Re: [opensc-devel] OpenSC shared mode
Hi!

> Many thanks Frank and Martin, using exclusive mode solved my problem:
...
> I wonder if there is not a problem in shared mode or if we should not
> ask users to use exclusive mode only.

No problem, I had a similar problem where two applications accessed a smart card. One "initialized" the card, leaving it in an unusable state for the other.

IMHO, _shared_mode_ is not what you want for multiple applications. What Juan described sounds like a security nightmare. Smart cards do things like mutual authentication, which is not much mutual anymore from the smart card's point of view if applications on the one end can change. If such behaviour is required, applications should at least access the card through the same middleware and let the middleware do SM (and authentication of the different apps).

In your example, Juan, you say that Firefox calls C_Init to initialize the card for pkcs11. I'm not an expert for p11, but is it really needed to actually lock the card on initialization and keep an established connection?

Cheers, Frank.

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] OpenSC shared mode
On 06/05/2011 21:23, Juan Antonio Martinez wrote:
> Sure: there are some cases where this approach fails:
> SSL renegotiation when signing applet is running; two pkcs11
> trying concurrent access to the card... but this is not
> as usual as thought.

IMHO you could avoid troubles using a simple state machine: when the "server" sends a command to the card, it sets a busy flag to prevent access from other apps. Once the card answers (could take a long time, like when generating an RSA key, but since the card is actually "in use" there's no way to avoid it) a timer is started. If another command comes in from the same client, the timer gets reset and the cycle starts again. If no command is received before the timer expires, then the card is reset and the busy flag is cleared.

This way you can be sure that only an active app keeps control of the card. For example, for Firefox it will be like a card removal. It should reread it anyway (maybe a cert got added...). In your example, SSL renegotiation (or the signing app) would be delayed the time needed to complete the other operation. A hung app could not lock the card for others.

The only drawback I see is that no user intervention is possible during a command sequence: you can't stop to ask for the PIN, you have to know that a PIN is needed (by parsing PKCS#15 structs or by issuing a crypto op), ask for it and restart sending commands from the beginning. Unless (maybe) the reader comes with a pinpad and its "read PIN" is atomic (that is: no answer till the user enters the PIN).

Or maybe I'm completely gone... :)

BYtE, Diego.
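The busy-flag and idle-timer arbitration Diego sketches, written out as a small deterministic simulation. This is an added example, not OpenSC code or anything from the thread's authors: the arbiter, the client names and the command timings are constructed, and time is passed in explicitly so that the run is reproducible. It shows the three properties he claims: a second app is refused while a command is in flight, the same client keeps the card as long as it stays active, and an idle (or hung) app loses the card after the timer expires, which the idle app then sees as a card reset.

```python
"""Simulation of busy-flag + idle-timer card arbitration (added example, not OpenSC code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CardArbiter:
    """One owner at a time; ownership lapses after idle_timeout seconds of silence."""
    idle_timeout: float                 # seconds without a command before the card is reset
    owner: Optional[str] = None         # client currently holding the card
    busy_until: float = 0.0             # card is answering a command until this time
    deadline: float = 0.0               # absolute time at which ownership expires
    resets: int = 0                     # card resets performed (look like card removals)
    log: List[str] = field(default_factory=list)

    def _expire(self, now: float) -> None:
        # Idle timer ran out: reset the card so the next client starts from a
        # clean, unauthenticated state instead of inheriting a verified PIN.
        if self.owner is not None and now >= self.deadline:
            self.log.append(f"t={now:g}: {self.owner} idle -> card reset")
            self.resets += 1
            self.owner = None

    def submit(self, client: str, cmd: str, now: float, duration: float) -> str:
        """Try to run cmd for client at time now; the card needs duration seconds to answer."""
        self._expire(now)
        if now < self.busy_until:
            # Busy flag set: a command (maybe a slow key generation) is still in flight.
            self.log.append(f"t={now:g}: {client} {cmd} -> BUSY (card answering {self.owner})")
            return "BUSY"
        if self.owner is not None and self.owner != client:
            # Another app owns the card and its idle timer has not expired yet.
            self.log.append(f"t={now:g}: {client} {cmd} -> BUSY (owned by {self.owner})")
            return "BUSY"
        self.owner = client
        self.busy_until = now + duration
        self.deadline = self.busy_until + self.idle_timeout   # (re)start the idle timer
        self.log.append(f"t={now:g}: {client} {cmd} -> OK (owner until t={self.deadline:g})")
        return "OK"


def run_scenario():
    """Constructed timeline: Firefox, then a signing applet, then Firefox again."""
    arb = CardArbiter(idle_timeout=2.0)
    steps = [
        ("firefox", "SELECT", 0.0, 0.1),        # Firefox takes the card
        ("firefox", "VERIFY", 0.5, 0.1),        # same client: timer restarts
        ("applet", "SELECT", 1.0, 0.1),         # refused: Firefox still active
        ("applet", "SELECT", 3.0, 0.1),         # Firefox idle since t=0.6 -> reset, applet takes over
        ("applet", "GENERATE KEY", 3.1, 5.0),   # slow command, card busy until t=8.1
        ("firefox", "SIGN", 4.0, 0.1),          # refused: command in flight
        ("firefox", "SIGN", 10.5, 0.1),         # applet idle since t=8.1 -> reset, Firefox takes over
    ]
    outcomes = [arb.submit(*step) for step in steps]
    return outcomes, arb.resets


if __name__ == "__main__":
    outcomes, resets = run_scenario()
    print(outcomes, resets)
```

Note the consequence Diego points out: each reset discards the verified-PIN state, so a client that was refused or timed out has to replay its whole command sequence (PIN verification included) rather than resume mid-sequence.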
Re: [opensc-devel] OpenSC shared mode
On Fri, 06-05-2011 at 16:43 +0200, Jean-Michel Pouré - GOOZE wrote:
> On Friday 06 May 2011 at 17:24 +0300, Martin Paljak wrote:
> > But daily smart card usage usually means using different applications.
>
> OK. But shared mode does not work very well, especially with OpenSSH and
> Iceweasel (Firefox) together. I did some heavy testing and found
> usability problems in shared mode. IMHO, shared mode is not usable.
> Could someone confirm.

Sure me not: for the Spanish DNIe, shared mode is the _only_ way to get so many applications working. A typical example is an authenticated https connection that loads and runs a document signing applet (this is a common issue in many gov webpages).

OpenDNIe has an interesting issue related to Secure Messaging and shared mode: the DNIe does not support logical channels with separate SM queues for each application. Every concurrent application _must_ share the same Secure Channel...

So my first approach was to "solve" it as you suggested: forbid concurrent applications to make sure that there is only one SM channel at a time. But this approach failed with most of our e-admin public web pages. So exclusive mode is a no-no for me.

Second approach was to implement a "secure channel server": divide OpenSC into a client-server application in a way that only the server talks with the reader driver... but too complex, and I also found that many apps still try to bypass the server and access pcsc directly :-(

So finally my solution was a "collision detector": the first app opens a card connection and creates an SM channel. When a second app starts, some app (or both) receives an "SM error" response; then just restart SM and retry. With proper locking this solution works in most tested scenarios...

... Due to the "init & forget" common approach of most pkcs11 applications: for instance Firefox calls C_Init at start... and forgets pkcs11 until (really) needed. So any signing applet can in turn start its own pkcs11, restart SM, do the work and call C_Finalize. When Firefox finally needs to access pkcs11, it just receives its own "SM error", restarts the channel and continues normally.

Sure: there are some cases where this approach fails: SSL renegotiation when the signing applet is running; two pkcs11 trying concurrent access to the card... but this is not as usual as thought.

About security: I agree: we need some way to ensure that only one user can access the card at a time.

Juan Antonio
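Juan's "collision detector" and its failure case, as an added simulation that is not OpenDNIe or OpenSC code. The card, the apps and the APDU names are constructed; the only behaviour taken from his message is that the DNIe has a single Secure Messaging channel, that a command sent over a stale channel is answered with an SM error, and that the recovery is to restart SM and retry. The first scenario is his "init & forget" case, which the retry handles; the second is the interleaved case he says fails, and the simulation shows why: the SM restart also discards the PIN-verified state, so a multi-step sequence (VERIFY, then SIGN) cannot simply be resumed by retrying the failed step.

```python
"""Single-SM-channel card with collision detection (added example, constructed card and apps)."""


class SingleChannelCard:
    """Toy card that accepts exactly one Secure Messaging channel at a time."""

    def __init__(self):
        self.session = 0        # id of the SM channel the card currently accepts
        self.verified = False   # PIN status; it is bound to the channel and lost on SM restart
        self.sm_restarts = 0    # how many SM handshakes the card performed

    def open_sm(self) -> int:
        # A new handshake replaces whatever channel was open and clears the security status.
        self.session += 1
        self.verified = False
        self.sm_restarts += 1
        return self.session

    def transmit(self, session: int, apdu: str) -> str:
        # A command protected with a stale channel cannot be checked: answer with an SM error.
        if session != self.session:
            return "SM_ERROR"
        if apdu == "VERIFY":
            self.verified = True
            return "OK:VERIFY"
        if apdu == "SIGN" and not self.verified:
            return "SECURITY_STATUS_NOT_SATISFIED"
        return f"OK:{apdu}"


class App:
    """A pkcs11 consumer that restarts SM once and retries when it detects a collision."""

    def __init__(self, name: str, card: SingleChannelCard, max_retries: int = 1):
        self.name = name
        self.card = card
        self.max_retries = max_retries
        self.session = card.open_sm()   # C_Initialize: open our own channel (and break any other)

    def send(self, apdu: str) -> str:
        for _ in range(self.max_retries + 1):
            resp = self.card.transmit(self.session, apdu)
            if resp != "SM_ERROR":
                return resp
            # Collision detected: another app replaced the channel. Restart SM and retry.
            self.session = self.card.open_sm()
        return "FAILED"


def init_and_forget_scenario():
    """Firefox initialises early, a signing applet comes and goes, Firefox resumes later."""
    card = SingleChannelCard()
    firefox = App("firefox", card)           # channel 1
    applet = App("signing-applet", card)     # channel 2; Firefox's channel is now stale
    applet.send("VERIFY")
    sign = applet.send("SIGN")
    read = firefox.send("READ-CERT")         # first try: SM_ERROR; restart (channel 3) and retry
    return sign, read, card.sm_restarts


def interleaved_scenario():
    """Two apps alternating commands, e.g. SSL renegotiation while the applet is signing."""
    card = SingleChannelCard()
    ssl = App("ssl-renegotiation", card)
    applet = App("signing-applet", card)
    verify_a = ssl.send("VERIFY")            # restarts SM, verifies PIN on the new channel
    verify_b = applet.send("VERIFY")         # restarts SM again: ssl's verified state is gone
    sign_a = ssl.send("SIGN")                # retry succeeds at SM level but PIN is no longer verified
    return verify_a, verify_b, sign_a


if __name__ == "__main__":
    print(init_and_forget_scenario())
    print(interleaved_scenario())
```

The retry loop is enough when the two users of the card take turns; it is not enough when their command sequences interleave, which is exactly why Juan qualifies the approach with "with proper locking": the lock has to span the whole VERIFY-and-SIGN sequence, not one APDU.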
Re: [opensc-devel] OpenSC shared mode
On Fri, May 6, 2011 at 5:24 PM, Martin Paljak wrote:
> Hello,
>
> On May 6, 2011, at 17:16 , Jean-Michel Pouré - GOOZE wrote:
>>
>> I wonder if there is not a problem in shared mode or if we should not
>> ask users to use exclusive mode only.
>
> For the sake of usability, exclusive mode should only be used *if needed*.
> From security perspective, it does not really matter, because if your host is
> compromised, such software tricks are worthless. But daily smart card usage
> usually means using different applications.

This is incorrect. A computer may be compromised on so many levels. It is true that if someone has total (root) control over the computer, he may do whatever. However, other non-privileged users MUST NOT be able to gain access to resources used by other users.

Well, you can argue: if I restrict access to readers to a specific user, then no other user can access the device anyway. If this is enough for users, let it be. I don't think it is enough, as this state is not much different than using file based cryptography.

I know we do not agree on this, but I have never seen hardware cryptography using any similar assumption.

Some references:
http://www.mail-archive.com/opensc-devel@lists.opensc-project.org/msg05689.html
http://www.opensc-project.org/opensc/ticket/186
http://www.opensc-project.org/pipermail/opensc-devel/2008-December/011525.html
http://www.opensc-project.org/pipermail/opensc-user/2008-July/002561.html
http://www.opensc-project.org/mailman/private/opensc-internal/2008-June/000335.html

Discussion with Nils 5/2008, a prototype option, we agreed this is a fundamental problem of the project, but neither had resources to actually solve it.

Regards,
Alon Bar-Lev.
Re: [opensc-devel] OpenSC shared mode
From a user's perspective, having to shut down an application so another could start is not very friendly. Do we need a tool to force a logoff/unlock/reset/... so a user could start an operation with another application, without having to shut down the first?

With the mini-driver, Windows login will keep the mini-driver loaded; not sure what state the card is in, so it also needs to be looked at.

On 5/6/2011 9:24 AM, Martin Paljak wrote:
> Hello,
>
> On May 6, 2011, at 17:16 , Jean-Michel Pouré - GOOZE wrote:
>>
>> I wonder if there is not a problem in shared mode or if we should not
>> ask users to use exclusive mode only.
>
> For the sake of usability, exclusive mode should only be used *if needed*.
> From security perspective, it does not really matter, because if your host is
> compromised, such software tricks are worthless. But daily smart card usage
> usually means using different applications.
>
> Best,
> Martin

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Re: [opensc-devel] OpenSC shared mode
On Friday 06 May 2011 at 17:24 +0300, Martin Paljak wrote:
> But daily smart card usage usually means using different applications.

OK. But shared mode does not work very well, especially with OpenSSH and Iceweasel (Firefox) together. I did some heavy testing and found usability problems in shared mode. IMHO, shared mode is not usable. Could someone confirm?

How can I help on my side? Use pkcs11 spy?

Kind regards,
--
Jean-Michel Pouré - Gooze - http://www.gooze.eu
Re: [opensc-devel] OpenSC shared mode
Hello,

On May 6, 2011, at 17:16 , Jean-Michel Pouré - GOOZE wrote:
>
> I wonder if there is not a problem in shared mode or if we should not
> ask users to use exclusive mode only.

For the sake of usability, exclusive mode should only be used *if needed*. From a security perspective, it does not really matter, because if your host is compromised, such software tricks are worthless. But daily smart card usage usually means using different applications.

Best,
Martin
--
@MartinPaljak.net
+3725156495
Re: [opensc-devel] OpenSC shared mode
On Friday 06 May 2011 at 15:41 +0200, Frank Morgner wrote:
> AFAIK, SCardConnect immediately returns an error if an application wants
> to access a reader which is already in exclusive use. Have you tried
> switching on exclusive mode in the configuration file of OpenSC? (Note
> that this does not completely remove security issues.)

Many thanks Frank and Martin, using exclusive mode solved my problem:

Running ssh-add first:
1) Run ssh-add -s /usr/lib/opensc-pkcs11.so => Success
2) Start Iceweasel 4 (based on Firefox 4). The security token is not shown ... which is normal as we are in exclusive mode. Iceweasel is started immediately.

Running Firefox first:
1) Start Iceweasel and log in to the token. Iceweasel is started immediately.
2) ssh-add -s /usr/lib/opensc-pkcs11.so => Failure. Which is normal as we are in exclusive mode.

In exclusive mode, the response is fast, almost instantaneous. In shared mode, I experienced some strange timeouts, waiting for the application to launch. Even when only ONE application is running. A typical example is ssh-add -s /usr/lib/opensc-pkcs11.so and then run ssh f...@bar.com. In shared mode you can wait 12 seconds adding the card and 60 more seconds when using ssh. Or more before anything happens. In exclusive mode, it works immediately.

Exclusive mode:
time | ssh-add -s /usr/lib/opensc-pkcs11.so => 8s
time | ssh foo@bar ; exit => 4s
time | ssh-add -e /usr/lib/opensc-pkcs11.so => 2s

Shared mode:
time | ssh-add -s /usr/lib/opensc-pkcs11.so => 12s
time | ssh foo@bar ; exit => fails 50% of the time or is VERY long.

Also, in shared mode, running ssh-add first and then running Firefox will block Firefox startup.

I wonder if there is not a problem in shared mode or if we should not ask users to use exclusive mode only.

Kind regards,
--
Jean-Michel Pouré - Gooze - http://www.gooze.eu
Re: [opensc-devel] OpenSC shared mode
Hello,

On May 6, 2011, at 16:41 , Frank Morgner wrote:
>>
>> Is there a way to inform opensc-pkcs11.so that a communication is
>> already established by Firefox and that SSH should start without using
>> pkcs11?
>
> AFAIK, SCardConnect immediately returns an error if an application wants
> to access a reader which is already in exclusive use. Have you tried
> switching on exclusive mode in the configuration file of OpenSC? (Note
> that this does not completely remove security issues.)

It should be possible and it would be a nice feature to have. Figuring out what will happen when the card *will* be available and what to do when a reader is in use by another application is a tricky question though (not all applications can easily reload tokens).

lock_login will not result in exclusive mode access to the reader (controlled by the "connect_exclusive" configuration option, shared mode by default) but in a transaction, with SCardBeginTransaction being called on C_Login.

Cheers,
Martin.
--
@MartinPaljak.net
+3725156495
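The two PC/SC mechanisms Martin distinguishes, exclusive connection (the connect_exclusive option) versus a shared connection plus a transaction (what lock_login does around C_Login), modelled as an added example. This is not OpenSC or pcsc-lite code: the reader is a toy resource manager and the app names are constructed; only the share-mode and error-code constants are the real winscard values. It reproduces the two behaviours reported in the thread: an exclusive connection makes the second application's SCardConnect fail immediately with SCARD_E_SHARING_VIOLATION (the fast failure seen in exclusive mode), whereas a transaction lets the second application connect successfully and only stalls it when it first talks to the card, which is the silent wait in shared mode. The "WAIT" result stands in for the blocking that the real client library does while the other handle holds the transaction.

```python
"""Toy PC/SC resource manager: exclusive connect vs. shared connect + transaction (added example)."""

# Real winscard constants; the reader model below is constructed for illustration.
SCARD_SHARE_EXCLUSIVE = 1
SCARD_SHARE_SHARED = 2
SCARD_S_SUCCESS = 0
SCARD_E_SHARING_VIOLATION = 0x8010000B


class ToyReader:
    """Tracks connections to one reader, their share modes, and a single transaction holder."""

    def __init__(self):
        self.handles = {}            # handle -> (application name, share mode)
        self.transaction = None      # handle currently between Begin/EndTransaction, or None
        self._next_handle = 1

    def SCardConnect(self, app: str, share_mode: int):
        """Return (return code, handle). Fails fast instead of waiting, like the real call."""
        exclusive_held = any(mode == SCARD_SHARE_EXCLUSIVE for _, mode in self.handles.values())
        if exclusive_held or (share_mode == SCARD_SHARE_EXCLUSIVE and self.handles):
            return SCARD_E_SHARING_VIOLATION, None
        handle = self._next_handle
        self._next_handle += 1
        self.handles[handle] = (app, share_mode)
        return SCARD_S_SUCCESS, handle

    def SCardBeginTransaction(self, handle: int) -> str:
        # Another handle inside a transaction: the real caller would block here.
        if self.transaction is not None and self.transaction != handle:
            return "WAIT"
        self.transaction = handle
        return "OK"

    def SCardEndTransaction(self, handle: int) -> None:
        if self.transaction == handle:
            self.transaction = None

    def SCardTransmit(self, handle: int, apdu: str) -> str:
        # Transmitting from a handle that does not hold the transaction waits for its end;
        # the application shows no error, it just appears to hang.
        if self.transaction is not None and self.transaction != handle:
            return "WAIT"
        return f"OK:{apdu}"


def connect_exclusive_scenario():
    """connect_exclusive: Firefox holds the reader, ssh-add is refused at once."""
    reader = ToyReader()
    rc_firefox, _ = reader.SCardConnect("firefox", SCARD_SHARE_EXCLUSIVE)
    rc_ssh, _ = reader.SCardConnect("ssh-add", SCARD_SHARE_SHARED)
    return rc_firefox, rc_ssh


def lock_login_scenario():
    """lock_login: shared connect succeeds, but the transaction opened at C_Login stalls ssh-add."""
    reader = ToyReader()
    _, h_firefox = reader.SCardConnect("firefox", SCARD_SHARE_SHARED)
    reader.SCardBeginTransaction(h_firefox)         # C_Login with lock_login = true
    rc_ssh, h_ssh = reader.SCardConnect("ssh-add", SCARD_SHARE_SHARED)   # no error here
    first = reader.SCardTransmit(h_ssh, "SELECT")   # waits for Firefox's transaction
    reader.SCardEndTransaction(h_firefox)           # Firefox logs out / releases the card
    second = reader.SCardTransmit(h_ssh, "SELECT")
    return rc_ssh, first, second


if __name__ == "__main__":
    print(hex(connect_exclusive_scenario()[1]))
    print(lock_login_scenario())
```

From a diagnostic point of view this is the difference that matters: SCARD_E_SHARING_VIOLATION is an error an application can report to the user, while a held transaction is invisible to the second application until its first command stalls.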
Re: [opensc-devel] OpenSC shared mode
On Friday, May 06 at 03:03PM, Jean-Michel Pouré - GOOZE wrote:
> On Friday 06 May 2011 at 14:41 +0300, Martin Paljak wrote:
> > Have a look at the wiki:
> > http://www.opensc-project.org/opensc/wiki/SecurityConsiderations
>
> Sure.
>
> I am worried about:
> * Application A opens communication with token and locks it.
> * Application B tries to open communication with token.
> * Application B has no knowledge token is locked by application A. No
> error message is given. The user waits during minutes, thinking "My
> token does not work".
>
> Is there any mechanism informing an application requesting
> opensc-pkcs11.so that a smartcard is locked in exclusive mode (=being
> accessed)?
> To give an example, I could verify:
> * Firefox runs, logs in the token in exclusive mode.
> * SSH client runs with pkcs11 authentication. SSH client will wait for
> minutes until it times out. No specific error message is displayed.
>
> Is there a way to inform opensc-pkcs11.so that a communication is
> already established by Firefox and that SSH should start without using
> pkcs11?

AFAIK, SCardConnect immediately returns an error if an application wants to access a reader which is already in exclusive use. Have you tried switching on exclusive mode in the configuration file of OpenSC? (Note that this does not completely remove security issues.)

Cheers, Frank.
Re: [opensc-devel] OpenSC shared mode
On Friday 06 May 2011 at 14:41 +0300, Martin Paljak wrote:
> Have a look at the wiki:
> http://www.opensc-project.org/opensc/wiki/SecurityConsiderations

Sure.

I am worried about:
* Application A opens communication with the token and locks it.
* Application B tries to open communication with the token.
* Application B has no knowledge that the token is locked by application A. No error message is given. The user waits for minutes, thinking "My token does not work".

Is there any mechanism informing an application requesting opensc-pkcs11.so that a smartcard is locked in exclusive mode (=being accessed)?

To give an example, I could verify:
* Firefox runs, logs in the token in exclusive mode.
* SSH client runs with pkcs11 authentication. SSH client will wait for minutes until it times out. No specific error message is displayed.

Is there a way to inform opensc-pkcs11.so that a communication is already established by Firefox and that SSH should start without using pkcs11?

Kind regards,
--
Jean-Michel Pouré - Gooze - http://www.gooze.eu
Re: [opensc-devel] OpenSC shared mode
On 2011-05-06 13:41, Martin Paljak wrote:
>
> On May 5, 2011, at 23:02 , Jean-Michel Pouré - GOOZE wrote:
>
>> Dear all,
>>
>> Some simple questions:
>>
>> When used with lock_login = false;
>> authenticated tokens are available for all users.
>>
>> For knowledge, what would be the technical solution to secure access in
>> shared mode?
>
> Have a look at the wiki:
> http://www.opensc-project.org/opensc/wiki/SecurityConsiderations

"If keys on the card are left in authorized state, another application could misuse the keys"

I'm happy that I opted for stateless operation in SKS for "using" keys and fully concurrent mode featuring SM for "provisioning" keys. No reason ever for locking (up) or fiddling with "config" files.

Anders
Re: [opensc-devel] OpenSC shared mode
On May 5, 2011, at 23:02 , Jean-Michel Pouré - GOOZE wrote:
> Dear all,
>
> Some simple questions:
>
> When used with lock_login = false;
> authenticated tokens are available for all users.
>
> For knowledge, what would be the technical solution to secure access in
> shared mode?

Have a look at the wiki:
http://www.opensc-project.org/opensc/wiki/SecurityConsiderations

--
@MartinPaljak.net
+3725156495
[opensc-devel] Lock_login and multithreading issues
Dear all,

In a discussion with Alon Bar-Lev on the OpenVPN mailing list, Alon explains that lock_login=true is better for security as it restricts login to the token. Also, multi-threaded applications may have problems accessing the token.

On my side, I noticed that some applications like Firefox don't start until the token is available. All this worries me for usability. I am not worried about Firefox not starting, only that there is no user message. Of course, I would prefer Firefox to start and indicate that the token is not usable.

So my question is: is there a way for an application using opensc-pkcs11.so to know that a token is being accessed in locked mode and therefore is not available? What are your possible plans in this field?

Kind regards,
--
Jean-Michel Pouré - Gooze - http://www.gooze.eu