Yubico Neo with OpenPGP and PIV applets


Yubico Neo with OpenPGP and PIV applets

Douglas E Engert
There has been a discussion among the OpenSC developers on how to support the Neo with the PIV application and the OpenPGP applications.

https://github.com/OpenSC/OpenSC/pull/507

https://github.com/OpenSC/OpenSC/issues/538

Some of the issues include:

How does Yubico see the Neo being used if it has both a PIV and OpenPGP application?
Is one default?
How is the default set?
Can the default be set on the card?

The Neo presents the same ATR for both. The Neo does not take advantage of the ATR Historical bytes.

Are there end users who want to use both, at the same time?

Has Yubico looked at presenting the Neo as two devices on the USB bus with different ATRs for the
OpenPGP and PIV applications? (Historical bytes including the AID?)

The OpenSC PIV driver checks for the PIV AID. The OpenSC OpenPGP driver has not, but issue #507 is trying to address this.

The OpenSC developer community consists mostly of individual developers or companies that are interested in only one card or application.
Very few have the ability to test more than a few cards with their favorite application, or how modifications to OpenSC affect other
cards or other applications they don't have.

Do Yubico developers follow the OpenSC discussions?
Do they test OpenSC with their devices?

I would like to hear from Yubico on these issues.
Either on the OpenSC-devel list or via comments on the above GitHub issues.

Thanks.



--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Yubico Neo with OpenPGP and PIV applets

Klas Lindfors
Hello,


How does Yubico see the Neo being used if it has both a PIV and OpenPGP application?

From Yubico's (or at least my) perspective the thinking around the applications is that PIV is used through OpenSC/Windows and OpenPGP is used through gnupg. Our perspective has been that they're typically not used at the same time.
 
Is one default?
How is the default set?
Can the default be set on the card?

We've not thought of one of those two as default, more as options depending on what the user wants / what the application supports. There is no default selected applet on the Neo, and it can't be set.
 

The Neo presents the same ATR for both. The Neo does not take advantage of the ATR Historical bytes.

No, we've not used the ATR at all to advertise what applications are present, the ATR is also different over the contactless interface.


Are there end users who want to use both, at the same time?

There have been questions about this, not very common, and we've not come up with a good solution for it.
 

Has Yubico looked at presenting the Neo as two devices on the USB bus with different ATRs for the
OpenPGP and PIV applications? (Historical bytes including the AID?)

It's an interesting idea, I'm not sure how practical it is (due to several issues) but I'm happy to discuss possible solutions to simultaneous use.
 

The OpenSC PIV driver checks for the PIV AID. The OpenSC OpenPGP driver has not, but issue #507 is trying to address this.

I've always found checking for the AID to be more exact, but that's coming from an angle where multiple applications can be loaded and you can't really tell from the ATR exactly what applications might be found on a specific card.
 

Do Yubico developers follow the OpenSC discussions?

I try to follow opensc-devel for relevant stuff and keep up to date with what happens in the code.
 
Do they test OpenSC with their devices?

As I wrote above, our view is that the PIV parts of YubiKey devices should work with OpenSC, and we test that.
 

Thanks.

Thank you!

/klas


Re: Yubico Neo with OpenPGP and PIV applets

Frank Morgner
Hi, Klas!

Thanks for clarifying. With your response we'll use PIV as default for
the NEO.

Just one more question: We encountered a bug in the PIV applet that's
specific for the NEO, see https://github.com/OpenSC/OpenSC/pull/530.
We'd like to add a workaround only for the NEO. How do we identify the
NEO if the ATR is not unique (or may change depending on the interface)?

Greets, Frank.


On Wednesday, 2 September, at 12:10, Klas Lindfors wrote:

> Hello,
>
>
> How does Yubico see the Neo being used if it has both a PIV and OpenPGP
> > application?
> >
>
> From Yubico's (or at least my) perspective the thinking around the
> applications is that PIV is used through OpenSC/Windows and OpenPGP is used
> through gnupg. Our perspective has been that they're typically not used at
> the same time.
>
>
> > Is one default?
> > How is the default set?
> > Can the default be set on the card?
> >
>
> We've not thought of one of those two as default, more as options depending
> on what the user wants / what the application supports. There is no default
> selected applet on the Neo, and it can't be set.
>
>
> >
> > The Neo presents the same ATR for both. The Neo does not take advantage of
> > the ATR Historical bytes.
> >
>
> No, we've not used the ATR at all to advertise what applications are
> present, the ATR is also different over the contactless interface.
>
>
> > Are there end users who want to use both, at the same time?
> >
>
> There have been questions about this, not very common, and we've not come up
> with a good solution for it.
>
>
> >
> > Has Yubico looked at presenting the Neo as two devices on the USB bus with
> > different ATRs for the
> > OpenPGP and PIV applications? (Historical bytes including the AID?)
> >
>
> It's an interesting idea, I'm not sure how practical it is (due to several
> issues) but I'm happy to discuss possible solutions to simultaneous use.
>
>
> >
> > The OpenSC PIV driver checks for the PIV AID. The OpenSC OpenPGP driver
> > has not, but issue #507 is trying to address this.
> >
>
> I've always found checking for the AID to be more exact, but that's coming from
> an angle where multiple applications can be loaded and you can't really
> tell from the ATR exactly what applications might be found on a specific
> card.
>
>
> >
> > Do Yubico developers follow the OpenSC discussions?
> >
>
> I try to follow opensc-devel for relevant stuff and keep up to date with
> what happens in the code.
>
>
> > Do they test OpenSC with their devices?
> >
>
> As I wrote above, our view is that the PIV parts of YubiKey devices should
> work with OpenSC, and we test that.
>
> >
> >
> > Thanks.
> >
>
> Thank you!
>
> /klas


--
Frank Morgner

Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE                        http://openpace.sourceforge.net
IFD Handler for libnfc Devices  http://sourceforge.net/projects/ifdnfc


Re: Yubico Neo with OpenPGP and PIV applets

Douglas E Engert
In reply to this post by Klas Lindfors
Thanks for the response!
and a few additional comments...

On 9/2/2015 5:10 AM, Klas Lindfors wrote:
> Hello,
>
>
>     How does Yubico see the Neo being used if it has both a PIV and OpenPGP application?
>
>
> From Yubico's (or at least my) perspective the thinking around the applications is that PIV is used through OpenSC/Windows and OpenPGP is used through gnupg. Our perspective has been that they're
> typically not used at the same time.

Yes. But IIRC there have been some comments on this or another mailing list that while openpgp is using the card it locks the card up via PCSC, so the PIV can not be used for web authentication.
Which implies that some users have programs running trying to use both applets. This may not be a Neo problem, but the openpgp card drivers.

>
>     Is one default?
>     How is the default set?
>     Can the default be set on the card?
>
>
> We've not thought of one of those two as default, more as options depending on what the user wants / what the application supports. There is no default selected applet on the Neo, and it can't be set.

The OpenSC issue is that it can support both, and we need a better way for a user to tell OpenSC what it should do, or OpenSC needs a way to present them via PKCS#11 as different tokens,
in multiple slots.

>
>
>     The Neo presents the same ATR for both. The Neo does not take advantage of the ATR Historical bytes.
>
>
> No, we've not used the ATR at all to advertise what applications are present, the ATR is also different over the contactless interface.

The PIV driver does not compare ATRs these days. I never noticed. It looks for the PIV AID on any card; it's looking for the applet, not the card.
The OpenPGP driver needs to do this too.

>
>
>     Are there end users who want to use both, at the same time?
>
>
> There have been questions about this, not very common, and we've not come up with a good solution for it.
>
>
>     Has Yubico looked at presenting the Neo as two devices on the USB bus with different ATRs for the
>     OpenPGP and PIV applications? (Historical bytes including the AID?)

For example, using the NIST test cards. In my set (other sets may be different)

Card 1 is a Gemalto PIV 1.5.5 DLv1, no NFC, uses T=0
3b:7d:96:00:00:80:31:80:65:b0:83:11:17:d6:83:00:90:00

Card 2 is an Oberthur ID-One PIV, has NFC, uses T=1
3b:df:96:00:81:b1:fe:45:1f:83:80:73:cc:91:cb:f9:a0:00:00:03:08:00:00:10:00:79

Note the PIV AID in the historical bytes a0:00:00:03:08:00:00:10:00

>
>
> It's an interesting idea, I'm not sure how practical it is (due to several issues) but I'm happy to discuss possible solutions to simultaneous use.

If Neo hardware can support it, it could get around the openpgp locking problem. The Neo already presents itself as a USB keyboard, and a USB smartcard reader.

It could present itself as a keyboard, and a USB reader for each application it supports via CCID. Each application having its own ATR.
To the OS it looks like the user plugged in multiple readers with a different type of smart card in each.
PCSC would treat them as separate readers and devices. Thus different smartcard middleware would not lock each other out while trying to use the cards.
So combinations of Windows PIV driver, OpenSC or some other OpenPGP driver would see the card they wanted to see looking for the AID or ATR.

>
>
>     The OpenSC PIV driver checks for the PIV AID. The OpenSC OpenPGP driver has not, but issue #507 is trying to address this.
>
>
> I've always found checking for the AID to be more exact, but that's coming from an angle where multiple applications can be loaded and you can't really tell from the ATR exactly what applications might
> be found on a specific card.

I agree. It also means that as an applet is ported to newer cards, because some issuing agency (gov or company...) wants to change cards,
the AID stays the same and the applet will still be found by the existing middleware.


>
>
>     Do Yubico developers follow the OpenSC discussions?
>
>
> I try to follow opensc-devel for relevant stuff and keep up to date with what happens in the code.
>
>     Do they test OpenSC with their devices?
>
>
> As I wrote above, our view is that the PIV parts of YubiKey devices should work with OpenSC, and we test that.
>
>
>     Thanks.
>
>
> Thank you!
>
> /klas

--

  Douglas E. Engert  <[hidden email]>
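A worked example of the ATR point made above, added here and not part of the thread, of OpenSC or of Yubico's code: it splits an ISO 7816-3 ATR into its interface bytes, protocols, historical bytes and TCK checksum, decodes the COMPACT-TLV objects in the historical bytes, and looks for an AID object (tag 0xF) there. The two NIST test-card ATRs quoted in the post are the sample input; card 2 advertises the PIV AID in its historical bytes, card 1 does not. When the ATR advertises nothing (the NEO case), the only reliable check is to send the SELECT-by-AID APDU the last function builds and look at the status word. The OpenPGP AID prefix and the NIST version suffix mentioned in the comments are from the respective specifications, not from the post.

```python
"""Parse ATRs, find an AID in the historical bytes, build SELECT-by-AID.

Added example; not OpenSC or Yubico code.
"""

# Constructed sample input: the two NIST test-card ATRs quoted in the post.
CARD1_ATR = "3b:7d:96:00:00:80:31:80:65:b0:83:11:17:d6:83:00:90:00"
CARD2_ATR = "3b:df:96:00:81:b1:fe:45:1f:83:80:73:cc:91:cb:f9:a0:00:00:03:08:00:00:10:00:79"

# PIV AID as it appears in card 2's historical bytes. NIST SP 800-73 appends a
# two-byte version (01 00) to this when the application is selected.
PIV_AID = bytes.fromhex("a00000030800001000")
# OpenPGP card RID + PIX prefix (D2 76 00 01 24 01), the AID gnupg selects.
OPENPGP_AID_PREFIX = bytes.fromhex("d27600012401")


def parse_atr(atr_hex: str) -> dict:
    """Split an ATR into protocols, interface bytes, historical bytes and TCK."""
    atr = bytes.fromhex(atr_hex.replace(":", "").replace(" ", ""))
    if atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte")
    t0 = atr[1]
    hist_len = t0 & 0x0F          # low nibble of T0: number of historical bytes
    y, idx, round_no = t0 >> 4, 2, 1
    interface, protocols = [], []
    while True:                   # walk TA/TB/TC/TD chains until no TDi
        td = None
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                interface.append((f"{name}{round_no}", atr[idx]))
                if name == "TD":
                    td = atr[idx]
                idx += 1
        if td is None:
            break
        protocols.append(td & 0x0F)   # low nibble of TDi names protocol T=x
        y, round_no = td >> 4, round_no + 1
    if not protocols:
        protocols = [0]               # no TD1 at all: T=0 is implied
    historical = atr[idx:idx + hist_len]
    idx += hist_len
    tck_ok = None
    if any(p != 0 for p in protocols):   # TCK is present unless only T=0 is offered
        if idx != len(atr) - 1:
            raise ValueError("ATR length does not match its header")
        xor = 0
        for b in atr[1:]:             # T0 .. TCK must XOR to zero
            xor ^= b
        tck_ok = xor == 0
    elif idx != len(atr):
        raise ValueError("ATR length does not match its header")
    return {"protocols": protocols, "interface": interface,
            "historical": historical, "tck_ok": tck_ok}


def compact_tlv(historical: bytes) -> list:
    """Decode ISO 7816-4 COMPACT-TLV objects (category indicator 0x80 only)."""
    if not historical or historical[0] != 0x80:
        return []
    objs, i = [], 1
    while i < len(historical):
        tag, length = historical[i] >> 4, historical[i] & 0x0F
        objs.append((tag, bytes(historical[i + 1:i + 1 + length])))
        i += 1 + length
    return objs


def aid_from_atr(atr_hex: str):
    """Return the AID advertised in the ATR (COMPACT-TLV tag 0xF) or None."""
    for tag, value in compact_tlv(parse_atr(atr_hex)["historical"]):
        if tag == 0xF:
            return value
    return None


def application_hint(atr_hex: str) -> str:
    """What the ATR alone tells a driver: 'PIV', 'OpenPGP' or 'unknown'."""
    aid = aid_from_atr(atr_hex)
    if aid is None:
        return "unknown"
    if aid.startswith(PIV_AID):
        return "PIV"
    if aid.startswith(OPENPGP_AID_PREFIX):
        return "OpenPGP"
    return "unknown"


def select_apdu(aid: bytes) -> bytes:
    """SELECT by DF name: CLA 00, INS A4, P1 04, P2 00, Lc, AID (no Le)."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid


if __name__ == "__main__":
    for name, atr in (("card 1", CARD1_ATR), ("card 2", CARD2_ATR)):
        info = parse_atr(atr)
        print(name, "protocols", info["protocols"], "hint", application_hint(atr))
    # An ATR without an AID object gives no hint; the driver must SELECT and
    # check the status word instead of trusting the ATR.
    print("SELECT PIV:", select_apdu(PIV_AID).hex())
```

Running it reports card 1 as T=0 with no application hint and card 2 as T=1 (plus a T=15 global interface byte) advertising the PIV AID, which matches the note under the ATRs above; the TCK of card 2 verifies, and card 1 has none because it offers only T=0.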



Re: Yubico Neo with OpenPGP and PIV applets

Simon Josefsson
Douglas E Engert <[hidden email]> writes:

> Thanks for the response!
> and a few additional comments...
>
> On 9/2/2015 5:10 AM, Klas Lindfors wrote:
>> Hello,
>>
>>
>>     How does Yubico see the Neo being used if it has both a PIV and OpenPGP application?
>>
>>
>> From Yubico's (or at least my) perspective the thinking around the applications is that PIV is used through OpenSC/Windows and OpenPGP is used through gnupg. Our perspective has been that they're
>> typically not used at the same time.
>
> Yes. But IIRC there have been some comments on this or another mailing list that
> while openpgp is using the card it locks the card up via PCSC, so the
> PIV can not be used for web authentication.
> Which implies that some users have programs running trying to use both
> applets. This may not be a Neo problem, but the openpgp card drivers.
That problem is because scdaemon opens the smartcard (via pcsc) in
exclusive mode, thereby locking out other pcsc users.  This was
discussed recently on the GnuPG devel list, and it is not related to NEO
or OpenSC.  One solution is to kill scdaemon when you want to do
non-scdaemon-based access.  It is not particularly pleasing, but at least
it works reliably.

>>     Is one default?
>>     How is the default set?
>>     Can the default be set on the card?
>>
>>
>> We've not thought of one of those two as default, more as options
>> depending on what the user wants / what the application
>> supports. There is no default selected applet on the Neo, and it
>> can't be set.
>
> The OpenSC issue is that it can support both, and we need a better way for
> a user to tell OpenSC what it should do, or OpenSC needs a way to
> present them via PKCS#11 as different tokens,
> in multiple slots.
Using PKCS#11 URLs in application contexts may help.  Then the user can
specify which token is intended.

>> It's an interesting idea, I'm not sure how practical it is (due to
>> several issues) but I'm happy to discuss possible solutions to
>> simultaneous use.
>
> If Neo hardware can support it, it could get around the openpgp
> locking problem. The Neo already presents itself as a USB keyboard,
> and a USB smartcard reader.
>
> It could present itself as a keyboard, and a USB reader for each
> application it supports via CCID. Each application having its own ATR.
> To the OS it looks like the user plugged in multiple readers with a different type of smart card in each.
> PCSC would treat them as separate readers and devices. Thus different
> smartcard middleware would not lock each other out while trying to use
> the cards.
> So combinations of Windows PIV driver, OpenSC or some other OpenPGP
> driver would see the card they wanted to see looking for the AID or
> ATR.
Interesting idea, but I don't see that it is feasible.  For example, how
to deal with concurrent access?  The smartcard can only have one app
selected at the same time anyway, as far as I understand.

/Simon
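An added example of the PKCS#11 URL idea in the reply above (RFC 7512 URIs); it is not part of the thread and not OpenSC's own implementation. It parses the path and query attributes of a `pkcs11:` URI and picks exactly one token from a list of the kind a PKCS#11 module would enumerate, refusing an ambiguous URI instead of silently taking the first slot. The token list, labels and serials are constructed for the example, as are the names `parse_pkcs11_uri` and `select_token`.

```python
"""Pick a PKCS#11 token by RFC 7512 URI. Added example, not OpenSC code."""
from urllib.parse import unquote

# Constructed stand-in for what a module would report for a NEO exposed as two
# tokens in two slots. Labels, manufacturers and serials are made up.
TOKENS = [
    {"slot-id": "0", "token": "PIV card", "manufacturer": "ExampleCo PIV",
     "serial": "0000000001", "model": "NEO"},
    {"slot-id": "1", "token": "OpenPGP card", "manufacturer": "ExampleCo OpenPGP",
     "serial": "0000000001", "model": "NEO"},
]

# Path attributes RFC 7512 defines; the first group describes a token or slot,
# the second an object inside it and is ignored when choosing the token.
TOKEN_ATTRS = {"token", "manufacturer", "serial", "model",
               "slot-id", "slot-description", "slot-manufacturer"}
OBJECT_ATTRS = {"object", "type", "id", "library-manufacturer",
                "library-description", "library-version"}


def parse_pkcs11_uri(uri: str) -> dict:
    """Return {'path': {...}, 'query': {...}} with percent-encoding removed."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    attrs = {}
    for component in path.split(";"):
        if not component:
            continue
        name, eq, value = component.partition("=")
        if not eq or name not in TOKEN_ATTRS | OBJECT_ATTRS:
            raise ValueError(f"bad path attribute: {component!r}")
        if name in attrs:                      # RFC 7512: no repeated path attrs
            raise ValueError(f"duplicate attribute: {name}")
        attrs[name] = unquote(value)
    query_attrs = {}
    for component in query.split("&") if query else []:
        name, eq, value = component.partition("=")
        if eq:
            query_attrs[name] = unquote(value)
    return {"path": attrs, "query": query_attrs}


def select_token(uri: str, tokens: list) -> dict:
    """Return the single token matching every token-level attribute in the URI."""
    want = {k: v for k, v in parse_pkcs11_uri(uri)["path"].items()
            if k in TOKEN_ATTRS}
    matches = [t for t in tokens if all(t.get(k) == v for k, v in want.items())]
    if not matches:
        raise LookupError(f"no token matches {uri}")
    if len(matches) > 1:
        # Same serial on both NEO tokens: the user has to name the token too.
        raise LookupError(f"{uri} is ambiguous, matches {len(matches)} tokens")
    return matches[0]


if __name__ == "__main__":
    print(select_token("pkcs11:token=PIV%20card;manufacturer=ExampleCo%20PIV", TOKENS))
    print(select_token("pkcs11:token=OpenPGP%20card", TOKENS))
```

The ambiguity check is the part that matters for the two-applet case: attributes the two tokens share (here the serial and model) do not select anything on their own, so an application configured with only those gets an error it can report rather than a token it did not intend.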
