify their security claims.

(*). if they implement a small subset of PKCS #11; otherwise it is impossible.

> At the same time I believe I'm becoming old-fashioned and I don't
> really get what "the web" is. Or if it is something I want to have/use.
> I think it has something to do with instagram or such?
> PKCS#11 has never been a good standard from usability perspective, yet
> similarly to http over tcpip it is the most used "plumbing" technique.
> Yes, if you are Google and have your own servers and your own client,
> you can make tricks like talk SPDY and hope that everybody picks it up.

My guess would be that the fact that openssl doesn't have decent smart
card support is one of the reasons google defined their own stuff. If
there had been a simple way to use smart cards cross-platform, things
may have been different. Let's hope that pkcs11-urls would help here.

> The fact that Android and Linux don't have a common "key container" or
> "trust register" API has been long known, to the extent of "We need to
> make all apps talk NSS":
> http://fedoraproject.org/wiki/FedoraCryptoConsolidation

This is another story of failure to change the world :) That effort
has been abandoned.

regards,
Nikos
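Nikos points at PKCS#11 URLs as a possible cross-platform way to name a key in a token. The following is an added example, not code from this thread or from OpenSC: a Python parser for the `pkcs11:` URI scheme as later published in RFC 7512, with the matching rule (every path attribute named in the URI must equal the object's attribute) run over a constructed inventory of token objects, and a check for PIN material embedded in the URI. The token names, serial numbers, object labels and the module path are all constructed.

```python
"""Parser and matcher for pkcs11: URIs (RFC 7512). Added example, not from the thread."""
from typing import Dict, List
from urllib.parse import unquote, unquote_to_bytes

# Standard path attributes (before '?'): they identify a library, slot, token or object.
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-description", "slot-manufacturer", "slot-id",
}
# Standard query attributes (after '?'): they tell the application how to reach the token.
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def parse_pkcs11_uri(uri: str) -> Dict[str, dict]:
    """Split a pkcs11: URI into {'path': {...}, 'query': {...}}, percent-decoding each value."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    parsed: Dict[str, dict] = {"path": {}, "query": {}}
    for section, raw, sep, allowed in (("path", path, ";", PATH_ATTRS),
                                       ("query", query, "&", QUERY_ATTRS)):
        for part in raw.split(sep):
            if not part:
                continue
            key, eq, value = part.partition("=")
            if not eq or key not in allowed:
                raise ValueError(f"unexpected {section} attribute {key!r}")
            if key in parsed[section]:
                raise ValueError(f"duplicate attribute {key!r}")  # RFC 7512 forbids repeats
            # 'id' carries the binary CKA_ID, so it decodes to bytes; the rest is UTF-8 text
            parsed[section][key] = unquote_to_bytes(value) if key == "id" else unquote(value)
    return parsed


def uri_matches(candidate: dict, parsed: Dict[str, dict]) -> bool:
    """A URI matches an object when every path attribute it names equals the object's value."""
    return all(candidate.get(key) == value for key, value in parsed["path"].items())


def select_objects(objects: List[dict], uri: str) -> List[dict]:
    """Return the objects from the inventory that the URI designates (may be more than one)."""
    parsed = parse_pkcs11_uri(uri)
    return [obj for obj in objects if uri_matches(obj, parsed)]


def uri_embeds_pin(uri: str) -> bool:
    """True when the URI carries the PIN itself (pin-value) rather than a reference (pin-source)."""
    return "pin-value" in parse_pkcs11_uri(uri)["query"]


# Constructed inventory, shaped like what a PKCS#11 module would enumerate; not real tokens.
SAMPLE_OBJECTS = [
    {"token": "Dev Card", "serial": "0001", "object": "auth", "type": "private", "id": b"\x01"},
    {"token": "Dev Card", "serial": "0001", "object": "auth", "type": "public",  "id": b"\x01"},
    {"token": "Dev Card", "serial": "0001", "object": "sign", "type": "private", "id": b"\x02"},
    {"token": "Old Card", "serial": "0002", "object": "auth", "type": "private", "id": b"\x01"},
]

if __name__ == "__main__":
    key_uri = "pkcs11:token=Dev%20Card;object=auth;type=private?module-path=/path/to/module.so"
    for obj in select_objects(SAMPLE_OBJECTS, key_uri):
        print("designates:", obj)
    print("embeds PIN?", uri_embeds_pin("pkcs11:token=Dev%20Card?pin-value=1234"))
```

Two practical consequences fall out of the matching rule: a URI that names only `object=auth;type=private` is ambiguous across tokens and should be refused or narrowed with `token`/`serial` before use, and a `pin-value` query attribute puts the PIN into configuration files, shell history and logs, so `pin-source` is the form to accept in anything that gets stored.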


FedoraCryptoConsolidation. Was: PKCS #11? Was: Google PUBLICLY slashes smart card technology

Anders Rundgren-2
On 2014-02-13 14:17, Nikos Mavrogiannopoulos wrote:

> On Thu, Feb 13, 2014 at 12:45 PM, Martin Paljak <[hidden email]> wrote:
>
>> IMO, their analysis is correct.  Smart cards were not designed for the web.
>> Smart cards were designed for keeping cryptographic keys securely and
>> IMHO they do a pretty good job, also taking into account that cards
>> are a convenient form factor and easily usable/understandable even to
>> grandmas.
>
> And in addition it is often(*) easy to verify their security claims.
>
> (*). if they implement a small subset of PKCS #11; otherwise it is impossible.
>
>> At the same time I believe I'm becoming old-fashioned and I don't
>> really get what "the web" is. Or if it is something I want to have/use.
>> I think it has something to do with instagram or such?
>> PKCS#11 has never been a good standard from usability perspective, yet
>> similarly to http over tcpip it is the most used "plumbing" technique.
>> Yes, if you are Google and have your own servers and your own client,
>> you can make tricks like talk SPDY and hope that everybody picks it up.
>
> My guess would be that the fact that openssl doesn't have decent smart
> card support is one of the reasons google defined their own stuff. If
> there have been a simple way to use smart cards cross-platform things
> may have been different. Let's hope that pkcs11-urls would help here.
>
>> The fact that Android and Linux don't have a common "key container" or
>> "trust register" API has been long known, to the extent of "We need to
>> make all apps talk NSS":
>> http://fedoraproject.org/wiki/FedoraCryptoConsolidation
>
> This is another story of failure to change the world :) That effort
> has been abandoned.

When I read this, I only saw a huge internal streamlining / refactoring project
with *no immediate customer benefits at all*.

This is a big difference to Google who in their crypto platform renovation project
added entirely new things in the lower layer (the U2F as well as the TEE in Android),
and then put a shiny new web interface on the outermost layer.

It is as Torvalds himself once expressed to me: The security guys do not agree
on anything and therefore this space is pretty dead with respect to innovation.
He's right: no U2F, no TEE, no browser-IF; only a lot of moderately interesting
redundant crypto sub-systems.  FOSS doesn't really cut it after Google entered
the fray, particularly not for end-user computing devices.

Cheers,
Anders
Who still works on refactoring the crypto world from the ground and up.

(There's no other way unless you are a true masochist who loves pushing around
stuff that was designed in another time and for another purpose around forever)








Re: FedoraCryptoConsolidation. Was: PKCS #11? Was: Google PUBLICLY slashes smart card technology

Martin Paljak-4
On 13/02/14 13:55 , Anders Rundgren wrote:
> When I read this, I only saw a huge internal streamlining / refactoring project
> with *no immediate customer benefits at all*.


Here's a different approach: "We started building a whole identity stack..."


https://wiki.mozilla.org/Identity/Persona_AAR


--
Martin
+372 515 6495


Re: FedoraCryptoConsolidation. Was: PKCS #11? Was: Google PUBLICLY slashes smart card technology

Andreas Schwier (ML)
I kind of like the Google approach to do PKI without X.509 certificates.
X.509 is great if you want a validated identity, but in most web use
cases you only need uniqueness and authenticity.

However I believe users should demand a more universal secure key store
not limited to a certain application.

If I buy a key ring for my real-world keys, then I can certainly put all
my keys onto the key ring, because they all have a little hole that fits.

We need to achieve the same thing for cryptographic keys, and U2F,
SKS/KeyGen2 and CGCSR are well on the way to doing that.

Andreas

On 02/15/2014 11:47 AM, Martin Paljak wrote:

> On 13/02/14 13:55 , Anders Rundgren wrote:
>> When I read this, I only saw a huge internal streamlining / refactoring project
>> with *no immediate customer benefits at all*.
>
>
> Here's a different approach: "We started building a whole identity stack..."
>
>
> https://wiki.mozilla.org/Identity/Persona_AAR
>
>

