Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card
Il 05/09/2012 13:29, helpcrypto helpcrypto ha scritto: > The most advanced i have seen here so far is 2048 :P I bought (but haven't yet had time to experiment with) Cryptomate64: http://www.acs.com.hk/index.php?pid=product&prod_sections=0&id=CRYPTOMATE64 See my message dated 2012/05/23. Doesn't cost too much (less than 50€, and a lot is due to shipment). I'm even thinking about using a Raspberry PI to handle it and "export" functions via Ethernet. Another possible (and maybe WAY cheaper, in medium volumes) alternative would be to use a "cut down" Android phone (take one the cheapest one, remove or don't install radios, write a custom firmware and bootloader, and you'll have a cheap token that can handle RSA16384, EC, OTP even when disconnected from a PC, and pretty much everything you can think of). Non-stripped "old" smartphones are already quite cheap, way cheaper than any other comparable solution. And if you ask a supplier for a lot w/o radios they should come at bargain price... The SIM slot could easily host a crypto smartcard to unlock credentials stored in the device (on a microSD, maybe). BYtE, Diego. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card
> Do you want my Humble or Honest opinion ? :) None. Hacker one :P > It shall depend on the use case. I doubt that there will ever be a > "single, universal keychain", but many. VPN authentication with device > based (TMP etc) keys which get auto-provisioned and a "movable" > identity in the form of an eID smart card for digital signatures or > cross-domain authentication have different requirements. Key > containers for encryption is yet another story. > > And embedded keystores (phones, vpn devices, whatnot) that need a > provisioning scheme is also quite obvious, with the smartphone scene > creating the firsthand need for it. > > Martin > > As always, there's no golden bullet solution. I think the "perfect solution" will be DNA. In fact, i gave you the one-billion idea: A mouse/keyboard/device with a DNA sequencing/reader system which sends your public DNA profile. A simple way of matching your public DNA with your thoughts, memories and personality, to match both. As you can guess, that works as a keypair You develop it. For tomorrow. Free. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card
On Wed, Sep 5, 2012 at 2:29 PM, helpcrypto helpcrypto wrote: >> And IMHO device-attached containers (TPM, Intel etc) are totally >> different from transportable key-containers (like smart cards or USB >> tokens) > > So, IYHO, whats the better option? Do you want my Humble or Honest opinion ? :) It shall depend on the use case. I doubt that there will ever be a "single, universal keychain", but many. VPN authentication with device based (TMP etc) keys which get auto-provisioned and a "movable" identity in the form of an eID smart card for digital signatures or cross-domain authentication have different requirements. Key containers for encryption is yet another story. And embedded keystores (phones, vpn devices, whatnot) that need a provisioning scheme is also quite obvious, with the smartphone scene creating the firsthand need for it. Martin As always, there's no golden bullet solution. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card
On 2012-09-05 13:29, helpcrypto helpcrypto wrote: >> Huh, I'd guess (hope) nobody would be deploying *RSA* below 2048 bits >> (smart cards doing 3k and 4k are also slowly emerging) and elliptic >> curves are already becoming a viable option (in commodity software) as >> well.. > > The most advanced i have seen here so far is 2048 :P > >> There's also a bunch of applications and use cases where the new age >> vision of "wave your phone around" is not a good idea (for example I'd >> better avoid taking my smartphone out unless I want/have to, and using >> crowded public transport is not one of the places I'd like to do >> it...) >> >> And IMHO device-attached containers (TPM, Intel etc) are totally >> different from transportable key-containers (like smart cards or USB >> tokens) > > So, IYHO, whats the better option? As I wrote, the majority of eIDs will be used as secure bootstrap of credential clones so there really is no option here although BSI probably claims something else. Anders > ___ > opensc-devel mailing list > opensc-devel@lists.opensc-project.org > http://www.opensc-project.org/mailman/listinfo/opensc-devel > ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card
-Original Message- From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of helpcrypto helpcrypto Sent: Wednesday, September 05, 2012 1:29 PM To: opensc-devel@lists.opensc-project.org Subject: Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card > Huh, I'd guess (hope) nobody would be deploying *RSA* below 2048 bits > (smart cards doing 3k and 4k are also slowly emerging) and elliptic > curves are already becoming a viable option (in commodity software) as > well.. The most advanced i have seen here so far is 2048 :P They (4K, ECC) are there for a couple of years, see: http://www.infineon.com/dgdl/Infineon+Chip+Card+and+Security+ICs+Portfolio-Overview_neu.pdf?folderId=db3a3043243b5f170124a48543c040a0&fileId=db3a3043243b5f170124a4898a2440a4 __ Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten. This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card
> Huh, I'd guess (hope) nobody would be deploying *RSA* below 2048 bits > (smart cards doing 3k and 4k are also slowly emerging) and elliptic > curves are already becoming a viable option (in commodity software) as > well.. The most advanced i have seen here so far is 2048 :P > There's also a bunch of applications and use cases where the new age > vision of "wave your phone around" is not a good idea (for example I'd > better avoid taking my smartphone out unless I want/have to, and using > crowded public transport is not one of the places I'd like to do > it...) > > And IMHO device-attached containers (TPM, Intel etc) are totally > different from transportable key-containers (like smart cards or USB > tokens) So, IYHO, whats the better option? ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card
On Wed, Sep 5, 2012 at 12:57 PM, helpcrypto helpcrypto wrote: > Also, considering how governments are involved in technology, probably > many countries will adopt them, like eID, DNIe, and so in the next > years. > In 1024bit mode, of course. Huh, I'd guess (hope) nobody would be deploying *RSA* below 2048 bits (smart cards doing 3k and 4k are also slowly emerging) and elliptic curves are already becoming a viable option (in commodity software) as well.. There's also a bunch of applications and use cases where the new age vision of "wave your phone around" is not a good idea (for example I'd better avoid taking my smartphone out unless I want/have to, and using crowded public transport is not one of the places I'd like to do it...) And IMHO device-attached containers (TPM, Intel etc) are totally different from transportable key-containers (like smart cards or USB tokens) Martin ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card
Just to sum up: -TPM (fail?) -Intel IPT (seem to be a draft and only for intel?) -SC (Welcome 1970) -Virtual/Cloud wallets (obscure?) -A mobile device to replace sc (standard?) IMHO, SC are old enough/well known to continue existing for quite long, until someone brings a new/better/big idea. Also, considering how governments are involved in technology, probably many countries will adopt them, like eID, DNIe, and so in the next years. In 1024bit mode, of course. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card
Martin Paljak wrote: > IIRC it was apple who wants to make a phone self-register. Meaning > there are no parts to add or remove from the phone and you pair it to > your operator "online". The question IMHO is how much do telcos want > to give up the "freedom" of controlling access to their networks... Prepaid SIMs in the US are locked to the phone they ship with, upon "activation" in the store. //Peter ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card
On Sun, Aug 19, 2012 at 8:15 PM, Anders Rundgren wrote: > Who would buy a $100 solution if they can get one for free? > I don't think even the SIM will survive. IIRC it was apple who wants to make a phone self-register. Meaning there are no parts to add or remove from the phone and you pair it to your operator "online". The question IMHO is how much do telcos want to give up the "freedom" of controlling access to their networks... But in the long run you are probably right. Martin ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card
On 2012-08-19 18:55, NdK wrote: > Il 19/08/2012 15:50, Anders Rundgren ha scritto: > >> Everything you write is fine and probably correct as well. >> The only "fly in the soup" is that *it is not happening*. > I think it will be just like the TPM: when enough people will realize > what it is, it won't get accepted by the public. > It's not long since "restricted boot" 'failed' and memory isn't so short. > >> The smart card community has failed creating a cheap a readily >> available token that can be provisioned on-line while for example >> iPhone and Android already ships with built-in enrollment software. > It's still WIP: look at OpenKMS... > >> However, there will always be a small market that prefers something >> special. > That's for sure :) > >> I'm rather talking about the 99.999% that believes cost and availability >> matter. I also think that the poor GUI support offered by smart cards >> will make these look quite dated compared to virtual smart cards having >> cool logotypes and stuff. > SCs *are really* dated as concept. Old, messy interface, conflicting > high-level "standards" (so many that everybody uses his own)... > That's why a token or even a small "calculator format" w/ USB > connectivity (and a standardized 'KISS' interface over the USB bus) > would be better. > Such a device could easily cost less than $100 (you can already find > Android tablets w/ 7" display and cap ts at about $65, with wifi or even > GSM connectivity! -- probably the only really needed piece of software > needed could be a driver to use the SIM reader as a CAD, plus some "glue"). Who would buy a $100 solution if they can get one for free? I don't think even the SIM will survive. Anders > > BYtE, > Diego. > > ___ > opensc-devel mailing list > opensc-devel@lists.opensc-project.org > http://www.opensc-project.org/mailman/listinfo/opensc-devel > ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card
Il 19/08/2012 15:50, Anders Rundgren ha scritto: > Everything you write is fine and probably correct as well. > The only "fly in the soup" is that *it is not happening*. I think it will be just like the TPM: when enough people will realize what it is, it won't get accepted by the public. It's not long since "restricted boot" 'failed' and memory isn't so short. > The smart card community has failed creating a cheap a readily > available token that can be provisioned on-line while for example > iPhone and Android already ships with built-in enrollment software. It's still WIP: look at OpenKMS... > However, there will always be a small market that prefers something > special. That's for sure :) > I'm rather talking about the 99.999% that believes cost and availability > matter. I also think that the poor GUI support offered by smart cards > will make these look quite dated compared to virtual smart cards having > cool logotypes and stuff. SCs *are really* dated as concept. Old, messy interface, conflicting high-level "standards" (so many that everybody uses his own)... That's why a token or even a small "calculator format" w/ USB connectivity (and a standardized 'KISS' interface over the USB bus) would be better. Such a device could easily cost less than $100 (you can already find Android tablets w/ 7" display and cap ts at about $65, with wifi or even GSM connectivity! -- probably the only really needed piece of software needed could be a driver to use the SIM reader as a CAD, plus some "glue"). BYtE, Diego. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card
Diego, Everything you write is fine and probably correct as well. The only "fly in the soup" is that *it is not happening*. The smart card community has failed creating a cheap a readily available token that can be provisioned on-line while for example iPhone and Android already ships with built-in enrollment software. However, there will always be a small market that prefers something special. I'm rather talking about the 99.999% that believes cost and availability matter. I also think that the poor GUI support offered by smart cards will make these look quite dated compared to virtual smart cards having cool logotypes and stuff. Anders On 2012-08-19 14:23, NdK wrote: > Il 19/08/2012 10:14, Anders Rundgren ha scritto: > >> Virtual smart cards have unlimited capacity and doesn't occupy space in >> your pocket either. > Then an USB token paired with some form of "unsecure" storage and have > RSA capabilities and a button or a small keypad (display w/ > touchscreen?) to enter consent/authorization code in a way that can't be > intercepted/forged by software would be even better. > > The "unsecure storage" could be easily encrypted under a private key > that then gets encrypted under any number of "token public keys", so no > "single point of failure" exists and that storage can easily be > shared/copied to any number of tokens. (IIRC, something along this line > should/could be in next OpenPGP token). > > This way you would have benefits of both virtual (practically > "unlimited" number of certs/keys: if you use a 32G uSD as storage you'd > have to spend your life receiving certs before filling it...) and real > smart cards (bring it wherever you like, having full control). If such a > token would be issued by govs (so coming with a "universally trusted" > cert to certify that extra keys are generated by the token), it would be > the really universal "card". > > I don't like those "vendor lock-ins". Maybe I saw too many burnt mobos, > or just 'cause I prefer AMDs :), or simply it seems another way to > introduce "crippled boot feature" and have users be happy with that (a > "virtual smart card", implemented in SW, requires some form of > "certified boot", so it only works with a "certified OS"), or > reintroduce the dear old TPM (that have been cracked[1], BTW)... On the > other hand, a token/card is platform-agnostic... > > > [1] > http://www.computerworld.com/s/article/9151158/Black_Hat_Researcher_claims_hack_of_chip_used_to_secure_computers_smartcards > > BYtE, > Diego. > ___ > opensc-devel mailing list > opensc-devel@lists.opensc-project.org > http://www.opensc-project.org/mailman/listinfo/opensc-devel > ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card
Il 19/08/2012 10:14, Anders Rundgren ha scritto: > Virtual smart cards have unlimited capacity and doesn't occupy space in > your pocket either. Then an USB token paired with some form of "unsecure" storage and have RSA capabilities and a button or a small keypad (display w/ touchscreen?) to enter consent/authorization code in a way that can't be intercepted/forged by software would be even better. The "unsecure storage" could be easily encrypted under a private key that then gets encrypted under any number of "token public keys", so no "single point of failure" exists and that storage can easily be shared/copied to any number of tokens. (IIRC, something along this line should/could be in next OpenPGP token). This way you would have benefits of both virtual (practically "unlimited" number of certs/keys: if you use a 32G uSD as storage you'd have to spend your life receiving certs before filling it...) and real smart cards (bring it wherever you like, having full control). If such a token would be issued by govs (so coming with a "universally trusted" cert to certify that extra keys are generated by the token), it would be the really universal "card". I don't like those "vendor lock-ins". Maybe I saw too many burnt mobos, or just 'cause I prefer AMDs :), or simply it seems another way to introduce "crippled boot feature" and have users be happy with that (a "virtual smart card", implemented in SW, requires some form of "certified boot", so it only works with a "certified OS"), or reintroduce the dear old TPM (that have been cracked[1], BTW)... On the other hand, a token/card is platform-agnostic... [1] http://www.computerworld.com/s/article/9151158/Black_Hat_Researcher_claims_hack_of_chip_used_to_secure_computers_smartcards BYtE, Diego. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
[opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card
On 2012-08-17 22:32, Jean-Michel Pouré - GOOZE wrote: >> It also means that the "card" middleware will be a part of the OS. > > This will boost the smartcard technology to a wider public, which are > good news. It is essential to have the smartcard or token in the hand / > in the pocket. You computer cannot stand in your pocket. Only your > mobile phone. > The original idea was indeed that you carried your token in your pocket. This idea is challenged by the fact that we have so many and independent logins. Since each login typically translates to a token (using current smart card technology), you would eventually need very big pockets. Virtual smart cards have unlimited capacity and doesn't occupy space in your pocket either. Does this for example make eIDs or company smart cards useless? Not all! You use your token as a secure bootstrap for getting a cloned credential onto a device, be it a phone or laptop. This concept is by no means new or unique. The Swedish BankID CA have already issued more than 10M certificates in this fashion to consumers where the consumer typically uses an already deployed OTP token as bootstrap. The only problem is that BankID and friends have to write their own client software since the to 99% US-dominated platforms do not support consumer-PKI. Since traditional smart cards do not support on-line provisioning to end- users, virtual smart cards appear to be the only workable solution. Anders ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel