Re: MUSCLE GemPlus MPCOS-EMV
Pauley, John wrote:

> All,
>
> First, sorry for the long post. My problem is that I have to authenticate the terminal with a GemPlus MPCOS-EMV smart card using the following algorithm (this is in the G+ MPCOS-EMV manual):
>
> [description deleted]

I'm not sure what your problem is but I have myself successfully implemented the algorithm based on the information in the G+ manual, though I think the references to CRnd7 to CRnd4 should be CRnd3 to CRnd0 since CRnd is only 4 bytes long.

The actual 3DES algorithm used is also commonly referred to as two key triple DES and it is ECB mode.

You may find the GPK pilot tool useful (available from G+ site). If you can get it to initiate secure messaging with the trace activated you can use the trace file to check your implementation.

Steve.

--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.

*** Linux Smart Card Developers - M.U.S.C.L.E. (Movement for the Use of Smart Cards in a Linux Environment) http://www.linuxnet.com/smartcard/index.html ***
Re: MUSCLE Disk encryption and more
Patrick Valsecchi wrote:

> I don't have to store each signature of each bin into the smartcard. I won't have enough RAM for that! I'll store inside each executable and library the signed crypto hash. The kernel will check if the crypto hash is still the same and the smartcard will just check the signature of the crypto hash.

I'm curious as to why the smartcard is being used for the crypto verification as opposed to the boot-loader and subsequently the executable loader. They might for example have a hard coded public key or some root CA depending on how sophisticated you want to be. You of course have to be very careful that the public key or certificate cannot be replaced.

If there is some reason to use a smart card then that also has to be handled carefully, otherwise someone could just replace it with something that either always returns successful (for any signature) or allows other (known) keys to sign the executables.

Steve.
Re: MUSCLE Linux Login with RSA SmartCards
Carlos Prados wrote:

> Again, I would pay more attention to local security. Why is the file /tmp/.pcscrx world writable? Isn't this a security hole?

On the subject of security...

As may be apparent I've only just got my setup working and I've not examined things in any detail. I did notice a few things which might be cause for concern.

Consider a Netscape PKCS#11 module. In this application the connection to the reader may need to be kept open for an extended period of time (typically the whole browser session) and may not be closed cleanly. As we are all painfully aware it's not entirely unknown for a browser to crash.

This situation needs to be handled, i.e. a connection can be kept open for a long time with no security issues and if the application using it crashes then the session is cleaned up appropriately.

Steve.
Re: MUSCLE and gemplus readers.
Jean-Luc GIRAUD wrote:

> Dr S N Henson wrote:
>
> > I suspect the answer is 'none of the above' :-)
>
> Yes and no :-) (see below).
>
> > I'm compiling MUSCLE 0.9.1 and the GemPC430 driver from source. There are a few problems with 'make install' in MUSCLE, at least on my setup: for example it installs reader.conf in /usr/local/etc but expects to find it in /etc and it doesn't seem to install the pcsd binary (well script) anywhere.
>
> The default 'make install' does not compile pcscd with usb support (which was the reason for the problem with the packages). You should first './configure --enable-usb' to enable usb support. If you have the GemPC430 bundle in the 'drivers' folder of the pcsc install, it should work.

I did run ./configure with --enable-usb. I also ran pcsd under strace and it seems to be reading the 'bundle' files and there's also some additional activity when the reader is plugged in.

Steve.
Re: MUSCLE and gemplus readers.
David Corcoran wrote:

> Hi,
>
> Try removing bundleparser.c and doing the ./configure --enable-usb and everything over again.

That did the trick. I still get a few kernel warning messages when I plug the device in but I can now access the reader, thanks.

Steve.
MUSCLE and gemplus readers.
I've been testing out MUSCLE and some related software with some gemplus readers, all with RHL 6.1 2.2.12 kernel and RHL7.0 2.2.16 with backported USB and 2.4.5.

The serial reader (GemPC 410) seems to work fine. I haven't got the USB reader GemPC430 to work though. All I get when I plug the reader in is a message saying no driver supports the device. This also happens with 2.4.5 kernel. Any pointers as to the possible cause?

I recall seeing that the PCMCIA reader (GemPC400 aka GPR400) would have a PC/SC driver 'coming soon'; any news on that?

Steve.