"Waiting for touch" notification


"Waiting for touch" notification

Thomas Habets
When it's waiting for a touch it just waits with no user notification
outside of the yubikey blinking. Since I have a Yubikey 4 Nano the
blinking is not always in view, which makes me type "ssh"/"git push"
and just stare at the screen.

Has anyone explored how to surface this "please touch the smartcard"
or something message to the user with opensc?

I can imagine an ugly solution where if there's an outstanding "sign"
operation for more than epsilon time, then maybe connect to this unix socket
and say something, or shell out to this command. I can then use that
to do something better than, but similar to, running:
  xmessage 'touch the yubikey'

[1] https://blog.habets.se/2016/01/Yubikey-4-for-SSH-with-physical-presence-proof

--
typedef struct me_s {
 char name[]      = { "Thomas Habets" };
 char email[]     = { "[hidden email]" };
 char kernel[]    = { "Linux" };
 char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
 char pgp[] = { "9907 8698 8A24 F52F 1C2E  87F6 39A4 9EEA 460A 0169" };
 char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
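The wrapper Thomas sketches above (an outstanding operation that has not returned after some epsilon triggers a hint to the user), written out as an added example that is not part of the original post and not OpenSC code: it wraps a command such as ssh or git push, pops xmessage if the command is still running after epsilon seconds, and takes the popup down again once the command returns. The names run_with_touch_hint, xmessage_show and xmessage_hide and the 1-second epsilon are my choices.

```python
import subprocess
import sys
import threading


def run_with_touch_hint(cmd, epsilon, show_hint, hide_hint=lambda handle: None):
    """Run cmd; if it is still running after epsilon seconds (most likely blocked
    on the touch), call show_hint() and, once cmd returns, hide_hint(handle).
    Returns (exit_status, hint_was_shown)."""
    proc = subprocess.Popen(cmd)
    state = {"handle": None, "shown": False}
    lock = threading.Lock()     # orders show/hide if the timer fires late

    def on_timeout():
        with lock:
            if proc.poll() is None:             # still running: nag the user
                state["handle"] = show_hint()
                state["shown"] = True

    timer = threading.Timer(epsilon, on_timeout)
    timer.start()
    try:
        status = proc.wait()
    finally:
        timer.cancel()                          # done before epsilon: no popup
    with lock:
        if state["shown"]:
            hide_hint(state["handle"])          # the touch happened: tidy up
    return status, state["shown"]


def xmessage_show():
    # xmessage blocks until dismissed, so start it detached and keep the handle.
    return subprocess.Popen(["xmessage", "touch the yubikey"])


def xmessage_hide(popup):
    popup.terminate()


if __name__ == "__main__":
    # Usage (assumed wrapper name): touchhint.py ssh host  /  touchhint.py git push
    status, _ = run_with_touch_hint(sys.argv[1:], 1.0, xmessage_show, xmessage_hide)
    sys.exit(status)
```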

Re: "Waiting for touch" notification

Douglas E Engert
This sounds similar to PKCS#11 CKA_ALWAYS_AUTHENTICATE and C_Login(CKU_CONTEXT_SPECIFIC), which is designed to request the PIN for each crypto operation. NIST 800-73 says a PIV compliant card
requires the verification of the PIN just before the use of the 9C key on the card (the sign key).
OpenSC PKCS#11 supports this. But the PKCS#11 application needs to recognize the CKA_ALWAYS_AUTHENTICATE attribute of the key and put up a prompt requesting the PIN.

It also sounds like an extension by Yubico of the official PIV specifications. Does the PIN need to be entered in addition or in place of touching?

You could try the Yubico PKCS#11 module and see if it has the same problem.

If the only issue is you can't see it blinking, you could use the Yubikey in a USB hub placed so you can see it :-)


On 10/16/2016 11:02 AM, Thomas Habets wrote:

--

  Douglas E. Engert  <[hidden email]>
 



Re: "Waiting for touch" notification

Martin Paljak-4
In reply to this post by Thomas Habets
Hi,

I made a wrapper for OSX that shows a notification when the PGP keys are
used, can probably be extended to work on Linux etc.

Will publish the setup guide on Github after I verify that the
instructions are repeatable.

Martin

On 16/10/2016 19:02, Thomas Habets wrote:



Re: "Waiting for touch" notification

frankmorgner
There is
https://github.com/OpenSC/OpenSC/blob/master/src/minidriver/minidriver.c#L2446-L2479
to ask a PIN on Windows and
https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/card-dnie.c#L197-L370
to ask for consent (OK/Abort) on Linux, macOS and Windows.

Be aware that showing a GUI while the Windows minidriver tells you to be
"silent" may result in system instability (according to the docs).

I am working on a card with an integrated PIN pad and fingerprint reader
[1]. Similar to a reader with a PIN pad, all requests for verifying the
PIN or fingerprint are delegated to the card [2] (search for
`SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH`). Additionally I added the
Session PIN feature to OpenSC's minidriver for delegating an
authenticated session without user interaction.

As Doug suggested, you may similarly use the prompt for inserting the PIN on
an emulated PIN pad reader to tell the user to tap the card. This would
be quick and dirty, but has some drawbacks: 1. verifying the PIN is not
necessarily bound to using the key; 2. you need to handle the user's
PIN.


Greets, Frank.

[1] https://www.bundesdruckerei.de/en/3867-cebit-bundesdruckerei-exhibits-employee-id-card-tomorrow
[2] https://github.com/frankmorgner/OpenSC

On Monday, October 17 at 08:40AM, Martin Paljak wrote:

--
Frank Morgner

Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE                        http://openpace.sourceforge.net
IFD Handler for libnfc Devices  http://sourceforge.net/projects/ifdnfc


Re: "Waiting for touch" notification

Douglas E Engert
What does Yubico say about this feature?
Have you asked them?

Is there any documentation on the APDU command to tell if the feature is on?

And can it be set for individual keys, or does it apply to all keys?

As Frank implied, the PKCS#11 CKF_PROTECTED_AUTHENTICATION_PATH is another way to map the feature to PKCS#11. But any card driver would still need to know how to test for it.

On 10/17/2016 9:03 AM, [hidden email] wrote:
-- 

 Douglas E. Engert  [hidden email]
 

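Doug's two points on mapping this to PKCS#11 (CKA_ALWAYS_AUTHENTICATE with C_Login(CKU_CONTEXT_SPECIFIC) in his first reply, and CKF_PROTECTED_AUTHENTICATION_PATH in this one, which is also the delegation to the card that Frank describes) as one added example that is not from the thread, OpenSC or Yubico: a simulated token that enforces the per-operation login, and the client sequence that satisfies it. SimToken, sign and the trace of events are invented for illustration; only the constant values are the spec's, and the SHA-256 digest stands in for a real signature.

```python
import hashlib

# PKCS#11 v2.x constant values come from the spec; the token and client below
# are a simulation written for this thread, not OpenSC's or Yubico's module.
CKA_ALWAYS_AUTHENTICATE, CKU_CONTEXT_SPECIFIC = 0x202, 2
CKF_PROTECTED_AUTHENTICATION_PATH = 0x100
CKR_OK, CKR_PIN_INCORRECT, CKR_USER_NOT_LOGGED_IN = 0x00, 0xA0, 0x101

class SimToken:
    # One sign key; enforces the login-before-every-signature rule discussed above.
    def __init__(self, always_auth, protected_path, pin="123456"):
        self.attrs = {CKA_ALWAYS_AUTHENTICATE: always_auth}
        self.flags = CKF_PROTECTED_AUTHENTICATION_PATH if protected_path else 0
        self._pin, self._ctx_ok, self.events = pin, False, []  # events = trace

    def C_GetAttributeValue(self, attr):
        return self.attrs.get(attr, False)

    def C_SignInit(self):
        self._ctx_ok = False
        self.events.append("C_SignInit")
        return CKR_OK

    def C_Login(self, user_type, pin):
        self.events.append("C_Login(%d)" % user_type)
        # With a protected path the token gathers the credential itself
        # (PIN pad, fingerprint, touch) and the application passes no PIN.
        ok = pin is None if self.flags & CKF_PROTECTED_AUTHENTICATION_PATH else pin == self._pin
        if ok and user_type == CKU_CONTEXT_SPECIFIC:
            self._ctx_ok = True
        return CKR_OK if ok else CKR_PIN_INCORRECT

    def C_Sign(self, data):
        self.events.append("C_Sign")
        if self.attrs[CKA_ALWAYS_AUTHENTICATE] and not self._ctx_ok:
            return CKR_USER_NOT_LOGGED_IN, None
        self._ctx_ok = False        # consumed: the next signature needs a fresh login
        return CKR_OK, hashlib.sha256(data).digest()   # stand-in for a signature

def sign(token, ask_pin, notify, data):
    # Application side: what a PKCS#11 client must do for such a key.
    token.C_SignInit()
    if token.C_GetAttributeValue(CKA_ALWAYS_AUTHENTICATE):
        protected = token.flags & CKF_PROTECTED_AUTHENTICATION_PATH
        if protected:               # token collects the credential: just tell the user
            notify("confirm on the token (PIN pad, fingerprint or touch)")
        rv = token.C_Login(CKU_CONTEXT_SPECIFIC, None if protected else ask_pin())
        if rv != CKR_OK:
            return rv, None
    return token.C_Sign(data)
```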