MyEID and PIV


MyEID and PIV

Douglas E Engert
This is a follow-on question to that raised in
https://github.com/OpenSC/OpenSC/pull/926,
as MyEID and PIV compatibility is not related to the PR.

If I read your command correctly:
00 DA 01 50  14     80  11 1F FF   4B 01   43 04   00 00   00 00   00 00   00 00   00 00   00 00 90 00

0x14 bytes
80 is flag
11 1F FF is ACL?
4B 01     is  PIV auth key FID
43 04     is  PIV auth cert FID
No other keys or certs are mapped.
90 00 is status bytes


The OpenSC PIV card driver is based on NIST 800-73-3, which defines more objects than
4 keys and 4 certs on the card. It only uses the APDU commands defined in NIST 800-73-3.
There is no requirement that a PIV card support any other commands.

Having experience with other PIV-want-to-be cards such as the NEO, being PIV compliant
is not an easy task. (As the primary OpenSC PIV developer, I had to add code to
card-piv.c and pkcs15-piv.c to handle NEO issues.)

Can you or will your documentation answer these questions:

All versions of 800-73 define the CHUID object. Do you?
Windows requires a CHUID (or used to require it). OpenSC uses the FASCN or GUID from
the CHUID to derive a card serial number as NIST 800-73 does not define or require a
serial number.  (For both Windows and OpenSC the CHUID does not need to be signed.)
How would one write a CHUID and how is it mapped?
Without a CHUID OpenSC uses 00000000, which makes using multiple cards on the same machine
a problem.

What version of NIST 800-73 is the card code based on?

NIST 800-73-3 introduced the History object and retired keys and certs.
Do you support these?
How would these be mapped?

800-73 requires the Signature key to be "PIN Always" and the card enforces it.
Does your card enforce it?
(This is equivalent to PKCS#15 user_consent or PKCS#11 CKA_ALWAYS_AUTHENTICATE.)

800-73 also says the Card Management key does not require the PIN. I only see one ACL in your command,
how do you handle this?

When in PIV mode, what is the ATR? Most approved PIV cards put the AID in the
historical bytes, making it easy to identify.

Is there any other way to determine this is a MyEID running in PIV mode?
The OpenSC card-piv.c does a SELECT of the PIV AID and then tries to determine if this
is a true PIV or a PIV-want-to-be card that needs special handling.

Look at card-piv.c line 202:
  /* card_issues - bugs in PIV implementations requires special handling */
and the code starting at line 3006, or grep card_issues card-piv.c,
for other PIV compatibility issues I have seen.

Any way to get one of these cards for testing?

--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
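One way to read the PUT DATA trace decoded in the message above, as an added example that is not code from OpenSC or Aventra: it splits the 0x14-byte body into the flag, the ACL and eight 2-byte FID slots and reports what a PIV driver author would flag. The names of the first two slots come from the thread; the remaining slots are only reported as mapped or unmapped.

```python
# Added example (not OpenSC or Aventra code): decode the MyEID PIV-mapping
# PUT DATA trace quoted in the thread, using Douglas Engert's reading of its
# fields, which Hannu Honkanen confirmed. TRACE is the command plus status
# word copied from the message; only the first two slot names are from the thread.

TRACE = ("00 DA 01 50 14 80 11 1F FF 4B 01 43 04 "
         "00 00 00 00 00 00 00 00 00 00 00 00 90 00")

SLOT_NAMES = {0: "PIV auth key FID", 1: "PIV auth cert FID"}


def parse_piv_mapping(trace: str) -> dict:
    """Split the trace into APDU header, flag, ACL, FID slots and status word."""
    b = bytes.fromhex(trace.replace(" ", ""))
    cla, ins, p1, p2, lc = b[:5]
    if (ins, p1, p2) != (0xDA, 0x01, 0x50):
        raise ValueError("not the PUT DATA 01 50 mapping command")
    body = b[5:5 + lc]
    if len(body) != lc:
        raise ValueError(f"Lc says {lc} bytes, trace carries {len(body)}")
    sw = b[5 + lc:5 + lc + 2]          # status bytes appended to the trace
    flag, acl, slot_bytes = body[0], body[1:4], body[4:]
    if len(slot_bytes) % 2:
        raise ValueError("FID area is not a whole number of 2-byte FIDs")
    slots = []
    for i in range(len(slot_bytes) // 2):
        fid = int.from_bytes(slot_bytes[2 * i:2 * i + 2], "big")
        slots.append({"index": i,
                      "name": SLOT_NAMES.get(i, f"slot {i}"),
                      "fid": fid, "mapped": fid != 0})
    return {"cla": cla, "lc": lc, "flag": flag, "acl": acl.hex().upper(),
            "slots": slots, "sw": sw.hex().upper()}


def mapping_findings(parsed: dict) -> list:
    """Points a PIV driver author would raise against this mapping."""
    findings = []
    mapped = [s for s in parsed["slots"] if s["mapped"]]
    if len(mapped) < len(parsed["slots"]):
        findings.append(f"only {len(mapped)} of {len(parsed['slots'])} "
                        "FID slots mapped")
    # One ACL covers every mapped object, so the signature key (PIN always)
    # and the Card Management key (no PIN) cannot get distinct conditions.
    findings.append(f"single ACL {parsed['acl']} applies to all mapped objects")
    if parsed["sw"] != "9000":
        findings.append(f"status word {parsed['sw']} is not 90 00")
    return findings
```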

Re: MyEID and PIV

Aventra - Hannu Honkanen
Hi,

Your interpretation of the sample command is correct.

I will answer the questions that I can, and will have to check the rest with my colleague who has programmed the PIV emulation, when he returns from holidays.

>> What version of NIST 800-73 is the card code based on?

I think it's 800-73-3 (have to confirm this)

>> All versions of 800-73 define the CHUID object. Do you?
I have to check with my colleague.

>> 800-73 requires the Signature key to be "PIN Always" and the card enforces it.
>> Does your card enforce it?

In the MyEID interface this can be optionally set for each key EF separately in the CREATE FILE command, with the "AC to be cleared after crypto operation" flag. If you set this flag for the key that is mapped as the signature key, the card enforces it also in PIV mode, but I am not sure if the PIV emulation does this automatically.

>>800-73 also says the Card Management key does not require the PIN. I only see one ACL in your command, how do you handle this?

Will have to check with the developer.

>> When in PIV mode, what is the ATR? Most approved PIV cards put the AID in the historical bytes making it easy to identify.
When in PIV mode, the ATR is normally the same as in a normal MyEID card and the PIV support can be detected by selecting the PIV AID. It is possible to order MyEID cards with special ATRs, but in the cards sold in our web shop it is the "standard" MyEID ATR.

We are not even trying to implement the PIV specification fully. The cards should be used with MyEID middleware where possible. The main reason for implementing the PIV emulation is to make it possible to use the card in situations where installing OpenSC or other middleware is not possible: for example thin clients. Our goal is of course to comply with the PIV spec as well as possible for the parts that we implement.

Please send me your postal address and we will send you a couple of cards for testing.

- Hannu

-----Original message-----
From: Douglas E Engert [mailto:[hidden email]]
Sent: Thursday 29 December 2016 18:32
To: OpenSC-devel <[hidden email]>
Subject: [Opensc-devel] MyEID and PIV



Re: MyEID and PIV

Douglas E Engert


On 1/4/2017 5:35 AM, Aventra Development wrote:

> Hi,
>
> Your interpretation of the sample command is correct.
>
> I will answer the questions that I can, and will have to check the rest with my colleague who has programmed the PIV emulation, when he returns from holidays.
>
>>> What version of NIST 800-73 is the card code based on?
>
> I think it's 800-73-3 (have to confirm this)
>
>>> All versions of 800-73 define the CHUID object. Do you?
> I have to check with my colleague.
>
>>> 800-73 requires the Signature key to be "PIN Always" and the card enforces it.
>>> Does your card enforce it?
>
> In the MyEID interface this can be optionally set for each key EF separately in the CREATE FILE command, with the "AC to be cleared after crypto operation" flag. If you set this flag for the key that is mapped as the signature key, the card enforces it also in PIV mode, but I am not sure if the PIV emulation does this automatically.
>
>>> 800-73 also says the Card Management key does not require the PIN. I only see one ACL in your command, how do you handle this?
>
> Will have to check with the developer.
>
>>> When in PIV mode, what is the ATR? Most approved PIV cards put the AID in the historical bytes making it easy to identify.
> When in PIV mode, the ATR is normally the same as in a normal MyEID card and the PIV support can be detected by selecting the PIV AID. It is possible to order MyEID cards with special ATRs, but in the cards sold in our web shop it is the "standard" MyEID ATR.
>

That is OK; the AID of the default application in the historical bytes is not a PIV requirement.

> We are not even trying to implement the PIV specification fully. The cards should be used with MyEID middleware where possible. The main reason for implementing the PIV emulation is to make it possible to use the card in situations where installing OpenSC or other middleware is not possible: for example thin clients. Our goal is of course to comply with the PIV spec as well as possible for the parts that we implement.
>

A good goal, but it may lead to strange situations where one application is using the card as MyEID and another is using it as PIV.
That may make it hard to debug or identify conflicts if the AID is changed back and forth by both applications.


> Please send me your postal address and we will send you a couple of cards for testing.

Thanks, will send by separate e-mail.

>
> - Hannu
>
> -----Original message-----
> From: Douglas E Engert [mailto:[hidden email]]
> Sent: Thursday 29 December 2016 18:32
> To: OpenSC-devel <[hidden email]>
> Subject: [Opensc-devel] MyEID and PIV

--

  Douglas E. Engert  <[hidden email]>

