MUSCLE and gemplus readers.
I've been testing out MUSCLE and some related software with some gemplus readers, all with RHL 6.1 2.2.12 kernel and RHL7.0 2.2.16 with backported USB and 2.4.5. The serial reader (GemPC 410) seems to work fine. I haven't got the USB reader GemPC430 to work though. All I get when I plug the reader in is a message saying no driver supports the device. This also happens with 2.4.5 kernel. Any pointers as to the possible cause? I recall seeing that the PCMCIA reader (GemPC400 aka GPR400) would have a PC/SC driver 'coming soon' any news on that? Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. *** Linux Smart Card Developers - M.U.S.C.L.E. (Movement for the Use of Smart Cards in a Linux Environment) http://www.linuxnet.com/smartcard/index.html ***
Re: MUSCLE and gemplus readers.
Jean-Luc GIRAUD wrote: > > Dr S N Henson wrote: > > > > I've been testing out MUSCLE and some related software with some gemplus > > readers, all with RHL 6.1 2.2.12 kernel and RHL7.0 2.2.16 with > > backported USB and 2.4.5. > > > > I haven't got the USB reader GemPC430 to work though. All I get when I > > plug the reader in is a message saying no driver supports the device. > > This also happens with 2.4.5 kernel. Any pointers as to the possible > > cause? > > Could you please copy the message, it would be very helpful. Also, what > do you use to install pcsc-lite: the tarball or a rpm package? Which > version is it? > > Here is a list of possible cause: > - the first versions of the debian package were not compiled with USB > support, maybe it was the same for the rpms. > - if you have USB support compiled as module, you have to install the > usb-uhci module "by hand" > - if you get the following message, you may not have copied the bundle > to the right location. > pcscd:pcscdaemon.c 126: /var/run/pcscd.pid > pcscd:pcscdaemon.c 146: main: PC/SC Lite Daemon Ready. > pcscd: hotplug_linux.c 146: No bundle files in pcsc drivers directory > I suspect the answer is 'none of the above' :-) The precise message I get is: usb.c: USB device 2 (vend/prod 0x8e6/0x430) is not claimed by any active driver. I'm compiling MUSCLE 0.9.1 and the GemPC430 driver from source. There are a few problems with 'make install' in MUSCLE, at least on my setup: for example it installs reader.conf in /usr/local/etc but expects to find it in /etc and it doesn't seem to install the pcsd binary (well script) anywhere. pcsd doesn't give any error message on start up. Presumably the hotplug support registers the vend/prod id when it looks through the bundle, my guess is that it isn't doing that for some reason, but I'm not familiar enough with how Linux USB works to trace it any further. BTW do you know anything about the GPR400 device driver? One problem I get with that is that after the 'power down' command it stays powered down and doesn't respond to any commands (including 'reset' which I believe is supposed to power it up again). A reboot or eject/reinsert is needed. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. *** Linux Smart Card Developers - M.U.S.C.L.E. (Movement for the Use of Smart Cards in a Linux Environment) http://www.linuxnet.com/smartcard/index.html ***
Re: MUSCLE and gemplus readers.
Jean-Luc GIRAUD wrote: > > Dr S N Henson wrote: > > > > I suspect the answer is 'none of the above' :-) > > Yes and no :-) (see below). > > > > > I'm compiling MUSCLE 0.9.1 and the GemPC430 driver from source. There > > are a few problems with 'make install' in MUSCLE, at least on my setup: > > for example it installs reader.conf in /usr/local/etc but expects to > > find it in /etc and it doesn't seem to install the pcsd binary (well > > script) anywhere. > > The default 'make install' does not compile pcscd with usb support > (which was the reason of the "problem" with the packages). You should > first './configure --enable-usb' to enable usb support. If you have the > GemPC430 bundle in the 'drivers' folder of the pcsc install, it should > work. > I did run ./configure with --enable-usb. I also ran pcsd under strace and it seems to be reading the 'bundle' files and there's also some additional activity when the reader is plugged in. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. *** Linux Smart Card Developers - M.U.S.C.L.E. (Movement for the Use of Smart Cards in a Linux Environment) http://www.linuxnet.com/smartcard/index.html ***
Re: MUSCLE and gemplus readers.
Jean-Luc GIRAUD wrote: > > > > > > I'm compiling MUSCLE 0.9.1 and the GemPC430 driver from source. There > > are a few problems with 'make install' in MUSCLE, at least on my setup: > > for example it installs reader.conf in /usr/local/etc but expects to > > find it in /etc and it doesn't seem to install the pcsd binary (well > > script) anywhere. > > The default 'make install' does not compile pcscd with usb support > (which was the reason of the "problem" with the packages). You should > first './configure --enable-usb' to enable usb support. If you have the > GemPC430 bundle in the 'drivers' folder of the pcsc install, it should > work. > A bit more progress. I've enabled debugging output and more importantly edited syslog.conf so it doesn't throw debugging output away :-) I get the following on startup: Jun 5 17:19:24 localhost pcscd:pcscdaemon.c 128: main: PC/SC Lite Daemon Ready. Jun 5 17:19:24 localhost pcscd: bundleparser.l 95: Value/Key not defined for: CFBundleExecutable I'll see if I can trace it a bit further. Looks like it doesn't like the bundle config file for some reason. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. *** Linux Smart Card Developers - M.U.S.C.L.E. (Movement for the Use of Smart Cards in a Linux Environment) http://www.linuxnet.com/smartcard/index.html ***
Re: MUSCLE and gemplus readers.
David Corcoran wrote: > > Hi, > > Try removing bundleparser.c and doing the ./configure --enable-usb > and everything over again. > That did the trick. I still get a few kernel warning messages when I plug the device in but I can now access the reader, thanks. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. *** Linux Smart Card Developers - M.U.S.C.L.E. (Movement for the Use of Smart Cards in a Linux Environment) http://www.linuxnet.com/smartcard/index.html ***
Re: MUSCLE Linux Login with RSA SmartCards
Ludovic Rousseau wrote: > > > I don't think using RPC is a good idea. > You use a smartcard to provide security in a unsecure environment. > I don't want to send my PIN code in clear over RPC. You need to have > authentication, integrity and confidentiality of your networks > communications. > You could use 'secure RPC' but it will be hard to find implementations > of it outside SUN. > > If you send your PIN code in clear over the network why not just use > telnet ? :-( > > I want a secure channel between my smartcard and the program sending > commands to it. > Yes, I agree. I also don't want some untrusted program (even if the server is authenticated) sending arbitrary commands to the smart card and, for example, grabbing the PIN and signing/decrypting anything it wants. For accessing remote computers (which the original query was about) something like ssh or secure telnet using smart card based keys for authentication would be more appropriate. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. *** Linux Smart Card Developers - M.U.S.C.L.E. (Movement for the Use of Smart Cards in a Linux Environment) http://www.linuxnet.com/smartcard/index.html ***
Re: MUSCLE Linux Login with RSA SmartCards
David Corcoran wrote: > > Hi, > > Sorry for the confusion, when I said RPC like service I meant a service > that uses GSS-API or something tunnelled under ssh. Keep in mind this is > a separate service that acts as an application to PC/SC - I would never > make this part of PC/SC and it would never be Sun RPC. > > I do need some sort of authentication service which uses GSS-API or > something so that in an environment such as the SunRay or Citrix I can > call back to the local smartcard reader since the authentication device > does not reside on the machine wishing to authenticate. Also, this is > needed for remote authentication services such as ftp/telnet. > Well it depends on how you do it. If you allow a remote application unrestricted access to a smart card reader, even if the traffic is encrypted it can have bad consequences. For example it could send a request to the card to sign additional data (e.g. to access another host) or to decrypt data (e.g. S/MIME email secured with the same key). If the protocol is designed properly, such problems can readily be avoided. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. *** Linux Smart Card Developers - M.U.S.C.L.E. (Movement for the Use of Smart Cards in a Linux Environment) http://www.linuxnet.com/smartcard/index.html ***
Re: MUSCLE Linux Login with RSA SmartCards
Carlos Prados wrote: > > > Again, I would pay more athention to local security. > Why is the file /tmp/.pcscrx world writtable? isn't > this a security hole? > On the subject of security... As may be apparent I've only just got my setup working and I've not examined things in any detail. I did notice a few things which might be cause for concern. Consider a Netscape PKCS#11 module. In this application the connection to the reader may need to be kept open for an extended period of time (typically the whole browser session) and may not be closed cleanly. As we are all painfully aware its not entirely unknown for a browser to crash. This situation needs to be handled, i.e. a connection can be kept open for a long time with no security issues and if the application using it crashes then the session is cleaned up appopriately. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. *** Linux Smart Card Developers - M.U.S.C.L.E. (Movement for the Use of Smart Cards in a Linux Environment) http://www.linuxnet.com/smartcard/index.html ***
Re: MUSCLE Disk encryption and more
Patrick Valsecchi wrote: > > > I don't have to store each signature of each bin into the smartcard. I won't > have enough RAM for that! I'll store inside each executable and library the > signed crypto hash. The kernel will check if the crypto hash is still the same > and the smartcard will just check if the signature of the crypto hash. > I'm curious as to why the smartcard is being used for the crypto verification as opposed to the boot-loader and subsequently the executable loader. They might for example have a hard coded public key or some root CA depending on how sophisticated you want to be. You of course have to be very careful that the public key or certificate cannot be replaced. If there is some reason to use a smart card then that also has to be handled carefully, otherwise someone could just replace it with something that either always returns successful (for any signature) or allows other (known) keys to sign the executables. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. *** Linux Smart Card Developers - M.U.S.C.L.E. (Movement for the Use of Smart Cards in a Linux Environment) http://www.linuxnet.com/smartcard/index.html ***
Re: MUSCLE GemPlus MPCOS-EMV
> "Pauley, John" wrote: > > All, > > First, sorry for the long post. > > My problem is that I have to authenticate the terminal with a GemPlus > MPCOS-EMV smart card using the following algorithm (this is in the G+ > MPCOS-EMV manual): > [description deleted] I'm not sure what your problem is but I have myself successfully implemented the algorithm based on the information in the G+ manual, though I think the references to CRnd7 to CRnd4 should be CRnd3 to CRnd0 since CRnd is only 4 bytes long. The actual "3DES" algorithm used is also commonly referred to as "two key triple DES" and it is ECB mode. You may find the "GPK pilot" tool useful (available from G+ site). If you can get it to initiate secure messaging with the trace activated you can use the trace file to check your implementation. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. *** Linux Smart Card Developers - M.U.S.C.L.E. (Movement for the Use of Smart Cards in a Linux Environment) http://www.linuxnet.com/smartcard/index.html ***
