[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] adding smartcard support to Tor

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] adding smartcard support to Tor
From: Razvan Dragomirescu <razvan.dragomirescu@xxxxxxx>
Date: Tue, 24 May 2016 20:39:15 +0300
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 24 May 2016 13:39:30 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=veri-fi.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to; bh=G1BxjJmHqe89sLR1eRdCXfcnWyyESeeAG+80Xtvkn+Y=; b=eph1C6DMH2l+VtICO4G4syX6/UgfMWR2vmDsiM7/HswlJWlmj0o1vWZhKtfSSi7MfT r8KHprvTzs0wnfWzJhzJVllnoSfEftkls+ynz32g0SXS2e57ZTtKKLj5+Xx2NwEJc3SL YhedwtBudwVIoC/GJk1qKxb/XqEHUsNVSxaGqQ2yqzgRSeVKbHI/p/8qoQ4mWLA1v/0G DfQwXdMPfAesenDGLWUdwQnxoVXZFmCaV6bpI6N2rmtOiZmvxi7xv2rbDYoBRVRxsQJp V/buxzqCdZv/Ot63RlNd4j9lca2ARKeEoHK6bOuYpn3poIcreJM9Q6enaT5RvmrK5GBz UYPA==
In-reply-to: <57436776.4030109@xxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CAFnyNAdw5P53+6-YyOBfa1dmc_TMO2yCta_=4oj3ss3zR9JbuQ@xxxxxxxxxxxxxx> <5621A7CD.9070600@xxxxxxxxxx> <CAFnyNAdcY3aTHqbmdTWVGpx6N4PS8iDzKmA3GqvtJ0YWc9_-VA@xxxxxxxxxxxxxx> <5622954B.7000706@xxxxxxxxxxx> <CAFnyNAdAMGx41CmB+znVcH30OsWt3ddzsK3OdXAAEqSzoo+aFg@xxxxxxxxxxxxxx> <56229EC9.2090704@xxxxxxxxxxx> <5622A116.3050003@xxxxxxxxxx> <5622A675.4000703@xxxxxxxxxxx> <5622B250.4030503@xxxxxxxxxx> <CAFnyNAeK0zAaetcd-pLBFZ_Y68ao-tu9NJwMg9mN4jtc_z1V2w@xxxxxxxxxxxxxx> <CAD2Ti28OKNz9jU6a4aKxyzKyJCR3SyeWzRwW9Y20N+fKZZkLsg@xxxxxxxxxxxxxx> <CAD2Ti2-PmEoDBksFXwwueCeuafJ=gq29Rq9YXn+m9=QcpPQGnA@xxxxxxxxxxxxxx> <56269067.3020502@xxxxxxxxxx> <CAFnyNAdjRBFBaMrTpGDX8gR1LiqtmY0LmiirS3pRrkQumpcE5Q@xxxxxxxxxxxxxx> <5742AA6B.1070001@xxxxxxxxxx> <57436776.4030109@xxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

Thank you Evan, Donncha,

Regarding 1024-bit RSA support, take a look atÂhttp://www.fi.muni.cz/~xsvenda/jcsupport.html - almost all JavaCard cards support that.Â

I'm a Java developer but it looks like I'm going to have to switch to (and learn) Python for this since almost all Tor utilities appear to only be maintained in Python (and I don't feel like reinventing the wheel in Java). We'll see...

Thanks Evan for the .onion links, I'll take a look. I'm still collecting data, testing hardware, etc. BTW, one of the cheapest options for this isÂhttp://www.ftsafe.com/product/epass/eJavaToken - $12 atÂhttp://javacardos.com/store/smartcard_eJavaToken.php . Unfortunately it has a bug that prevents OpenPGP from running (something to do with signature padding, I didn't look much into it). My plan is to write a very small JavaCard-based applet to load onto the card - that only does RSA key generation and signing, nothing else. Easy to write and easy to audit.

Thanks again,

Razvan

--

Razvan Dragomirescu

Chief Technology Officer

Cayenne Graphics SRL

On Mon, May 23, 2016 at 11:26 PM, Evan Margin <twim@xxxxxxxxxx> wrote:

Hello Donncha!

Donncha Ã Cearbhaill:
> However his code was integrating with a smartcard at a very low
> level by sending AT commands manually. I don't think that is the
> best approach for compatibility.
>
> I think a better way would be to interface with the tokens via the
> PKCS#11 protocol. The majority of smartcards and HSMs implement this
>Â standard and there are compatible implementations available for most
>Â operating systems. The Python pykcs11 module should be a helpful
> start [1].

Yeah, interfacing smartcard directly or via GnuPG scdaemon is not the
best approach. But PKCS#11 in even worse. Much much worse. This standard
is so huge that noone can implement it right. It raises enterance
threshold so high that it will be used only by overproprietary entities.
OpenPGP Card spec is pretty small so that everyone can write code within
an hour and start to interface with a card. So did I. At least I know
what's going on under the hood and these transparency and simplicity
makes this setup more secure.

--
Ivan Markin
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] adding smartcard support to Tor
  - From: Ivan Markin

References:
- Re: [tor-dev] adding smartcard support to Tor
  - From: Razvan Dragomirescu
- Re: [tor-dev] adding smartcard support to Tor
  - From: Donncha Ã Cearbhaill
- Re: [tor-dev] adding smartcard support to Tor
  - From: Evan Margin

Prev by Author: Re: [tor-dev] estimating traffic/bandwidth needed to run a Tor node
Next by Author: [tor-dev] Memory usage of Tor daemon
Previous by thread: Re: [tor-dev] adding smartcard support to Tor
Next by thread: Re: [tor-dev] adding smartcard support to Tor
Index(es):
- Author
- Thread