Smart Card diagram for beginners


Smart Card diagram for beginners

SiR GadaBout
Hi,

Okay, I'm in the process of trying to document my experience with creating this Smart Card device for login purposes with a view to posting it on my website.  I'd like to make it easier for those who don't like, or aren't accustomed to using, strong passwords for login (such as my parents) to implement Smart Cards more cheaply than proprietary solutions allow.  It's also a way for me to formalise what I've learned into something concrete that I can refer to when my memory goes south on the subject.

If nobody minds, I'd like to ask for opinions on the veracity of the information I've presented (not the presentation - that kind of criticism can come later). It's a work in progress, but I'd rather verify my understanding of what I've done so far before continuing.

Here's the link: http://picasaweb.google.co.uk/lh/photo/UqygBvgQQW8fJacGJ33wZNXwv3IzuXrXt10JRK_0TjM?feat=directlink

If I have one doubt, it's concerning the last section - am I right in positing that there are two tokend's supplied by OpenSC: one for backwards compatibility with Mozilla and SSH (PKCS#11), and one for integration with Apple's CDSA security implementation (OpenSC)?

If that's the case, I have a second question.  The instructions at gooze.eu rely on the use of the PKCS#11 tokend, so far as I can tell, but I'm not a Mozilla user.  So, how do I go about setting up a Smart Card for compatibility with the OpenSC tokend, and therefore direct compatibility with Apple's tokend implementation?  Are there instructions for that somewhere?

Kind regards,

S.



_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: Smart Card diagram for beginners

Ludovic Rousseau
2010/6/13 Simon Burrell <[hidden email]>:

> Hi,
> Okay, I'm in the process of trying to document my experience with creating
> this Smart Card device for login purposes with a view to posting it on my
> website.  I'd like to make it easier for those who don't like, or aren't
> accustomed to using, strong passwords for login (such as my parents) to
> implement Smart Cards more cheaply than proprietary solutions allow.  It's
> also a way for me to formalise what I've learned into something concrete
> that I can refer to when my memory goes south on the subject.
> If nobody minds, I'd like to ask for opinions on the veracity of the
> information I've presented (not the presentation - that kind of criticism
> can come later). It's a work in progress, but I'd rather verify my
> understanding of what I've done so far before continuing.
> Here's the link:
> http://picasaweb.google.co.uk/lh/photo/UqygBvgQQW8fJacGJ33wZNXwv3IzuXrXt10JRK_0TjM?feat=directlink
> If I have one doubt, it's concerning the last section - am I right in
> positing that there are two tokend's supplied by OpenSC: one for backwards
> compatibility with Mozilla and SSH (PKCS#11), and one for integration with
> Apple's CDSA security implementation (OpenSC)?
> If that's the case, I have a second question.  The instructions at gooze.eu
> rely on the use of the PKCS#11 tokend, so far as I can tell, but I'm not a
> Mozilla user.  So, how do I go about setting up a Smart Card for
> compatibility with the OpenSC tokend, and therefore direct compatibility
> with Apple's tokend implementation?  Are there instructions for that
> somewhere?

What you call a PKCS#11 tokend is not a tokend. It is a PKCS#11
library using the CDSA infrastructure (so the tokend below).

Maybe you should add a PC/SC layer between CCID and Entersafe

Entersafe is in fact OpenSC with the Entersafe driver

The communications between the boxes are bi-directional.

CDSA (Common Data Security Architecture) is not a proprietary
technology. The specs are public [1]. But only Apple uses it AFAIK.

[1] http://www.opengroup.org/security/l2-cdsa.htm

--
 Dr. Ludovic Rousseau

Re: Smart Card diagram for beginners

Martin Paljak
Hello,

On Jun 13, 2010, at 11:55, Ludovic Rousseau wrote:
> 2010/6/13 Simon Burrell <[hidden email]>:
>> http://picasaweb.google.co.uk/lh/photo/UqygBvgQQW8fJacGJ33wZNXwv3IzuXrXt10JRK_0TjM?feat=directlink

Here's a quick re-make of your picture:

http://martinpaljak.net/OpenSC-MacOSX.png

>> If I have one doubt, it's concerning the last section - am I right in
>> positing that there are two tokend's supplied by OpenSC: one for backwards
>> compatibility with Mozilla and SSH (PKCS#11), and one for integration with
>> Apple's CDSA security implementation (OpenSC)?

There's just one tokend, OpenSC.tokend and it is not used by Mozilla or SSH (at least not directly) but with native OS X applications like Mail.app and Safari (and logon).


>> If that's the case, I have a second question.  The instructions at gooze.eu
>> rely on the use of the PKCS#11 tokend, so far as I can tell, but I'm not a
>> Mozilla user.
Don't know about those instructions or if they are valid.


>>  So, how do I go about setting up a Smart Card for
>> compatibility with the OpenSC tokend, and therefore direct compatibility
>> with Apple's tokend implementation?  Are there instructions for that
>> somewhere?

Once you have initialized a token with OpenSC (which at this time means using pkcs15-init) your card enters a "ready for use, (mostly) read only" stage which means it is usable via either PKCS#11 as provided by the OpenSC implementation or native Mac applications via OpenSC.tokend. There are no extra instructions for using OpenSC.tokend, the instructions would be generic "how to use mac apps" like Safari or Mail.app with encryption or authentication.



>
> CDSA (Common Data Security Architecture) is not a proprietary
> technology. The specs are public [1]. But only Apple uses it AFAIK.

It is like ObjC - in theory it is not a proprietary language but I don't know any other major incarnation of ObjC than Apple.

--
Martin Paljak
http://martin.paljak.pri.ee
+3725156495


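
The procedure Martin describes (initialise the card once with pkcs15-init, after which it is usable through OpenSC's PKCS#11 module or through OpenSC.tokend) and the layering Ludovic sketches (CCID reader driver, PC/SC, OpenSC with its card driver), put together as an added example script. This is not code from the thread or from the OpenSC project. It assumes the OpenSC command-line tools are on $PATH, that the card works with the generic pkcs15+onepin profile without card-specific options (some cards additionally need e.g. a transport key), that the PKCS#11 module lives at the path in OPENSC_PKCS11 (install-dependent), and that key ID 45 and auth ID 01 are acceptable; those values, the "login key" label and the assumption that a tokend-backed card appears in `security list-keychains` are this example's choices, not something the posts state.

```shell
#!/bin/sh
# Provision a card for login with OpenSC, then check every layer of the stack
# from the thread's diagram: reader (CCID -> PC/SC), OpenSC card driver,
# PKCS#15 structure, PKCS#11 module and, on OS X, the tokend path.
# Added example, not OpenSC's own tooling.  Assumptions: OpenSC tools on
# $PATH; pkcs15+onepin profile is enough for the card; OPENSC_PKCS11 points
# at the module; key ID 45 / auth ID 01 / label are arbitrary choices.
# PINs are deliberately NOT passed as --pin/--puk: pkcs15-init prompts for
# them, so they never appear in `ps` output or shell history.
set -e

: "${OPENSC_PKCS11:=/usr/local/lib/opensc-pkcs11.so}"   # assumed install path
KEY_ID=45
AUTH_ID=01

# Execute a command, or only print it when DRY_RUN=1.  Lets you review the
# exact pkcs15-init invocations before touching a card (and exercise this
# file without hardware).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time initialisation.  Afterwards the card is in the "ready for use,
# (mostly) read only" state and is reachable via PKCS#11 and OpenSC.tokend.
provision_card() {
    cert="$1"                       # PEM certificate issued for the card key
    [ -n "$cert" ] || { echo "usage: provision_card CERT.pem" >&2; return 2; }
    # 1. wipe any previous PKCS#15 structure (destroys existing keys!)
    run pkcs15-init --erase-card
    # 2. create the PKCS#15 application with one user PIN (prompted for)
    run pkcs15-init --create-pkcs15 --profile pkcs15+onepin
    # 3. generate the RSA key pair on the card, protected by that PIN
    run pkcs15-init --generate-key rsa/2048 --auth-id "$AUTH_ID" \
        --id "$KEY_ID" --key-usage sign,decrypt --label "login key"
    # 4. store the certificate under the same ID so apps can pair it with the key
    run pkcs15-init --store-certificate "$cert" --format pem \
        --id "$KEY_ID" --auth-id "$AUTH_ID"
}

# Walk the stack bottom-up; the first failing step names the broken layer.
verify_card() {
    run opensc-tool --list-readers          # CCID driver + PC/SC see the reader
    run opensc-tool --name                  # OpenSC matched a card driver
    run pkcs15-tool --list-pins             # PKCS#15 structure is readable
    run pkcs15-tool --list-keys
    run pkcs15-tool --list-certificates
    run pkcs11-tool --module "$OPENSC_PKCS11" --list-objects   # PKCS#11 path
    if [ "$(uname -s)" = "Darwin" ]; then
        # tokend path (assumed behaviour): the card shows up as a keychain and
        # its certificate+key as an identity usable by Mail.app, Safari, logon
        run security list-keychains
        run security find-identity -v
    fi
}

case "${1:-}" in
    provision) provision_card "${2:-}" ;;
    verify)    verify_card ;;
    "")        ;;   # no arguments: only define the functions (e.g. when sourced)
    *)         echo "usage: $0 provision CERT.pem | verify" >&2; exit 2 ;;
esac
```

`DRY_RUN=1 sh card.sh provision login.pem` prints the four pkcs15-init commands for review; run it for real only against a blank test card first, because `--erase-card` destroys whatever keys are already there. `sh card.sh verify` then exercises each layer in turn, so a failure at `opensc-tool --list-readers` points at CCID/PC/SC, at `opensc-tool --name` at the OpenSC card driver, and at `pkcs11-tool` or `security` at the two consumer paths from Martin's diagram. Card-specific initialisation options that a particular driver may require are not covered.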

Re: Smart Card diagram for beginners

SiR GadaBout
Hi,

Now that I've managed to get the Smart Card login working, I'll sit back and try to get a handle on what I've actually done.  Ludovic, thanks for the constructive criticism.  And Martin, thanks for your version of my diagram - that actually helps a lot, because you tied together all the parts that originate with OpenSC.

Kind regards,

S.
