LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for June 20, 2013

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Trusted internet identity

Trusted internet identity

Posted Jan 13, 2011 5:09 UTC (Thu) by wahern (subscriber, #37304)
Parent article: Trusted internet identity

Almost 10 years ago I bought a Schlumberger Cryptoflex crypto card. It had secure on-board signing (i.e. it wasn't just a fancy flash drive w/ a password) and a builtin USB controller--you could pop out the chip and insert it into a tiny USB adapter thus creating a keyfob. I bought a pack of 5 for $10 or $20.

Not then nor now is it even remotely possible to use the thing conveniently with Free Software (and I've never tried with Windows or OS X). Almost every part of the necessary stack is missing, broken, or in hopelessly poor shape. (Although notably Mozilla then and now still seems to maintain their PKCS11 support.)

Even the most obvious use, SSH, is still wanting. OpenSC still exists--after being temporarily abandoned for a couple of years, I think--but is still about as useful as it was--not very, and definitely not plug-and-play. OpenSSH support is still mystical. Some sort of PKCS11 support seems to have finally been merged, but I haven't heard much about it (I'm on the mailing-lists), and certainly I wouldn't even know how to begin to get it working on my OS X laptop. (The ssh-pkcs11-helper manpage is basically a stub, and from a cursory look of the source it seems it in turn punts to OpenSSL.)

Even worse I think that there are _fewer_ cryptocard products on the market than when I originally bought my Cryptoflex card. I think the entire industry may be in worse shape today than yesteryear. (Notably, however, there's now a chip with an attached LCD screen so you can see and physically authorize--with a button press--key operations: http://www.ftsafe.com/products/interpass.html. That was the cool feature I was hoping would be one day added because inserting and removing the fob everytime I logged in somewhere would be burdensome, but keeping it plugged in means anyone who rooted your local machine could use it.)

I would love to be able authenticate over SSH and HTTPS hosts with my cryptocard handling key negotiation. But it seems less feasible today than ever.

Using closed source applications for this, however, is definitely out of the question. Too many brochures, and too many applications, spoof functionality by merely saving keys to the flash drive. Often they seem to do this even if the card actually supports onboard key operations. Without Free access to the source you could hardly trust what the software is actually doing. The same applies to the hardware, but that's almost the least of the current issues.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds