True Crypt keyfile can not be saved to the smart card


True Crypt keyfile can not be saved to the smart card

Marcin Małecki
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear All,

I am not sure that I should ask this question here, but I thought I
would give it a go.

In TrueCrypt I wanted to use a smart card for authentication. However,
after I added the proper library and authenticated the card, a problem arose.

I wanted to add a pre-existing 64-bit keyfile to the smart card, but when I
try to use the import function in TrueCrypt it comes up with "General Error".

It is not very descriptive.
I am using:
1) Siemens CardOS M4
2) MSI StarReader SMART

I successfully completed all stages of the Quick Start guide on the
website. After that I wanted to start using TrueCrypt with the smart card
but have had no luck.

Any ideas what I can try? Is there a way to copy this keyfile to the
smart card without using TrueCrypt?

Thanks
- --
Marcin Tomasz Malecki
Skryba Limited
+44 (0) 7538 450 106
(0) 845 430 20 92
http://www.skryba.co.uk
[hidden email]
- ---
Member of The Institute of Certified Bookkeepers
Practice Licence no: 8895
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAku+L3IACgkQRUOilnbowFm2mgCfUZJbWr0/f5EY36WimRmmlKuR
vKEAnAgGP8HoKjcfT5nFqxM60mBaNqzv
=+wHb
-----END PGP SIGNATURE-----
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: True Crypt keyfile can not be saved to the smart card

Andreas Jellinghaus-2
On Thursday 08 April 2010 21:33:06, Marcin Małecki wrote:
> Dear All,
>
> I am not sure that I should ask this question here, but I thought I
> would give it a go.
>
> In TrueCrypt I wanted to use a smart card for authentication. However,
> after I added the proper library and authenticated the card, a problem arose.

How does TrueCrypt use OpenSC? With opensc-pkcs11.so? Then you can use
pkcs11-spy.so (see the wiki for details) between TrueCrypt and
opensc-pkcs11.so to generate a log file and find out what is wrong.

(Keep the hexdump content to yourself; it might be your secret data/password...)

Also try the command line tools: with pkcs15-init you can store a secret
as a private data object.

Good luck!

Regards, Andreas

Re: True Crypt keyfile can not be saved to the smart card

Marcin Małecki
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thank you for taking time to respond.

Yes:
/usr/lib/opensc-pkcs11.so
so I changed it over to:
/usr/lib/pkcs11-spy.so
but I got "Device Error" when I click OK.

The wiki does not contain that much info about using the spy, to be honest. I
made a small modification to the config file but I am not sure that is
sufficient.

pkcs11-spy.la looks like this:

/////////////////////

# pkcs11-spy.la - a libtool library file
# Generated by ltmain.sh (GNU libtool) 2.2.6 Debian-2.2.6a-1ubuntu1
#
# Please DO NOT delete this file!
# It is necessary for linking the library.

# The name that we can dlopen(3).
dlname='pkcs11-spy.so'

# Names of this library.
library_names='pkcs11-spy.so pkcs11-spy.so pkcs11-spy.so'

# The name of the static archive.
old_library=''

# Linker flags that can not go in dependency_libs.
inherited_linker_flags=' -pthread'

# Libraries that this one depends upon.
dependency_libs='/usr/lib/opensc-pkcs11.so'

# Names of additional weak libraries provided by this library
weak_library_names=''

# Version information for pkcs11-spy.
current=0
age=0
revision=0

# Is this an already installed library?
installed=yes

# Should we warn about portability when linking against -modules?
shouldnotlink=yes

# Files to dlopen/dlpreopen
dlopen=''
dlpreopen=''

# Directory that this library needs to be installed in:
libdir='/usr/lib'


/////////////////////

I also did
pkcs15-init -W /file.ext
but TrueCrypt does not see the file on the card. It asks for the user
PIN and then shows a blank list.

pkcs15-init -W /file.ext asked me for the security officer PIN; how
does it know that this file is to be bound to my user? Is there a way to
specify this? I tried changing attributes but that can only change the label.

Marcin Tomasz Malecki
Skryba Limited
+44 (0) 7538 450 106
(0) 845 430 20 92
http://www.skryba.co.uk
[hidden email]
- ---
Member of The Institute of Certified Bookkeepers
Practice Licence no: 8895


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAku+/mcACgkQRUOilnbowFn3pwCdG4c3q/KxDQBvldodTYAhflAY
LqwAn3raa8TXrQQ/063sipg4DR5wWGZY
=JWQ0
-----END PGP SIGNATURE-----

Re: True Crypt keyfile can not be saved to the smart card

Andreas Jellinghaus-2
On Friday 09 April 2010 12:16:07, Marcin Małecki wrote:

> Thank you for taking time to respond.
>
> Yes:
> /usr/lib/opensc-pkcs11.so
> so I changed it over to:
> /usr/lib/pkcs11-spy.so
> but I got "Device Error" when I click OK.
>
> The wiki does not contain that much info about using the spy, to be honest. I
> made a small modification to the config file but I am not sure that is
> sufficient.

You need to set PKCS11SPY=/usr/lib/opensc-pkcs11.so
and PKCS11SPY_OUTPUT=/path/to/your/pkcs11-spy.log

Hmm, the wiki should be improved to clearly state this.

Set those environment variables with "export" and start the app
again, and see if that helps.

Good luck!

Regards, Andreas
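Andreas' advice above comes down to two environment variables and a log to read. The script below is an added example written for this thread (it is not OpenSC's or TrueCrypt's own code): it wraps a command with pkcs11-spy.so so that PKCS11SPY and PKCS11SPY_OUTPUT apply to that one process, and then lists every PKCS#11 call in the resulting log that returned something other than CKR_OK, which is usually enough to see where an application stops. It assumes the module paths from the thread, and that pkcs11-spy writes each call as a "N: C_Function" line closed by a "Returned:  rv CKR_NAME" line; the sample log at the end is constructed for trying the parser without a card, not a real capture.

```shell
#!/bin/sh
# Added example for this thread (not OpenSC's or TrueCrypt's own code).
# Assumptions: pkcs11-spy.so forwards to the module named in PKCS11SPY and
# writes its log to PKCS11SPY_OUTPUT (as Andreas states); the paths in the
# usage comments are the ones from the thread; the log layout parsed below
# is pkcs11-spy's "N: C_Function" / "Returned:  rv CKR_NAME" lines.

# Usage: pkcs11_spy_run LOGFILE REAL_MODULE SPY_MODULE COMMAND [ARGS...]
#   e.g. pkcs11_spy_run ~/pkcs11-spy.log /usr/lib/opensc-pkcs11.so \
#                       /usr/lib/pkcs11-spy.so truecrypt
# Verifies both modules exist, then runs COMMAND with the two variables set
# for that process only. Nothing is exported into the calling shell, so an
# "export" typed in a terminal (which is lost at the next login) is not
# needed; source this file from ~/.profile if you want the wrapper at hand
# in every session.
pkcs11_spy_run() {
    spy_log=$1; spy_real=$2; spy_mod=$3
    shift 3
    [ -f "$spy_real" ] || { echo "real PKCS#11 module not found: $spy_real" >&2; return 2; }
    [ -f "$spy_mod" ]  || { echo "pkcs11-spy module not found: $spy_mod" >&2; return 2; }
    PKCS11SPY="$spy_real" PKCS11SPY_OUTPUT="$spy_log" "$@"
}

# Usage: pkcs11_spy_failures LOGFILE
# Prints "<function> <CKR_ name>" for each call that did not return CKR_OK
# and returns the number of such calls (0 if every call succeeded). The
# hexdumps in the log are not printed: they can contain the keyfile bytes.
pkcs11_spy_failures() {
    awk '
        /^[0-9]+: C_/                  { fn = $2 }
        /^Returned:/ && $3 != "CKR_OK" { print fn, $3; n++ }
        END                            { exit n + 0 }
    ' "$1"
}

# Constructed sample log in the assumed layout, for trying the parser
# without a card. The CKR values are the PKCS#11 constants (0xA0, 0x101).
write_sample_log() {
    cat > "$1" <<'EOF'

0: C_GetFunctionList
Returned:  0 CKR_OK

1: C_Initialize
[in] pInitArgs = (nil)
Returned:  0 CKR_OK

2: C_OpenSession
Returned:  0 CKR_OK

3: C_Login
[in] userType = CKU_USER
Returned:  160 CKR_PIN_INCORRECT

4: C_CreateObject
Returned:  257 CKR_USER_NOT_LOGGED_IN
EOF
}
```

With TrueCrypt's "Security Tokens" setting pointing at /usr/lib/pkcs11-spy.so, launching it through pkcs11_spy_run gives the spy both variables without touching the login shell; running pkcs11_spy_failures on the log afterwards shows which call failed and with what return code, while the hexdumps that Andreas warns about stay in the log file only.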

Re: True Crypt keyfile can not be saved to the smart card

Martin Paljak-2
Hello,
On Apr 8, 2010, at 22:33 , Marcin Małecki wrote:
> I wanted to add pre-existing keyfile 64bits to the smartcard but when I
> try to use import function in TrueCrypt it comes up with General Error.
>
> It is not very descriptive.
> I am using:
> 1) Siemens CardOS M4
> 2) MSI StarReader SMART
It probably depends on the OpenSC version as well. I tried it as well and fixed the problem (can't remember if I committed the change) that caused the error, so I got further. I can't recall if I successfully managed to use TrueCrypt or not.

But it is important to know that TrueCrypt "abuses" PKCS#11 as a "file system interface" and that it is still possible to intercept the encryption key with local attacks. For performance reasons it is not realistic to encrypt a whole drive with keys *inside the card*.
Just a note that data objects are never sensitive and always exportable. So it is just a way to carry around your encryption key in a secure package (like FIPS 140-2 level 2) and have less stress if you lose your wallet with the card inside.




--
Martin Paljak
http://martin.paljak.pri.ee
+3725156495


Re: True Crypt keyfile can not be saved to the smart card

Marcin Małecki
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thank you again!
I have done:
export PKCS11SPY=/usr/lib/opensc-pkcs11.so
export PKCS11SPY_OUTPUT=/home/marcin/pkcs11-spy.log

and export prints:
declare -x PKCS11SPY="/usr/lib/opensc-pkcs11.so"
declare -x PKCS11SPY_OUTPUT="/home/marcin/pkcs11-spy.log"

However, after a reboot it is no longer there. I guess this is normal.

In TrueCrypt the library I am pointing to is: /usr/lib/pkcs11-spy.so

After I try to read it the result is:
////
Failed to initialize PKCS #11 security token library.
Please make sure the specified path and filename refer to a valid PKCS
#11 library. To specify a PKCS #11 library path and filename, select
'Settings' > 'Security Tokens'.
////

What I am thinking now is that maybe some modifications to the config file are
needed?

I changed one line to read: dependency_libs='/usr/lib/opensc-pkcs11.so'

The full file pkcs11-spy.la looks like this:

/////////////////////

# pkcs11-spy.la - a libtool library file
# Generated by ltmain.sh (GNU libtool) 2.2.6 Debian-2.2.6a-1ubuntu1
#
# Please DO NOT delete this file!
# It is necessary for linking the library.

# The name that we can dlopen(3).
dlname='pkcs11-spy.so'

# Names of this library.
library_names='pkcs11-spy.so pkcs11-spy.so pkcs11-spy.so'

# The name of the static archive.
old_library=''

# Linker flags that can not go in dependency_libs.
inherited_linker_flags=' -pthread'

# Libraries that this one depends upon.
dependency_libs='/usr/lib/opensc-pkcs11.so'

# Names of additional weak libraries provided by this library
weak_library_names=''

# Version information for pkcs11-spy.
current=0
age=0
revision=0

# Is this an already installed library?
installed=yes

# Should we warn about portability when linking against -modules?
shouldnotlink=yes

# Files to dlopen/dlpreopen
dlopen=''
dlpreopen=''

# Directory that this library needs to be installed in:
libdir='/usr/lib'


/////////////////////


I think it is really lame that TrueCrypt is not using proper smart card
functionality but only pretending to do so by leaving the keyfile on the
card. Even then it is better than just holding it on the hard drive :)

I am happy to provide you with text to update the wiki on the site once I
know myself how to do this. I am putting together a How To for Ubuntu
users anyway: http://ubuntuforums.org/showthread.php?p=9077683#post9077683

Kind regards
Marcin Tomasz Malecki
Skryba Limited
+44 (0) 7538 450 106
(0) 845 430 20 92
http://www.skryba.co.uk
[hidden email]
- ---
Member of The Institute of Certified Bookkeepers
Practice Licence no: 8895


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkvAeioACgkQRUOilnbowFm4PwCgkK7GSR/wtg0RabckeA4rJt4I
ExsAoKRRvOjn23DjB+1cMsHWJRIoVBUS
=xmM+
-----END PGP SIGNATURE-----

Re: True Crypt keyfile can not be saved to the smart card

Marcin Małecki
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
I am a bit stuck on this one. Can someone please post their
/usr/lib/pkcs11-spy.so file, as my mods seem not to work :(
and I have not made a backup copy, sadly.
Thanks
Marcin Tomasz Malecki
Skryba Limited
+44 (0) 7538 450 106
(0) 845 430 20 92
http://www.skryba.co.uk
[hidden email]
- ---
Member of The Institute of Certified Bookkeepers
Practice Licence no: 8895


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkvKsBwACgkQRUOilnbowFkS3gCgpMMZnkeiCfuO3yLRtxoSCse6
88YAoJHBj2k044HFKiiNvQ6PXaLhPg62
=tDam
-----END PGP SIGNATURE-----