Using Smart Cards with KeePass

Help
  • Thomas Munn
    2008-06-22

    I have a smart card that I want to use with keepass.  I see tons of reference to a 'smart card' plugin, but cannot, for the life of me, figure out which plugin gives me the smartcard key provider.  How do I do this?

    Thomas

    • Paul
      2008-06-23

      Nobody has written one yet. Maybe your smart card has software that will interact with KeePass?

      cheers, Paul

  • Martin Hofmann
    2014-04-05

    I'm about to embark on a project to develop a KeePass plugin for this purpose: using chipcards as a replacement for key files.

    I want to be able to open my KeePass database on various computers either with a chipcard, or alternatively with a key file (on a USB stick) on a computer where no card reader is available (or when the card is lost ;-).

    For now I want to use just the cards I already have (eg, my bank card, health insurance card, credit card), or else a generic and cheap memory card like the SLE 4432.

    What is planned technically is this:

    • The plugin registers one or more cards for a given user (account) on a machine with a card reader (eg in the HKCU registry subtree).

    • Each card can be associated with a PIN (a string of digits); this PIN is of course stored nowhere.

    • In the password dialog, the user can select the appropriate card, insert it in the card reader, optionally enter the PIN (if the card reader has a numpad), optionally enter the password for the database, and open it. While the card is available in the reader, the database can be locked and unlocked again without entering the PIN again.

    • The PIN is used to transform (encrypt) the card's content, in order to balance against the unprotected nature of memory cards.

    • The plugin derives a second key (additional to the main password) from the card's content and the PIN.

    • This plugin-provided second key, together with the user-entered optional password, is used to open the database.

    • To open the database without a card reader, a key file can be used; this key file contains the equivalent of the (transformed) card's content and is created on request when registering the card with the plugin. As always, this key file should be well-guarded and probably encrypted (outside and independent of the plugin's actions).

    While I see no problems with the programming and basic cryptography aspects of the project (I'm a mathematician, with a day job programming in C and C++), I'm new to writing plugins for KeePass. I did build and use the "Test Plugin" so far, I can more or less find my way around the KeePass source code, and browse through the plugin development documentation at

    http://keepass.info/help/v1_dev/plg_index.html

    (Btw: I'm using KeePass 1.* and thus the plugin will be for these KeePass versions.)

    Therefore, I can give no reasonable guess when this plugin will be ready to be published (on SourceForge).

    If any experienced KeePass plugin programmers are around in this forum, I would very much appreciate their support on plugin-API questions during the course of this project ...

    Don't hesitate with comments or suggestions on this project proposal, and if you are a security expert (as I'm not), please comment on the security implications of this concept!

    Kind regards,

    Martin Hofmann
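The key-derivation scheme sketched in the proposal above (PIN transforms the card content, a second key is derived from the result, and a key file holds the same transformed content so both paths open the database) can be modelled in a few lines. The following is an added illustration, not code from the proposed plugin or from KeePass: the registration record layout, the PBKDF2/HMAC construction, the domain-separation string and the 256-byte sample card image are all assumptions, and the `composite_key` function only stands in for KeePass's own composite-key construction, which is not reproduced here. The practical point it makes is the one the proposal itself raises about memory cards: because the card content is readable by anyone holding the card, the PIN is the only secret on the card path, and since a PIN has a tiny key space it must be stretched (here with PBKDF2 at a high iteration count) and bound to a per-card salt so that a copied card image alone does not yield the key.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a 256-byte memory card image (an SLE 4432 holds 256 bytes),
# standing in for what a reader would return. Not data from any real card.
SAMPLE_CARD = bytes(range(256))

# PIN stretching cost. A few digits are a tiny key space, so an attacker who
# has copied the card content must be made to pay per PIN guess.
ITERATIONS = 200_000


def registration_record(card_content: bytes, salt: Optional[bytes] = None) -> dict:
    """What the plugin would store per registered card (e.g. under HKCU):
    a fingerprint so the user can pick the card in the dialog, plus a random
    per-card salt. Neither the PIN nor the card content is stored.
    Assumed layout, not the plugin's own."""
    salt = salt if salt is not None else os.urandom(16)
    fingerprint = hashlib.sha256(card_content).hexdigest()[:16]
    return {"fingerprint": fingerprint, "salt": salt}


def transform_card(card_content: bytes, pin: str, salt: bytes) -> bytes:
    """Transform the unprotected card content under the PIN.
    PBKDF2 stretches the PIN against the per-card salt; HMAC then binds the
    stretched PIN to the card bytes. The 32-byte result is exactly what the
    optional key file contains, so the card path and key-file path agree."""
    if not pin.isdigit():
        raise ValueError("PIN must be a string of digits")
    pin_key = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS, dklen=32)
    return hmac.new(pin_key, card_content, hashlib.sha256).digest()


def second_key_from_transformed(transformed: bytes) -> bytes:
    """Hash the transformed content once more (with an assumed domain string)
    so the key handed to the database is never the raw key-file bytes."""
    return hashlib.sha256(b"keepass-card-plugin-v0" + transformed).digest()


def key_via_card(card_content: bytes, pin: str, record: dict) -> bytes:
    """Path 1: card present in the reader, PIN entered."""
    return second_key_from_transformed(transform_card(card_content, pin, record["salt"]))


def write_key_file(card_content: bytes, pin: str, record: dict) -> bytes:
    """Created on request at registration time: the key file holds the
    transformed card content, which is why it must be guarded like a key."""
    return transform_card(card_content, pin, record["salt"])


def key_via_key_file(key_file_bytes: bytes) -> bytes:
    """Path 2: no reader available, key file (e.g. on a USB stick) used instead."""
    return second_key_from_transformed(key_file_bytes)


def composite_key(master_password: Optional[str], second_key: bytes) -> bytes:
    """Illustrative combination of the optional user password with the
    plugin-provided second key. Stand-in only: KeePass's real composite-key
    construction is not reproduced here."""
    if master_password is None:
        material = second_key
    else:
        material = hashlib.sha256(master_password.encode()).digest() + second_key
    return hashlib.sha256(material).digest()


if __name__ == "__main__":
    record = registration_record(SAMPLE_CARD)
    via_card = key_via_card(SAMPLE_CARD, "1234", record)
    key_file = write_key_file(SAMPLE_CARD, "1234", record)
    print("card path    :", via_card.hex())
    print("key-file path:", key_via_key_file(key_file).hex())
    print("wrong PIN    :", key_via_card(SAMPLE_CARD, "1235", record).hex())
```

Both paths produce the same second key only because the key file stores the already-transformed content; storing the raw card image in the key file instead would make the PIN unnecessary on the key-file path, which is the weaker of the two and the one most likely to be copied.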