Projects:SmartCard
Description | SmartCard OpenPGP card use with PGP & Tails, X.509 certificates, and turning your smartphone into a SmartCard reader. Keep all your crypto material off your computer. |
---|---|
Has website | |
Persons working on | Xetrov |
Self-organized sessions | |
Tags | SmartCards, PGP, Tails, SSL, TLS, Encryption, PKCS#11, Android, NFC, Firmware, BadBios |
Located at village | Village:La Quadrature du Camp, Village:C-Base |
Why use smartcards?
"The security and reliability of asymmetric cryptography depends crucially on the confidentiality of the private key. While the public key can be sent to anyone, it is absolutely important that the private key is not compromised. Smartcards have their own processor, RAM and even operating system. They are hermetically sealed from the rest of the system (i.e. the host computer that might be compromised). Also, the developers and manufacturers of smartcards take a huge effort to ensure that no confidential data can be extracted from the card when it is not intended, even by using costly and time-consuming methods such as electron microscopy.
The Heartbleed Bug showed how dangerous saving the private key on conventional computers is. Many servers were affected (and probably, some are even still!). This bug made it possible for attackers to read private keys, user account names and passwords, encrypted communication data etc. without even being noticed. This is a horror scenario for any administrator (and of course, user). Using smartcards for authentication (e.g. with SSH) or signing and decrypting (e.g. with GnuPG) is a great way to minimize those security risks."
-- Philip Wendland 15 Dec 2014
After so many Snowden releases, we have learnt to distrust the integrity of our general-purpose computing devices. Not only the BIOS, but the firmware of many components (hard disks, optical drives, Ethernet controllers, etc.) has been found to be subverted by powerful players, to the point where even the Tails OS cannot protect you. The philosophy of encrypting everything makes it more expensive for corporate surveillance and intelligence organisations to monitor or subvert communications. Begin to rebuild trust in your communications: move essential crypto keys off your computer.
Doing so makes it far more expensive for others to subvert the process of signing and encrypting your communication.
Talks & Workshops
Sessions will combine an introduction to modern smartcards with a practical workshop on configuring and starting to use modern GlobalPlatform Javacard flavours of smartcard with open source card applications.
- Dual contact and NFC GlobalPlatform Java smartcards will be available to buy
- Some USB smartcard readers will be available for use
- Android (4.*+) NFC phones can be used as smartcard reader
Open discussions of varieties of use cases and threat scenarios, questions, criticisms and suggestions will be encouraged and expected.
Managing Smartcard Applications
Introduction to Martin Paljak's GlobalPlatformPro smartcard management project. Managing smartcards (loading, listing and deleting applets) is best done offline on an OS you trust, such as Tails.
Installing Smartcard Applications
Example:
gp --install openpgpcard.cap --emv
Smartcard Apps
PGP
There are at least three Javacard projects for PGP smartcard usage that integrate with gpg:
- JavacardOpenPGP
- OpenPGPApplet
- FluffyPGPApplet
Introduction to OpenPGP configuration and usage with keys generated or imported onto smartcards.
PKCS#11
ISOApplet allows storage of cryptographic material on a smartcard for a variety of uses, including:
- OS login
- boot storage encryption & TrueCrypt ;)
- etc.
How to Use an NFC Android Phone as Smartcard Reader
For NFC smartcard reader configuration (for those without a dedicated smartcard reader), see Frank Morgner's Virtual Smartcard project.
On the Host (Linux)
The project includes vpcd, a virtual reader driver for pcscd that listens on a TCP port and lets an Android NFC phone connect over a local link (say WiFi, Bluetooth or USB tethering), so that the card held against the phone appears to the host as a normal PC/SC reader.
On the NFC Android
The project includes the Android Remote Smartcard Reader also available on F-Droid.
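The following is an added example (not code from the virtualsmartcard project, the Android app, or this page) that models the wire protocol vpcd speaks with a remote reader: every message is a 2-byte big-endian length followed by the payload, and a 1-byte payload is a control command (power off, power on, reset, request ATR) rather than an APDU. It replays a session over a local socket pair instead of the real TCP link (vpcd listens on port 35963 by default): the host side powers the card on, asks for the ATR, and SELECTs the OpenPGP card application by its registered AID, which also illustrates the first step of the OpenPGP card usage described above. The simulated card, its ATR and its minimal SELECT handling are constructed for the demonstration; the assumed names (`SimulatedOpenPGPCard`, `run_exchange`) are not part of any real project.

```python
# Added example: minimal model of the vpcd framing between the host (vpcd under
# pcscd) and a remote NFC reader. Card behaviour and ATR are constructed.
import socket
import struct
from typing import Optional

# vpcd control bytes; a 1-byte payload is a control command, not an APDU.
VPCD_CTRL_OFF = 0x00    # power the card off (no reply)
VPCD_CTRL_ON = 0x01     # power the card on (no reply)
VPCD_CTRL_RESET = 0x02  # reset the card (no reply)
VPCD_CTRL_ATR = 0x04    # request the card's ATR (reply: ATR bytes)
VPCD_DEFAULT_PORT = 35963  # TCP port vpcd listens on in a real deployment

OPENPGP_AID = bytes.fromhex("D27600012401")  # registered OpenPGP card AID
SAMPLE_ATR = bytes.fromhex("3B8080010101")   # constructed, not a real card's ATR


def encode_message(payload: bytes) -> bytes:
    """Frame one vpcd message: 2-byte big-endian length, then the payload."""
    if not 0 < len(payload) <= 0xFFFF:
        raise ValueError("vpcd payload must be 1..65535 bytes")
    return struct.pack("!H", len(payload)) + payload


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes, or raise if the peer closed the connection."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the vpcd connection")
        buf.extend(chunk)
    return bytes(buf)


def recv_message(sock: socket.socket) -> bytes:
    """Read one framed vpcd message (length prefix, then payload)."""
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)


def parse_short_apdu(apdu: bytes) -> dict:
    """Split a short ISO 7816-4 command APDU into CLA/INS/P1/P2, data and Le."""
    if len(apdu) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = apdu[:4]
    body, data, le = apdu[4:], b"", None
    if len(body) == 1:            # case 2: Le only
        le = body[0]
    elif len(body) > 1:           # case 3 or 4: Lc, data, optional Le
        lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
        if len(data) != lc or len(rest) > 1:
            raise ValueError("Lc does not match the data length")
        le = rest[0] if rest else None
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data, "le": le}


class SimulatedOpenPGPCard:
    """Stand-in for the NFC card behind the phone; only SELECT by AID works."""

    def __init__(self) -> None:
        self.powered = False
        self.selected = False

    def handle(self, message: bytes) -> Optional[bytes]:
        """Return the reply for one vpcd message, or None if none is sent."""
        if len(message) == 1:                       # control command
            ctrl = message[0]
            if ctrl == VPCD_CTRL_ATR:
                return SAMPLE_ATR
            if ctrl == VPCD_CTRL_ON:
                self.powered, self.selected = True, False
            elif ctrl == VPCD_CTRL_OFF:
                self.powered, self.selected = False, False
            elif ctrl == VPCD_CTRL_RESET:
                self.selected = False
            else:
                raise ValueError(f"unknown vpcd control byte {ctrl:#04x}")
            return None
        if not self.powered:
            return bytes.fromhex("6F00")            # no precise diagnosis
        cmd = parse_short_apdu(message)
        if cmd["ins"] == 0xA4 and cmd["p1"] == 0x04:  # SELECT by DF name (AID)
            if cmd["data"] == OPENPGP_AID:
                self.selected = True
                return bytes.fromhex("9000")        # success
            return bytes.fromhex("6A82")            # application not found
        return bytes.fromhex("6D00")                # INS not supported


def run_exchange() -> list:
    """Replay a host <-> reader session; return (sent_hex, reply_hex) tuples."""
    host_end, reader_end = socket.socketpair()      # stands in for the TCP link
    card, transcript = SimulatedOpenPGPCard(), []

    def step(payload: bytes, expect_reply: bool) -> Optional[bytes]:
        host_end.sendall(encode_message(payload))           # host (vpcd) side
        reply = card.handle(recv_message(reader_end))       # phone/reader side
        if reply is not None:
            reader_end.sendall(encode_message(reply))
        got = recv_message(host_end) if expect_reply else None
        transcript.append((payload.hex(), None if got is None else got.hex()))
        return got

    select_openpgp = bytes([0x00, 0xA4, 0x04, 0x00, len(OPENPGP_AID)]) + OPENPGP_AID
    select_wrong = bytes([0x00, 0xA4, 0x04, 0x00, 0x02, 0x00, 0x00])
    try:
        step(bytes([VPCD_CTRL_ON]), expect_reply=False)
        step(bytes([VPCD_CTRL_ATR]), expect_reply=True)
        step(select_openpgp, expect_reply=True)
        step(select_wrong, expect_reply=True)
        step(bytes([VPCD_CTRL_OFF]), expect_reply=False)
    finally:
        host_end.close()
        reader_end.close()
    return transcript


if __name__ == "__main__":
    for sent, reply in run_exchange():
        print(f"host -> reader {sent:<24} reader -> host {reply}")
```

Running the block prints the five framed exchanges; the SELECT of the OpenPGP AID answers `9000` and the mismatched AID answers `6A82`. The thing to notice from the framing is that every APDU, including a later VERIFY (INS `0x20`) carrying the card PIN, crosses the vpcd link as plaintext, so the phone-to-host connection deserves the same trust you would give a USB reader cable: bind vpcd to a link you control (USB tethering or a local hotspot) rather than a shared WiFi network.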
Feedback
Suggestions, criticisms, praise and assistance in this evolving documentation? Please, comment in the discussion section of this page!
An email list has been proposed to continue discussions, development and documentation after the camp. For participation, please email contact details below.
Contact
Further information: xetrov (at) c-base.org / xmpp vortex@jit.si