Differences

This shows you the differences between two versions of the page.


project:cryptotoken [2013/01/16 14:06]
kappi [Order]
project:cryptotoken [2013/03/09 17:37] (current)
abyssal remove old sections
Line 3: Line 3:
 {{template>infobox| {{template>infobox|
 name=CryptoToken| name=CryptoToken|
-image=:projects:epass2003-001.png?200|+image=cryptotoken.jpg?200|
 sw=-| sw=-|
 hw=-| hw=-|
-founder=[[user:abyssal]]|+founder=|
 interested=| interested=|
-status=active+status=done
 }} }}
  
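Review bot: the infobox edit blanks the founder field (''founder=[[user:abyssal]]'' becomes ''founder='') at the same time as it sets ''status=done''; if the intent is only to mark the project finished, keep the founder attribution, since the page history (the "abyssal remove old sections" revision above) still records who started it. The image change from '':projects:epass2003-001.png?200'' to ''cryptotoken.jpg?200'' also drops the namespace prefix, so confirm the new file was uploaded into the page's own namespace or the infobox will render a broken image.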
Line 20: Line 20:
   * [[http://www.gooze.eu/forums/support/difference-between-epass-2003-and-epass-pki-token-pki-card|Difference Between ePass 2003 and ePass PKI]]   * [[http://www.gooze.eu/forums/support/difference-between-epass-2003-and-epass-pki-token-pki-card|Difference Between ePass 2003 and ePass PKI]]
  
-===== Order =====+===== Notes and prepared packages =====
  
-^ Person                ^  Number of tokens  ^ +  * [[http://apt.gooze.eu/|APT repository for Ubuntu from gooze.eu]] 
-| abyssal               |  2                 +  * [[https://www.constructibleuniverse.net/Feitian/Feitian-notes.txt|Notes on installation and usage]] 
-| biiter                |  1                 +  * [[https://www.constructibleuniverse.net/Feitian/pkgs/|Compiled RPMs for EL6 x86_64 and source RPM packages for EL6/Fedora 17-18]] (note: F17/18 requires just the opensc package
-| kxt                   |  1                 | + 
-| ruza                  |  1                 | +===== epass2003 hacking and debugging ===== 
-| tlapka                |  1                 | + 
-| niekt0                |  1                 | +  * [[https://github.com/hiviah/epass2003-hacking|Documentation on how to decode APDUs, docs, scripts]]
-| JoHnY                 |  1                 | +
-| pborky                |  1                 | +
-| Stevko                |  1                 | +
-| Czestmyr              |  1                 | +
-| lukash                |  2                 | +
-| Vatoz (Vaclav Cerny |  1                 | +
-| sargon                |  1                 | +
-| axtheb                |  1                 | +
-| Eremiell (Jakub Marek)|  1                 | +
-| kappi                 |  1                 |+
  
  
 ===== Workshop ===== ===== Workshop =====
  
-Worshop is planned for making the token work on *nix systems once the tokens +Workshop took place in February. Few notes below. 
-arrive.+ 
 +==== Workshop notes ==== 
 + 
 +The token offers multiple interfaces: 
 + 
 +  * Import of [[http://www.gooze.eu/howto/smartcard-quickstarter-guide/scenario-4-reusing-existing-openssh-rsa-keys|existing RSA SSH key]], and [[http://www.gooze.eu/howto/using-openssh-with-smartcards/using-ssh-with-smart-cards|connecting]] 
 +    * note on ''~/.ssh/config'' - PKCS11Provider option (OpenSSH 5.5p1 or later recommended) 
 +  * Import of PGP/GnuPG key and basic operations - decrypt, verify ([[http://www.gooze.eu/links/gnupg-pkcs11-agent|GnuPG PKCS#11 interface]]) 
 +  * Overview of [[http://content.hccfl.edu/pollock/AUnix2/PAM-Help.htm|PAM and PAM configuration]]. 
 +    * [[https://github.com/OpenSC/pam_pkcs11|pam_pkcs11]] - PAM module to perform authentication via PKCS#11 interface offered by the token 
 +    * one example for some ''/etc/pam.d/'' config file (e.g. sudo) 
 +  * Import of [[http://www.gooze.eu/howto/smartcard-quickstarter-guide/scenario-1-importing-certificates-from-pkcs12-file|client certificate from PKCS#12 file]] 
 + 
 +OpenSC >= 0.13.0 required. Check [[https://github.com/OpenSC/OpenSC|OpenSC]] on github for recent fixes, I've commited some to upstream. 
 + 
 +Other [[http://www.gooze.eu/tutorials|tutorials on gooze.eu]]. 
 + 
 +GnuPG support is kind of hackish, PKCS#11 mostly works except for replug bug - if token is replugged while long-running app like Firefox or gpg-agent is still running, it won't get reinitialized correctly. The OpenSC driver should reissue SCP-01 handshake after ATR, but doesn't. 
 + 
 +===== Related hardware ===== 
 + 
 +=== Yubikey Neo === 
 + 
 +The [[https://www.yubico.com/products/yubikey-hardware/yubikey-neo/|Yubikey Neo]] with NFC seems interesting, too. It's the standard Yubikey with NFC NDEF type 4 tags and Mifare classic interface. Applications: 
 + 
 +  * OTP token working as USB HID keyboard that writes OTP when button is pushed (this is the original Yubikey's functionality) 
 +    * usable e.g. for SSH two-factor authentication 
 +  * multiple "slots" or "apps" 
 +    * can be [[http://static.yubico.com/var/uploads/pdfs/YubiKey_manual-2.2.pdf|personalized for challenge-response]] and other protocols 
 +    * [[https://www.yubico.com/2012/12/yubikey-neo-openpgp/|OpenPGP support]] (no key import, keys are generated on the chip) 
 +    various modes can be turned on/off - [[https://www.yubico.com/2012/12/yubikey-neo-composite-device/|combinations of HID, CCID and OpenPGP]] support 
 +  * some [[https://github.com/Yubico|Neo apps have sources available]], e.g. [[https://github.com/Yubico/ykneo-openpgp|source for OpenPGP app]] 
 + 
 +Issues: 
 + 
 +  * not much technical information yet (//"Yubico will share more information on how this can be used in Q1, 2013"//) 
 +    * product page says something about //Common Criteria certified bank grade authentication ICs//, but what EAL level? 
 +  * does attacking via [[https://en.wikipedia.org/wiki/MIFARE#Security_of_MIFARE_Classic.2C_DESfire_and_Ultralight|Mifare Classic interface]] reveal random seeds or RNG states usable for other interfaces? (HID, NFC) 
 +    * could the above be combined with [[http://www.nfc-forum.org/apps/group_public/download.php/9052/doi_10.1109_NFC.2011.9.pdf|NDEF record composition attack?]] 
 + 
 +Yubikey has its own [[https://github.com/Yubico/yubico-pam|PAM module pam_yubico]] which is quite configurable. E.g. it can provide two-factor auth or replacing passwords with OTP.
  
 
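Review bot: three formatting defects in the added text will render wrongly: the EL6/Fedora package entry has an unclosed parenthesis (''(note: F17/18 requires just the opensc package''), the ''various modes can be turned on/off'' line under the Yubikey Neo "slots" item is indented but has no ''*'' bullet and so breaks the list, and "commited" should read "committed". The PAM bullet announces "one example for some ''/etc/pam.d/'' config file (e.g. sudo)" but no example follows; either paste the pam_pkcs11 line that was used at the workshop or drop the promise. The replug bug paragraph (OpenSC not reissuing the SCP-01 handshake after ATR when a long-running app like Firefox or gpg-agent holds the token) would be more useful with a link to the upstream OpenSC issue or the commits mentioned as submitted, so readers can check whether a later release than 0.13.0 fixes it.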
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported