Basics
Home Up

 

Aladdin eToken

Q. Does the etoken (Product ID 0514) from Aladdin work in combination with pcsc-lite?

A. OpenSC can put certificates and keys on it and use them and so can any other software that follows the pkcs#15
standard.  However, if you've already created keys and/or certificates with the Aladdin software, opensc will not be able to use, see, or alter them, as Aladdin uses a proprietary format that is not pkcs#15 compatible and opensc does not understand it.

If your token has enough space, both formats - pkcs#15 and Aladdin - can live side by side. pkcs#15 uses the 2f00 file and the 5015/ directory, Aladdin uses the 6666/ directory. 

So, you can't mix opensc with the Aladdin software but if you use opensc everywhere, you should be fine.  Simply use openct and opensc (you don't need pcsc-lite), and follow each QUICKSTART guide.

Please note that Aladdin uses cardos on the internal smart card which has a limitation: keys can only be used for signing or for decryption, but not both. if you add the "--split-key" option to pkcs15-init --generate-key then you should be fine (software keygen and save it two times with different flags).

Q. I get errors when loading my smartcard.  What do they mean?

A. You have to take a look in the ISO 7816-4 specification.

For example, error code 69 85 means: "Conditions of use not satisfied."

Look in the Open Platform specification (if your card complies with Open Platform 2.0.1').

Maybe this error means that a requirement for using the command is not satisfied.  For example:

The command was not issued in a secure channel or the preceding command was not the required Install command.
If DAP verification was required, the associated security domain did not have the appropriate privilege in the application privilege byte.
The mandatory load file data block DAP was not present in the data field.
The security domain AID does not match the AID of a security domain with mandated DAP privileges.
If at least one personalized security domain with mandated DAP verification privilege is present on the card, the Load File Data Block DAP field is mandatory, and the security domain AID data field should match the AID of one of those personalized security domains.

Q. How do these MUSCLE applet external authentication codes function?

(a) when cipher-dir == CD_VERIFY, the applet will verify an MD5RSA signature (over the Value of challenge object), and perform strongLogon, if the verification succeeds.

(b) when cipher-dir == CD_DECRYPT, the applet will decrypt the incoming ciphertext using TDES_CBC_NOPAD, compare the plaintext for equality with the stored challenge value V, and reflect the plaintext value back to the consumer (over an insecure channel), if there is a match, without performing strongLogon.

A. The intended usage of the protocol command is straightforward: allow the other end communicating with the card to prove possession of a cryptographic key, either providing an encryption of the card-generated challenge, or providing a signature on the card-generated challenge.

In the first case, the ExtAuth command is invoked with parameters analogous to an MSCComputeCrypt invocation for decrypting a cryptogram (by using an on-card symmetric key or asymmetric public key).

In the latter one, it is invoked with parameters analogous to an MSCComputeCrypt invocation for verifying a signature (by using an on-card asymmetric public key). It performs a login - with the key/principal used to authenticate the exchange.

Q. Does openssl already provide some function and engine to interact with a usb token?

A. openssl provides the possibility to use tokens for crypto operations via engines. OpenSC [1] has pkcs11 engine for openssl and a suitable pkcs11 lib for some tokens (actually opensc currently has two ssl engines: one native and one pkcs11).

Q. Where do I buy smart cards?

A. Many prefer the Cryptoflex 32k in an egate token which is available at www.scmegastore.com , $150 US(+s/h) for 5 cards and 5 tokens.

Q. I was trying to learn more about the CERES card and it said here http://www.cert.fnmt.es/pilotos/tarjetatext.htm#chip_ST that the card is PKCS#15. Does this mean that the file system of the card has become public? Could you provide me with a link 
where to find detailed information?

I would be particularly interested in some information on what to find on the card, following (the more technical section of) this template ( http://porvoo7.fjarmalaraduneyti.is/media/Porvoo7/Country_updates_template.ppt
but maybe going in more detail.

A.  Yes and no:

There are several incompatibilities such as:
- Use of data compression in some files
- FileID changes in filesystem structure
- Data size in bytes instead of bits
- Use of strange string types (T.61)
- strange use of the authId attribute

So saying that the card is pkcs15 compliant is definitely wrong.

Most of the differences are due to the fact that Ceres support was first done to work with M$ CryptoAPI without other OS's in mind.

At http://opensc-ceres.software-libre.org you will find an opensc-0.8.1 based version of OpenSC modified to work with Ceres Cards. Note that there are two proprietary modules dynamically linked: one is for card-level control and the other is for pkcs15-init intrinsic

In sources you'll find a pkcs15.profile file slightly different from official one.

Ceres is not really a eID card: it is just the Official SmartCard provided by FNMT-RCM. CERES, an internal department of FNMT is the Official National Certification Authority in Spain (although there are many public and privates CA's)

Q: What should we do if there is an error in the command response received from a reader? Should we send the RETRY command or just simply resend the command to the reader again. Are there any specific rules for certain errors where we must send the RETRY command as opposed to resending the previous command.

A: The whole context of smart cards is one of a carefully designed environment, in which the handling of errors is planned by the programmer who writes the software (both the terminal side software and the software in the card). Retries are therefore not expected unless you are waiting for the user to do something very basic such as insert the card or enter a PIN. 

For example, when you send an application select, with correct parameters, to a card, you probably do not know if that application is resident on the card. If the app is present, the select succeeds; if the application is not present, the select fails; if the card stops working (pulled out of the reader, dirty contacts, power failure...) the command fails.

Another example: when you write a record to a file in the card, if the parameters that you send are correct and the file is selected and there is space in the file, the command succeeds; if there is a failure, your application has to analyze the failure code and take the appropriate action.

Q: Can you retrieve a password from a pinpad?

A: No. That is the main purpose of a pinpad. The PIN only goes from the reader to the card without any possibility for the PC to know it. So when a pinpad is used no PAM module will ever know the PIN.

Q: Do I need to install "muslecardframework" along with pcsc-lite?

A: No. Not unless you want to use a musclecard.

Q: Does OpenSC work with Java Cards?

A: No. opensc cannot support java cards. At most it can support a specific applet on a java card.

Q: Does the Oberthur Authentic card have an applet that emulates the PKCS15 like JCOP has?

A: This applet emulates the dynamic file system and supports ISOs 7816-4, 7816-8, 7816-9. The native Oberthur's middleware (only for Windows) has PKCS11 and CSP. Their implementation of PKCS#15 is not completely standard.

OpenSC contains the driver for this card (Oberthur AuthentIC 64k) with the standard PKCS#15 (not compatible with Oberthur's Windows middleware). It has the extensions for OpenSC support to initialize the smart card so that it's compatible with both the OpenSC and Oberthur middleware as well as make Oberthur native cards compatible with OpenSC.

Q: What are the features of the Oberthur Authentic card?

A: It is their 'JavaCard-OpenPlatform' card, with the cryptographic applet called 'AuthentIC'. As far as I know, usually Oberthur supplies the smart cards with some applet(s) loaded and the Card Manager in SECURED state (the new applet uploading is not allowed). The Oberthur-AuthentIC-64k card has about 60k of free memory. These are contactless cards. The unit price is around $20 in small quantities.

Q: I am trying to set up CAC access in Linux. Any tips?

A: Experience has shown that the easiest way to get all this working is to have a device that is actually CCID compliant. The CCID driver page lists devices known to work, that probably work, and those that are paper weights. http://pcsclite.alioth.debian.org/ccid.html Some have had good luck with the SCM 331 and GemPC USB SL. Current models are ~$20 and when they are known to work, it makes life much easier.

Q: Is it possible to copy/dump from one smartcard onto another one?

A: Yes, using proprietary commands (different ones if using cards from different providers) for EEPROM dump and EEPROM write, as long as you own the administrative keys that would allow it. In other words, forget about it.

Q: Tell me about the German online banking tool Hibiscus.

A: http://www.willuhn.de/projects/hibiscus/  It uses the ctapi protocol.

Q: What is the ID code for the Cherry SmartTerminal ST-1044u ccid compliant reader.

A: For the /etc/openct.conf file, the ID is usb:046a/002d.

Q: Are there any practical attempts to negotiate keys for SM by use of public keys?

A: Yes, there is. Google for the e-SignK / CWA 14890 draft CEN standard. This describes secure messaging based on a shared secret key or using a hybrid scheme with card verifiable certificates (CVCs) (all based on ISO 7816-4). That is the procedure used by several smart card applications (eGK, ECC).

Q: What do you call a multilib platform?

A: Platforms that can run 32-bit and 64-bit binaries at the same time. For example, Solaris on SPARC or x64 hardware.

For 32-bit or 64-bit only platforms (ie, where the OS or the distro, not necessarily the hardware, only supports a single model), pkg-config is fine because there is only one set of paths for pkg-config to emit.

Q: Where can I install Python based PyCSC?

A: Pythonists can now install PyCSC via: easy_install PyCSC pypi page: http://www.python.org/pypi/PyCSC

Anybody interested in Python and PC/SC is welcome to review the code and send patches, etc.

Q: Is there documentation on how to use a smartcard for GnuPG encryption?

A: Here is the guide at http://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html

Google
Web www.smartcardscanada.com