Re: MUSCLE applications?

1999-03-02 Thread Erwann ABALEA

On Mon, 1 Mar 1999, Dennis Wier wrote:

 Killer application of the (near) future would be
 when ADSL is really launched and people start downloading
 video.  Like single sign-on, they will be tired of
 punching in their credit card, so smartcard will
 be the choice.  But, the readers would likely have to
 be both swipe plus smartcard, plus probably pin
 so that legacy credit cards could be used.  There is
 ecash and ecommerce where every click on every
 icon gets to nibble on your bank account too.
 This is (fortunately) not yet, but it could
 'drive' development of smart cards.
 
 That's just one possibility.  But this depends on
 credit card companies issuing smart cards.  But they
 are sitting on some billion magnetic stripe cards
 so there is no reason to change, yet.  Credit card
 companies have developed (their) applications using the
 smart card.  The problem is standards.

In France, we have already been using smartcards for banking for about 10 years...
And for a few months now, we've had at least 2 systems for electronic
commerce using smartcards. One is only valid for French customers and
French merchants, the other is SET compliant, but can use the French
smartcard to authenticate.

-- 
Erwann ABALEA
System and Development Engineer - Certplus SA
[EMAIL PROTECTED]
Telephone: +33 1 34 38 29 50

***
Linux Smart Card Developers - M.U.S.C.L.E.
(Movement for the Use of Smart Cards in a Linux Environment)
http://www.linuxnet.com/smartcard/index.html
***



Re: MUSCLE Smartcards and Browsers

1999-03-17 Thread Erwann ABALEA

On Wed, 17 Mar 1999, Martin Sigbjorn wrote:

 I need information on how I can use smartcards with Netscape
 Navigator/Communicator and Internet Explorer, in order to perform secure
 authentication of a user. I know these browsers have support for
 smartcard authentication through certificates and SSL but I don't know
 how it works (or how to make it work). Is it possible just by the
 presence of PC/SC drivers + reader + card, or do I need additional
 software?

Of course you need additional software to make the whole stuff work...

For Netscape, you have to write a PKCS#11 module which will perform the
necessary cryptographic operations (basically RSA sign/verify and
crypt/decrypt).

For MSIE, you'll have to write a CSP (Crypto Service Provider) that will
do pretty much the same, and it MUST be signed by Microsoft (the key is
operated by the NSA, maybe it's just the opposite, but the 2 are involved
in the process). This CSP will also have to check whether the original
CSP is a basic or enhanced version (512/1024 bits for RSA, 40/128 bits for
RC2 and others). I don't know if your source will have to be reviewed for
it to be signed...

The easiest will be to start with Netscape... But you'll have to learn
about PKCS#1, PKCS#8, and PKCS#10 (maybe also PKCS#7). The PKCS documents
are available freely on http://www.rsa.com.

You've got very hard work to do. Good luck ;-)

-- 
Erwann ABALEA
System and Development Engineer - Certplus SA
[EMAIL PROTECTED]
- RSA PGP Key ID: 0x2D0EABD5 -




RE: MUSCLE SSH - PC/SC

1999-04-09 Thread Erwann ABALEA

I know this. Of course.

But look at the first contribution...

 |  I have ssh2 working with PC/SC now.  It generates keys and stores
 |  them on the cards and the agent reads them off the card also. 

So the crypto operations are NOT performed by the OS smartcard.


On Fri, 9 Apr 1999, Enzo Romeo wrote:

 The keys should never be read off the smart cards...this is a fundamental 
 rule of security. You can't trust any agent or software outside the cards. 
 So, the keys must be used by the card OS algorithms and the cards are used 
 as secure keys storage.
 
 Enzo
 
 On Friday 9 April 1999 10.22, Erwann ABALEA [SMTP:[EMAIL PROTECTED]] 
 wrote:
 | Why don't you use the crypto capabilities of the cards to perform the
 | crypto operations
 |
 | For me, it's a very bad way to use smartcards to consider them only
 | good for storage.
 |
 | Erwann.
 |
 |
 | On Thu, 8 Apr 1999, David Corcoran wrote:
 |
 |  Hello,
 | 
 |  I have ssh2 working with PC/SC now.  It generates keys and stores them on
 |  the cards and the agent reads them off the card also.  I have tried 3
 |  cards as of now:  The Multiflex, Cryptoflex, and Cyberflex Access 16k and
 |  all seem to work successfully.  I'll try to release it, the new C - API,
 |  and the new version of PC/SC this weekend along with the Multiflex ICCSP
 |  and a few new utilities.
 | 
 |  Thanks
 |  Dave
 | 
 |  *
 |  David Corcoran Internet Security/Smartcards
 | 
 |  Home:  Purdue University
 |  2252 US Highway 52 West    Department of Computer Science
 |  West Lafayette, IN 47906   CERIAS/COAST Laboratory
 |  Home: (765) 463-2455
 |  Cell: (317) 514-4797
 | 
 |  http://www.linuxnet.com
 | 
 |  *
 | 
 | 
 |
 | --
 | Erwann ABALEA
 | System and Development Engineer - Certplus SA
 | [EMAIL PROTECTED]
 | - RSA PGP Key ID: 0x2D0EABD5 -
 |
 

-- 
Erwann ABALEA
System and Development Engineer - Certplus SA
[EMAIL PROTECTED]
- RSA PGP Key ID: 0x2D0EABD5 -




Re: MUSCLE standards

2000-05-23 Thread Erwann ABALEA
 smartcard, then the smartcard and PKCS#11 lib should be
compliant with PKCS#15 and what I called "ISO-7816-8" or whatever its real
name...

-- 
Erwann ABALEA
System and Development Engineer - Certplus SA
[EMAIL PROTECTED]
- RSA PGP Key ID: 0x2D0EABD5 -




Re: MUSCLE Identifying Cards..

2000-07-04 Thread Erwann ABALEA

On Mon, 3 Jul 2000, Angie Mitchell wrote:

 I'm trying to figure out what kind of smartcard I have.. it's got all
 eight pads/pins, on a blank white card with no markings at all.. is there
 anything I can do to identify this card and the specs on this card? the
 transmission protocols, voltage and current values, atr, etc etc... any
 information would be helpful.. thanks in advance..

You could see if the chip is in ISO or AFNOR position (AFNOR position is
higher than ISO).
You could check if it's an asynchronous card (i.e. microprocessor card), and
tell us the ATR (Answer To Reset).

-- 
Erwann ABALEA
System and Development Engineer - Certplus SA
[EMAIL PROTECTED]
- RSA PGP Key ID: 0x2D0EABD5 -




Re: MUSCLE Transaction times

2001-02-27 Thread Erwann ABALEA

This reader resets each inserted card twice? That's strange... I'm aware
of special cards that change their behaviour after a second reset is
performed while the card is still powered on... These cards couldn't then
be used in such a reader...

On Tue, 27 Feb 2001, David Corcoran wrote:

 Hi Michael,

 The Reflex 60 driver resets the card twice most likely (cold/warm).  On
 removal there is no reset but on insertion these resets occur - the driver
 goes into a sleep waiting for this to happen - I am sure you can shorten
 this amount of time and I would be glad to help you if you send me a mail
 directly [EMAIL PROTECTED]

-- 
Erwann ABALEA
[EMAIL PROTECTED]
RSA PGP Key ID: 0x2D0EABD5
-
Against stupidity, the Gods themselves, contend in vain!




Re: MUSCLE how can i use smart card with netscape?

2001-05-21 Thread Erwann ABALEA

On Mon, 21 May 2001, Ysek Chung wrote:

 i have GemPC410 reader and GPK8000 card, and
 i'm studying smart card on linux.
 now i'm trying to use smart card on netscape such as MS windows,
 but i can't find any information for help.

 how can i use smart card with netscape?

You have to write or use a PKCS#11 compliant library. This library will
use the smartcard as a crypto provider and certificate container, and
Netscape will use this PKCS#11 library to perform high-level crypto
operations.

Right now, I don't think there exists any PKCS#11 library for the
Gemplus GPK8000 card running under Unix/Linux.

-- 
Erwann ABALEA
[EMAIL PROTECTED]
RSA PGP Key ID: 0x2D0EABD5
-
Computers are useless.  They can only give you answers
- Pablo Picasso




Re: MUSCLE Linux Login with RSA SmartCards

2001-06-06 Thread Erwann ABALEA

On Wed, 6 Jun 2001, Ludovic Rousseau wrote:

 On Mon, Jun 04, 2001 at 12:57:20PM -0700, David Corcoran wrote:
  Hello,
 
  You can't use pcsc-lite-0.9.1 for remote use of the resource manager.  I
  wanted to create the core package as local only.  I'm working on an RPC
  like service that sits atop the local service which will export the PC/SC
  interface .  To the apps it will be identical to the older versions
  that used RPC.

 I don't think using RPC is a good idea.
 You use a smartcard to provide security in an insecure environment.
 I don't want to send my PIN code in clear over RPC. You need to have
 authentication, integrity and confidentiality of your network
 communications.
 You could use 'secure RPC' but it will be hard to find implementations
 of it outside SUN.

Or maybe provide some kind of key exchange, and send the PIN code (and all
the card commands) hidden in an opaque data blob, simply encrypted.

That's surely difficult to design and implement correctly, but I agree
with Ludovic, it's not a good idea to transmit everything in clear.

 If you send your PIN code in clear over the network why not just use
 telnet ? :-(

 I want a secure channel between my smartcard and the program sending
 commands to it.



-- 
Erwann ABALEA
[EMAIL PROTECTED]
RSA PGP Key ID: 0x2D0EABD5
-
Two most common elements in the universe: Hydrogen and Stupidity.




Re: MUSCLE Linux Login with RSA SmartCards

2001-06-08 Thread Erwann ABALEA

On Thu, 7 Jun 2001, Carlos Prados wrote:

 Hi,

 --- David Corcoran [EMAIL PROTECTED] wrote:
  Definitely.  The interface exported must be a subset
  of the
  available functionality or else someone could write
  a worm which does a
  Verify Key function incorrectly and blocks cards
  where services are
  available.

 Even worse. If you leave your card with your private
 PGP key in the reader and the smartcard is accessible
 to anybody over the net, somebody could connect to it,
 and write signed messages with your private key, read
 your private e-mail...

You can design your application so that whenever a signature (or
decryption) operation is to be performed, a PIN code should be presented,
the operation performed, and the authentication state reset. That's how
it's done with the French banking applications. The card in itself doesn't
reset the authentication state after the operation, but the payment
terminals must do it.

 He only needs your PIN, which he can get by snooping
 the network, or doing trial and error.

Trial and error is not a valid attack, as the card usually disables the
code as soon as 3 bad code guesses have been presented. Since you can
enhance the PIN length, guessing the PIN in 3 tries is difficult.


-- 
Erwann ABALEA
[EMAIL PROTECTED]
RSA PGP Key ID: 0x2D0EABD5
-
``There are basically two types of people.
People who accomplish things, and people who claim to have accomplished
things. The first group is less crowded.''
 Mark Twain


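The discipline described in the reply above (present the PIN, perform one operation, reset the authentication state) and the 3-try retry counter, as an added example in C that is not part of the original thread. The card, the reference PIN and the "signature" are constructed stand-ins, not a real card OS or a real algorithm.

```c
/* Added example (not code from the thread): a toy model of a card's PIN-
 * protected signing state and the terminal-side discipline the post
 * describes: present the PIN, perform the operation, reset the auth state.
 * The card, the reference PIN and the "signature" are constructed stand-ins. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_TRIES 3   /* the card blocks the PIN after 3 wrong presentations */

typedef struct {
    char pin[9];        /* constructed reference PIN, up to 8 digits */
    int  tries_left;    /* retry counter; 0 means the PIN is blocked */
    bool authenticated; /* security status set by a successful VERIFY */
} card_t;

/* Models VERIFY: a wrong PIN decrements the counter, a right one resets it
 * and opens the authenticated state; a blocked PIN refuses everything. */
bool card_verify(card_t *c, const char *pin) {
    if (c->tries_left == 0) return false;
    if (strcmp(c->pin, pin) != 0) { c->tries_left--; return false; }
    c->tries_left = MAX_TRIES;
    c->authenticated = true;
    return true;
}

/* The card signs only while authenticated, and keeps that state until the
 * terminal clears it, which is exactly what the post points out. */
bool card_sign(const card_t *c, uint32_t msg, uint32_t *sig) {
    if (!c->authenticated) return false;
    *sig = msg ^ 0xC0FFEEu;   /* constructed placeholder, not a real signature */
    return true;
}

void card_reset_auth(card_t *c) { c->authenticated = false; }

/* Terminal-side wrapper: PIN, one operation, then drop the authenticated
 * state so a later caller cannot sign without presenting the PIN again. */
bool sign_with_pin(card_t *c, const char *pin, uint32_t msg, uint32_t *sig) {
    if (!card_verify(c, pin)) return false;
    bool ok = card_sign(c, msg, sig);
    card_reset_auth(c);
    return ok;
}
```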



Re: MUSCLE Linux Login with RSA SmartCards

2001-06-08 Thread Erwann ABALEA

On Fri, 8 Jun 2001, Dr S N Henson wrote:

 Carlos Prados wrote:
 
 
  Again, I would pay more attention to local security.
  Why is the file /tmp/.pcscrx world writable? isn't
  this a security hole?
 

 On the subject of security...

 As may be apparent I've only just got my setup working and I've not
 examined things in any detail. I did notice a few things which might be
 cause for concern.

 Consider a Netscape PKCS#11 module. In this application the connection
 to the reader may need to be kept open for an extended period of time
 (typically the whole browser session) and may not be closed cleanly. As
 we are all painfully aware it's not entirely unknown for a browser to
 crash.

For the PKCS#11 part, there's a solution: just use random session numbers,
and close all the sessions if you detect at least 3 invalid session
numbers...

That way, the application can crash, but trying to attach to this previous
session and keep the authenticated state would be difficult.

-- 
Erwann ABALEA
[EMAIL PROTECTED]
RSA PGP Key ID: 0x2D0EABD5
-
A computer is a state machine.
Threads are for people who can't program state machines.
 Alan Cox
   in a discussion about the threads and the Linux scheduler


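The session scheme suggested above (random session numbers, close everything after 3 invalid ones), as an added example in C that is not part of the original thread. The table, the handle space and the xorshift32 generator are constructed stand-ins; a real PKCS#11 module would draw handles from a cryptographic generator.

```c
/* Added example (not code from the thread): a toy PKCS#11-style session table
 * with random session handles and the "close everything after 3 invalid
 * handles" rule the post suggests. xorshift32 is a constructed stand-in for
 * the CSPRNG a real module would use. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_SESSIONS    8
#define MAX_BAD_HANDLES 3

typedef struct {
    uint32_t handle[MAX_SESSIONS];    /* 0 marks a free slot */
    bool     logged_in[MAX_SESSIONS]; /* PIN was presented on this session */
    int      bad_handles;             /* consecutive unknown-handle lookups */
    uint32_t rng;                     /* xorshift32 state, seeded nonzero */
} session_table_t;

static uint32_t next_random(session_table_t *t) {
    t->rng ^= t->rng << 13; t->rng ^= t->rng >> 17; t->rng ^= t->rng << 5;
    return t->rng;               /* never 0 once seeded with a nonzero value */
}

static int find_session(const session_table_t *t, uint32_t h) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (h != 0 && t->handle[i] == h) return i;
    return -1;
}

/* Returns a fresh, non-sequential handle, or 0 when the table is full. */
uint32_t open_session(session_table_t *t) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (t->handle[i] == 0) {
            uint32_t h;
            do { h = next_random(t); } while (find_session(t, h) >= 0);
            return t->handle[i] = h;
        }
    return 0;
}

/* Every operation resolves its handle here. An unknown handle is a probe;
 * three in a row close all sessions and drop their authenticated state. */
int lookup_session(session_table_t *t, uint32_t h) {
    int i = find_session(t, h);
    if (i >= 0) { t->bad_handles = 0; return i; }
    if (++t->bad_handles >= MAX_BAD_HANDLES) {
        memset(t->handle, 0, sizeof t->handle);
        memset(t->logged_in, 0, sizeof t->logged_in);
        t->bad_handles = 0;
    }
    return -1;
}
```

A crashed browser leaves no usable handle behind: whoever probes for it burns through the three attempts and closes every session, including the one that was still logged in.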



Re: MUSCLE New to list, problems with PIN code ! (fwd)

2001-06-18 Thread Erwann ABALEA

On Mon, 18 Jun 2001, David Corcoran wrote:

 -- Forwarded message --
 Date: Sun, 17 Jun 2001 02:14:01 +0200
 From: Christoph Plattner [EMAIL PROTECTED]
 To: [EMAIL PROTECTED], [EMAIL PROTECTED]
 Subject: New to list, problems with PIN code !

 Hello SmartCard Linux hackers !

Hi!

 I have recently bought a package from TOWITOKO

   CHIPDRIVE linuxpack

 which includes 2 memory cards. Those two cards seem
 to be of a different type:
   - 2Kbit I2C EEPROM Card (256 Byte, R/W)
   seems to be a 2-wire card
   (icc-type = 2)
   - 16Kbit I2C EEPROM Card (2048 Byte, R/W)
   seems to be an I2C SHORT card
   (icc-type = 0)

 I don't know why these cards of different sizes are also
 of different types... ?

Why not?

 But now to the problems:
 The ATR of the 16Kb card is always empty (NULL pointer,
 as it is no 2-/3-wire card). Is this implementation
 in the CT code correct ?

A memory card does return no ATR... In fact, the reader might return one,
if it wants to...

 And now the main problem:
 -

 The 2Kbit card seems to need the PIN code, is this
 correct (I cannot write on it, and I saw in the code,

Yes, memory cards can have PIN codes entered. The method used to enter
this PIN is 'implementation defined', i.e. you should ask your card
manufacturer.

 that on type==2 and 3 cards, the PIN entering is always done.
 I have not seen any PIN (in the package, on the card,
 etc) So I don't know any key, and now the card always
 blocks PIN entering, as the retry counter is already on '0'.
 Can I do here anything ?

If this is a real PIN code, and the card can't be reset, too bad...

Good luck!

-- 
Erwann ABALEA
[EMAIL PROTECTED]
RSA PGP Key ID: 0x2D0EABD5
-
No wanna work.  Wanna bang on keyboard.




Re: MUSCLE check for pinpad

2001-07-10 Thread Erwann ABALEA

On 10 Jul 2001, Stephan Heinze wrote:

 I have a question about card readers. How can I check (via
 pcsc-lite-api) if the reader is a simple card reader or if it has a
 pinpad to supply safe pin validation?

I don't think that the current release of the PC/SC standard supports card
readers with 'expansions', like PIN pads, screens, etc.

Maybe the next version of the standard?

-- 
Erwann ABALEA
[EMAIL PROTECTED]
RSA PGP Key ID: 0x2D0EABD5
-
``Do or do not.  There is no try.
 Yoda
