From: Frank M. <mo...@in...> - 2016-03-11 00:30:23

Use `enable_pinpad = false;` to disable the PIN pad: https://github.com/OpenSC/OpenSC/blob/master/etc/opensc.conf.in#L96. But keep in mind the limitations already spoken about. You should delegate the PIN-pad problem to OpenVPN!

On Thursday, 10 March, at 22:15, Ludovic Rousseau wrote:
> 2016-03-10 17:53 GMT+01:00 Douglas E Engert <dee...@gm...>:
> >
> > On 3/10/2016 9:23 AM, J.W...@mi... wrote:
> > > Hi all,
> > >
> > > Can anybody shine some light on this?
> > >
> > > We finally have found some pinpad readers that do work under Linux, with our cards and the AET drivers.
> > >
> > > For instance, if I type opensc-tool -l, I can see which readers have a pinpad or not.
> > >
> > > Also, when I do pkcs11-tool -O -l, I _must_ enter the PIN on the reader.
> > >
> > > Furthermore the screen lock (driven by PAM) knows when to ask for a PIN, or to refer to the reader console.
> > >
> > > However, openvpn simply continues to ask for the PIN on the console (or its management interface).
> > >
> > > I presume openvpn should have checked the reader's capabilities, but forgot to do that...
> >
> > There is more work to do to use the pinpad reader. The code has to set up the template so the reader knows how to fill in the PIN.
> >
> > > Secondly, as the code works with the PIN on the prompt, I presume there is a switch (routine in libccid ??) that specifies IF a pinpad should be used or not?
> >
> > I don't think so, it is really enforced by the calling software: OpenSC, openvpn or whatever....
> >
> > From a security standpoint, the card can not tell if the PIN came from the pinpad reader or from the host.
> >
> > There may be readers that will not accept a PIN command from the host. (I don't know of any.)
>
> Exactly. At least Gemalto provides such pinpad readers.
> The feature is called "firewall" and the reader will refuse any VERIFY (and similar) command with the PIN sent from the host.
> With this reader you can only verify a PIN using the pinpad keyboard.
>
> You can have a look at some extra features available at
> https://pcsclite.alioth.debian.org/ccid/readers/extra_features/
> For example
> https://pcsclite.alioth.debian.org/ccid/readers/extra_features/Gemalto_Ezio_Shield_PinPad_features.txt
> has:
>
> Firewall: True
>
> The same reader model can have the firewall feature enabled or not. I guess you will have to specify what configuration you want when buying the readers.
>
> > So if you are trying to force the user to never expose their PIN to the host (either on the keyboard or from a file) and always use the pinpad reader, you would need one of these readers. You would also have to force the user not to change readers!
> >
> > There may be issues trying to enforce this with Remote Desktop over the network.
>
> The application can check the reader VendorID/ProductID to verify it is still the same reader. But you can't fight against the user if he is root on the system and can change any software and use another reader instead.
> But I am not sure why the user would want to steal his own secret PIN.
>
> > > So you can optionally overrule the pinpad capability???
>
> There is no switch in libccid to force the use of the pinpad. It is only an application decision.
> But the reader has such a switch.
>
> Bye
>
> --
> Dr. Ludovic Rousseau
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

--
Frank Morgner
Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE http://openpace.sourceforge.net
IFD Handler for libnfc Devices http://sourceforge.net/projects/ifdnfc
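The thread makes two practical points: the reader, not libccid, is what the application must ask about secure PIN entry, and the only way to tie a policy to a specific reader is to check its vendor/product ID (which a root user can still defeat). The following is an added example illustrating both; it is not code from OpenSC, libccid, OpenVPN or any of the posters. It parses the two PC/SC Part 10 answers an application gets from a CCID reader, CM_IOCTL_GET_FEATURE_REQUEST and FEATURE_GET_TLV_PROPERTIES, and derives an application-side decision from them. Assumptions: the feature and property tag values are taken from PC/SC Part 10; the sample responses are constructed, with control codes modelled on libccid's layout and 0x1234 as a placeholder product ID (0x08E6 is Gemalto's USB vendor ID); the live `query_reader` helper assumes pyscard and an attached reader and is not exercised here.

```python
"""Query a PC/SC reader's secure-PIN-entry features and pin the result to one
reader (vendor/product ID).  Added example; not OpenSC, libccid, OpenVPN or
mailing-list code."""
import struct

# PC/SC Part 10 feature tags returned by CM_IOCTL_GET_FEATURE_REQUEST
FEATURE_VERIFY_PIN_START = 0x01
FEATURE_VERIFY_PIN_FINISH = 0x02
FEATURE_VERIFY_PIN_DIRECT = 0x06
FEATURE_MODIFY_PIN_DIRECT = 0x07
FEATURE_IFD_PIN_PROPERTIES = 0x0A
FEATURE_GET_TLV_PROPERTIES = 0x12

# PC/SC Part 10 property tags returned by FEATURE_GET_TLV_PROPERTIES
PROP_bMinPINSize = 0x06
PROP_bMaxPINSize = 0x07
PROP_sFirmwareID = 0x08
PROP_wIdVendor = 0x0B
PROP_wIdProduct = 0x0C


def parse_feature_request(data):
    """Parse the GET_FEATURE_REQUEST answer: entries of tag(1), length(1) == 4,
    control code(4, big-endian).  Returns {feature tag: control code}."""
    features, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated feature entry at offset %d" % i)
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if length != 4 or len(value) != 4:
            raise ValueError("bad feature entry 0x%02x at offset %d" % (tag, i))
        features[tag] = struct.unpack(">I", value)[0]
        i += 2 + length
    return features


def parse_tlv_properties(data):
    """Parse the FEATURE_GET_TLV_PROPERTIES answer: tag(1), length(1), value.
    Integer properties are little-endian; sFirmwareID is an ASCII string."""
    props, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated property at offset %d" % i)
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated property 0x%02x at offset %d" % (tag, i))
        if tag == PROP_sFirmwareID:
            props[tag] = value.decode("ascii", "replace")
        else:
            props[tag] = int.from_bytes(value, "little")
        i += 2 + length
    return props


def pinpad_available(features):
    """True when the reader can collect the PIN on its own keypad (Part 10
    secure PIN entry), so the host never needs to see it."""
    return (FEATURE_VERIFY_PIN_DIRECT in features
            or (FEATURE_VERIFY_PIN_START in features
                and FEATURE_VERIFY_PIN_FINISH in features))


def decide_pin_path(features, props, expected=None):
    """Application-side policy; libccid has no such switch, as the thread says.
    expected: optional (vid, pid) pinned by the admin; any other reader is
    refused rather than silently falling back to a host-entered PIN."""
    if expected is not None:
        if (props.get(PROP_wIdVendor), props.get(PROP_wIdProduct)) != expected:
            return "refuse"
    return "pinpad" if pinpad_available(features) else "host"


def query_reader(connection):
    """Live query (assumes pyscard and an attached reader; not run here).
    connection: a connected smartcard.CardConnection."""
    from smartcard.scard import SCARD_CTL_CODE
    cm_ioctl_get_feature_request = SCARD_CTL_CODE(3400)
    features = parse_feature_request(
        bytes(connection.control(cm_ioctl_get_feature_request, [])))
    props = {}
    if FEATURE_GET_TLV_PROPERTIES in features:
        props = parse_tlv_properties(
            bytes(connection.control(features[FEATURE_GET_TLV_PROPERTIES], [])))
    return features, props


# Constructed sample answers (not captured from a real reader).  Control codes
# are modelled on libccid's SCARD_CTL_CODE(0x330000 + tag) layout; VID 0x08E6
# is Gemalto's USB vendor ID, PID 0x1234 is a placeholder.
PINPAD_FEATURES = bytes.fromhex("060442330006" "070442330007"
                                "0a044233000a" "120442330012")
PINPAD_PROPS = bytes.fromhex("060104" "070108" "0b02e608" "0c023412")
PLAIN_FEATURES = bytes.fromhex("120442330012")  # no VERIFY_PIN_* feature at all

if __name__ == "__main__":
    f = parse_feature_request(PINPAD_FEATURES)
    p = parse_tlv_properties(PINPAD_PROPS)
    print("pinpad:", pinpad_available(f),
          "VID/PID: %04x/%04x" % (p[PROP_wIdVendor], p[PROP_wIdProduct]))
    print("policy:", decide_pin_path(f, p, expected=(0x08E6, 0x1234)))
```

Two caveats that follow from the thread. The feature list only says whether the reader can perform secure PIN entry; it does not show whether a Gemalto-style "firewall" is switched on, so a "pinpad" result still relies on the application never sending a VERIFY with a host-supplied PIN, and the card itself cannot tell the difference. The VID/PID pin is a convenience check against an accidentally swapped reader, not a control against a local root user, who can change the software doing the checking.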