KeeChipCardWiki

Martin Hofmann

Welcome to the KeeChipCard wiki! Plans, technical details, user documentation will be collected here.

This page has some general information about the project.

Other wiki pages:

  • [CryptoOps] presents the cryptographic operations performed by KeePass and the planned plugin, in a formal manner. There are also some preliminary remarks on the security of the system.

Project Goals

I want to be able to open my KeePass database on various computers either with a chip card, or alternatively with a key file (on a USB stick) on a computer where no card reader is available (or when the card is lost ;-).

The term "chip card" here means both "dumb" memory cards in ISO 7816 format (like the SLE 4432) and "smart" processor cards, e.g. those supporting ISO 7816-8 cryptographic functions (like bank or credit cards, or the OpenPGP card).

For now I want to use just the cards I already have (e.g. my bank card, health insurance card, credit card), or else a generic and cheap memory card. That means the chip card is solely used as a readable data storage without security or encryption features - exactly like a key file on a USB stick.

Using "smart" cards with cryptography support is postponed to a later stage in the project.

Planned Features

  • The plugin registers one or more cards for a given user (account) on a machine with a card reader (e.g. in the HKCU registry subtree).

  • Each card can be associated with a PIN (a string of digits); this PIN is of course stored nowhere.

  • In the password dialog, the user can select the appropriate card, insert it in the card reader, optionally enter the PIN (if the card reader has a numpad), optionally enter the password for the database, and open it. While the card is available in the reader, the database can be locked and unlocked again without entering the PIN again.

  • The PIN is used to transform (encrypt) the card's content, in order to balance against the unprotected nature of memory cards.

  • The plugin derives a second key (in addition to the main password) from the card's content and the PIN.

  • This plugin-provided second key, together with the user-entered optional password, is used to open the database.

  • To open the database without a card reader, a key file can be used; this key file contains the equivalent of the (transformed) card's content and is created on request when registering the card with the plugin. As always, this key file should be well-guarded and probably encrypted (outside and independent of the plugin's actions).
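The feature list above describes a derivation chain: readable card content plus PIN gives a transformed content, the second key is derived from that, and the key file holds the transformed content so it can stand in for card plus PIN. The following is an added example that models this chain; it is not the plugin's code, and PBKDF2-HMAC-SHA256, the HMAC label, the iteration count and the 256-byte card image are all assumptions of the example.

```python
import hashlib
import hmac

# Constructed sample: the raw, freely readable content of a 256-byte
# memory card (the size of an SLE 4432). The bytes are made up.
CARD_CONTENT = bytes(range(256))

# Assumed iteration count. A digit-only PIN has very little entropy, and the
# card content itself is readable by anyone holding the card, so the
# transform must be deliberately slow to make offline PIN guessing costly.
KDF_ITERATIONS = 100_000


def transform_card_content(card_content: bytes, pin: str) -> bytes:
    """Transform (encrypt) the readable card content with the PIN.

    PBKDF2-HMAC-SHA256 with the PIN as the password and the card content as
    the salt. The PIN itself is stored nowhere; only this output ever reaches
    a key file.
    """
    if not pin.isdigit():
        raise ValueError("PIN must consist of digits only")
    return hashlib.pbkdf2_hmac("sha256", pin.encode("ascii"),
                               card_content, KDF_ITERATIONS, dklen=32)


def derive_second_key(transformed: bytes) -> bytes:
    """Derive the plugin-provided second key from the transformed content.

    Using a fixed label keeps the transformed content (what the key file
    stores) distinct from the key that actually opens the database.
    """
    return hmac.new(transformed, b"KeeChipCard second key",
                    hashlib.sha256).digest()


def key_file_content(card_content: bytes, pin: str) -> bytes:
    """What would be written to the key file when registering the card."""
    return transform_card_content(card_content, pin)


def second_key_from_card(card_content: bytes, pin: str) -> bytes:
    """Path taken on a machine with a card reader: card + PIN."""
    return derive_second_key(transform_card_content(card_content, pin))


def second_key_from_key_file(key_file: bytes) -> bytes:
    """Path taken without a card reader: the key file alone suffices,
    which is why it must be guarded like the card and PIN together."""
    return derive_second_key(key_file)
```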

KeePass Developer Documentation

Here is a quick-access list of online documentation about developing in/for/with KeePass Ver. 1.*:

Chip Card Documentation

I have collected some documentation (standards, protocol and API specifications etc.) about chip cards and smart cards. You can download this material, partitioned into several ZIP archives, from the File section of this project site: the ZIP files are in the "chipcard_doc" directory. The README.md, displayed at the bottom of the File Manager page, describes the archives and also has some relevant web links.

Platform and Tools

  • I use and therefore develop for KeePass Version 1.xx (this is because I also use KeePassX on FreeBSD and Mac OS 10.4).

  • I am one of those old farts who stubbornly continue to use Windows XP (but I can also test on Windows 7 64-bit).

  • I am one of those old farts who stubbornly continue to use Visual C++ 7.1 (but I can also compile with Visual C++ 9.0).

  • From time to time I'm even old-fashioned and stubborn enough to fire up my Windows 2000 machine and work with Visual C++ 6.0 :-p

  • Project files for Visual Studio 2003 .NET (and Visual Studio 2008) will be provided; users of these newfangled versions of Visual Studio should be able to automatically upgrade the project files when opening them.

  • I have two card readers to test with: a Fujitsu-Siemens KBPC CX keyboard with a built-in OmniKey class II card reader (numpad), and a Reiner SCT RFID standard external (USB-connected) class III card reader (display and numpad).
