On 4/25/2012 10:20 AM, Marc Boorshtein wrote:
> On Wed, Apr 25, 2012 at 10:36 AM, Douglas E. Engert<deeng...@anl.gov>  wrote:
>>
>>
>> On 4/25/2012 8:10 AM, Marc Boorshtein wrote:
>>> So I now I have a PIV card that I know has a certificate on it because
>>> I can login to my windows terminal with it (XP).
>>
>> Is this the same card you were trying a few days ago? Did you get the
>> certificates on it?  Are you sure the XP login is using the certificate?
>>
>> Or is this a different card.
>>
>
> Different card.  They don't have a single card yet for both PACS and LACS
>
>
>>> The card is using biometrics or a passphrase to unlock.
>>
>> The NIST PIV specifications 800-73 call for the storing of a fingerprint
>> object on the card, but does not require the card to do the matching,
>> and does not define commands to supply the card with a fingerprint and
>> to do the match.
>>
>> Some vendors may provide vendor-specific drivers for their cards. Or
>> a second application on the card to do the matching.
>>
>
> Interesting, I never put in a PIN.  So does this mean they're not
> using a standard PIV technology?  They're using software from SafeNet
> (Borderless Security I think).  When I plugged it into Windows 7 it
> said it could find a driver for the card.

Sounds like this:
http://csrc.nist.gov/groups/SNS/piv/documents/workshop-Jun272005/SafeNet.pdf

Card vendors can add additional functionality to their cards on top of
the NIST PIV standards. Or they can add additional applications to the card
that could share data with the PIV application on the card. To use these
additional features, which are most likely proprietary, requires vendor drivers.

Sounds like SafeNet has provided the driver to Microsoft to download.

OpenSC (and AFAIK the Microsoft PIV driver) only support the NIST standards
and will thus work with all the standard features of any PIV compliant card.

It sounds like your card has additional features that could allow for
an on-card fingerprint match, which would not require the PIN. (The PIV
fingerprint object as defined by NIST 800-73 requires PIN authentication
to read the object off the card. But an on-card match is not reading the
object off the card, so I would speculate that it would be allowed.)

>
>
>> Your reader vendor says it has a Linux driver.
>>
>> OpenSC can read the PIV fingerprint object so the match could be done in
>> host software, if you also have some fingerprint reader with driver.
>>
>
> I see, so it sounds like it's the middleware that's doing the matching
> as opposed to the PIN being used to unlock the card.

It is not clear. But from a security standpoint, your organization must
have looked at the security risks of using these cards with their
recommended readers and looked at what is going on under the covers.

>
>>> We're using a Precise Biometrics
>>> card reader.  When I put the card into my OmniKey 3021 it didn't
>>> recognize it at all, said it was an invalid card type (I'll send over
>>> the logs).
>>
>> opensc-tool -a would help identify the card type. Then see:
>>   http://smartcard-atr.appspot.com/
>>
>>>
>>> Here's my question, does OpenSC support any of the biometric readers?
>>
>> Not at this time. Are there any standards for these, any open source
>> available?
>>
>
> I don't think so, I can't seem to find anything anyways.
>
> Thanks
> Marc
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
>

-- 

  Douglas E. Engert  <deeng...@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
