Re: [Muscle] Restricting reader/card access by user account

From: Martin Paljak (martin.paljak@gmail.com)
Date: Thu Mar 23 2006 - 02:19:55 CST


On 23.03.2006, at 4:04, Shawn Willden wrote:

>
> To clarify: Given that users will refuse to re-enter their PIN hundreds of
> times every day, using the approach mentioned by David Corcoran to address
> the multi-user access issue means that some higher-level mechanism must be
> implemented to cache the PIN so that each time the application needs to
> perform a PIN-protected operation it can re-present the PIN. If many
> different user-level applications use the smart card, then it's necessary to
> either have each of them cache the PIN (requiring the user to enter the PIN
> once per application) or else create some sort of a PIN-caching daemon which
> they all connect to. More likely, it would become the smart card interface
> daemon. That's unwieldy and also requires the PIN to be kept around in RAM
> all the time, which is uncomfortable from a security perspective (though not
> fatal).

Another sidenote:

Many eID cards have two keys and thus two PINs: one for
authentication, one for digital signature.
The card in .ee (800 000 cards handed out to folks) does it this way.
The authentication key requires a PIN only once and one can use the
key until you remove or reset the card. The digital signature key
requires a PIN for every operation. This is enforced on the card.

Then there are CSPs, where a CSP works much like a 'smart card
daemon'. Especially on OS X, where the CDSA subsystem uses a 'tokend'
daemon that is responsible for card communication, and is 'the
application'. Tokend talks to the CDSA subsystem that is responsible
for everything crypto on OS X.

For cryptographic operations this is the right way, as applications
don't have to know where exactly the signatures come from or where
operations are done, they just 'talk to CDSA'.

If you add a pinpad reader, it still works (though pinpad support on
OS X does not exist currently, AFAIK): you enter your PIN once for the
authentication key when you insert your card / access it for the first
time, the internal state of the card becomes 'authenticated', and CDSA
takes care of stuff like restricting access to the once-authenticated
card to processes of only a single user and so on. No PIN cache, you
enter a PIN only once.

The concept of having applications talking directly to smartcards or
having to deal with 'smart card centric PKCS#11 issues' is, at least
for generic cryptocards and eID cards, IMHO a stupid design.

Of course, I cannot talk about more complicated smartcard
applications and setups.

--
Martin Paljak / martinpaljak.pri.ee
martin.paljak.pri.ee / ideelabor.ee
+372 515 64 95
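An added illustration, not code from this post, the Muscle project or any real eID card: a Python model of the card-enforced policy described above, where one PIN1 entry keeps the authentication key usable until the card is reset, while the signature key demands PIN2 for every single operation. The PIN values, key bytes, three-try limit and the HMAC stand-in for the card's crypto are constructed assumptions.

```python
import hashlib
import hmac


class CardError(Exception):
    """Raised where a real card would answer 'security status not satisfied'."""


class TwoPinCard:
    """Card-side policy from the post: PIN1 unlocks the authentication key
    until reset/removal, PIN2 unlocks the signature key for exactly one
    operation. PINs, keys and the retry limit are constructed sample values."""
    MAX_TRIES = 3

    def __init__(self, pin1="1234", pin2="12345"):
        self._pins = {1: pin1, 2: pin2}
        self._tries = {1: self.MAX_TRIES, 2: self.MAX_TRIES}
        self._verified = {1: False, 2: False}  # security status per PIN
        self._keys = {1: b"auth-key-sample", 2: b"sign-key-sample"}

    def verify(self, ref, pin):
        """Like the VERIFY command: sets the security status for PIN `ref`."""
        if self._tries[ref] == 0:
            raise CardError("PIN%d blocked" % ref)
        if not hmac.compare_digest(pin, self._pins[ref]):
            self._tries[ref] -= 1
            raise CardError("wrong PIN%d, %d tries left" % (ref, self._tries[ref]))
        self._tries[ref] = self.MAX_TRIES
        self._verified[ref] = True

    def authenticate(self, challenge):
        """Authentication key: usable repeatedly while PIN1 status is set."""
        if not self._verified[1]:
            raise CardError("security status not satisfied (PIN1)")
        return hmac.new(self._keys[1], challenge, hashlib.sha256).hexdigest()

    def sign(self, data):
        """Signature key: the card clears PIN2 status after every use."""
        if not self._verified[2]:
            raise CardError("security status not satisfied (PIN2)")
        self._verified[2] = False
        return hmac.new(self._keys[2], data, hashlib.sha256).hexdigest()

    def reset(self):
        # Card reset or removal: all security status is lost, no host-side cache.
        self._verified = {1: False, 2: False}


def refused(op, *args):
    # Helper for walking through the policy: True if the card rejects the call.
    try:
        op(*args)
        return False
    except CardError:
        return True
```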

_______________________________________________
Muscle mailing list
Muscle@lists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle