* [gentoo-hardened] smartcards: apache & openssl - internet explorer / mozilla
From: Daniel Struck @ 2003-08-26 11:10 UTC
To: gentoo-hardened
Hello,
I am a little bit puzzled about how to solve what I am trying to do:
Idea: Clients should be authenticated to apache over openssl by a client-certificate.
I got it working on gentoo without a problem, well after applying a patch provided on bugs.gentoo.org (bug 25258) ;-)
Now I want to put the client-certificates on smartcards, problem:
I don't know yet how to do this :-(
My basic understanding is that the key pair (private & public) is generated on the smartcard, then the public key(?) is sent out to be signed by a CA.
I think on Windows these steps are performed by Internet Explorer by contacting a CA.
My question: Is it possible to prepare the smartcards for the clients on a gentoo station, and how should one proceed to do it?
(I think opensc with the muscle driver could provide this functionality?)
Does anyone by chance know good documentation/books on this subject?
Best regards,
Daniel Struck
--
gentoo-hardened@gentoo.org mailing list
* Re: [gentoo-hardened] smartcards: apache & openssl - internet explorer / mozilla
From: Justin Jessup @ 2003-08-26 12:37 UTC
To: gentoo-hardened
You need a smart card reader/writer developer kit. Most physical security product companies sell reader/writer development kits used to produce your own custom smart cards.
Keys will be stored on the cards, not generated by the card chip: generate keys on a standalone openssl CA server, then migrate public/private keys to the cards.
jj
www.gezuinc.com
* Re: [gentoo-hardened] smartcards: apache & openssl - internet explorer / mozilla
From: Daniel Struck @ 2003-08-28 9:15 UTC
To: gentoo-hardened
> keys will be stored on the cards
> not generated by the card chip
Strange, because I read the following on the Muscle website:
(http://www.linuxnet.com/cardsec.html)
"One of the key benefits of smart cards is the ability for some cards to support on board cryptography. ... By doing the actual cryptography on the card, the keys never have to leave their storage place. This gives the card holder a secure way of storing keys especially if the key pair was generated on the card."
Daniel
* Re: [gentoo-hardened] smartcards: apache & openssl - internet explorer / mozilla
From: Justin Jessup @ 2003-08-28 11:53 UTC
To: gentoo-hardened
Interesting. The question is how many bits? 40,128?
Can the card generate over 1024 for key size?
justin jessup
Gentoo Junky
www.gezuinc.com
* Re: [gentoo-hardened] smartcards: apache & openssl - internet explorer / mozilla
From: Daniel Struck @ 2003-08-28 12:06 UTC
To: gentoo-hardened
On Thu, 28 Aug 2003 11:53:39 +0000 (GMT)
"Justin Jessup" <hackerotaku@palm.com> wrote:
> interesting
> question is how many bits?
> 40,128
> can the card generate over 1024 for key size?
I think one normally generates 1024-bit keys.
One problem I have is that the documentation for the muscle projects is sparse, and the little bit I can find of the muscle and opensc mailing lists isn't sufficient for a newbie.
I can run pcsc-lite with the ifd-egate driver to some degree, but I don't know how to proceed.
I have found another interesting project: Newpki (www.newpki.org)
With it you can run a whole public key infrastructure.
On Windows you could even generate the keys on the smartcard with the Newpki client.
But it seems Newpki doesn't support egate yet.
(The Author reports in the documentation that he could successfully generate keys with the eToken from Aladdin)
Daniel
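The enrolment flow Daniel sketches in his first message (key pair created on the card, only the public half sent out to be signed by the CA) and the check mod_ssl then performs on the client certificate, modelled with plain OpenSSL as an added example that is not from the thread or any of the projects it names. A directory stands in for the smartcard, so the script runs without a reader; the CA name, subjects and file paths are constructed, and `cert_key_bits` answers Justin's "how many bits?" question for any certificate.

```shell
#!/bin/sh
# Added example, not from the thread: models the enrolment flow Daniel describes
# (key pair created on the card, only the public half sent to the CA for signing)
# and the check Apache's SSLVerifyClient performs. A directory stands in for the
# smartcard; all names and paths are constructed for this demo.
set -e
WORK=$(mktemp -d)
CARD="$WORK/card"   # stand-in for the card: key.pem is never copied out of here
CA="$WORK/ca"
mkdir -p "$CARD" "$CA"

# 1. The CA that Apache will trust (what SSLCACertificateFile points at).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root CA" \
    -keyout "$CA/ca.key" -out "$CA/ca.crt" 2>/dev/null

# 2. "On-card" key generation; 2048 bits rather than the 1024 of 2003, which
#    current OpenSSL security levels may refuse to verify.
openssl genrsa -out "$CARD/key.pem" 2048 2>/dev/null

# 3. Only a CSR (public key plus identity, signed with the card key) leaves the card.
openssl req -new -key "$CARD/key.pem" -subj "/CN=daniel" -out "$WORK/client.csr" 2>/dev/null

# 4. The CA signs the CSR; the certificate is written back to the card.
openssl x509 -req -in "$WORK/client.csr" -CA "$CA/ca.crt" -CAkey "$CA/ca.key" \
    -CAcreateserial -days 365 -out "$CARD/client.crt" 2>/dev/null

# An unrelated CA, to show that a certificate it did not issue is rejected.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Other CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

# The check mod_ssl does for "SSLVerifyClient require": chain the presented
# certificate to a CA in SSLCACertificateFile. $1 = CA cert, $2 = client cert.
verify_client_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Confirms the issued certificate carries the public key of the key that stayed on the card.
key_matches_cert() {
    a=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    b=$(openssl x509 -in "$2" -pubkey -noout)
    if [ "$a" = "$b" ]; then echo OK; else echo FAIL; fi
}

# Answers Justin's "how many bits?" for any certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
verify_client_cert "$CA/ca.crt" "$CARD/client.crt"      # OK
verify_client_cert "$WORK/other.crt" "$CARD/client.crt" # FAIL
```

With a real card, steps 2 and 3 are the part a PKCS#11 or OpenSC tool performs on the card itself; the CA signing and the server-side verification are unchanged.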