Project

General

Profile

strongSwan smart card configuration HOWTO » History » Version 22

« Previous - Version 22/159 (diff) - Next » - Current version
Jean-Michel Pouré, 25.12.2009 18:49


strongSwan for Smart cards HOWTO

Smartcards are a mature technology, which intruduces Two-Factor authentication and avoids your CA from being stolen by a theft.

Introduction

Software requirements

strongSwan supports PKCS#11 RSA standard using opensc libraries, which specifies how to store cryptographic information on devices.

To install opensc under Debian based distributions:

sudo apt-get install opensc

To enable smart card support in strongSwan, you may need to compile from sources:

./configure <add your options there> \
--enable-smartcard
make
sudo make install

Supported smartcards

opensc supports a variety of smart card readers.

  • Second hand Omnikey 3121 CardMan USB and Omnikey 4040 PCMCIA smartcard readers can be found on eBay for less than 10 euros.
  • Smartcard readers with an integrated PIN pad offer an increased security level because the PIN entry cannot be sniffed on the host computer e.g. by a surrepticiously installed key logger. The Omnikey 3821 secure smartcard reader with LCD display and keypad for secure PIN entry may be a good choice [anyone using it?].
  • Cryptoflex 32k blank cards are a common choice.

Read Buyers Guide section in opensc FAQ for more information.

Certification Authority

We recommend using a certificate GUI to set-up your CA. One important thing to keep in mind is that, you shouldn't create private keys with a length not supported by your smart card (check the specs to be sure). Keys with a maximum length is 2048 bits are known to work.

Initialisation of cards

Check that the card reader is correctly recognized by OpenSC:

$ opensc-tool -l
Readers known about:
Nr.    Driver     Name
0      pcsc       OmniKey CardMan 3121 00 00
1      openct     OpenCT reader (detached)
2      openct     OpenCT reader (detached)
3      openct     OpenCT reader (detached)
4      openct     OpenCT reader (detached)
5      openct     OpenCT reader (detached)

strongSwan configuration

Acknowledgements

This article was inspired by http://michele.pupazzo.org/docs/smart-cards-openvpn.html