Open Source Smart Card Operating Systems for Smartcards
Sun is in the smart-card business by virtue of its Java programming language, which can be overlaid on any computer operating system. Java became the language of choice when the U.S. Government Services Authority (GSA) specified in its smart-card contract that an open architecture be used. This was so the government could choose several vendors while ensuring the products could operate together.
Java Card™ technology permits the development of smart card applications in the well-known Java™ programming language. This combines the merits of Java™ technology such as platform independence, easy code maintenance, productivity and tool availability with the outstanding benefits of smart cards, e.g. security, portability and one-to-one personalisation.
Open source smart card developer resources links from Gemplus.
PC/SC (personal computer/smart card)
For Microsoft platforms, the preferred interface is PC/SC (personal computer/smart card). Generic PC/SC support is built into all recent Microsoft Windows versions.
The Interoperability Specification for ICCs and Personal Computer Systems (PC/SC) has been developed to ease the introduction of smart cards into the world of PCs. The main advantage of PC/SC is that applications do not have to be aware of the details regarding the smart card reader in order to communicate with the smart card. Moreover, the application can function with any reader complying with the PC/SC standard.
OCF, the OpenCard Framework is a standard Java framework for working with Smart Cards.
OpenCard Framework is Java running in the computer or terminal and talking to the smartcard; JavaCard is a special, stripped-down version of Java that runs on the smartcard itself. Java applications running on the PC can use OpenCard to access JavaCard smartcards and standard smartcards. If you want to write Java applets (also known as cardlets) that run on the smartcard itself, you have to use a smartcard that is compliant with the JavaCard standard. One exception to this is MULTOS. MULTOS now offers the ability to write your applications in Java and then cross-compile them into MEL prior to loading onto the MULTOS smart card. In this case you are not using a true Java Card according to the Java Card Specifications.
The general view on the relationship between the OCF and PC/SC standardization efforts is such that these efforts are considered complementary rather than competing - complementary with respect to the scope of their objectives as well as to the environments in which they will be deployed. In view of the fact that, in a broad sense, they both address the communication of computing devices and smartcards, some overlapping between them seems only natural.
Besides PCs, many systems that use smartcards today (e.g. a POS terminal, set-top box, or a smart phone) do not currently run Windows NT/95 and will, for various reasons (e.g. resource requirements), probably not do so in the future. Smartcard solutions developed for those systems currently have only two choices: they can either be tailored in an inflexible way to a given reader and card, or they can be based on the Java platform and make use of OCF.
Visa Open Platform Terminal API
To hasten worldwide smartcard acceptance, Visa is currently working on an Open Platform Terminal API. This API enhances software development for smartcard acceptance. This API is not in competition with, but complementary to, similar industry initiatives such as PC/SC and OpenCard Framework. Both of these initiatives, PC/SC and OpenCard, focus on specific target platforms. The Visa Open Platform Terminal API is being developed with a wide range of devices in mind, such as PCs, NCs, EFT/POS, etc. The API and services offered by PC/SC and OpenCard can be utilized by the Visa Open Platform Terminal API if available in the environment.
MUSCLE is a project to coordinate the development of smart cards and applications under Linux. The purpose is to develop a set of compliant drivers, APIs, and a resource manager for various smart cards and readers for the GNU environment. Source code is now available which supports the Schlumberger Reflex 60 line of readers and all ISO 7816-4 compliant smart cards.
Their goal is to promote smart card and cryptographic support for Unix-based operating systems. They provide drivers for PCSC-lite on Linux, Solaris, Mac OS X and others. With the MuscleCard Applet or Cryptoflex you can begin using smartcards on over 7 platforms.
Their downloadable framework gives you everything you need to use smartcards across multiple platforms. In the package you will find management utilities and PKCS#11 support for S/MIME and SSL authentication.
One software package includes everything you need to start using smartcards on a variety of platforms, including PKCS#11 support, smartcard authentication with PAM, and card administration. Start signing, encrypting, and authenticating with your smartcard with this easy-to-use package.
Another program with a complete installer comes with everything you need to get working with MuscleCard on Windows-based platforms. It comes with a CSP for doing Windows login, email signing/decryption, and web authentication, as well as applet loading and management for several Java Cards and PKCS#11 support.
MuscleCard is a part of the MUSCLE project (Movement For The Use Of Smart Cards In A Linux Environment). MuscleCard defines an API for accessing smart card services through MuscleCard Plug-Ins, which implement the actual functionality for a set of cards. With MuscleCard you get a powerful key and object storage solution on smart cards with cryptographic functionality which can be used for a wide range of applications like logon purposes or document signatures.
OpenPGP Card - The OpenPGP Card from G10code in Germany is a specification of an ISO 7816-4,-8 compatible smartcard and also an actual, available implementation of this specification as a standard-sized card.
Features of this card are:
GNU Privacy Guard - GnuPG is a complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG is an RFC 2440 (OpenPGP) compliant application.
This functional specification describes the OpenPGP application based on the functionality of ISO smart card operating systems. In principle it defines the interface of the application between card and terminal; in this context the terminal is the OpenPGP software with a standard card reader on a PC/SC basis.
The solution takes care of
· use of international standards,
Consequently this specification does not deal with the description of the global commands and data fields of the card, the security functions generally provided by the card, any features that apply to more than one application, such as transmission protocols, nor with the description of the general mechanical and electrical characteristics of the card.
In particular, the specification provides a detailed description of the data objects directly related to the applications and their respective content formats. Contents of the application data are only prescribed if they represent a constant factor of the application.
The encoding values mentioned in the specification are stated in hexadecimal form, unless otherwise indicated.
The OpenPGP application is designed to run under several ISO compatible card operating systems, so the application can be implemented on several chips from different manufacturers.
How To OpenPGP Card - screenshots of experimental use.
OpenSC provides a set of libraries and utilities to access smart cards. Its main focus is on cards that support cryptographic operations, and on facilitating their use in security applications such as mail encryption, authentication, and digital signature. OpenSC implements the PKCS#11 API, so applications supporting this API, such as Mozilla Firefox and Thunderbird, can use it. OpenSC implements the PKCS#15 standard and aims to be compatible with all software that does the same.
This Linux-PAM login module allows an X.509 certificate-based user login. The certificate and its dedicated private key are accessed by means of an appropriate PKCS #11 module. For the verification of the users' certificates, locally stored CA certificates as well as either online or locally accessible CRLs are used.
The PKCS #11 modules must fulfil the requirements given by the RSA Asymmetric Client Signing Profile, which has been specified in the PKCS #11 Conformance Profile Specification by RSA Laboratories.
PAM-PKCS#11 is a PAM (Pluggable Authentication Module) plug-in (updated version) which allows someone to log in to a UNIX/Linux system that supports PAM by means of a digital certificate stored in a smart card.
User matching verifies the ownership of a certificate, so that the owner of a certificate is allowed to log in as a particular user.
OpenSC-Ceres pkcs11 Library - a derived work from OpenSC for Spanish CA Ceres Smart Cards
OpenSC API Reference Guide - Open Smart Card project coverage of Initialization, File Operations, ASN.1 Functions, Data Types.
OpenSC Project Supported cards
Cryptoflex e-gate also works just fine, and the regular Cryptoflex 32K will probably work equally well.
OpenSignature is an open source project for the digital signature of documents. It works with all cards supported by OpenSC and focuses on adding support for cards from accredited Italian CAs. The goal of the project is to provide a first single product capable of supporting cards from multiple vendors/countries. This contrasts with the approach taken by card vendors/providers whose software follows an exclusive single-vendor approach. OpenSignature thus attempts to make a major contribution to interoperability in the digital signature domain and aims to greatly facilitate the setup of public access points that are currently the objective of several projects in Italy. Moreover, we hope that the peer review of the open source approach will allow us to at least match the security level of competing single-card software.