Nov 04 2007
Have you ever tried to get a commercial smart card solution available on the market to work with more than just one operating system? Then you might be familiar with the fact that it's not a walk in the park. During my evaluation of both hardware and software I quickly noticed that trying to mix hardware and software from different vendors wasn't that great an idea and didn't work out that well. So much for standards.
Having used OpenPGP for quite some time, and earlier PGP (OpenPGP derives from PGP, first created by Phil Zimmermann), on various operating systems, I've quite often looked into the possibility of using some kind of token to keep my encryption and ssh keys safe; a simple USB memory stick isn't an option. The problem is that this hasn't been easy in the past, and it also depends on what kind of token you choose. From that starting point I've been looking at using a smart card solution, and while evaluating different smart card readers it clearly looks like a USB CCID (Chip/Smart Card Interface Devices) based dongle reader is the best and actually the easiest solution when several operating systems are in mind (drivers are available for two of the operating systems that I use: Windows and Linux).
When I started looking into this topic I gave it a try with the GemPlus PC400 smart card reader, which works fine under Windows and Linux but unfortunately lacks drivers for OS/2, which is another operating system I still use. Linux drivers for the GemPlus PC400 smart card reader can be found at LinuxNet, and there is an active software bounty available at OS2 World for those who want to continue on that track.
There are various smart card implementations available, and one of the widely available solutions for at least Windows and Linux systems is the U.S. Department of Defense CIC, Common Access Card, which is a Java Card OpenPlatform card with GSC-IS (Government Smart Card Interoperability Specification) applets. It is primarily used to access email, with varying levels of support on the mentioned operating systems. There are various manufacturers that sell this kind of smart card. For a larger corporation, or due to customer demand, the DoD CIC smart card might be the track to continue on when selecting a standard to build one's solution around.
Features of this card are:
- 3 independent 1024 bit RSA keys (signing, encryption, authentication).
- Key generation on card or import of existing keys.
- Signature counter.
- Data object to store a URL to access the full OpenPGP public key.
- Data objects for card holder name etc.
- Data object for login specific data.
- Length of PIN between 6 and 254 characters; not restricted to numbers.
- T=1 protocol; compatible with most readers.
- 40mm * 10mm sized writable field on the front matter.
- Specification freely available and usable without any constraints.
There shouldn't be any problem using DoD CIC smart cards, but I haven't had the opportunity to verify this myself, or how well this card works together with GnuPG and OpenPGP. It is my understanding, though, that it works as intended.
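As an added example that is not part of the original post, the small Python script below parses `gpg --card-status` style output and audits the card features listed above from the card holder's side: it tracks the signature counter against the value seen at the last audit, warns when the user or admin PIN retry counter has reached zero, and checks the public-key URL data object against the one on record. The status text, serial number and URL are constructed, and the field layout assumes the "Label ....: value" lines GnuPG prints for an OpenPGP card.

```python
import re
from typing import Dict, List
# Constructed sample, not a dump of a real card; the label/value layout
# mirrors what `gpg --card-status` prints for an OpenPGP card.
SAMPLE_STATUS = """\
Serial number ....: 0000ABCD
Name of cardholder: Jane Doe
URL of public key : https://keys.example.invalid/jane.asc
PIN retry counter : 3 0 3
Signature counter : 42
Signature key ....: 1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678
      created ....: 2007-11-04 12:00:00
"""

# 'Label ....: value'. The lazy label stops at the first colon and the
# dot/space padding is swallowed, so 'URL of public key : https://x' survives.
_FIELD = re.compile(r"^(?P<label>[^:]+?)[ .]*:\s?(?P<value>.*)$")

def parse_card_status(text: str) -> Dict[str, str]:
    """Map each top-level line to label -> value; indented continuation
    lines such as 'created ....:' are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        m = _FIELD.match(line)
        if m:
            fields[m.group("label")] = m.group("value").strip()
    return fields

def pin_retry_counters(fields: Dict[str, str]) -> List[int]:
    """Retries left as [user PIN, reset code, admin PIN]; the reset-code
    counter reads 0 whenever no reset code has been set, so it is not an alarm."""
    return [int(n) for n in fields.get("PIN retry counter", "").split()]

def audit_card(fields: Dict[str, str], last_seen: int, expected_url: str) -> List[str]:
    """Return findings worth a look; an empty list means nothing unexpected."""
    findings = []
    counter = int(fields.get("Signature counter", "0"))
    if counter < last_seen:       # counter only resets when the signing key is regenerated
        findings.append("signature counter went backwards: key regenerated or other card?")
    elif counter > last_seen:     # every signature the card makes bumps it by one
        findings.append(f"{counter - last_seen} signature(s) made since the last audit")
    retries = pin_retry_counters(fields)
    if retries and (retries[0] == 0 or retries[-1] == 0):
        findings.append(f"user or admin PIN is blocked (retries {retries})")
    if fields.get("URL of public key") != expected_url:
        findings.append("public-key URL differs from the one on record")
    return findings
```

Run it against the real output of `gpg --card-status` piped into `parse_card_status` to compare a card against the counter and URL recorded at the previous audit.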
The GnuPG client and the plug-in used on the mentioned systems support PKCS#11, and through this it's possible, with some tweaking, to get everything working together with a single smart card holding an RSA key for signing and ssh key handling. Getting it to work with Thunderbird and Enigmail is really easy and works more or less out of the box.
So by looking at open source utilities I've achieved my goal of a working solution for secure handling of my encryption keys on at least two out of the three operating systems that I use.