Hi,

I think the PCSC is good enough if it enables access
to the local smartcard for local processes, and
verifies that the user has UNIX permission to use the
smartcard reader (for instance if /tmp/.pcsctx and
/tmp/.pcscrx are accessible to the user).

For remote authentication, a client/server application
would need to implement the client/server dialog for
authentication.

For instance if a user on Computer A needs to connect
via ssh to Computer B, the user is authenticated to
Computer A's OS and has UNIX privileges to access
the smartcard reader on Computer A:

1) When the ssh client connects to the ssh server, the
ssh server sends some random challenge to the ssh
client

2) The ssh client encrypts the challenge with the
private key stored in the smartcard and sends the
result back to the server.

3) The ssh server, which has the public key of the user
on its local filesystem, decrypts the data and checks
that it is the same challenge that was sent to the
client.

4) If the verification is OK, then the server has the
security that the client is the owner of the smartcard
which conveys the private key, and so it has access to
the server host.
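The four steps above as a runnable sketch. This is an added example, not code from the original post or from the MUSCLE project: the Card, Server and Client classes, the toy RSA key generation and the SHA-256 hash-then-sign construction are all assumptions made so the block runs offline with the standard library only. In signature terms, step 2 signs the server's random challenge with the key held inside the card (the key never leaves the Card object) and step 3 verifies that signature against the public key enrolled for the user; the server also discards each challenge after a single verification attempt, so a captured response cannot be replayed.

```python
"""Toy challenge-response login in the shape of the four steps above.

Added illustration, not code from the original post.  Uses textbook RSA over
freshly generated 256-bit primes purely to keep the demo self-contained; a
real deployment would use a padded signature scheme (RSA-PSS, an EC
signature, ...) with far larger keys.
"""
import hashlib
import secrets


# ---------- toy RSA helpers (constructed for this example) ----------
def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=256):
    """Return ((n, e), (n, d)); the modulus is ~2*bits long."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (p * q, e), (p * q, d)


def _digest_int(data):
    """SHA-256 of the data as an integer; always smaller than a 512-bit modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


# ---------- the "smartcard": holds the private key and only signs ----------
class Card:
    def __init__(self, private_key):
        self._n, self._d = private_key  # never exported

    def sign(self, message):
        return pow(_digest_int(message), self._d, self._n)


# ---------- client side (step 2) ----------
class Client:
    def __init__(self, card):
        self.card = card

    def respond(self, challenge):
        return self.card.sign(challenge)


# ---------- server side (steps 1, 3 and 4) ----------
class Server:
    def __init__(self, authorized_public_keys):
        self.keys = authorized_public_keys  # username -> (n, e), like authorized_keys
        self.pending = {}                   # username -> outstanding challenge

    def issue_challenge(self, username):
        chal = secrets.token_bytes(32)  # fresh random challenge per attempt
        self.pending[username] = chal
        return chal

    def verify(self, username, signature):
        chal = self.pending.pop(username, None)  # one-shot: a replayed response fails
        if chal is None or username not in self.keys:
            return False
        n, e = self.keys[username]
        return pow(signature, e, n) == _digest_int(chal)


def run_login(server, client, username):
    """Drive steps 1-4 once and return the server's verdict."""
    chal = server.issue_challenge(username)
    return server.verify(username, client.respond(chal))


def demo():
    """Genuine card succeeds; a non-enrolled card or unknown user is rejected."""
    pub, priv = generate_keypair()
    server = Server({"alice": pub})
    alice = Client(Card(priv))
    _, other_priv = generate_keypair()
    other = Client(Card(other_priv))  # a card that was never enrolled
    return {
        "genuine": run_login(server, alice, "alice"),
        "wrong_card": run_login(server, other, "alice"),
        "unknown_user": run_login(server, alice, "bob"),
    }


if __name__ == "__main__":
    print(demo())
```

The point worth checking is the last method: the server verifies against the challenge it issued itself and then forgets it, which is what makes the response useless to anyone who merely recorded it. It does not, on its own, address the point raised later in the thread about the terminal sitting between user and card; that needs the session itself bound to the card.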

The ssh client and server source code would need to
be modified, but I guess there is more chance if you
want to use improved security.

That said, the "Secure Internet Smartcards" model
looks fine to me, and could be implemented to help
client/server applications to use smartcards for
authentication.

--- Jim Rees <[EMAIL PROTECTED]> wrote:
>   For accessing remote computers (which the original
> query was about)
>   something like ssh or secure telnet using smart
> card based keys
>   for authentication would be more appropriate.
> 
> Of course what you really want is for the session to
> be secure all the way
> to the card, not just to the terminal.  And since
> you can't use the PIN as
> an encryption key, you need something like a
> diffie-hellman exchange.  And
> since the terminal makes a perfect
> man-in-the-middle, you need to add some
> more protocol and use something like EKE, SPEKE, or
> OKE.
> 
> We did all this and wrote a paper:
> 
> N. Itoi, T. Fukuzawa, and P. Honeyman, "Secure
> Internet Smartcards," August
> 2000. Java Card Workshop, Cannes (September 2000).
> 
> http://www.citi.umich.edu/projects/smartcard/scpapers.html
>
> ***************************************************************
> Linux Smart Card Developers - M.U.S.C.L.E.
> (Movement for the Use of Smart Cards in a Linux
> Environment)
> http://www.linuxnet.com/smartcard/index.html
> ***************************************************************

