Smartcards / USB Tokens


Smartcards / USB Tokens

Stephen Paul Weber-3

I wish to purchase a smartcard/reader or USB token (I'm not sure pros/cons
on these... it seems that since there are hardware standards for USB tokens
and you don't need to carry around a reader they might be better?) that I
can use to log into websites, my local system, remote systems, and sign and
decrypt email.  I want this card to not provide a facility for reading off
my private key (though I understand that through the use of acid and magic
one might extract the key from the card) and I want to use Firefox, PAM,
OpenSSH, Putty, and GnuPG to do this.

I'd also like to be able to support RSA keys up to 4096 bits.

From what I can see of the industry (which mostly looks pretty hobo) this
*might* be possible today.  Hacks for OpenSSH/GPG exist to use PKCS#11 drivers,
which OpenSC makes for many different cards (since apparently you have to
support each card/reader separately...  that's awesome...) and Firefox
supports that protocol just fine and there is a PAM module.  So Firefox is
the only "plug in and go".  Also I can't find anything with decryption or
RSA over 2048 bits.

Does the hardware/software to do this exist, and if not how much is missing?

--
Stephen Paul Weber, @singpolyma
Please see <http://singpolyma.net> for how I prefer to be contacted.
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: Smartcards / USB Tokens

Martin Paljak-2
Hello
On Sep 17, 2010, at 9:17 PM, Stephen Paul Weber wrote:
> I wish to purchase a smartcard/reader or USB token (I'm not sure pros/cons
> on these... it seems that since there are hardware standards for USB tokens
> and you don't need to carry around a reader they might be better?)
They both have hardware standards. USB tokens might be more convenient (no reader needed), normal smart cards can be used with pinpad readers and other appliances with built in smart card readers, that don't allow plugging in arbitrary USB devices.


> that I
> can use to log into websites, my local system, remote systems, and sign and
> decrypt email.  I want this card to not provide a facility for reading off
> my private key (though I understand that through the use of acid and magic
> one might extract the key from the card)
Most smart cards don't allow exporting plaintext keys. Better cards have intrusion detection and key erasing capabilities. The fact that you ask on a public mailing list probably means you are safe from CIA and NSA and acid attacks.


> and I want to use Firefox, PAM,
> OpenSSH, Putty, and GnuPG to do this.
GnuPG is the only one that does not have straightforward PKCS#11 support.



> I'd also like to be able to support RSA keys up to 4096 bits.
Most cards can do 2048b keys these days. I know only CryptoStick that can do 3072b keys. I don't know any smart card with 4k key capabilities.

The lifetime of casual client keys usually is smaller than the suggested security lifetime of 2048b keys. At least it should be smaller.


> From what I can see of the industry (which mostly looks pretty hobo) this
> *might* be possible today.  Hacks for OpenSSH/GPG exist to use PKCS#11 drivers,
OpenSSH 5.3+ supports smart cards without any hacks.

> which OpenSC makes for many different cards (since apparently you have to
> support each card/reader seperately...  that's awesome...) and Firefox
> supports that protocol just fine and there is a PAM module.  So Firefox is
> the only "plug in and go".  
The "plug and play" capabilities of Firefox are not the best. Most PKCS#11 applications could be pretty much plug and go (and yes, you need to "plug" the right PKCS#11 module into the application).


> Also I can't find anything with decryption or
> RSA over 2048 bits.
See above.

--
Martin Paljak
@martinpaljak.net
+3725156495

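As an added example (not part of the thread, and not OpenSC's own tooling): a POSIX shell script that "plugs" an OpenSC PKCS#11 module into OpenSSH and Firefox along the lines Martin describes. The commands are the stock ones (ssh-keygen -D, ssh-add -s, pkcs11-tool, modutil); the module search directories, the Firefox profile directory and the module label "OpenSC" are assumptions and will need adjusting per system. Only the public halves of the keys ever leave the token; the private key is used on-card.

```shell
#!/bin/sh
# Added example: wire an OpenSC PKCS#11 module into OpenSSH and Firefox.
# Search paths, profile directory and module label below are assumptions.

# Locate a PKCS#11 shared object. $1 is the file name, the remaining
# arguments are directories to search, so callers can supply their own list.
find_pkcs11_module() {
    name=$1; shift
    for dir in "$@"; do
        if [ -r "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# Common distribution install locations for opensc-pkcs11.so (assumed).
default_module() {
    find_pkcs11_module opensc-pkcs11.so \
        /usr/lib/pkcs11 /usr/lib/x86_64-linux-gnu /usr/lib64 /usr/lib /usr/local/lib
}

# Print the public keys held on the token in authorized_keys format.
# ssh-keygen cannot read the private key; the card only exposes public objects.
list_token_pubkeys() {
    ssh-keygen -D "$1"
}

# Hand the token to a running ssh-agent; ssh-add prompts for the card PIN.
register_with_agent() {
    ssh-add -s "$1"
}

# Load the module into a Firefox profile's NSS security module database.
# $1: module path, $2: profile directory (assumed to live under ~/.mozilla/firefox).
register_with_firefox() {
    modutil -dbdir "sql:$2" -add "OpenSC" -libfile "$1" -force
}

main() {
    module=$(default_module) || { echo "opensc-pkcs11.so not found" >&2; return 1; }
    echo "Using PKCS#11 module: $module"
    # Ask the card what it holds; --login shows private objects as well (by reference only).
    pkcs11-tool --module "$module" --list-objects --login
    # Export public keys in the form sshd expects in ~/.ssh/authorized_keys.
    list_token_pubkeys "$module" > token_id.pub
    register_with_agent "$module"
    if [ -n "${FIREFOX_PROFILE:-}" ]; then
        register_with_firefox "$module" "$FIREFOX_PROFILE"
    fi
}

# Run the procedure only when explicitly requested, so the functions can be
# sourced and reused without touching a token.
if [ -n "${TOKEN_SETUP_RUN:-}" ]; then
    main "$@"
fi
```

Run it as `TOKEN_SETUP_RUN=1 FIREFOX_PROFILE=~/.mozilla/firefox/<profile> sh token-setup.sh`. For a one-off login without the agent, `ssh -I /path/to/opensc-pkcs11.so user@host` points ssh at the same module directly; the contents of token_id.pub go into authorized_keys on the server side.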

Re: Smartcards / USB Tokens

Jean-Michel Pouré - GOOZE
In reply to this post by Stephen Paul Weber-3
> Does the hardware/software to do this exist, and if not how much is
> missing?

You may try visiting these pages:
http://www.gooze.eu/smart-card-starter-kit
http://www.gooze.eu/feitian-epass-pki-token

Like written previously, very few smartcards go beyond 2048bit.

Kind regards,
--
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu
