strongSwan smart card configuration HOWTO » History » Version 56
Jean-Michel Pouré, 27.12.2009 11:13
strongSwan for Smartcards HOWTO¶
Smartcards are a mature technology which keep your CA from being stolen by a thief.
strongSwan supports the PKCS#11 RSA standard, which specifies how to store and use cryptographic information on devices.
The cost of a second-hand reader with two blank cards is around 20€, so there is good reason to be interested in smartcards.
Introduction¶
GNU/Linux and other Unixes need two layers to be able to use smartcard readers:
- OpenCT implements drivers for several smart card readers,
- OpenSC libraries specify how to store cryptographic information on devices.
In this HOWTO, we give minimal information on how to use a reader, initialize cards and use them with strongSwan.
Supported smartcard readers¶
OpenCT supports CCID compatible readers. All recent USB readers most likely implement the CCID specification, so the generic USB CCID driver should work.
These Omnikey readers are quite popular:
- Second-hand Omnikey 3121 CardMan USB and Omnikey 4040 PCMCIA smartcard readers can be found on eBay for less than 10€.
- Smartcard readers with an integrated PIN pad offer an increased security level because the PIN entry cannot be sniffed on the host computer, e.g. by a surreptitiously installed key logger. The Omnikey 3821 secure smartcard reader with LCD display and keypad for secure PIN entry may be a good choice. It costs around 60€ new.
- Cryptoflex 32K smartcards are a common choice of card.
A list of supported card readers and smartcards can be found on the OpenCT homepage.
Software requirements¶
To install pcsc-tools under Debian based distributions:
apt-get install pcsc-tools
If you own an Omnikey USB reader:
apt-get install pcsc-omnikey
strongSwan supports the PKCS#11 RSA standard through the OpenSC libraries, which specify how to store and use cryptographic information on devices.
To install opensc:
sudo apt-get install opensc
To enable smart card support in strongSwan, you may need to compile from sources:
./configure <add your options here> \
    --enable-smartcard
make
sudo make install
Installing and configuring the smartcard reader¶
Certification Authority¶
We recommend using a certificate GUI to set up your CA. One important thing to keep in mind is that you shouldn't create private keys with a length not supported by your smart card (check the specs to be sure). Keys with a length of up to 2048 bits are known to work.
Make a backup of your keys/certificates on a CD-ROM and store it in a safe place.
Initialisation of cards¶
Check that the card reader is correctly recognized by OpenSC:
$ opensc-tool -l
Readers known about:
Nr.  Driver     Name
0    pcsc       OmniKey CardMan 3121 00 00
1    openct     OpenCT reader (detached)
2    openct     OpenCT reader (detached)
3    openct     OpenCT reader (detached)
4    openct     OpenCT reader (detached)
5    openct     OpenCT reader (detached)
At nr. 0 we have our recognized OmniKey CardMan 3121 reader. Let's insert our smart card in the reader. Note that when buying the card you'll also receive the TRANSPORT KEY; make sure that the transport key proposed by OpenSC matches the one you got in the mail. You will destroy the card by entering the wrong key three times.
Let's double-check that the card is recognized by printing its ATR:
$ opensc-tool -r0 -a
3b:95:18:40:ff:62:04:01:01:05
We can also check the name of the card with the -n switch (we can omit -r0 since we only have one reader connected):
$ opensc-tool -n
Cryptoflex 32K e-gate v4
At this point we know both the card and reader are fully recognized and functional, and we can proceed to erase the card (you will be asked for the transport key you got in your mail):
$ pkcs15-init -E
Transport key (External authentication key #1) required.
Please enter key in hexadecimal notation (e.g. 00:11:22:aa:bb:cc),
or press return to accept default.
To use the default transport keys without being prompted,
specify the --use-default-transport-keys option on the command
line (or -T for short), or press Ctrl-C to abort.
Please enter key [2c:15:e5:26:e9:3e:8a:19]:
Now we initialize the card and format it the PKCS#15 way. We will be prompted for the Security Officer PIN, the User Unblocking PIN (PUK) and the Transport Key:
$ pkcs15-init --create-pkcs15
Please enter Security Officer PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:
Transport key (External authentication key #1) required.
Please enter key in hexadecimal notation (e.g. 00:11:22:aa:bb:cc),
or press return to accept default.
To use the default transport keys without being prompted,
specify the --use-default-transport-keys option on the command
line (or -T for short), or press Ctrl-C to abort.
Please enter key [2c:15:e5:26:e9:3e:8a:19]:
Storing the private key on the card¶
Now we'll add a user PIN with the label "Michele Baldessari" and associate auth ID 01 with it. We'll be prompted for the Security Officer PIN entered in the previous step:
$ pkcs15-init --store-pin --auth-id 01 --label "Michele Baldessari"
New User PIN.
Please enter User PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:
Security officer PIN required.
Please enter Security officer PIN:
Transport key (External authentication key #1) required.
Please enter key in hexadecimal notation (e.g. 00:11:22:aa:bb:cc),
or press return to accept default.
To use the default transport keys without being prompted,
specify the --use-default-transport-keys option on the command
line (or -T for short), or press Ctrl-C to abort.
Please enter key [2c:15:e5:26:e9:3e:8a:19]:
Now we can check the PINs stored on the card:
$ pkcs15-tool --list-pins
PIN [Security Officer PIN]
    Com. Flags: 0x3
    ID        : ff
    Flags     : [0xB2], local, initialized, needs-padding, soPin
    Length    : min_len:6, max_len:8, stored_len:8
    Pad char  : 0x00
    Reference : 2
    Type      : ascii-numeric
    Path      : 3f005015
PIN [Michele Baldessari]
    Com. Flags: 0x3
    ID        : 01
    Flags     : [0x32], local, initialized, needs-padding
    Length    : min_len:4, max_len:8, stored_len:8
    Pad char  : 0x00
    Reference : 1
    Type      : ascii-numeric
    Path      : 3f0050154b01
Now we'll store the client certificate and its private key (kept in the PKCS#12 file client-cert.p12) on the card and associate them with auth ID 01, which we just created:
$ pkcs15-init -S client-cert.p12 -f PKCS12 -a 01
error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
Please enter passphrase to unlock secret key:
Importing 2 certificates:
  0: /C=IT/ST=Bozen/L=Sterzing/O=Foo/CN=Michele/emailAddress=michele@pupazzo.org
  1: /C=IT/ST=Bozen/L=Sterzing/O=Foo/CN=CA VPN/emailAddress=ca@pupazzo.org
Security officer PIN required.
Please enter Security officer PIN:
User PIN required.
Please enter User PIN:
Security officer PIN required.
Please enter Security officer PIN:
(We're asked for the PKCS#12 private key passphrase, the Security Officer PIN and the User PIN.)
At this point we're set: the key is on the smartcard, protected from use by the user PIN and from modification by the security officer PIN.
You can double-check the certificates on the smart card with:
$ pkcs15-tool -c
X.509 Certificate [/C=IT/ST=Bozen/L=Sterzing/O=Foo/CN=Michele/emailAddress=michele@pupazzo.org]
    Flags    : 2
    Authority: no
    Path     : 3f0050154545
    ID       : 45
X.509 Certificate [/C=IT/ST=Bozen/L=Sterzing/O=Foo/CN=CA VPN/emailAddress=ca@pupazzo.org]
    Flags    : 2
    Authority: yes
    Path     : 3f0050154546
    ID       : 46
And the keys with:
$ pkcs15-tool -k
Private RSA Key [Private Key]
    Com. Flags  : 3
    Usage       : [0x2C], sign, signRecover, unwrap
    Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
    ModLength   : 2048
    Key ref     : 0
    Native      : yes
    Path        : 3f0050154b0130450012
    Auth ID     : 01
    ID          : 45
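As an added check that is not part of the original HOWTO, the following POSIX shell function reads a `pkcs15-tool -k` listing and verifies what the steps above were meant to achieve: the private key is marked sensitive and neverExtract, its modulus is within the 2048-bit limit noted in the CA section, and it is bound to the user PIN's auth ID 01. The listings embedded below are constructed samples (the first is the one printed above); `pkcs15-tool` itself is not run, so the check works offline.

```shell
#!/bin/sh
# Added check (not part of the original HOWTO): verify a "pkcs15-tool -k"
# listing read from stdin, looking at the first key only.
# $1 = expected auth ID, $2 = maximum modulus bits.
# Returns 0 when every check passes, 1 otherwise (reasons on stderr).
check_card_key() {
    auth_id="$1"; max_bits="$2"; rc=0
    listing=$(cat)
    # Pull out the three fields we care about; tr strips the column padding.
    flags=$(printf '%s\n' "$listing" | grep 'Access Flags' | head -n 1 | cut -d: -f2-)
    bits=$(printf '%s\n' "$listing" | grep 'ModLength' | head -n 1 | cut -d: -f2 | tr -d ' \t')
    aid=$(printf '%s\n' "$listing" | grep 'Auth ID' | head -n 1 | cut -d: -f2 | tr -d ' \t')
    # The private key must never leave the card and must be marked sensitive.
    case "$flags" in *neverExtract*) ;; *) echo "key is extractable" >&2; rc=1 ;; esac
    case "$flags" in *sensitive*) ;; *) echo "key is not sensitive" >&2; rc=1 ;; esac
    # The modulus must be present and within the length the card supports.
    if [ -z "$bits" ] || [ "$bits" -gt "$max_bits" ] 2>/dev/null; then
        echo "modulus length '$bits' missing or above $max_bits bits" >&2; rc=1
    fi
    # The key must be protected by the user PIN stored earlier (auth ID 01).
    if [ "$aid" != "$auth_id" ]; then
        echo "key bound to auth ID '$aid', expected $auth_id" >&2; rc=1
    fi
    return $rc
}

# Constructed sample: the listing shown in this HOWTO for the Cryptoflex card.
GOOD_LISTING='Private RSA Key [Private Key]
	Com. Flags  : 3
	Usage       : [0x2C], sign, signRecover, unwrap
	Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
	ModLength   : 2048
	Key ref     : 0
	Native      : yes
	Path        : 3f0050154b0130450012
	Auth ID     : 01
	ID          : 45'
# Constructed counter-example: extractable key, oversized modulus, wrong auth ID.
WEAK_LISTING='Private RSA Key [Private Key]
	Access Flags: [0x00], local
	ModLength   : 4096
	Auth ID     : 02'

if printf '%s\n' "$GOOD_LISTING" | check_card_key 01 2048; then
    echo "card key passes all checks"
fi
if ! printf '%s\n' "$WEAK_LISTING" | check_card_key 01 2048; then
    echo "weak listing rejected as expected"
fi
```

On a real machine, pipe the live output in with `pkcs15-tool -k | check_card_key 01 2048` after the import step.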
strongSwan configuration¶
Acknowledgements¶
This article was adapted from the Smartcard HOWTO written by Michele Baldessari. Permission was granted by Michele Baldessari to reproduce the text on the strongSwan wiki.