Smartcard recommendation?

TCM (Gawd, joined Nov 10, 2011, 641 messages)
Hi,

Having no idea about smartcards so far, what would be a recommended reader that's supported on Windows and BSD? I need it for general PKI (OpenSSL), SSH, PGP, and maybe later online banking (in Europe). If I can do my Windows login with it, that's a bonus but not required. I mainly do SSH with Cygwin. It should obviously have its own PIN pad and a display. I definitely don't want any wireless transfer methods (RFID, NFC).

I'm reading about CT-API and PC/SC. It should have those, right? The cards obviously need their own processor so the private keys never leave them.

What about backing up cards then? Are keypairs always generated on-card? If I can't get the private key out, how do I back it up?

What about time sync and a good RNG? The cards should know the correct time and have a good RNG if it generates keypairs on-card. Is this a given or do I need to look for it?

I looked but I didn't find a good introductory crash course to smartcards. Where do I go?
 
Most software that interacts with smartcard readers will allow the process asking for smartcard access to supply a PIN (which it gets from the user via a popup window or CLI prompt). Obviously that is not as secure as a hardware PIN pad, but it works just fine for most use cases.

It is worth noting that just because one process has the smartcard open, that doesn't unlock it for other processes on the OS; each process will have to authenticate separately. Example: if I'm using my card to sign email in Thunderbird, Firefox doesn't automatically have it open when I visit a site that asks for a client certificate, and I have to enter my PIN again for Firefox to access the card. I do not know if this behavior holds when using a hardware PIN pad.
 
My understanding is that entering anything on a computer is subject to compromise by malware and that's why you should have a reader with a PIN pad. This way both the PIN and the private key never leak to the computer and all the reader/card is sending is computed challenges.
 
Even with a software-entered PIN, the private key is still protected unless the key is marked exportable, which it should not be. Most smartcard deployments I see use basic readers; it is a convenience and cost trade-off.

EDIT: I'm not trying to dissuade you from using hardware PIN readers, as they are more secure, just explaining alternatives.
 
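To make the software-PIN versus PIN-pad trade-off discussed above concrete, here is an added example (my own code, not from any poster in this thread and not from any reader vendor named here) of what actually crosses the host-to-card boundary when a PIN is entered on the computer: an ISO 7816-4 VERIFY APDU with the PIN bytes in its data field, in the clear. The card answers only with a two-byte status word (90 00 on success, 63 Cx with x retries remaining on a wrong PIN, 69 83 once the counter is exhausted). A PIN-pad reader builds this same APDU inside the reader, so the host process never sees the PIN bytes. The card is simulated; the PIN reference 0x81 (OpenPGP card PW1 for signing), the three-attempt retry counter and the sample PINs are assumptions for the example, not facts from the thread.

```python
"""ISO 7816-4 VERIFY as seen from the host side, against a simulated card.

Added example, not thread content. Assumptions: the card behaves like an
OpenPGP card (PW1 for signing is referenced as P2=0x81) and ships with a
retry counter of 3. The PIN values used below are constructed test data.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass

INS_VERIFY = 0x20          # ISO 7816-4 VERIFY instruction
PW1_SIGN = 0x81            # assumed OpenPGP-card reference for PW1 (signing)

SW_OK = (0x90, 0x00)       # verification succeeded
SW_BLOCKED = (0x69, 0x83)  # authentication method blocked (counter is 0)
SW_WRONG_LEN = (0x67, 0x00)
SW_BAD_INS = (0x6D, 0x00)


def build_verify_apdu(pin: str, pw_ref: int = PW1_SIGN) -> bytes:
    """CLA INS P1 P2 Lc <data>.  With software PIN entry this is exactly what
    the host process hands to the reader: the PIN sits verbatim in <data>,
    so anything that can hook the PC/SC transmit call can read it."""
    data = pin.encode("ascii")
    if not 6 <= len(data) <= 32:
        raise ValueError("PIN length outside the range this example accepts")
    return bytes([0x00, INS_VERIFY, 0x00, pw_ref, len(data)]) + data


def parse_status_word(sw1: int, sw2: int) -> tuple[str, int | None]:
    """Decode the trailing status bytes of a VERIFY response."""
    if (sw1, sw2) == SW_OK:
        return ("verified", None)
    if sw1 == 0x63 and sw2 & 0xF0 == 0xC0:
        return ("wrong_pin", sw2 & 0x0F)   # 63 Cx: x attempts remaining
    if (sw1, sw2) == SW_BLOCKED:
        return ("blocked", 0)
    return ("error", None)


@dataclass
class SimulatedCard:
    """Stand-in for the card applet. PIN, retry counter and the 'verified'
    security status all live on the card, never on the host."""
    pin: bytes
    retries: int = 3            # assumed initial counter
    verified: bool = False

    def transmit(self, apdu: bytes) -> bytes:
        cla, ins, p1, p2 = apdu[:4]
        if ins != INS_VERIFY:
            return bytes(SW_BAD_INS)
        if self.retries == 0:
            return bytes(SW_BLOCKED)       # even a correct PIN is refused now
        lc = apdu[4]
        data = apdu[5:5 + lc]
        if len(data) != lc:
            return bytes(SW_WRONG_LEN)
        if hmac.compare_digest(data, self.pin):
            self.verified = True
            return bytes(SW_OK)
        self.retries -= 1                  # counter is persistent on a real card
        return bytes([0x63, 0xC0 | self.retries])

    def reset(self) -> None:
        """Card reset (power cycle / new ATR): security status is lost,
        the retry counter is not."""
        self.verified = False


def verify_pin(card: SimulatedCard, pin: str) -> tuple[str, int | None]:
    """Host-side helper: send VERIFY, decode the status word."""
    resp = card.transmit(build_verify_apdu(pin))
    return parse_status_word(resp[-2], resp[-1])


if __name__ == "__main__":
    card = SimulatedCard(pin=b"123456")     # constructed test PIN
    print(build_verify_apdu("123456").hex())  # note the ASCII PIN in the tail
    print(verify_pin(card, "000000"))       # ('wrong_pin', 2)
    print(verify_pin(card, "123456"))       # ('verified', None)
    card.reset()
    print(card.verified)                    # False: must VERIFY again
```

The `reset()` method is the part that relates to the Thunderbird/Firefox observation above: the "verified" state is held by the card and is cleared whenever the card is reset, so whether a second application has to re-enter the PIN depends on whether the middleware resets the card or shares the existing connection, not on the host remembering anything. The retry counter, by contrast, survives resets, which is why three wrong software-entered PINs from a compromised host block the card just as effectively as three wrong PIN-pad entries.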
I understand wanting to have a hardware PIN pad but that is going to add a lot of cost. I have never used any smartcard/DoD CAC readers that have had a PIN pad on them. You are correct that it is more secure and harder to compromise but I figure if the DoD does not have them it is a pretty good bet that you are pretty safe without.

From what I have seen, to use a smartcard to sign into Windows you need Active Directory and a CA to sign the cert. If you have that, it is doable to set it up.

I own and have used that SCM reader a lot and it works great, it uses generic drivers so nothing to load after plugging it in.
 
Don't get me wrong. I'm not trying to roll out hundreds of readers. I want one reader for myself to manage all my SSH/SSL/PGP stuff. If it costs 100 instead of 10, that's perfectly fine if it's future-proof.
 
http://www.amazon.co.uk/gp/product/B003SW1IL2
This one is based on a Realtek chipset/controller and works fine with PC/SC out of the box. Not sure what you are looking for, but you can find this easily around Europe at least. As far as I can tell it's a bit better than the Cardman 3X21 series.
//Danne
 