SmartCard

From Camp_2015_Wiki

Description: OpenPGP smartcard use with GnuPG and Tails, X.509 certificates, and turning your NFC smartphone into a smartcard reader. Keep all your crypto material off your computer.
Persons working on Xetrov
Self-organized sessions
Tags SmartCards, PGP, Tails, SSL, TLS, Encryption, PKCS#11, Android, NFC, Firmware, BadBios
Located at village La Quadrature du Camp, C-Base

Why use smartcards?

"The security and reliability of asymmetric cryptography depends crucially on the confidentiality of the private key. While the public key can be sent to anyone, it is absolutely important that the private key is not compromised. Smartcards have their own processor, RAM and even operating system. They are hermetically sealed from the rest of the system (i.e. the host computer that might be compromised). Also, the developers and manufacturers of smartcards take a huge effort to ensure that no confidential data can be extracted from the card when it is not intended, even by using costly and time-consuming methods such as electron microscopy.

The Heartbleed Bug showed how dangerous saving the private key on conventional computers is. Many servers were affected (and probably, some are even still!). This bug made it possible for attackers to read private keys, user account names and passwords, encrypted communication data etc. without even being noticed. This is a horror scenario for any administrator (and of course, user). Using smartcards for authentication (e.g. with SSH) or signing and decrypting (e.g. with GnuPG) is a great way to minimize those security risks."

-- Philip Wendland 15 Dec 2014

The Snowden disclosures have taught us to distrust the integrity of our general-purpose computers. Not only the BIOS but the firmware of many components (hard disks, optical drives, Ethernet controllers, etc.) has been found subverted by well-resourced attackers, to the point where even Tails cannot protect you: a private key that sits in the RAM or on the disk of such a machine can simply be copied. Encrypting everything makes surveillance by corporations and intelligence agencies more expensive. Begin to rebuild trust in your communications by moving your essential private keys off the computer and onto a smartcard.

Doing so makes subverting the signing and decryption of your communication far more expensive: the key never enters the host, so an attacker who controls the host can at most use the card while it is plugged in and unlocked, not copy the key and use it elsewhere.

Talks & Workshops

Sessions will combine an introduction to modern smartcards with a practical workshop on configuring and using GlobalPlatform-compatible JavaCards with open-source card applets.

  • Dual-interface (contact and NFC) GlobalPlatform JavaCards will be available to buy
  • Some USB smartcard readers will be available for use
  • Android (4.x and later) NFC phones can be used as a smartcard reader

Open discussions of varieties of use cases and threat scenarios, questions, criticisms and suggestions will be encouraged and expected.

Managing Smartcard Applications

Introduction to Martin Paljak's GlobalPlatformPro smartcard management tool. Managing smartcards is best done offline on an OS you trust, such as Tails: the GlobalPlatform card manager keys used to authorise applet installation are as sensitive as the keys you will later store on the card, since anyone holding them can load their own applet.

Installing Smartcard Applications

Example: install the OpenPGP applet CAP file, using EMV-style key diversification for the card manager keys:

gp --install openpgpcard.cap  --emv
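The CAP file you load is a binary that ends up inside a tamper-resistant token, so it is worth checking what you are loading before handing it to gp. The following is an added example, not code from this page or from GlobalPlatformPro: it checks a CAP file's SHA-256 against a digest you trust and only then runs the gp install command from the example above. The digest in EXPECTED_SHA256 is a placeholder assumption; the real value comes from the applet project's release or from a build on a machine you trust. gp is assumed to be the GlobalPlatformPro wrapper on your PATH.

```python
# Added example (not from the page or from GlobalPlatformPro itself): check a
# CAP file's SHA-256 against a digest you trust before handing it to `gp`.
# The digest in EXPECTED_SHA256 is a placeholder assumption; the real value
# comes from the applet project's release or from a build on a machine you trust.
import hashlib
import subprocess
from pathlib import Path

EXPECTED_SHA256 = {
    # placeholder digest (assumption), not the real openpgpcard.cap digest
    "openpgpcard.cap": "0" * 64,
}


def sha256_file(path):
    """Hash the file in chunks and return the lowercase hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_cap(path, expected_hex):
    """True only if the file's SHA-256 matches expected_hex (case-insensitive)."""
    return sha256_file(path) == expected_hex.strip().lower()


def gp_command(*args):
    """Argument vector for GlobalPlatformPro; `gp` is assumed to be on PATH."""
    return ["gp", *args]


def install_applet(path, expected_hex, emv_diversification=False, run=subprocess.run):
    """Verify, then install. Raises ValueError before touching the card on a mismatch.

    `run` is injectable so the flow can be exercised without a card attached."""
    path = Path(path)
    if not verify_cap(path, expected_hex):
        raise ValueError(f"{path.name}: SHA-256 mismatch, refusing to install")
    cmd = gp_command("--install", str(path))
    if emv_diversification:
        cmd.append("--emv")  # same switch as the page's example
    run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    # List what is on the card, then install the verified applet (needs a reader).
    subprocess.run(gp_command("--list"), check=True)
    install_applet("openpgpcard.cap", EXPECTED_SHA256["openpgpcard.cap"],
                   emv_diversification=True)
```

Run it on the offline management machine with the card in the reader; a digest mismatch aborts before gp is invoked, so a tampered or truncated download never reaches the card.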

Smartcard Apps

PGP

There are at least three JavaCard applet projects implementing the OpenPGP card specification, so they work with gpg's card support:

  • JavacardOpenPGP
  • OpenPGPApplet
  • FluffyPGPApplet

Introduction to OpenPGP configuration and usage with keys either generated on the card or imported onto it. Keys generated on the card can never be exported, so make sure you also have an offline backup strategy (e.g. import from a key generated on Tails) if losing the card must not mean losing the key.

PKCS#11

ISOApplet stores keys and certificates on the card and is supported by OpenSC, so anything that speaks PKCS#11 through the OpenSC module can use them, including:

  • SSL/TLS client certificates
  • OpenSSH (public-key authentication with the private key held on the card)
  • OS login, boot and storage encryption & TrueCrypt ;)
  • etc.

How to Use an NFC Android Phone as Smartcard Reader

NFC smartcard reader configuration (for those without a dedicated smartcard reader): see Frank Morgner's Virtual Smart Card project.

On the Host (Linux)

The project includes vpcd, a virtual reader driver for pcscd that listens on a TCP socket. The Android phone connects to it over whatever IP link exists between phone and host (WiFi, Bluetooth or USB tethering) and relays APDUs to the card held against the phone's NFC antenna; applications on the host see an ordinary PC/SC reader.

On the NFC Android

The project includes the Android Remote Smartcard Reader app, also available on F-Droid.
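To see what travels over that socket, and to test the vpcd/pcscd side before involving the phone, here is a toy virtual card that connects to vpcd and answers its messages. This is an added example, not code from the Virtual Smart Card project or from this page. The framing (2-byte big-endian length plus payload), the default port 35963 and the single-byte control codes (0x00 power off, 0x01 power on, 0x02 reset, 0x04 get ATR, of which only the ATR request gets a reply) are restated from the project's documentation as I remember it; treat them as an assumption and check them against the vpcd version you run. The ATR and the card behaviour (SELECT of the OpenPGP RID D27600012401 and a single GET DATA tag) are constructed for the example and do not implement the OpenPGP card specification.

```python
# Added example, not part of the Virtual Smart Card project: a toy virtual
# card that speaks to vpcd over its socket so you can test the pcscd side
# without a phone or card. Framing, port and control codes are restated
# from the project's documentation from memory; treat them as an assumption
# and check against the vpcd version you run. The card behaviour is
# constructed (only SELECT of the OpenPGP RID and one GET DATA tag).
import socket
import struct

VPCD_HOST, VPCD_PORT = "127.0.0.1", 35963  # assumed vpcd defaults
CTRL_POWER_OFF, CTRL_POWER_ON, CTRL_RESET, CTRL_GET_ATR = 0x00, 0x01, 0x02, 0x04

ATR = bytes.fromhex("3B80800101")            # constructed ATR: offers T=0 and T=1, no historical bytes
OPENPGP_RID = bytes.fromhex("D27600012401")  # OpenPGP application identifier prefix
SW_OK, SW_WRONG_LENGTH = b"\x90\x00", b"\x67\x00"
SW_CONDITIONS_NOT_SATISFIED, SW_FILE_NOT_FOUND = b"\x69\x85", b"\x6A\x82"
SW_REFERENCED_DATA_NOT_FOUND = b"\x6A\x88"
SW_INS_NOT_SUPPORTED, SW_CLA_NOT_SUPPORTED = b"\x6D\x00", b"\x6E\x00"


def frame(payload):
    """vpcd framing: 2-byte big-endian length followed by the payload."""
    return struct.pack(">H", len(payload)) + payload


def recv_exact(sock, n):
    """Read exactly n bytes or raise if vpcd goes away."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("vpcd closed the connection")
        buf += chunk
    return buf


def read_frame(sock):
    (length,) = struct.unpack(">H", recv_exact(sock, 2))
    return recv_exact(sock, length)


class ToyCard:
    """Card-side state machine. handle() returns the bytes to send back, or None
    when the message needs no answer (power and reset control messages)."""

    def __init__(self):
        self.powered = False
        self.selected = False

    def handle(self, msg):
        if len(msg) == 1 and msg[0] in (CTRL_POWER_OFF, CTRL_POWER_ON, CTRL_RESET, CTRL_GET_ATR):
            return self._control(msg[0])
        return self._apdu(msg)

    def _control(self, code):
        if code == CTRL_GET_ATR:
            return ATR
        self.powered = code != CTRL_POWER_OFF  # ON and RESET both leave the card powered
        self.selected = False                  # any reset drops the selected application
        return None

    def _apdu(self, apdu):
        if not self.powered:
            return SW_CONDITIONS_NOT_SATISFIED
        if len(apdu) < 4:
            return SW_WRONG_LENGTH
        cla, ins, p1, p2 = apdu[:4]
        data = apdu[5:5 + apdu[4]] if len(apdu) > 5 else b""  # Lc-delimited command data
        if cla != 0x00:
            return SW_CLA_NOT_SUPPORTED
        if ins == 0xA4:                          # SELECT by AID
            self.selected = data.startswith(OPENPGP_RID)
            return SW_OK if self.selected else SW_FILE_NOT_FOUND
        if ins == 0xCA:                          # GET DATA
            if not self.selected:
                return SW_CONDITIONS_NOT_SATISFIED
            if (p1, p2) == (0x00, 0x4F):         # tag 4F = application identifier
                return OPENPGP_RID + SW_OK
            return SW_REFERENCED_DATA_NOT_FOUND
        return SW_INS_NOT_SUPPORTED


def serve(host=VPCD_HOST, port=VPCD_PORT):
    """Connect to vpcd and answer messages until it closes the socket."""
    card = ToyCard()
    with socket.create_connection((host, port)) as sock:
        while True:
            reply = card.handle(read_frame(sock))
            if reply is not None:
                sock.sendall(frame(reply))


if __name__ == "__main__":
    serve()
```

Start pcscd with vpcd configured, run the script, and pcsc_scan or opensc-tool should report the constructed ATR. The same exchange is what the phone app carries for a real card, and it carries it in the clear: a VERIFY APDU contains your PIN as plain bytes, so keep the vpcd port reachable only from the phone's link (or tunnel it) rather than from the whole WiFi network.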

Feedback

Suggestions, criticisms, praise and assistance in this evolving documentation? Please, comment in the discussion section of this page!

An email list has been proposed to continue discussions, development and documentation after the camp. For participation, please email contact details below.

Contact

Further information: xetrov (at) c-base.org / xmpp vortex@jit.si