Q: Does the eToken (Product ID 0514) from Aladdin work in combination with pcsc-lite? A: OpenSC can put certificates and keys on it and use them, and so can any other software that follows the PKCS#15
Q: I get errors when loading my smartcard. What do they mean? A: You have to take a look in the ISO 7816-4 specification.
• The command was not issued in a secure channel or the preceding command was not the required Install command.
Q: How do these MUSCLE applet external authentication codes function? (a) When cipher-dir == CD_VERIFY, the applet will verify an MD5RSA signature (over the Value of the challenge object) and perform strongLogon if the verification succeeds. A: The intended usage of the protocol command is straightforward: it allows the other end communicating with the card to prove possession of a cryptographic key, either by providing an encryption of the card-generated challenge or by providing a signature on the card-generated challenge. In the first case, the ExtAuth command is invoked with parameters analogous to an MSCComputeCrypt invocation for decrypting a cryptogram (using an on-card symmetric key or asymmetric public key). In the second case, it is invoked with parameters analogous to an MSCComputeCrypt invocation for verifying a signature (using an on-card asymmetric public key). On success it performs a login with the key/principal used to authenticate the exchange.
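The CD_VERIFY direction of that exchange, modelled in Python as an added example (not the applet's or OpenSC's code): the card side hands out a fresh random challenge object, the host signs its MD5 digest with textbook RSA, and the card verifies with the stored public key before setting its logon state. The Mersenne-prime key, the class and function names and the retry counter are all constructed for this illustration.

```python
"""Toy model of the MUSCLE ExtAuth challenge/response in the CD_VERIFY direction.
Constructed for illustration; not the applet's own code."""
import hashlib
import os

# Toy RSA key built from two Mersenne primes (constructed; a real card holds a
# proper key object and the host keeps the private key in protected storage).
P, Q = (1 << 89) - 1, (1 << 107) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def md5rsa_sign(data: bytes) -> int:
    """Host side: unpadded RSA over the MD5 digest of the challenge (toy MD5RSA)."""
    return pow(int.from_bytes(hashlib.md5(data).digest(), "big"), D, N)


class MuscleCard:
    """Card side: issues a challenge object, verifies the response, logs on."""

    def __init__(self, pub_n: int, pub_e: int, max_tries: int = 3):
        self.n, self.e = pub_n, pub_e
        self.tries_left = max_tries      # constructed lockout counter
        self.challenge = None
        self.logged_on = False

    def get_challenge(self, size: int = 16) -> bytes:
        # Fresh random value per attempt, so a captured response cannot be replayed.
        self.challenge = os.urandom(size)
        return self.challenge

    def ext_auth_verify(self, signature: int) -> bool:
        """ExtAuth with cipher-dir == CD_VERIFY: check the signature over the
        current challenge object, then strongLogon on success."""
        if self.challenge is None or self.tries_left == 0:
            return False
        expected = int.from_bytes(hashlib.md5(self.challenge).digest(), "big")
        ok = pow(signature, self.e, self.n) == expected
        self.challenge = None            # one response per challenge
        if ok:
            self.logged_on = True
        else:
            self.tries_left -= 1
        return ok


def run_exchange(card: MuscleCard, tamper: bool = False) -> bool:
    """Full round trip; tamper=True signs the wrong value, as a bad host would."""
    chal = card.get_challenge()
    sig = md5rsa_sign(chal + b"x" if tamper else chal)
    return card.ext_auth_verify(sig)
```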
Q: Does OpenSSL already provide some function and engine to interact with a USB token? A: OpenSSL provides the possibility to use tokens for crypto operations via engines. OpenSC [1] has a PKCS#11 engine for OpenSSL and a suitable PKCS#11 library for some tokens (actually OpenSC currently has two SSL engines: one native and one PKCS#11).
Q: Where do I buy smart cards? A: Many prefer the Cryptoflex 32k in an eGate token, which is available at www.scmegastore.com for $150 US (+ s/h) for 5 cards and 5 tokens.
Q: I was trying to learn more about the CERES card and it said at http://www.cert.fnmt.es/pilotos/tarjetatext.htm#chip_ST that the card is PKCS#15. Does this mean that the file system of the card has become public? Could you provide me with a link? A: Yes and no. There are several incompatibilities such as:
So saying that the card is PKCS#15 compliant is definitely wrong. At http://opensc-ceres.software-libre.org you will find an opensc-0.8.1 based version of OpenSC modified to work with CERES cards. Note that there are two proprietary modules dynamically linked: one for card-level control and the other for pkcs15-init. Intrinsically, CERES is not really an eID card: it is just the official smart card provided by FNMT-RCM. CERES, an internal department of FNMT, is the official national certification authority in Spain (although there are many public and private CAs).
Q: What should we do if there is an error in the command response received from a reader? Should we send the RETRY command or just simply resend the command to the reader again? Are there any specific rules for certain errors where we must send the RETRY command as opposed to resending the previous command? A: The whole context of smart cards is one of a carefully designed environment, in which the handling of errors is planned by the programmer who writes the software (both the terminal-side software and the software in the card). Retries are therefore not expected unless you are waiting for the user to do something very basic such as insert the card or enter a PIN. For example, when you send an application SELECT with correct parameters to a card, you probably do not know whether that application is resident on the card. If the application is present, the select succeeds; if it is not present, the select fails; if the card stops working (pulled out of the reader, dirty contacts, power failure...) the command fails.
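As an added illustration of the two error-handling answers above (not code from the FAQ or from OpenSC), the following Python splits a response APDU into data and status word, decodes a selection of ISO 7816-4 status words, and classifies what the terminal should do next; the action names and the Status type are my own, and only the "wrong Le" case ever asks for the same command again.

```python
"""Decode ISO 7816-4 status words (SW1 SW2) and classify the follow-up action.
Added example; the action vocabulary is constructed for this illustration."""
from typing import NamedTuple


class Status(NamedTuple):
    data: bytes     # response data preceding SW1 SW2
    sw: int         # SW1 SW2 as one 16-bit value
    meaning: str
    action: str     # done | get_response | reissue | user_action | fail


# Selected ISO 7816-4 status words that match on both bytes.
EXACT = {
    0x9000: ("success", "done"),
    0x6A82: ("file or application not found", "fail"),
    0x6A86: ("incorrect parameters P1-P2", "fail"),
    0x6982: ("security status not satisfied (verify PIN first)", "user_action"),
    0x6983: ("authentication method blocked (PIN blocked)", "fail"),
    0x6985: ("conditions of use not satisfied", "fail"),
    0x6D00: ("instruction code not supported", "fail"),
    0x6E00: ("class not supported", "fail"),
}


def decode_sw(resp: bytes) -> Status:
    """Split a raw response APDU into data and status word, then classify it.

    Only 6Cxx asks for the same command again (with the corrected Le);
    everything else is finished, needs GET RESPONSE, needs the user, or is
    a programming/card error that a blind resend cannot fix."""
    if len(resp) < 2:
        raise ValueError("response shorter than SW1 SW2")
    data, sw = resp[:-2], int.from_bytes(resp[-2:], "big")
    sw1, sw2 = sw >> 8, sw & 0xFF
    if sw in EXACT:
        meaning, action = EXACT[sw]
    elif sw1 == 0x61:
        meaning, action = f"{sw2} more response bytes available", "get_response"
    elif sw1 == 0x6C:
        meaning, action = f"wrong length, reissue with Le={sw2}", "reissue"
    elif sw1 == 0x63 and sw2 & 0xF0 == 0xC0:
        meaning, action = f"verification failed, {sw2 & 0x0F} tries remaining", "user_action"
    else:
        meaning, action = "unknown status word", "fail"
    return Status(data, sw, meaning, action)
```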
Q: Can you retrieve a password from a pinpad? A: No. That is the main purpose of a pinpad: the PIN only goes from the reader to the card, without any possibility for the PC to know it. So when a pinpad is used, no PAM module will ever know the PIN.
Q: Do I need to install "musclecardframework" along with pcsc-lite?
Q: Does OpenSC work with Java Cards? A: No. OpenSC cannot support Java Cards in general; at most it can support a specific applet on a Java Card.
Q: Does the Oberthur AuthentIC card have an applet that emulates PKCS#15 like JCOP has? A: This applet emulates a dynamic file system and supports ISO 7816-4, 7816-8 and 7816-9. The native Oberthur middleware (Windows only) has PKCS#11 and CSP. Their implementation of PKCS#15 is not completely standard.
Q: What are the features of the Oberthur AuthentIC card? A: It is their 'JavaCard-OpenPlatform' card, with the cryptographic applet called 'AuthentIC'. As far as I know, Oberthur usually supplies the smart cards with some applet(s) loaded and the Card Manager in SECURED state (uploading new applets is not allowed). The Oberthur-AuthentIC-64k card has about 60k of free memory. These are contactless cards. The unit price is around $20 in small quantities.
Q: I am trying to set up CAC access in Linux. Any tips? A: Experience has shown that the easiest way to get all this working is to have a device that is actually CCID compliant. The CCID driver page (http://pcsclite.alioth.debian.org/ccid.html) lists devices known to work, those that probably work, and those that are paperweights. Some have had good luck with the SCM 331 and GemPC USB SL. Current models are ~$20 and, when they are known to work, it makes life much easier.
Q: Is it possible to copy/dump from one smartcard onto another one? A: Yes, using proprietary commands (different ones if using cards from different providers) for EEPROM dump and EEPROM write, as long as you own the administrative keys that would allow it. In other words, forget about it.
Q: Tell me about the German online banking tool Hibiscus. A: See http://www.willuhn.de/projects/hibiscus/. It uses the CT-API protocol.
Q: What is the ID code for the Cherry SmartTerminal ST-1044u CCID-compliant reader? A: For the /etc/openct.conf file, the ID is usb:046a/002d.
Q: Are there any practical attempts to negotiate keys for SM (secure messaging) by use of public keys? A: Yes, there are. Search for the e-SignK / CWA 14890 draft CEN standard. It describes secure messaging based on a shared secret key or using a hybrid scheme with card verifiable certificates (CVCs), all based on ISO 7816-4. That is the procedure used by several smart card applications (eGK, ECC).
Q: What do you call a multilib platform? A: Platforms that can run 32-bit and 64-bit binaries at the same time. For example, Solaris on SPARC or x64 hardware.
Q: Where can I install the Python-based PyCSC? A: Pythonists can now install PyCSC via easy_install PyCSC; the PyPI page is http://www.python.org/pypi/PyCSC. Anybody interested in Python and PC/SC is welcome to review the code and send patches.
Q: Is there documentation on how to use a smart card for GnuPG encryption? A: There is a guide at http://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html