Differences

project:cryptotoken [2013/01/16 14:06]
kappi [Order]
project:cryptotoken [2013/03/09 17:37] (current)
abyssal remove old sections
Line 3: Line 3:
 {{template>​infobox| {{template>​infobox|
 name=CryptoToken| name=CryptoToken|
-image=:​projects:​epass2003-001.png?200|+image=cryptotoken.jpg?200|
 sw=-| sw=-|
 hw=-| hw=-|
-founder=[[user:​abyssal]]|+founder=|
 interested=| interested=|
-status=active+status=done
 }} }}
  
Line 20: Line 20:
   * [[http://​www.gooze.eu/​forums/​support/​difference-between-epass-2003-and-epass-pki-token-pki-card|Difference Between ePass 2003 and ePass PKI]]   * [[http://​www.gooze.eu/​forums/​support/​difference-between-epass-2003-and-epass-pki-token-pki-card|Difference Between ePass 2003 and ePass PKI]]
  
-===== Order =====+===== Notes and prepared packages ​=====
  
-^ Person ​               ^  Number of tokens ​ ^ +  * [[http://​apt.gooze.eu/​|APT repository for Ubuntu from gooze.eu]] 
-| abyssal ​              ​| ​ 2                 +  ​* [[https://​www.constructibleuniverse.net/​Feitian/​Feitian-notes.txt|Notes on installation and usage]] 
-| biiter ​               |  1                 +  ​* [[https://​www.constructibleuniverse.net/​Feitian/​pkgs/​|Compiled RPMs for EL6 x86_64 and source RPM packages for EL6/Fedora 17-18]] ​(note: F17/18 requires just the opensc package
-| kxt                   ​| ​ 1                 | + 
-| ruza                  |  1                 | +===== epass2003 hacking and debugging ===== 
-| tlapka ​               |  1                 | + 
-| niekt0 ​               |  1                 | +  ​* [[https://​github.com/​hiviah/​epass2003-hacking|Documentation on how to decode APDUs, docs, scripts]]
-| JoHnY                 ​| ​ 1                 | +
-| pborky ​               |  1                 | +
-| Stevko ​               |  1                 | +
-| Czestmyr ​             |  1                 | +
-| lukash ​               |  2                 | +
-| Vatoz (Vaclav Cerny ​| ​ 1                 | +
-| sargon ​               |  1                 | +
-| axtheb ​               |  1                 | +
-| Eremiell (Jakub Marek)| ​ 1                 | +
-| kappi                 ​| ​ 1                 |+
  
  
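Review bot: the new "Notes and prepared packages" list points readers at a third-party APT repository and at compiled RPMs for EL6/Fedora without any way to verify what they download (no repository signing-key fingerprint, no package checksums); since these packages are the smartcard middleware that will handle the PIN, add the key fingerprint next to the `apt.gooze.eu` link and a checksum or GPG signature reference beside the `pkgs/` link. Minor: the remark "(note: F17/18 requires just the opensc package" on the same bullet is missing its closing parenthesis.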
 ===== Workshop ===== ===== Workshop =====
  
-Worshop ​is planned ​for making ​the token work on *nix systems once the tokens +Workshop took place in February. Few notes below. 
-arrive.+ 
 +==== Workshop notes ==== 
 + 
 +The token offers multiple interfaces:​ 
 + 
 +  * Import of [[http://​www.gooze.eu/​howto/​smartcard-quickstarter-guide/​scenario-4-reusing-existing-openssh-rsa-keys|existing RSA SSH key]], and [[http://​www.gooze.eu/​howto/​using-openssh-with-smartcards/​using-ssh-with-smart-cards|connecting]] 
 +    * note on ''​~/​.ssh/​config''​ - PKCS11Provider option (OpenSSH 5.5p1 or later recommended) 
 +  * Import of PGP/GnuPG key and basic operations - decrypt, verify ([[http://​www.gooze.eu/​links/​gnupg-pkcs11-agent|GnuPG PKCS#11 interface]]) 
 +  * Overview of [[http://​content.hccfl.edu/​pollock/​AUnix2/​PAM-Help.htm|PAM and PAM configuration]]. 
 +    * [[https://​github.com/​OpenSC/​pam_pkcs11|pam_pkcs11]] - PAM module to perform authentication via PKCS#11 interface offered by the token 
 +    * one example for some ''/​etc/​pam.d/''​ config file (e.g. sudo) 
 +  * Import of [[http://​www.gooze.eu/​howto/​smartcard-quickstarter-guide/​scenario-1-importing-certificates-from-pkcs12-file|client certificate from PKCS#12 file]] 
 + 
 +OpenSC >= 0.13.0 required. Check [[https://​github.com/​OpenSC/​OpenSC|OpenSC]] on github for recent fixes, I've commited some to upstream. 
 + 
 +Other [[http://​www.gooze.eu/​tutorials|tutorials on gooze.eu]]. 
 + 
 +GnuPG support ​is kind of hackish, PKCS#11 mostly works except ​for replug bug - if token is replugged while long-running app like Firefox or gpg-agent is still running, it won't get reinitialized correctly. The OpenSC driver should reissue SCP-01 handshake after ATR, but doesn'​t. 
 + 
 +===== Related hardware ===== 
 + 
 +=== Yubikey Neo === 
 + 
 +The [[https://​www.yubico.com/​products/​yubikey-hardware/​yubikey-neo/​|Yubikey Neo]] with NFC seems interesting,​ too. It'​s ​the standard Yubikey with NFC NDEF type 4 tags and Mifare classic interface. Applications:​ 
 + 
 +  * OTP token working as USB HID keyboard that writes OTP when button is pushed (this is the original Yubikey'​s functionality) 
 +    * usable e.g. for SSH two-factor authentication 
 +  * multiple "​slots"​ or "​apps"​ 
 +    * can be [[http://​static.yubico.com/​var/​uploads/​pdfs/​YubiKey_manual-2.2.pdf|personalized for challenge-response]] and other protocols 
 +    * [[https://​www.yubico.com/​2012/​12/​yubikey-neo-openpgp/​|OpenPGP support]] (no key import, keys are generated ​on the chip) 
 +    ​various modes can be turned on/off - [[https://​www.yubico.com/​2012/​12/​yubikey-neo-composite-device/​|combinations of HID, CCID and OpenPGP]] support 
 +  * some [[https://​github.com/​Yubico|Neo apps have sources available]],​ e.g. [[https://​github.com/​Yubico/​ykneo-openpgp|source for OpenPGP app]] 
 + 
 +Issues: 
 + 
 +  * not much technical information yet (//"​Yubico will share more information on how this can be used in Q1, 2013"//​) 
 +    * product page says something about //Common Criteria certified bank grade authentication ICs//, but what EAL level? 
 +  * does attacking via [[https://​en.wikipedia.org/​wiki/​MIFARE#​Security_of_MIFARE_Classic.2C_DESfire_and_Ultralight|Mifare Classic interface]] reveal random seeds or RNG states usable for other interfaces? (HID, NFC) 
 +    * could the above be combined with [[http://​www.nfc-forum.org/​apps/​group_public/​download.php/​9052/​doi_10.1109_NFC.2011.9.pdf|NDEF record composition attack?]] 
 + 
 +Yubikey has its own [[https://​github.com/​Yubico/​yubico-pam|PAM module pam_yubico]] which is quite configurable. E.g. it can provide two-factor auth or replacing passwords with OTP.
  
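Review bot: the PAM bullet announces "one example for some ''/etc/pam.d/'' config file (e.g. sudo)" but the hunk never includes the example, so either add the actual pam_pkcs11 line for that file or drop the bullet. The replug paragraph would also be more useful if it said how to recover (whether restarting the long-running application is enough) and linked the upstream OpenSC commits referred to in "I've commited some to upstream", so a reader can tell whether the missing SCP-01 re-handshake after ATR is already fixed in the required OpenSC >= 0.13.0 or still open. Minor: the "various modes can be turned on/off" entry under the Yubikey Neo list is missing its `*` bullet marker, so it renders as a stray paragraph.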
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported