On 26 April 2012 at 11:32, helpcrypto helpcrypto <helpcry...@gmail.com> wrote:
>> Report CKF_PROTECTED_AUTHENTICATION_PATH to the application. OpenSC
>> then calls an external lib to do do what is needed to authenticate the
>> user.
>>
>> The external lib can do anything like display a dialog box, talk to
>> the biometric reader, talk to a remote server, etc.
>
> and what about the library-in-the-middle attack?

See below.

>> Todo list:
>> - define an API between OpenSC and an external lib
>
> Maybe the readers have many different systems of authentication (PIN,
> biometric, "on the fly / time generated").
> I have to think this twice.

The only information needed by OpenSC is a boolean: did the
authentication succeed?

>> - define a configuration to tell OpenSC to use an external lib
>
> And what if I edit your current config and replace the lib with my
> modified evil lib?

The config file should be secured by the file access rights.
/etc/opensc/opensc.conf is owned by root with no write access for
normal users.

If you can edit a root file you can do anything much more evil.

>> I don't know how/if OpenSC can know the smart card reader is
>> biometric. I have not seen any thing like that in PC/SC.
>
> Neither have I.
> what about something like "declaring reader features" ?
> If the reader supports extended APDUs, then the EXTENDED_APDU_SUPPORT flag is set.
> What do you think of BIOMETRIC_SUPPORT / EXTERNAL_LOGIN_SUPPORT to know that?
> Has this been discussed (improve reader feature info in the PCSC wg)?

Biometrics do not use PC/SC. PC/SC makes no use of biometrics.

If a biometric lib is configured in OpenSC then OpenSC should query
the lib to know if the/a connected reader is biometric or not.

Bye

-- 
 Dr. Ludovic Rousseau
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
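The reply above relies on file access rights to keep the external authentication library from being swapped. The following is an added example, not OpenSC code, of the check a loader could run before dlopen(): it refuses the config file and the library unless both are regular files owned by the expected user and writable by nobody else. It goes slightly beyond the thread by checking the library path as well as /etc/opensc/opensc.conf; the function names and the library path are assumptions.

```c
/* Added example (not OpenSC code): verify ownership and permissions of
 * the config file and the external auth lib before loading either. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

enum trust_error {
    TRUST_OK = 0,
    TRUST_NOT_REGULAR,  /* not a regular file (symlink, device, ...)     */
    TRUST_BAD_OWNER,    /* owned by someone other than expected_owner    */
    TRUST_GROUP_WRITE,  /* group-writable: group members could replace it */
    TRUST_WORLD_WRITE,  /* world-writable: any local user could replace it */
    TRUST_STAT_FAILED   /* lstat() failed: missing file, EACCES, ...      */
};

/* Pure policy check on owner and mode bits, kept free of I/O so it can
 * be exercised with constructed values. World-write is reported before
 * group-write because it is the more serious finding. */
enum trust_error check_mode(uid_t owner, uid_t expected_owner, mode_t mode)
{
    if (!S_ISREG(mode))
        return TRUST_NOT_REGULAR;
    if (owner != expected_owner)
        return TRUST_BAD_OWNER;
    if (mode & S_IWOTH)
        return TRUST_WORLD_WRITE;
    if (mode & S_IWGRP)
        return TRUST_GROUP_WRITE;
    return TRUST_OK;
}

/* lstat() rather than stat(): a symlink placed by an unprivileged user
 * must not be followed to a root-owned target and pass the check. */
enum trust_error path_is_trusted(const char *path, uid_t expected_owner)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return TRUST_STAT_FAILED;
    return check_mode(st.st_uid, expected_owner, st.st_mode);
}

int main(void)
{
    /* Config path from the thread; the library path is a placeholder. */
    const char *files[] = { "/etc/opensc/opensc.conf",
                            "/usr/lib/opensc/external-auth.so" };
    for (int i = 0; i < 2; i++)
        printf("%s: %s\n", files[i],
               path_is_trusted(files[i], 0) == TRUST_OK ? "trusted"
                                                        : "refuse to load");
    return 0;
}
```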