LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/HOWTO/text/Smart-Card-HOWTO

653 lines
32 KiB
Plaintext
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Smart Card HOWTO
Tolga KILIÇLI
           tolga@deepnight.org
        
Copyright © 2001 by Tolga KILIÇLI
Revision History
Revision 1.0.4 2001-09-19 Revised by: tk
This is the first release of Smart Card HOWTO.
This document gives information on the smart card technology and its
applications in Linux environment. Smart cards are mainly used in situations
where security is an issue. But this is not the only situation where smart
cards are used. They have many properties which a service provider wants to
use, such as "one card for many applications".
-----------------------------------------------------------------------------
Table of Contents
1. Introduction
1.1. Copyright Information
1.2. Disclaimer
1.3. New Versions
1.4. Feedback
1.5. Translations
2. What is a Smart Card?
3. Classification of Smart Cards
3.1. Contact vs Contactless
3.2. Memory vs Microprocessor
4. Operating Systems
5. Programming
5.1. CT-API
5.2. PC/SC
5.3. OpenCard
5.4. GlobalPlatform
5.5. To Sum Up
6. Applications on Linux
6.1. [http://crackinghacking.de/~henning/scas/] scas
6.2. [http://www.lionking.org/~kianga/software/smartcard/] smartcard
6.3. [http://www.conostix.com/ssh-smart] ssh-smart
6.4. [http://www.linuxnet.com] smarttools-rsa
6.5. [http://smartsign.sourceforge.net] smartsign
6.6. [http://www.citi.umich.edu/projects/smartcard/] CITI Projects
7. The Relation of Smart Cards with PKI
8. Further Information
8.1. News groups
8.2. Mailing Lists
8.3. Web Sites
9. TODO
1. Introduction
For various reasons this brand new release is codenamed the OberoN release.
New code names will appear as per industry standard guidelines to emphasize
the state-of-the-art-ness of this document.
This document was written when a friend (JaSoN) asked me if I could write a
document on smart cards and applications. And all the pages here was once a
bunch of papers. Thanks JaSoN...
-----------------------------------------------------------------------------
1.1. Copyright Information
Copyright (c) 2001 by Tolga KILIÇLI
Please freely copy and distribute (sell or give away) this document in any
format. It's requested that corrections and/or comments be fowarded to the
document maintainer. You may create a derivative work and distribute it
provided that you:
1. Send your derivative work (in the most suitable format such as sgml) to
the LDP (Linux Documentation Project) or the like for posting on the
Internet. If not the LDP, then let the LDP and the author know where it
is available.
2. License the derivative work with this same license or use GPL. Include a
copyright notice and at least a pointer to the license used.
3. Give due credit to previous authors and major contributors.
If you're considering making a derived work other than a translation, it's
requested that you discuss your plans with the current maintainer.
As the author of this document, I would like to list the derivative works and
publications in this document.
-----------------------------------------------------------------------------
1.2. Disclaimer
No liability for the contents of this documents can be accepted. Use the
concepts, examples and other content at your own risk. As this is a new
edition of this document, there may be errors and inaccuracies, that may of
course be damaging to your system. Proceed with caution, and although this is
highly unlikely, the author do not take any responsibility for that.
All copyrights are held by their by their respective owners, unless
specifically noted otherwise. Use of a term in this document should not be
regarded as affecting the validity of any trademark or service mark.
Naming of particular products or brands should not be seen as endorsements.
You are strongly recommended to take a backup of your system before major
installation and backups at regular intervals.
-----------------------------------------------------------------------------
1.3. New Versions
This is the initial release.
The latest version number of this document can be found on [http://
deepnight.org/smartcard/howto/] my website.
-----------------------------------------------------------------------------
1.4. Feedback
Please send your additions, comments and criticisms to the following email
address : <tolga@deepnight.org>.
-----------------------------------------------------------------------------
1.5. Translations
Not everyone speaks English, pointers to translations are nice. Also your
translators tend to give very important inputs. If you want to translate this
document in your own language please let me know so I could list it down
here.
-----------------------------------------------------------------------------
2. What is a Smart Card?
Simple plastic card, just at the size of a credit card, with a microprocessor
and memory embedded inside is a smart card. Beside its tiny little structure
it has many uses and wide variety of applications ranging from phone cards to
digital identification of the individuals.
These application could be; identity of the customer, library card, e-wallet,
keys to various doors, etc... And only one card can be issued to an
end-entity for all these applications. Smart cards hold these data within
different files, and , as you will read, these data is only visible to its
program depending on the operating system of the card. These data files are
arranged in a file system much like a Linux directory structure.
+---------------------------------------------------------------------------+
| MF (Master File) |
| | |
| -------------+-------------- |
| | | | |
| EF (Elementary File) EF DF (Dedicated File) |
| | |
| ---------+-------- |
| | | | |
| EF DF EF |
| | |
| EF |
+---------------------------------------------------------------------------+
MF (Master File), can be seen as the root directory where the headers of
elementary files and dedicated files are contained. Dedicated files are like
the ordinary directories and elementary files are just data files. The PIN is
also stored in an EF but only the card has access permission to this file.
The attributes of the files on UNIX environments are changed to access
conditions. Many cards have access condition lists which must be fulfilled
before accessing the data.
With the file system, access conditions, a microcomputer, RAM, ROM, EEPROM a
smart card is just a computer running its own operating system inside your
wallet.
-----------------------------------------------------------------------------
3. Classification of Smart Cards
Due to the communication with the reader and functionality of smart cards,
they are classified differently.
-----------------------------------------------------------------------------
3.1. Contact vs Contactless
As smart cards have embedded microprocessors, they need energy to function
and some mechanism to communicate, receiving and sending the data. Some smart
cards have golden plates, contact pads, at one corner of the card. This type
of smart cards are called Contact Smart Cards. The plates are used to supply
the necessary energy and to communicate via direct electrical contact with
the reader. When you insert the card into the reader, the contacts in the
reader sit on the plates. According to ISO7816 standards the PIN connections
are below:
+---------------------------------------------------------------------------+
| ,----, ,----, |
| | C1 | | C5 | C1 : Vcc = 5V C5 : Gnd |
| '----' '----' C2 : Reset C6 : Vpp |
| ,----, ,----, C3 : Clock C7 : I/O |
| | C2 | | C6 | C4 : RFU C8 : RFU |
| '----' '----' |
| ,----, ,----, |
| | C3 | | C7 | |
| '----' '----' |
| ,----, ,----, |
| | C4 | | C8 | |
| '----' '----' |
| |
+---------------------------------------------------------------------------+
  * I/O : Input or Output for serial data to the integrated circuit inside
the card.
  * Vpp : Programing voltage input (optional use by the card).
  * Gnd : Ground (reference voltage).
  * CLK : Clocking or timing signal (optional use by the card).
  * RST : Either used itself (reset signal supplied from the interface
device) or in combination with an internal reset control circuit
(optional use by the card). If internal reset is implemented, the voltage
supply on Vcc is mandatory.
  * Vcc : Power supply input (optional use by the card).
The readers for contact smart cards are generally a separate device plugged
into serial or USB port. There are keyboards, PCs or PDAs which have built-in
readers like GSM cell phones. They also have embedded readers for GSM style
mini smart cards.
Some smart cards do not have a contact pad on their surface.The connection
between the reader and the card is done via radio frequency (RF). But they
have small wire loop embedded inside the card. This wire loop is used as an
inductor to supply the energy to the card and communicate with the reader.
When you insert the card into the readers RF field, an induced current is
created in the wire loop and used as an energy source. With the modulation of
the RF field, the current in the inductor, the communication takes place.
The readers of smart cards usually connected to the computer via USB or
serial port. As the contactless cards are not needed to be inserted into the
reader, usually they are only composed of a serial interface for the computer
and an antenna to connect to the card. The readers for contactless smart
cards may or may not have a slot. The reason is some smart cards can be read
upto 1.5 meters away from the reader but some needs to be positioned a few
millimeters from the reader to be read accurately.
There is one another type of smart card, combo card. A combo card has a
contact pad for the transaction of large data, like PKI credentials, and a
wire loop for mutual authentication. Contact smart cards are mainly used in
electronic security whereas contactless cards are used in transportation and/
or door locks.
-----------------------------------------------------------------------------
3.2. Memory vs Microprocessor
The most common and least expensive smart cards are memory cards. This type
of smart cards, contains EEPROM(Electrically Erasable Programmable Read-Only
Memory), non-volatile memory. Because it is non-volatile when you remove the
card from the reader, power is cut off, card stores the data. You can think
of EEPROM, inside, just like a normal data storage device which has a file
system and managed via a microcontroller (mostly 8 bit). This microcontroller
is responsible for accessing the files and accepting the communication. The
data can be locked with a PIN (Personal Identification Number), your
password. PIN's are normally 3 to 8 digit numbers those are written to a
special file on the card. Because this type is not capable of cryptography,
memory cards are used in storing telephone credits, transportation tickets or
electronic cash.
Microprocessor cards, are more like the computers we use on our desktops.
They have RAM, ROM and EEPROM with a 8 or 16 bit microprocessor. In ROM there
is an operating system to manage the file system in EEPROM and run desired
functions in RAM.
+---------------------------------------------------------------------------+
| ---------------- |
| | 8 or 16 bit | |
| Reader <===| microprocessor |-----+ |
| ---------------- | |
| | |
| |---> RAM |
| NON-CRYPTOGRAPHIC | |
| CARD |---> ROM |
| | |
| +---> EEPROM |
| |
+---------------------------------------------------------------------------+
As seen in the diagram above all communication is done over the
microprocessor, There is no direct connection between the memory and the
contacts. The operating system is responsible for the security of the data in
memory because the access conditions are controlled by the OS.
+---------------------------------------------------------------------------+
| ---------------- -------- |
| | 8 or 16 bit | | Crypto | |
| Reader <===| microprocessor |-----------| Module | |
| ---------------- | -------- |
| | |
| |---> RAM |
| CRYPTOGRAPHIC | |
| CARD |---> ROM |
| | |
| +---> EEPROM |
+---------------------------------------------------------------------------+
With the addition of a crypto module our smart card can now handle complex
mathematical computations regarding to PKI. Because the internal clock rate
of microcontrollers are 3 to 5 MHz, there is a need to add a component,
accelerator for the cryptographic functions. The crypto-cards are more
expensive than non-crypto smart cards and so do microprocessor card than
memory cards.
Depending on your application you should choose right card.
-----------------------------------------------------------------------------
4. Operating Systems
New trend in smart card operating systems is JavaCard Operating System.
JavaCard OS was developed by Sun Microsystems and than promoted to JavaCard
Forum. Java Card OS is popular because it gives independence to the
programmers over architecture. And Java OS based applications could be used
on any vendor of smart card that support JavaCard OS.
Most of the smart cards today use their own OS for underlying communication
and functions. But to give true support for the applications smart cards
operating systems go beyond the simple functions supplied by ISO7816
standards. As a result porting your application, developed on one vendor, to
another vendor of smart card becomes very hard work.Another advantage of
JavaCard OS is, it allows the concept of post-issuance application loading.
This allows you to upgrade the applications on smart card after delivering
the card to the end-user. The importance is, when someone needs a smart card
he/she is in need of a specific application to run. But later the demand can
change and more applications could be necessary.
Another operating system for smart cards is MULTOS (Multi-application
Operating System). As the name suggests MULTOS also supports
multi-applications. But MULTOS was specifically designed for high-security
needs. And in many countries MULTOS has achieved "ITSec E6 High" in many
countries.
And also Microsoft is on the smart card highway with Smart Card for Windows.
In a point of view the above Operating Systems are Card-Side API's to develop
cardlets or small programs that run on the card. Also there is Reader-Side
API's like OpenCard Framework and GlobalPlatform.
-----------------------------------------------------------------------------
5. Programming
-----------------------------------------------------------------------------
5.1. CT-API
This API depends on the card terminal used, but supplies generic functions
that allow communication with memory cards and processor cards. This API is a
low level interface to the reader. But still used because it complies with
the ISO7816 standards and have a simple programming logic resembling
assembly. You just send code byes along with the data packets and receive the
response.
-----------------------------------------------------------------------------
5.2. PC/SC
PC/SC Workgroup is responsible for the development of the PC/SC
Specifications. Under Windows, MacOS and Linux corresponding APIs could be
found. Under Linux, pcsc-lite suit could be downloaded from [http://
www.linuxnet.com/] http://www.linuxnet.com.
-----------------------------------------------------------------------------
5.3. OpenCard
OpenCard Framework, OCF, is an object-oriented framework for smart card
communications. OCF uses Java's inter-operability between environments to
deploy architecture and APIs for application developers and service
providers.
-----------------------------------------------------------------------------
5.4. GlobalPlatform
GlobalPlatform was formed in 1999 by organizations those were interested in
issuing multiple application smart cards. The major goal of GlobalPlatform is
to define the specifications and infrastructure for multi-application smart
cards.
-----------------------------------------------------------------------------
5.5. To Sum Up
As you could understand from above, the standardization period of smart cards
is not finished. The demand on smart cards is growing on the basis of
end-user and developer. In my opinion, if you are a developer or in a
decision making position, you should carefully analyse all the standards as
well as the companies manufacturing smart cards. As a developers point of
view, in the near future I think, Java will evaluate itself as the standard
because of portability and cross-platform uses in spite of its slowness and
fast evolution.
-----------------------------------------------------------------------------
6. Applications on Linux
In this section there will be applications that uses smart cards for some
reason on Linux environment. If you are a developer of a software and your
development environment is Linux please let me know. I will add you in the
list.
-----------------------------------------------------------------------------
6.1. [http://crackinghacking.de/~henning/scas/] scas
SCAS is a simple program that checks the code inside the card with the code
inside the computer. As an example of showing a way of authentication with
memory cards scas is very good.
-----------------------------------------------------------------------------
6.2. [http://www.lionking.org/~kianga/software/smartcard/] smartcard
smartcard is a general smart card utility in Linux which uses CT-API. With
smartcard utility you can read/write data from/into smart cards. As long as
your reader can be accessed via CT-API, smartcard can be used to control the
reader. Currently smartcard could only be used with memory cards using I2C or
3W protocols. There is also a GTK+/Gnome graphical front end which support
all functions of smartcard utility.
-----------------------------------------------------------------------------
6.3. [http://www.conostix.com/ssh-smart] ssh-smart
ssh-smart is a basic proof-of-concept of ssh identity on smart card, as the
author says. ssh-smart uses smartcard utility to communicate with the smart
card. Basically, ssh-smart-add tool (perl script) call ssh-keygen to generate
RSA public and private keys. Than puts the private key on the memory card.
Later the ssh-smart-addagent tool can be used to extract the private key from
the card to use with ssh-agent.
-----------------------------------------------------------------------------
6.4. [http://www.linuxnet.com] smarttools-rsa
This is another PAM Module for Unix systems but supports RSA authentication
through your private key on the smart card. You must have a Schlumberger
Cyberflex Access card or Schlumberger Cryptoflex for Windows Card and a
working reader to use this tool.
-----------------------------------------------------------------------------
6.5. [http://smartsign.sourceforge.net] smartsign
This utility is some-complete PKI integration with the smart cards. To use
you must establish a working OpenCA and have Schlumberger's "Cyberflex Access
16K" smart cards. During the certification process of OpenCA, private key and
public certificate can be stored on the smart card and private key, later,
could be used with Netscape to sign outgoing mails and news. Also smartsign
supports authentication of local users via a PAM Module through a public key
authentication. Smartsign comes with gpkcs11, a PKCS#11 implementation,
smastsh, a command line shell that allows browsing smart card contents,
sign_sc/verify_sc to sign and verify any file with smart card.
-----------------------------------------------------------------------------
6.6. [http://www.citi.umich.edu/projects/smartcard/] CITI Projects
At CITI, Center for Information Technology Integration of Michigan
University, there are some new projects. For example, Webcard is a web server
running on a Schlumberger Cyberflex Access Java Card. Features a stripped TCP
/IP stack that supports HTTP only. The system is designed to have a router
which frames IP packets in ISO7816 and a Java Virtual Machine in the card.
Detailed technical report can be found at [http://www.citi.umich.edu/projects
/smartcard/webcard/citi-tr-99-3.html] http://www.citi.umich.edu/projects/
smartcard/webcard/citi-tr-99-3.html
-----------------------------------------------------------------------------
7. The Relation of Smart Cards with PKI
As we already know smart cards are secure place to hold sensitive data, such
as money and identity. And if the identity is the subject we should talk
about PKI, Public Key Infrastructure, and smart cards.
Think that, you are working in a company with many branch offices and many
facilities. In such large companies often employers have access permissions
to different physical places. Also you access the servers inside the company
for various purposes like sending mail, uploading the web pages and accessing
the databases of the company. Just think, one password for each server and
one key for each door and some money in your wallet to buy food or drink from
the local restaurant.
Actually you could just use a smart card. If you use a microprocessor card
and a the cards operating software or Java cardlets permit, you could use
only one card for all these. For this scenario to work, the company must
establish a local CA, Certificate Authority. Below there is a diagram showing
the structure of a PKI simply, as described in RFC 2459.
+---------------------------------------------------------------------------+
| +---+ |
| | C | +------------+ |
| | e | <-------------------->| End entity | |
| | r | Operational +------------+ |
| | t | transactions ^ |
| | | and management | Management |
| | / | transactions | transactions |
| | | | PKI users |
| | C | v |
| | R | -------------------+--+-----------+---------------- |
| | L | ^ ^ |
| | | | | PKI management |
| | | v | entities |
| | R | +------+ | |
| | e | <---------------------| RA | <---+ | |
| | p | Publish certificate +------+ | | |
| | o | | | |
| | s | | | |
| | I | v v |
| | t | +------------+ |
| | o | <------------------------------| CA | |
| | r | Publish certificate +------------+ |
| | y | Publish CRL ^ |
| | | | |
| +---+ Management | |
| transactions | |
| v |
| +------+ |
| | CA | |
| +------+ |
+---------------------------------------------------------------------------+
  * end entity: user of PKI certificates and/or end user system that is the
subject of a certificate;
  * RA: registration authority, i.e., an optional system to which a CA
delegates certain management functions; (in some implementations, where
you register your self to the system)
  * CA: certification authority; (Your public key, can be issue when you
register yourself or can be self-issued, is signed and your certificate
is issued to you at CA)
  * repository: a system or collection of distributed systems that store
certificates and CRLs, Certificate Revocation Lists, and serves as a
means of distributing these certificates and CRLs to end entities.
In fact, this is just a simplified view of the entities PKI. The employer or
the end entity just applies to the CA or RA to get a certificate A
certificate is just a public key digitally signed with the issuer's, CA,
private key. By signed with the CA's private key, all which trust the CA, can
also trust the end entity. Your digital ID is ready. Just write your digital
ID and private key to your smart card. Or a better way, new smart cards are
deployed with embedded functions that generate public and private keys inside
the card which means your private key is not exported to anywhere.
New deployed cards are capable of PKI functions which you do not need to
export the private key to the application you use. For example when you want
to send a signed mail, your mail applications first generates a hash of the
document you just wrote and starts the communication with the card. Your
application sends the hash value to the card which is than signed with your
private key inside the card. By this way your private key is never exported
to the public, your computer.
Also, while accessing your remote shell account you could use ssh, secure
shell, client. In man page of OpenSSH, an authentication method for ssh
protocol 2 is described. Main purpose of the method is true identification of
the person trying to access the account and secure connection between the
host, if the user is accepted. Theoretically, only you can know your private
key. Although your private key is only readable by yourself, this could be a
security risk. But if your private key is inside a smart card, this is an
increased security. Of course, a smart card can get lost. But at this point
another security subject is on the line, your PIN. Generally speaking, smart
card's security comes from two things, one you know and one you own.
SSH is not the only application that smart cards can be used. Other
applications like, money transactions on the net, identification of yourself
to the website you connect can be done with smart cards. The system is more
or less the same. Your identification is checked via your private key and
secure session is started with your keys. Than application specific part
comes which is designed and deployed by the service provider of the
application. Some money transactions are just done inside the smart card but
some applications just ask the card for your banking account number. There
could be more methods.
Electronic locks that can communicate with a smart card can be found on the
market. PKI can support, in addition to the mutual authentication between the
card and the reader, access accounting in the building. Just mutual
authentication can be used or the lock ask to a local server that keeps the
user data and checks if the user is permitted to go behind the door. And
whether the permission is granted or not the server keeps the tracks of the
access trials.
With integration of smart cards into PKI world, many more applications could
be built. These application are mostly security specific or to ease the life
of the customers.
-----------------------------------------------------------------------------
8. Further Information
In this section there are places to visit for more in-depth information.
-----------------------------------------------------------------------------
8.1. News groups
Some news groups are:
  * [news://alt.technology.smartcards] alt.technology.smartcards
  * [news://sci.crypt.research] sci.crypt.research
  * [news://sci.crypt.random-numbers] sci.crypt.random-numbers
-----------------------------------------------------------------------------
8.2. Mailing Lists
From the MUSCLE Project, <sclinux@linuxnet.com>, Smart Card Developers
mailing list. The subject of the list is smart card development under Unix
and Mac OS. Just send <majordomo@linuxnet.com> with subscribe linux in the
body of your mail. Also you can reach the archives at [http://
www.mail-archive.com/sclinux@linuxnet.com/] The Mail Archive. See [http://
www.linuxnet.com/list.html] linuxnet.com mailing list page for more
information.
-----------------------------------------------------------------------------
8.3. Web Sites
There are a huge number of informative web sites available. They could change
and get outdated.
A good starting point is [http://www.linuxnet.com/] Movement for the Use of
Smart Cards in a Linux Environment home page, an information central for
documentation, project pages and much more.
Also, [http://www.usenix.org/publications/library/proceedings/smartcard99/]
USENIX Workshop on Smartcard Technology can take your interest.
Please let me know if you have any other leads that can be of interest.
-----------------------------------------------------------------------------
9. TODO
As all HOWTOs should be, this document will retain in "Under Development"
phase as long as smart card technology is not obsolete.
  * The part about the physical characteristics of smart cards should be
re-organized.
  * In the "Programming" section there must be more information about the
standards of programming smart cards.
  * A new section of examples must be added.
  * Scenario section (e.g. Building a Corporate PKI) should be added with
in-depth information. (I will add some time in a few weeks :))
  * There could be a section about the tamper resistance of smart cards. How
tamper resistance is supplied and how secure is smart cards against new
high-tech gamers. (I have found some references and information but they
must be organized before adding.)
Wow, it seems like I have many things to add :))
Reference in New Issue View Git Blame Copy Permalink