Re: [Passwordsafe-devel] PKCS11 Smartcard Support
From: John C. <jo...@gm...> - 2007-02-17 23:14:10
Doh! GMail sent my mail before I was done. As I was saying, if we were to build PKCS#11 support into the password safe GUI, I think it would require storing the following additional data elements with the password file:

1) A reference to the PKCS#11 DLL you want to use.
2) Information on locating the private key on the smartcard.
3) The symmetric encryption key encrypted with the public key that corresponded to the one on the smartcard.

Alternatively I could store these in a separate file so as to not touch the file format of the existing document. This might simplify development because it would allow the user to modify the document themselves instead of having a GUI to manage entry of that information.

I'm also interested in where you guys think the proper place is for me to patch the app for smart card support. I'm currently looking in the PWSFile.cpp to see if there's a central place I might be able to hook in my code with as few changes to the existing functionality as possible.

Thanks!
John

On 2/17/07, John Conneely <jo...@gm...> wrote:
> I've got an EToken NG flash that I'm using opensc with, and I'd love
> to use a private key on the token to decrypt my password file. This
> device is a smartcard and a USB flash drive in one device. I'd love
> to put password safe and my password file on it in such a way that it
> would be difficult for someone to use a key logger to gain access to
> my encryption key.
>
> So, unless someone else has plans to do it (which would make me very,
> very happy) I'd like to implement PKCS#11 support for password safe.
> If I do this, is there interest in including it in your product?
>
> If so (and even if there is no interest) where do you think the best
> architecture to use? When using PKCS#11, I would want password safe
> to ask for the smartcard's PIN, and store that in memory. I would set
> the timeouts for locking the app to be somewhat aggressive, but
> unlocking the app would be transparent provided the smartcard was
> still present. When using a smart card, the encryption key would be
> chosen randomly and then encrypted with the public key of a
> certificate stored on the smart card and stored with the database.
>
> If we were to build PKCS#11 support into the password safe GUI, it
> would require storing the following additional data elements with the
> password file:
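
The three data elements listed in the message above, kept in a separate user-editable file and validated before anything is loaded from it. This is an added example, not part of the original post or of Password Safe's code; the `name=value` layout, the field names, the absolute-path rule for the module and the assumption that the card holds an RSA key are all hypothetical.

```cpp
// Added example: hypothetical sidecar format, not Password Safe code.
#include <cctype>
#include <cstddef>
#include <map>
#include <sstream>
#include <string>

struct SmartcardSidecar {
    std::string module_path;      // 1) PKCS#11 DLL to load
    std::string key_id_hex;       // 2) locator for the private key on the token
    std::string wrapped_key_hex;  // 3) symmetric key encrypted to the card's public key
};

static bool is_hex(const std::string& s) {
    if (s.empty() || s.size() % 2 != 0) return false;
    for (unsigned char c : s)
        if (!std::isxdigit(c)) return false;
    return true;
}

// A bare file name would be resolved through the library search path, so only
// absolute paths ("/..." or "X:\...") are accepted for the module.
static bool is_absolute(const std::string& p) {
    if (!p.empty() && p[0] == '/') return true;
    return p.size() > 3 && std::isalpha(static_cast<unsigned char>(p[0])) &&
           p[1] == ':' && p[2] == '\\';
}

// Parses "name=value" lines. rsa_modulus_bytes is the size of the card's RSA
// key (256 for RSA-2048, assumed); an RSA ciphertext is exactly that long.
bool parse_sidecar(const std::string& text, std::size_t rsa_modulus_bytes,
                   SmartcardSidecar& out) {
    std::map<std::string, std::string> kv;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        if (line.empty() || line[0] == '#') continue;
        std::size_t eq = line.find('=');
        if (eq == std::string::npos) return false;
        // emplace fails on a repeated name: reject instead of letting one win
        if (!kv.emplace(line.substr(0, eq), line.substr(eq + 1)).second) return false;
    }
    if (kv.size() != 3 || !kv.count("pkcs11_module") || !kv.count("key_id") ||
        !kv.count("wrapped_key")) return false;
    if (!is_absolute(kv["pkcs11_module"]) || !is_hex(kv["key_id"]) ||
        !is_hex(kv["wrapped_key"]) ||
        kv["wrapped_key"].size() != 2 * rsa_modulus_bytes) return false;
    out = SmartcardSidecar{kv["pkcs11_module"], kv["key_id"], kv["wrapped_key"]};
    return true;
}
```

Because the file names a library that the application will load, it needs the same protection against tampering as the password database itself.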