strongSwan smart card configuration HOWTO » History » Version 23

Jean-Michel Pouré, 25.12.2009 18:54


strongSwan for Smart cards HOWTO

Smart cards are a mature technology: they introduce two-factor authentication and prevent your CA from being stolen by a thief.

Introduction

Software requirements

strongSwan supports the RSA PKCS#11 standard through the OpenSC libraries; PKCS#11 specifies how cryptographic information is stored on and accessed from devices.

To install opensc under Debian based distributions:

sudo apt-get install opensc

To enable smart card support in strongSwan, you may need to compile from sources:

./configure <add your options there> \
--enable-smartcard
make
sudo make install

Supported smartcards

OpenSC supports a variety of smart card readers.

  • Second hand Omnikey 3121 CardMan USB and Omnikey 4040 PCMCIA smartcard readers can be found on eBay for less than 10 euros.
  • Smart card readers with an integrated PIN pad offer a higher security level because the PIN entry cannot be sniffed on the host computer, e.g. by a surreptitiously installed key logger. The Omnikey 3821 secure smart card reader with LCD display and keypad for secure PIN entry may be a good choice [anyone using it?].
  • Cryptoflex 32k blank cards are a common choice.

Read the Buyers Guide section of the OpenSC FAQ for more information.

Certification Authority

We recommend using a certificate GUI to set up your CA. One important thing to keep in mind is that you shouldn't create private keys with a length not supported by your smart card (check the specs to be sure). Keys with a maximum length of 2048 bits are known to work.

Initialisation of cards

Check that the card reader is correctly recognized by OpenSC:

$ opensc-tool -l
Readers known about:
Nr.    Driver     Name
0      pcsc       OmniKey CardMan 3121 00 00
1      openct     OpenCT reader (detached)
2      openct     OpenCT reader (detached)
3      openct     OpenCT reader (detached)
4      openct     OpenCT reader (detached)
5      openct     OpenCT reader (detached)

At nr. 0 we have our recognized Omnikey CardMan 3121 reader. Now insert the smart card into the reader. Note that when you buy the card you also receive the TRANSPORT KEY: make sure that the transport key proposed by OpenSC matches the one you got in the mail, because entering the wrong key three times destroys the card.

The OpenVPN Smartcard HOWTO

Foreword

This howto will explain how to set up OpenVPN with Smart Cards. The use of Smart Cards introduces Two-Factor Authentication to the OpenVPN setup. It all started when I was researching the use of Smart Cards with OpenVPN (having had very little knowledge about Smart Cards) and didn't find enough documentation. The steps described in this document work for Linux and Windows since one of my initial goals was cross-platform compatibility (Mac OS X is still missing but on my TODO list). If you spot any mistakes, typos or have any suggestions on how to improve this document, feel free to send me a line.

Introduction

Proper Smart Card support has been implemented in OpenVPN in the 2.1 branch by adding PKCS#11 support (I don't consider the cryptoapicert option, since it is Windows only), so on the client you need OpenVPN 2.1 at least (you can still keep your OpenVPN 2.0 on the server). Besides OpenVPN 2.1, you'll also need OpenSC. OpenSC implements the PKCS#11 RSA standard, which specifies how to store cryptographic information on devices. On Linux you may want to use the packages your distribution of choice offers (that would be "apt-get install openct opensc pcscd" on Debian derived Distros), whereas on Windows you'll need the installer from the OpenSC Project. In this HOWTO I also presume you already have a PKI-based OpenVPN setup. The only additional requirement here is that the client has an OpenVPN from the 2.1 branch installed.

Hardware

First of all you need a supported smart card reader. You can find a list of readers OpenSC supports (through OpenCT) here. For this document I used two readers:

An Omnikey 3121 CardMan USB Smart Card reader

An Omnikey PCMCIA 4040 Smart Card Reader

(For Italian readers, I bought both of them from multimediait) Besides readers you'll also need proper writable (aka initializable) smart cards. Again, the recommended list from the OpenSC project website should guide your buying. I've bought two CryptoFlex 32k (not the e-Gate version) from the Axalto web store.

Certification Authority

I won't talk much about x.509 certificates, private keys and certification authorities. To quickly whip up a CA and make server and client certificates you can use TinyCA:

One important thing to keep in mind is that you shouldn't create private keys with a length not supported by your smart card (check the specs to be sure). In my case the maximum length is 2048 bits, hence 4096 bit keys can't be stored on the card. The error you will get in such cases is:

pkcs15-lib.c:1394:sc_pkcs15init_store_private_key: Card does not support this key. Failed to store private key: Key length/algorithm not supported by card

Card Initialization

From now on I assume that opensc has been correctly installed, and that on Windows systems the path C:\Program Files\OpenSC has been added to your PATH. I also assume you have set up your PKI, comprised of a CA, an OpenVPN Server Certificate and a couple of client certificates (preferably in PKCS#12 format).

As a first step we have to check that the card reader is correctly recognized by OpenSC:

$ opensc-tool -l
Readers known about:
Nr. Driver Name
0 pcsc OmniKey CardMan 3121 00 00
1 openct OpenCT reader (detached)
2 openct OpenCT reader (detached)
3 openct OpenCT reader (detached)
4 openct OpenCT reader (detached)
5 openct OpenCT reader (detached)

At nr. 0 we have our recognized Omnikey CardMan 3121 reader. Let's insert our smart card in the reader (note that when buying the card you'll also receive the TRANSPORT KEY. Make sure that the transport key proposed by OpenSC matches the one you got in the mail. You will destroy the card by entering the wrong Key three times).

Let's double check that the card is recognized by printing its ATR:

$ opensc-tool -r0 -a
3b:95:18:40:ff:62:04:01:01:05

We can also check the name of the card with the -n switch (we can omit the -r0 since we only have one reader connected):

$ opensc-tool -n
Cryptoflex 32K e-gate v4

At this point we know both the card and reader are fully recognized and functional, and we can proceed to erase the card: (You will be asked for the transport key you got in your mail)

$ pkcs15-init -E

Transport key (External authentication key #1) required.
Please enter key in hexadecimal notation (e.g. 00:11:22:aa:bb:cc),
or press return to accept default.

To use the default transport keys without being prompted,
specify the --use-default-transport-keys option on the
command line (or -T for short), or press Ctrl-C to abort.
Please enter key [2c:15:e5:26:e9:3e:8a:19]:

Now we initialize the card and format it the PKCS#15 way. We will be prompted for the Security Officer PIN, the User Unblocking PIN (PUK) and the Transport Key:

$ pkcs15-init --create-pkcs15
Please enter Security Officer PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:
Transport key (External authentication key #1) required.
Please enter key in hexadecimal notation (e.g. 00:11:22:aa:bb:cc),
or press return to accept default.

To use the default transport keys without being prompted,
specify the --use-default-transport-keys option on the
command line (or -T for short), or press Ctrl-C to abort.
Please enter key [2c:15:e5:26:e9:3e:8a:19]:
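As an added example (not part of this wiki page or of OpenSC's own tooling), the shell script below wraps the initialisation steps above with the checks a careful operator wants before running pkcs15-init -E: it picks the active reader out of the opensc-tool -l listing, confirms the ATR and card name match the ones shown above, and checks the transport key's format so a mistyped key is never sent to a card that is destroyed after three wrong attempts. It assumes the OpenSC tools are on PATH and the listing format shown above; the helper names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the strongSwan wiki: guard the card initialisation
# steps so that "pkcs15-init -E" only touches the reader and card we expect.
# Assumes opensc-tool and pkcs15-init (OpenSC) are on PATH; the ATR and card
# name below are the ones printed in the procedure above.
set -eu

EXPECTED_ATR="3b:95:18:40:ff:62:04:01:01:05"   # from "opensc-tool -r0 -a" above
EXPECTED_NAME="Cryptoflex 32K e-gate v4"        # from "opensc-tool -n" above

# Read "opensc-tool -l" output on stdin (two header lines, then one reader per
# line) and print the number of the first reader that is not a detached OpenCT
# placeholder; fail if there is none.
find_active_reader() {
    awk 'NR > 2 && $0 !~ /\(detached\)/ { print $1; found = 1; exit }
         END { exit !found }'
}

# Compare two ATRs ignoring case and surrounding whitespace.
atr_matches() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ' \t\n')
    b=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' \t\n')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# The transport key is 8 hex bytes separated by colons, as in the pkcs15-init
# prompt above. Three wrong keys destroy the card, so verify the key you copy
# from the mail is at least well formed before typing it at the prompt.
transport_key_wellformed() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | grep -Eq '^([0-9a-f]{2}:){7}[0-9a-f]{2}$'
}

# Full procedure: locate the reader, confirm the card, then erase and format.
# Only runs when RUN_CARD_INIT=1; pkcs15-init still prompts interactively for
# the transport key and PINs exactly as shown above.
init_card() {
    reader=$(opensc-tool -l | find_active_reader) || { echo "no active reader" >&2; return 1; }
    atr_matches "$EXPECTED_ATR" "$(opensc-tool -r "$reader" -a)" || { echo "unexpected ATR" >&2; return 1; }
    [ "$(opensc-tool -r "$reader" -n)" = "$EXPECTED_NAME" ] || { echo "unexpected card" >&2; return 1; }
    pkcs15-init -r "$reader" -E
    pkcs15-init -r "$reader" --create-pkcs15
}

if [ "${RUN_CARD_INIT:-0}" = 1 ]; then
    init_card
fi
```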

strongSwan configuration

Acknowledgements

This article was inspired by http://michele.pupazzo.org/docs/smart-cards-openvpn.html