--On Sunday, December 28, 2008 06:47:46 PM +0100 Andreas Jellinghaus <[email protected]> wrote:
> here is a preview for opensc 0.11.7:
> http://www.opensc-project.org/files/opensc/testing/opensc-0.11.7-pre1.tar.gz
>
> this new version has a number of changes for security:
> * lock_login is now on as default. if you want to run thunderbird and
> firefox at the same time, both with smart card support, you need to turn
> this option off. but that would allow any application to talk to your
> card, and steal a signature.

Ugh. This doesn't improve security; any application can already talk to your card if no one happens to already be using it, and really, there is already plenty of opportunity for a program running as you to steal your PIN. I'm inclined to agree with Alon here; the right answer is to fix opensc to correctly support concurrent access from multiple PKCS#11 clients.

> * software key generation: I think people expect the smart card to
> generate rsa keys, not the opensc software on your host. but opensc can
> do that, for example if the card cannot generate rsa keys itself, or for
> corner cases like the cardos split key hack. now soft_keygen_allowed is
> off in the default configuration. if you want to use cards that cannot
> create rsa keys themselves or need special hacks, then you need to turn on
> this option.

Again, ugh. While there's certainly a security consideration here, I don't believe the marginal improvement gained by making people who have these cards make a configuration change is worth the pain. There is an actual improvement in security only if those people choose instead not to use the card, which somehow seems unlikely. I think here you're proposing trading real usability for false security.

> * private data objects were not implemented securely: the
> old code stored them with a flag "ask for the pin", but did nothing to
> protect the data, thus everyone can read it. The new code sets the
> access control right for such data objects, at least with the cryptoflex
> 32k card I tried. please give the code a try, and let me know if your
> card still works.

It's not clear to me what data objects are for. Are they actually supposed to be private, per PKCS#15? None of the profiles I looked at do this; are you updating them all, or just cryptoflex?

> note for testing:
> * you need to initialize the card with "pkcs15-init -p pkcs15+onepin" so
> that you can store things with pkcs11-tool.

Hrm. Ew. But, I suppose this is really just a limitation of PKCS#11. I expect it should also work to initialize with no SO pin, for cards where that works (e.g. cryptoflex).

> * after storing data with pkcs11-tool, you can use opensc-explorer to
> try to download the data. with the old version "cd 5015" and "get 4601"
> would download the first data object, even if it was marked secure.
> with the new code the file is now 4701 and protected with a proper ACL,
> so you need to present the pin to the card before downloading that
> data.

Why the change in file ID? It's not like I have the documentation in front of me, but I'm pretty sure that's not one of the special ones. In any case, the file IDs you mention are specific to the cryptoflex profile.

> also side note: I'm not sure about this, but I think we cannot fix old
> cards with private data objects. what you can do is:
> * download the data
> * overwrite the data on the card with random data
> * store the secret data once more, this time with the new code, so it is
> properly secured this time. now you can delete the secret data from your
> desktop/laptop (use the "wipe" command to do that securely).

This is going to depend on the card. On cryptoflex, I'm pretty sure you cannot change the ACL on an existing file, but the approach you describe should work if there is enough room in the PIN directory. You could also delete the existing data EF, if it was the last thing created in the PIN directory.

Incidentally, it is arguably time to change the DELETE ACLs on PIN and key directories in the cryptoflex and cyberflex access profiles to $SOPIN instead of NONE. Anyone have a comment on this?

-- Jeff

_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
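For reference, the two options argued over in this thread are set in opensc.conf. The fragment below is an added illustration, not text from the thread or a file shipped by the OpenSC project; the `app opensc-pkcs11 { pkcs11 { ... } }` nesting is assumed from the opensc.conf layout of that era, so check it against your installed file. It places the 0.11.7-pre1 defaults described in the announcement beside the relaxed values a user running Firefox and Thunderbird together, or a card without on-board key generation, would need, with the trade-off each relaxation accepts.

```conf
# Added illustration; section nesting assumed from the opensc.conf layout of the time.
app opensc-pkcs11 {
    pkcs11 {
        # 0.11.7-pre1 default: hold the card lock for the whole login session,
        # so only one PKCS#11 client (Firefox OR Thunderbird) uses the card at a time.
        lock_login = true;

        # Relaxed value needed to run two PKCS#11 clients at once.
        # Trade-off: while the PIN is verified, another process running as the same
        # user can talk to the card and ask it to sign.
        # lock_login = false;

        # 0.11.7-pre1 default: RSA keys are generated on the card only.
        soft_keygen_allowed = false;

        # Relaxed value for cards that cannot generate RSA keys themselves, or for
        # the CardOS split-key case. Trade-off: the private key is created in host
        # memory before it is loaded onto the card.
        # soft_keygen_allowed = true;
    }
}
```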
