From: Ludovic R. <lud...@gm...> - 2016-03-10 21:15:52
2016-03-10 17:53 GMT+01:00 Douglas E Engert <dee...@gm...>:
>
> On 3/10/2016 9:23 AM, J.W...@mi... wrote:
>> Hi all,
>>
>> Can anybody shine some light on this?
>>
>> We finally have found some pinpad readers that do work under Linux, with
>> our cards and the AET drivers.
>>
>> For instance, if I type opensc-tool -l, I can see which readers have a
>> pinpad or not.
>>
>> Also, when I do pkcs11-tool -O -l, I _must_ enter the PIN on the reader.
>>
>> Furthermore the screen lock (driven by PAM) knows when to ask for a PIN,
>> or refer to the reader console.
>>
>> However, openvpn simply continues to ask for the PIN on the console (or
>> its management interface).
>>
>> I presume openvpn should have checked the reader's capabilities, but
>> forgot to do that...
>
> There is more work to do to use the pinpad reader. The code has to set up
> the template so the reader knows how to fill in the PIN.
>
>> Secondly, as the code works with the PIN on the prompt, I presume there
>> is a switch (routine in libccid??) that specifies IF a pinpad should be
>> used or not?
>
> I don't think so, it is really enforced by the calling software, OpenSC,
> openvpn or whatever....
>
> From a security standpoint, the card cannot tell if the PIN came from
> the pinpad reader or from the host.
>
> There may be readers that will not accept a PIN command from the host. (I
> don't know of any.)

Exactly. At least Gemalto provides such pinpad readers. The feature is called
"firewall" and the reader will refuse any VERIFY (and similar) command with
the PIN sent from the host. With this reader you can only verify a PIN using
the pinpad keyboard.

You can have a look at some extra features available at
https://pcsclite.alioth.debian.org/ccid/readers/extra_features/

For example
https://pcsclite.alioth.debian.org/ccid/readers/extra_features/Gemalto_Ezio_Shield_PinPad_features.txt
has:
Firewall: True

The same reader model can have the firewall feature enabled or not.
I guess you will have to specify what configuration you want when buying the
readers.

> So if you are trying to force the user to never expose their PIN to the host
> (either on the keyboard or from a file) and always use the pinpad reader,
> you would need one of these readers. You would also have to force the user
> not to change readers!
>
> There may be issues trying to enforce this with Remote Desktop over the
> network.

The application can check the reader VendorID/ProductID to verify it is still
the same reader. But you can't fight against the user if he is root on the
system and can change any software and use another reader instead. But I am
not sure why the user would want to steal his own secret PIN.

> So you can optionally overrule the pinpad capability???

There is no switch in libccid to force the use of the pinpad. It is only an
application decision. But the reader has such a switch.

Bye

--
Dr. Ludovic Rousseau
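The two application-side steps discussed in this thread, detecting that a reader offers secure PIN entry and "setting up the template so the reader knows how to fill in the PIN", plus the VendorID/ProductID check, written out as an added example. This is not code from OpenSC, libccid or openvpn. It assumes the PC/SC v2 part 10 byte layouts as mirrored in pcsc-lite's reader.h (CM_IOCTL_GET_FEATURE_REQUEST feature list, FEATURE_GET_TLV_PROPERTIES properties, PIN_VERIFY_STRUCTURE); the reader replies, the PIN reference 0x81 and the VID:PID pair are constructed test data, and the control-code values are written in the 0x4233xxxx form libccid reports, which is an assumption about that driver:

```c
/* Detect a PC/SC part 10 pinpad reader and build its VERIFY_PIN_DIRECT template.
 * Added example, not OpenSC/libccid/openvpn code. Assumed: layouts per PC/SC v2
 * part 10 as in pcsc-lite's reader.h; all reader replies here are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FEATURE_VERIFY_PIN_DIRECT 0x06  /* tag in the CM_IOCTL_GET_FEATURE_REQUEST reply */
#define PROP_bMinPINSize 0x06           /* tags in the FEATURE_GET_TLV_PROPERTIES reply */
#define PROP_bMaxPINSize 0x07
#define PROP_wIdVendor   0x0B
#define PROP_wIdProduct  0x0C

/* Feature list: repeated {tag, 0x04, control code big-endian}. Fills ctl[tag]
 * (0 = not offered); returns the feature count, or -1 if malformed. */
int parse_feature_list(const uint8_t *buf, size_t len, uint32_t ctl[256])
{
    size_t i = 0;
    int n = 0;
    memset(ctl, 0, 256 * sizeof(uint32_t));
    for (; i + 6 <= len; i += 6, n++) {
        if (buf[i + 1] != 4)
            return -1;
        ctl[buf[i]] = ((uint32_t)buf[i + 2] << 24) | ((uint32_t)buf[i + 3] << 16)
                    | ((uint32_t)buf[i + 4] << 8) | buf[i + 5];
    }
    return i == len ? n : -1;
}

/* Properties: repeated {tag, len, value little-endian}. Returns 1 and stores the
 * integer value when `want` is present, 0 when absent, -1 if malformed. */
int get_tlv_property(const uint8_t *buf, size_t len, uint8_t want, uint32_t *out)
{
    for (size_t i = 0; i + 2 <= len; i += 2 + buf[i + 1]) {
        uint8_t l = buf[i + 1];
        if (i + 2 + l > len)
            return -1;
        if (buf[i] != want)
            continue;
        if (l == 0 || l > 4)            /* only integer-valued properties are wanted */
            return -1;
        *out = 0;
        for (int k = l - 1; k >= 0; k--)
            *out = (*out << 8) | buf[i + 2 + k];
        return 1;
    }
    return 0;
}

/* PIN_VERIFY_STRUCTURE for ISO 7816-4 VERIFY (00 20 00 pin_ref): ASCII PIN,
 * left-justified in a pin_block-byte block padded with 0xFF. The reader overwrites
 * the placeholder with the keypad digits, so the host never handles the PIN.
 * Returns bytes written, or 0 on bad arguments. */
size_t build_verify_template(uint8_t *out, size_t cap, uint8_t pin_ref,
                             uint8_t min_len, uint8_t max_len, uint8_t pin_block)
{
    size_t apdu_len = 5 + pin_block;                /* CLA INS P1 P2 Lc + data */
    uint8_t hdr[19] = {
        0x00, 0x00,          /* bTimerOut, bTimerOut2: reader defaults */
        0x82,                /* bmFormatString: ASCII, units = bytes, PIN at offset 0 */
        pin_block,           /* bmPINBlockString: no length field, block size in bytes */
        0x00,                /* bmPINLengthFormat */
        max_len, min_len,    /* wPINMaxExtraDigit, little-endian: max then min digits */
        0x02,                /* bEntryValidationCondition: validation key pressed */
        0x01,                /* bNumberMessage: one prompt */
        0x09, 0x04,          /* wLangId 0x0409 (en-US), little-endian */
        0x00,                /* bMsgIndex 0: "Enter PIN" */
        0x00, 0x00, 0x00,    /* bTeoPrologue (T=1 only) */
        (uint8_t)apdu_len, 0x00, 0x00, 0x00 /* ulDataLength, little-endian */
    };
    uint8_t apdu[5] = { 0x00, 0x20, 0x00, pin_ref, pin_block };
    if (cap < sizeof hdr + apdu_len || pin_block == 0 || pin_block > 16 ||
        min_len > max_len || max_len > pin_block)
        return 0;
    memcpy(out, hdr, sizeof hdr);
    memcpy(out + sizeof hdr, apdu, sizeof apdu);
    memset(out + sizeof hdr + sizeof apdu, 0xFF, pin_block); /* reader fills this in */
    return sizeof hdr + apdu_len;
}

int main(void)
{   /* constructed replies: three features, PIN 4..8 digits, VID:PID 08e6:3438 */
    const uint8_t feat[] = { 0x01, 4, 0x42, 0x33, 0x00, 0x01,  0x06, 4, 0x42, 0x33, 0x00, 0x06,
                             0x12, 4, 0x42, 0x33, 0x00, 0x12 };
    const uint8_t props[] = { 0x06, 1, 4,  0x07, 1, 8,  0x0B, 2, 0xE6, 0x08,  0x0C, 2, 0x38, 0x34 };
    uint32_t ctl[256], lo = 0, hi = 0, vid = 0, pid = 0;
    uint8_t tpl[64];
    if (parse_feature_list(feat, sizeof feat, ctl) < 0 || !ctl[FEATURE_VERIFY_PIN_DIRECT]) {
        puts("no VERIFY_PIN_DIRECT: fall back to a host PIN prompt");
        return 1;
    }
    get_tlv_property(props, sizeof props, PROP_bMinPINSize, &lo);
    get_tlv_property(props, sizeof props, PROP_bMaxPINSize, &hi);
    get_tlv_property(props, sizeof props, PROP_wIdVendor, &vid);
    get_tlv_property(props, sizeof props, PROP_wIdProduct, &pid);
    printf("reader %04x:%04x, PIN %u..%u digits, control code 0x%08x\n", (unsigned)vid,
           (unsigned)pid, (unsigned)lo, (unsigned)hi, (unsigned)ctl[FEATURE_VERIFY_PIN_DIRECT]);
    size_t n = build_verify_template(tpl, sizeof tpl, 0x81, (uint8_t)lo, (uint8_t)hi, 8);
    for (size_t i = 0; i < n; i++)          /* the bytes handed to SCardControl() */
        printf("%02x%c", tpl[i], i + 1 == n ? '\n' : ' ');
    return 0;   /* live: SCardControl(h, ctl[0x06], tpl, n, sw, 2, &got) returns SW1 SW2 */
}
```

On a live system the feature list comes from SCardControl() with CM_IOCTL_GET_FEATURE_REQUEST and the properties from the control code stored under tag 0x12; the template is then passed to SCardControl() with the code under FEATURE_VERIFY_PIN_DIRECT, and the two bytes that come back are the status word. The point made in the thread follows from the code: whether the pinpad is used is decided entirely by the caller that chooses this path over sending the PIN in a plain VERIFY APDU, and on a reader with the "firewall" feature enabled the plain-APDU fallback would be refused by the reader itself.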