Smartcard quickstarter guide Why use smartcards? - GOOZE ...
Smartcard quickstarter guide Why use smartcards? - GOOZE ...
Smartcard quickstarter guide Why use smartcards? - GOOZE ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Smartcard</strong> <strong>quickstarter</strong> <strong>guide</strong><br />
Some <strong>use</strong>rs have been using the same OpenSSH RSA key for a long time and feel happy to keep them.<br />
The pros: after transfer, copy your original certificates (id_rsa) to a laser disc and store it in a safe place. This is a very good way<br />
to enhance security and have a backup of your SSH keys.<br />
The cons: not all OpenSSH formats are supported and it seems that the Feitian PKI is a little bit picky. DSA format is not<br />
supported. This solution is not considered perfectly secure. If your computer is compromised, the secret key may be<br />
compromised.<br />
Reusing OpenSSH RSA keys<br />
Before all, you should know that the Feitian PKI only accepts 1024bit or 2048bit RSA key. OpenSSH DSA keys are not<br />
accepted.<br />
Save the OpenSSH private RSA key in PEM format:<br />
$ openssl rsa -in ~/.ssh/id_rsa -outform pem > id_rsa.pem<br />
Transfer the key to to smartcard:<br />
$ pkcs15-init --store-private-key id_rsa.pem --auth-id 01 --pin 0000<br />
Scenario 5: importing 3DES key<br />
OpenSC is able to generate RSA keys using the embedded processor, not 3DES keys.<br />
To <strong>use</strong> 3DES keys, we need to generate and import them to smartcard/token.<br />
Generate a 3des key using OpenSSL:<br />
$ openssl rand 24 -out 3des.key<br />
Import the 3DES key as an independant object and write private flag to forbid the <strong>use</strong>r from reading it back:<br />
$ pkcs11-tool -v --module opensc-pkcs11.so --slot 1 --label "3deskey" --write-object 3des.key --type data --<br />
private --login --pin 0000<br />
Now dump content of card/token:<br />
$ pkcs15-tool --dump<br />
Using reader with a card: Feitian ePass2003 00 00<br />
PKCS#15 Card [François Pérou]:<br />
Version : 0<br />
Serial number : 2431330916091101<br />
Manufacturer ID: EnterSafe<br />
Last update : 20111231100514Z<br />
Flags : EID compliant<br />
PIN [User PIN]<br />
Object Flags : [0x3], private, modifiable<br />
ID : 01<br />
Flags : [0x32], local, initialized, needs-padding<br />
Length : min_len:4, max_len:16, stored_len:16<br />
Pad char : 0x00<br />
Reference : 1<br />
Type : ascii-numeric<br />
Copyright <strong>GOOZE</strong> 2010-2011 http://www.gooze.eu 44 / 63