Nothing is impossible for the man who doesn't have to do it himself. -- A.H. Weiler
This guide is about initialising and personalising (no distinction made) cards with the OpenSC library and tools (mostly pkcs15-init).
Some knowlegde about smart cards is assumed. Below is a short overview of some key words and concepts. For more info, see the opensc.html manual.
Filesystem - MF - DF - EF - FID
A smart cards has a non-volatile memory (EEPROM) in which usually a
PC-like file system is implemented. The directories are called Dedicated Files
(DF) and the files are called Elementary Files (EF). They are identified by a
a File ID (FID) on 2 bytes. For example, the root of the file system (called
Master File or MF) has FID = 3F 00 (hex).
Commands - APDUs
It is possible to send commands (APDUs) to the card to select, read, write,
create, list, delete, ... EFs and DFs (not all cards allow all commands).
Access control, PIN, PUK
The file system usually implements some sort of access control on EFs and DFs.
This is usually done by PINs or Keys: you have to provide a PIN or show
knowledge of a key before you can perform some command on some EF/DF. A PIN
is usually accompanied by a PUK (Pin Unblock Key), which can be used to reset
(or unblock) that PIN.
Cryptographic keys
On crypto cards, it is also possible to sign, decrypt, generate a key pair
(what can be done exactly depends on the card). on some cards, key and/or PINs
are files in the filesystem, on other cards, they don't exist in the
filesystem but are referenced through an ID.
Reader - PC/SC - OpenCT - CT-API
Smart card readers come with a library that can be used on a PC to send APDUs
to the card. Commonly used APIs for those libraries are PC/SC, OpenCT and
CT-API.
PKCS#15
There are standards (e.g. ISO7816, parts 4-...) that specify how to select,
read, write, EFs and DFs, and how to sign, decrypt, login, ...
However, there is also a need to know which files contain what, or where the
keys, PINs, .. can be found.
For crypto cards, PKCS15 adresses this need by defining some files that contain info on where to find keys, certificates, PINs, and other data. For example, there is a PrKDF (Private Key Directory File) that contains the EFs or ID of the private keys, what those keys can be used for, by which PINs they are protected, ...
So a "PCKS#5 card" is nothing but any other card on which the right set of files has been added. In short: PKCS15 allows you to describe where to find PINs, keys, certificates and data on a card, plus all the info that is needed to use them.
Here's the textual contents of 3 PKCS#15 files: the AODF (Authentication Object Directory File), PrKDF (Private Key Directory File) and CDF (Certificate Directory File) that contain info on resp. the PINs, private keys and certificates. Each of them contains 1 entry.
AODF:
Com. Flags : private, modifiable
Auth ID : 01
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0x00
Reference : 1
Encoding : ASCII-numeric
Path : 3F005015
PrKDF:
Com. Flags : private, modifiable
Com. Auth ID: 01
Usage : [0x32E], decrypt, sign, signRecover, unwrap, derive, nonRep
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 0
Native : yes
Path : 3F00501530450012
ID : 45
X.509 Certificate [/C=BE/ST=...]
Com. Flags : modifiable
Authority : no
Path : 3f0050154545
ID : 45
Some things to note:
means that you first have to do a login with this PIN before you can use this key.
turn is a DF with ID = 5015, which on its turn is a DF of the MF (3F00).
Use the pkcs15-tool --dump tool to see yourself what pkcs15 data is on your card, or opensc-explorer to browse through the files.
Have the PKCS#15 files a fixed place so everyone can find them? No, there's only one: the EF(DIR) in the MF and with ID 2F00. That's the starting place.
Reading and writing files, PIN verification, signing and decryption happen in much the same way on all cards. Therefore, the "normal life" commands have been implemented in OpenSC for all supported cards.
However, creating and deleting files, PINs and keys is very card specific and has not yet been implemented for all cards. Currently, pkcs15-init is implemented for: Cryptoflex, Cyberflex, CardOS (etoken), GPK, Miocos, Starcos JCOP and Oberthur. (Check src/pkcs15init/pkcs15-*.c for possible updates). Because of this, and because pkcs15-init is not necessary for "normal life" operations, it has been put in a separate library and in a separate directory.
Profile
Because the initialisation/personalisation is so card-specific, it would be
very hard to make a a fixnDiscussion.html��������������������������������������������������������0000644�0000000�0000000�00000007023�10671167315�020034� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
Every change that is not a small fix or minor enhancement requires some kind of design. In order to discuss design decisions as much as possible and leave some kind of track about decisions made and design in place other than source code and comments and maybe even documentation, this sector of the wiki could be used. As always - feel free to comment (but please leave your name after your comment).
(Martin) Current state of secure pin entry methods in OpenSC is somewhat limited and hairy. Checks and features and functionality spans several component borders (application, library, card driver, reader, pkcs15 layer, etc). The target is to provide smooth pinpad support.
In theory different layers affect the total pinpad-oriented functioning:
All these should be put to work for a common goal in a nice way.
... to be continued ...
StarSign® USB Token
The user-friendly combination of chip card and card reader
StarSign USB Token belongs to a new generation of manipulation-proof IT security products, designed for costeffective use in PKI systems. It combines the security features of a chip card with the advantages of USB devices. StarSign USB Token contributes to the improved efficiency of IT applications, reduces costs, and offers optimum flexibility. The token is small, light, and so conveniently sized that it fits on a key chain. It requires no additional reader since it connects directly to the PC via USB interface. In many environments, such as Wireless LAN, it can be used for authentication as an alternative or supplement to the conventional combination of chip card and reader.
An intelligent solution that ensures high-level security
Two-factor authentication ensures that the user can only access the system with the combination of StarSign USB Token and PIN. Unless both match, the user is not authorized to access the corresponding applications and data. StarSign USB Token offers recognized and certified security. Sensitive information is securely saved on the token. All actions, e.g. encryption or digital signatures, are executed on the token itself. This ensures that private keys cannot be read or copied from the token. Compared to software-based solutions, this provides a considerably higher level of security.
Flash memory for saving further data
On request the StarSign USB Token is available with additional flash memory. It does not only securely store the user’s data such as personal profiles and X.509 digital certificates, but also offers the user a memory capacity of up to 1 GB. This can be used for saving further data and applications.
See more on: http://www.gi-de.com/portal/page?_pageid=42,104630&_dad=portal&_schema=PORTAL
Nothing is impossible for the man who doesn't have to do it himself. -- A.H. Weiler
This guide is about initialising and personalising (no distinction made) cards with the OpenSC library and tools (mostly pkcs15-init).
Some knowlegde about smart cards is assumed. Below is a short overview of some key words and concepts. For more info, see the opensc.html manual.
Filesystem - MF - DF - EF - FID
A smart cards has a non-volatile memory (EEPROM) in which usually a
PC-like file system is implemented. The directories are called Dedicated Files
(DF) and the files are called Elementary Files (EF). They are identified by a
a File ID (FID) on 2 bytes. For example, the root of the file system (called
Master File or MF) has FID = 3F 00 (hex).
Commands - APDUs
It is possible to send commands (APDUs) to the card to select, read, write,
create, list, delete, ... EFs and DFs (not all cards allow all commands).
Access control, PIN, PUK
The file system usually implements some sort of access control on EFs and DFs.
This is usually done by PINs or Keys: you have to provide a PIN or show
knowledge of a key before you can perform some command on some EF/DF. A PIN
is usually accompanied by a PUK (Pin Unblock Key), which can be used to reset
(or unblock) that PIN.
Cryptographic keys
On crypto cards, it is also possible to sign, decrypt, generate a key pair
(what can be done exactly depends on the card). on some cards, key and/or PINs
are files in the filesystem, on other cards, they don't exist in the
filesystem but are referenced through an ID.
Reader - PC/SC - OpenCT - CT-API
Smart card readers come with a library that can be used on a PC to send APDUs
to the card. Commonly used APIs for those libraries are PC/SC, OpenCT and
CT-API.
PKCS#15
There are standards (e.g. ISO7816, parts 4-...) that specify how to select,
read, write, EFs and DFs, and how to sign, decrypt, login, ...
However, there is also a need to know which files contain what, or where the
keys, PINs, .. can be found.
For crypto cards, PKCS15 adresses this need by defining some files that contain info on where to find keys, certificates, PINs, and other data. For example, there is a PrKDF (Private Key Directory File) that contains the EFs or ID of the private keys, what those keys can be used for, by which PINs they are protected, ...
So a "PCKS#5 card" is nothing but any other card on which the right set of files has been added. In short: PKCS15 allows you to describe where to find PINs, keys, certificates and data on a card, plus all the info that is needed to use them.
Here's the textual contents of 3 PKCS#15 files: the AODF (Authentication Object Directory File), PrKDF (Private Key Directory File) and CDF (Certificate Directory File) that contain info on resp. the PINs, private keys and certificates. Each of them contains 1 entry.
AODF:
Com. Flags : private, modifiable
Auth ID : 01
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0x00
Reference : 1
Encoding : ASCII-numeric
Path : 3F005015
PrKDF:
Com. Flags : private, modifiable
Com. Auth ID: 01
Usage : [0x32E], decrypt, sign, signRecover, unwrap, derive, nonRep
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 0
Native : yes
Path : 3F00501530450012
ID : 45
X.509 Certificate [/C=BE/ST=...]
Com. Flags : modifiable
Authority : no
Path : 3f0050154545
ID : 45
Some things to note:
means that you first have to do a login with this PIN before you can use this key.
turn is a DF with ID = 5015, which on its turn is a DF of the MF (3F00).
Use the pkcs15-tool --dump tool to see yourself what pkcs15 data is on your card, or opensc-explorer to browse through the files.
Have the PKCS#15 files a fixed place so everyone can find them? No, there's only one: the EF(DIR) in the MF and with ID 2F00. That's the starting place.
Reading and writing files, PIN verification, signing and decryption happen in much the same way on all cards. Therefore, the "normal life" commands have been implemented in OpenSC for all supported cards.
However, creating and deleting files, PINs and keys is very card specific and has not yet been implemented for all cards. Currently, pkcs15-init is implemented for: Cryptoflex, Cyberflex, CardOS (etoken), GPK, Miocos, Starcos JCOP and Oberthur. (Check src/pkcs15init/pkcs15-*.c for possible updates). Because of this, and because pkcs15-init is not necessary for "normal life" operations, it has been put in a separate library and in a separate directory.
Profile
Because the initialisation/personalisation is so card-specific, it would be
very hard to make a a fixnDiscussion.html��������������������������������������������������������0000644�0000000�0000000�00000007023�10671167315�020034� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������