CryptoToken

CryptoToken
founder:
depends on:
interested:
software license:	-
hardware license:	-
status:	active

The aim of the project is to explore uses of cryptographic tokens, starting with Feitian ePass 2003. At first basic features like use for SSH and GnuPG, later possibly extended options provided by OpenSC and PKCS#11 interface - e.g. code signing, TLS client certificates.

• General information
• Download page for SDK, user docs and SDK docs
• Quickstart guide
• Difference Between ePass 2003 and ePass PKI

Tokens arrived by mail on 2013-01-30.

Either 450 CZK or 18 EUR, CZK preferred (8971.71 CZK total for 20 tokens, shipping included).

Write your nick/name the from the above table into payment's user info field, so that I can identify payments.

For extra paranoia, table with accounts signed with gnupg:

accounts.asc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
^ Currency ^ CZ internal      ^ IBAN                    ^ BIC/SWIFT   ^
| CZK      | 2100099326/2010 | CZ8320100000002100099326 | FIOBCZPPXXX |
| EUR      | 2800099327/2010 | CZ7320100000002800099327 | FIOBCZPPXXX |
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
 
iQEcBAEBCAAGBQJRAtQ9AAoJEAy6xNgMZCEgKUEIAKV5I2pj52IY3rwVCtI266qV
IDzDCF3Xt3RKGIddZdEliuc0q4zbsHJD5A47YYiLBUK49A4CdmSx+0aIx1nbIWfu
FwCakOUIBzrfOSisCtPLCTXlZYRBNnW3sS+LBN+OC5vGZ3gpkdFbD+4rMYuEEGPO
gURT4jgGvlrOd8wvBNX1jNWGG6P9nS9S1GjaCQ83ThVf/3Lc6aqjPykRVPFDTJ/t
RJEmgopuYFllB3/ibeqG/lBwnwEywLXUHf+CTpVXa4OXV8siAMXaSMVJvnJ8730R
TRc3glTZKsiFO38iLRlSFxAmJK/5IA9Txzcrjd6aeti0yCaIgxnC2+KIKWrSaVw=
=MeOp
-----END PGP SIGNATURE-----

Worshop is planned for making the token work on *nix systems once the tokens arrive.

The token offers multiple interfaces, so we'd go likely in this order and see how far we can get:

• Import of existing RSA SSH key, and connecting
  • note on ~/.ssh/config - PKCS11Provider option (OpenSSH 5.5p1 or later recommended)
• Import of PGP/GnuPG key and basic operations - decrypt, verify (GnuPG PKCS#11 interface)
• Overview of PAM and PAM configuration.
  • pam_pkcs11 - PAM module to perform authentication via PKCS#11 interface offered by the token
  • one example for some /etc/pam.d/ config file (e.g. sudo)
• Import of client certificate from PKCS#12 file

OpenSC >= 0.12.2 recommended. AFAIK all rather modern Linux distros have it available (it's not in Debian Stable - Squeeze), Mac OS X has packages from gooze.eu available (in case those are not in Mac Ports).

Other tutorials on gooze.eu.

The Yubikey Neo with NFC seems interesting, too. It's the standard Yubikey with NFC NDEF type 4 tags and Mifare classic interface. Applications:

• OTP token working as USB HID keyboard that writes OTP when button is pushed (this is the original Yubikey's functionality)
  • usable e.g. for SSH two-factor authentication
• multiple “slots” or “apps”
  • can be personalized for challenge-response and other protocols
  • OpenPGP support (no key import, keys are generated on the chip)
  • various modes can be turned on/off - combinations of HID, CCID and OpenPGP support
• some Neo apps have sources available, e.g. source for OpenPGP app

Issues:

• not much technical information yet (“Yubico will share more information on how this can be used in Q1, 2013”)
  • product page says something about Common Criteria certified bank grade authentication ICs, but what EAL level?
• does attacking via Mifare Classic interface reveal random seeds or RNG states usable for other interfaces? (HID, NFC)
  • could the above be combined with NDEF record composition attack?

Yubikey has its own PAM module pam_yubico which is quite configurable. E.g. it can provide two-factor auth or replacing passwords with OTP.