Project

General

Profile

strongSwan smart card configuration HOWTO

Smart cards are a mature technology which prevent your PKI from getting easily compromised by theft.

With the pkcs11 plugin strongSwan can use any PKCS#11 library to access smart cards, for instance, the one provided by OpenSC.

In this HOWTO, we give minimal information how to use a reader, initialize cards and configure strongSwan.

Compatible hardware

You need a USB smart card reader and a blank smart card, or a USB token that combines the two in a convenient form factor, preferably with support of 2048-bit RSA keys.

Compatible card readers

Thanks to OpenSC, GNU/Linux supports most CCID smart card readers, using the PCSC-Lite library.

Most recent USB card readers are compatible. You may refer to the matrix of supported smartcard readers published by the PCSC-Lite project.

These Omnikey readers are quite popular:
  • Second hand Omnikey 3121 CardMan USB smart card readers can be found on eBay for less than 10€. These are good units for testing a setup.
  • Smart card readers with an integrated PIN pad offer an increased security level because the PIN entry cannot be sniffed on the host computer e.g. by a surreptitiously installed key logger. The Omnikey 3821 secure smart card reader with LCD display and keypad for secure PIN entry may be a good choice.

Compatible smart cards and tokens

You may use blank cards with support for 1024/2048 bit RSA to store credentials:
  • Feitian PKI card. The original author of this HOWTO recommends using Feitian PKI cards. Feitian PKI cards allow 2048 bit RSA key and are very well supported by GNU/Linux.
  • STARCOS SPK 2.4 cards are compatible, but cannot be erased, therefore any error may be fatal. You may buy developer versions which can be erased.
  • Siemens Card OS 4.3 B may be a good choice, but OpenSC does not know how to initialize them. You have to blank them using Windows software.
  • ACOS5 PKI cards are cheap, but unsupported. With a little work, OpenSC could support them.

Tested USB tokens include the Feitian ePass2003.

The OpenSC project maintains a list of compatible cards and USB tokens.

You may also use read-only, pre-personalized read-only cards:
  • eID cards. Many European countries offer them and you don't need to buy extra cards for VPN use.
  • [fix-me] Please provide us with names of providers.
Where to buy: in Europe, you may try:
  • Cryptoshop sells cards and readers from multiple manufacturers (Gemalto, STARCOS SPK, Siemens Card OS).
  • Smartcard Focus also sells cards and readers from several different manufacturers.

These shops are not related to the strongSwan community in any way.

Preparation

Smart card reader

To install pcsc-tools with ccid support, under Debian based distributions use:

sudo apt-get install pcsc-tools libccid

strongSwan supports the PKCS#11 standard, which specifies how to access cryptographic information on devices. Thus, any shared object file that provides a PKCS#11 interface may be used. In this HOWTO we use OpenSC.

To install OpenSC use:

sudo apt-get install opensc

Do not install the OpenCT package, as it is incompatible with the pcsc-lite package.

Check that the card reader is correctly recognized by OpenSC:

$ opensc-tool -l
Readers known about:
Nr.    Driver     Name
0      pcsc       OmniKey CardMan 3121 00 00

At Nr. 0 we have our recognized Omnikey CardMan 3121 reader. Let's insert our smart card in the reader (note that when buying the card you'll also receive the TRANSPORT KEY. Make sure that the transport key proposed by OpenSC matches the one you got in the mail. You will destroy the card by entering the wrong Key three times).

Let's double check that the card is recognized by printing its ATR:

$ opensc-tool -r0 -a
3b:9f:95:81:31:fe:9f:00:65:46:53:05:30:06:71:df:00:00:00:81:61:10:c6

We can also check the name of the card with the -n switch (we can omit the -r0 since we only have one reader connected):

$ opensc-tool -n
Using reader with a card: OmniKey CardMan 3121 00 00
entersafe

At this point we know both the card and reader are fully recognized and functional, and we can proceed to erase the card (you will be asked for the transport key you got in your mail).

Certification Authority

To set up your CA you may use OpenSSL or our own PKI tool. To simplify things you may also use a graphical user interface to set up your CA. One important thing to keep in mind is that you shouldn't create private keys with a length not supported by your smart card (check the specs to be sure). Keys with a maximum length of 2048 bits are known to work.

Make a backup of your keys/certificates and store it in a safe place.

With most cards/tokens it is also possible to generate the private keys directly on the device. This way you can ensure nobody can get their hands on the keys, but you also can't create a backup, so any information encrypted with the corresponding public key will be inaccessible if the card is lost/stolen.

Configuring a smart card with pkcsc15-init

Credentials on smart cards are usually stored according to the PKCS#15 Cryptographic Token Information Format Standard fully supported by OpenSC.

The following command erases the card and removes the existing PKCS#15 structure and all stored cryptographic objects:

    pkcs15-init --erase-card

This may result in a error if the card is already blank.

With the next command a fresh PKCS#15 file structure is created on a smart card or crypto token:

pkcs15-init  --create-pkcs15 --profile pkcs15+onepin \
             --use-default-transport-key \
             --pin 0000 --puk 111111 \
             --label "Test" 

A secret PIN code is stored in an irretrievable location on the smart card. The PIN will protect the signing operation. If the PIN is entered incorrectly more than three times then the smart card will be locked and the PUK code can be used to unlock the card again.

Next the private key is transferred to the smart card

    pkcs15-init --auth-id 1 --store-private-key myKey.pem
               [--id 45]

By default the PKCS#15 smart card record will be assigned the ID 45. Using the --id option, multiple key records can be stored on a smart card.

At last we load the matching X.509 certificate onto the smart card

    pkcs15-init --auth-id 1 --store-certificate myCert.pem
               [--id 45]

The pkcs15-tool can now be used to verify the contents of the smart card.

    pkcs15-tool --list-pins --list-keys --list-certificates

strongSwan configuration

pkcs11 plugin

To use smart cards with strongSwan the pkcs11 plugin has to be enabled and configured.

If you installed strongSwan with your Linux distribution and the pkcs11 plugin is not provided, you'll need to compile strongSwan from sources:

./configure <add your options there> --enable-pkcs11
make
sudo make install

Next you need to configure the PKCS#11 library provided by OpenSC in strongswan.conf, as described in the pkcs11 plugin documentation.

Since 5.1.2 the plugin is configured in /etc/strongswan.d/charon/pkcs11.conf:

pkcs11 {
    modules {
        opensc {
            path = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
        }
    }
}

Entering the PIN code

Since the smart card signing operation needed during authentication is protected by a PIN code, the secret PIN must be made available to the IKE daemon.

For gateways that must be able to start IPsec tunnels automatically in unattended mode after a reboot, the secret PIN can be stored statically in ipsec.secrets:

: PIN %smartcard:45 "12345678" 

or with the general notation

: PIN %smartcard<slotnr>:<keyid> "<PIN code>" 

or if multiple PKCS#11 modules are loaded

: PIN %smartcard<slotnr>@<module>:<keyid> "<PIN code>" 

On a personal notebook computer that could get stolen, you wouldn't want to store your PIN in ipsec.secrets.

Thus the alternative form

: PIN %smartcard:45 %prompt

will prompt you for the PIN when triggered with the command

ipsec rereadsecrets

or the alias

ipsec secrets

Configuring certificates/connections

The pkcs11 plugin will automatically load all certificates from the smart card when the daemon initializes it. CA certificates are also automatically available as trust anchors without the need to copy them into the /etc/ipsec.d/cacerts directory first.

Therefore, it is usually not necessary to configure leftcert in ipsec.conf, instead leftid is configured to either the subject distinguished name, or one of the subjectAltNames contained in the certificate.

For instance, if alice@strongswan.org is contained in the certificate as subjectAltName extension simply configure:

leftid=alice@strongswan.org

In situations where multiple certificates match the same identity configuring leftcert might be necessary. This can be the case with some eID cards that contain separate signature and encryption certificates with the same identities.

The syntax is the same like that for PIN secrets in ipsec.secrets:

leftcert=%smartcard[<slotnr>[@<module>]]:<keyid>

Thus

leftcert=%smartcard:50

will look in all available modules and slots for ID 0x50 starting with the first slot whereas

leftcert=%smartcard4:50

will directly check slot 4 (which is usually the first slot on the second reader/token when using the OpenSC library) for a key with ID 0x50.

Acknowledgements and other resources

  • This article was originally adapted from Smartcard HOWTO written by Michele Baldessari. Permission granted by Michele Baldessari to reproduce the text here.

strongswan-smartcard.png View (10.6 KB) Jean-Michel Pouré, 27.12.2009 11:13