From: Daniel P. <da...@po...> - 2016-01-12 22:08:17

Hi all,

I was looking at the specs for Smartcard HSM:

http://www.smartcard-hsm.com/features.html#devaut

and it suggests that a "Scheme Root CA maintained by CardContact issues certificates for Device Issuer CAs, which in turn issue an unique device certificate for each SmartCard-HSM produced."

Does this mean the card has some dependency on the manufacturer/vendor? Is this typical?

Regards,

Daniel
From: Andreas S. <and...@ca...> - 2016-01-12 22:38:31

Hi Daniel,

the purpose of the SmartCard-HSM PKI is to allow a relying party to authenticate public keys for private keys generated on the device. It does both, proof of possession and proof of correspondence.

It also allows using the public key without a certificate, because the internally generated certificate signing request is signed by the device authentication key. In some applications like the n-of-m scheme [1] this is sufficient, i.e. there is no need for another separate PKI to issue certificates that bind the public key to an identity (each SmartCard-HSM has an identity asserted by the device certificate and linked to the device authentication key).

This means that if someone relies on this PKI, he must rely on the device issuer and the correct operation of the systems at the two PKI layers.

This is not limited to ourselves, as we have customers that are operating their own root and production CA.

Having a full PKI for public key authentication is something that - as far as I know - only the SmartCard-HSM provides for. Other schemes provide key attestation, but typically with a key shared amongst all devices.

Andreas

[1] http://www.smartcard-hsm.com/docs/SmartCard-HSM_n-of-m_Authentication_V1.0_2015-03-25.pdf

On 01/12/2016 11:08 PM, Daniel Pocock wrote:
> Hi all,
>
> I was looking at the specs for Smartcard HSM:
>
> http://www.smartcard-hsm.com/features.html#devaut
>
> and it suggests that a "Scheme Root CA maintained by CardContact issues
> certificates for Device Issuer CAs, which in turn issue an unique device
> certificate for each SmartCard-HSM produced."
>
> Does this mean the card has some dependency on the manufacturer/vendor?
> Is this typical?
>
> Regards,
>
> Daniel
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

-- 
CardContact Software & System Consulting
Andreas Schwier
Schülerweg 38
32429 Minden, Germany
Phone +49 571 56149
http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org
http://www.smartcard-hsm.com
From: Daniel P. <da...@po...> - 2016-01-13 10:52:52

Can you please be more specific about some aspects of this PKI:

a) if CardContact goes out of business for any reason, what is the impact on people using the cards? Will people using the intermediate certificates signed by your root be able to keep using them until they expire? How long are they valid?

b) if the CardContact root certificate is compromised (private key stolen, etc), what is the impact on people using the cards?

c) you say that some customers operate their own root, does that mean they can completely eliminate or replace the "device authentication key" you create at the factory?
From: Andreas S. <and...@ca...> - 2016-01-13 11:27:46

Sure

> Can you please be more specific about some aspects of this PKI:
>
> a) if CardContact goes out of business for any reason, what is the
> impact on people using the cards? Will people using the intermediate
> certificates signed by your root be able to keep using them until they
> expire? How long are they valid?

If CardContact goes out of business, then the Scheme Root CA will stop operating and will not issue new device issuer certificates. Existing device issuers can of course continue to operate their CA instance and can produce legitimate SmartCard-HSMs.

A device issuer certificate is valid for 8 years. Device certificates have a validity date, which does not exceed the expiration date of the device issuer CA certificate.

But remember that these certificates are card-verifiable certificates not suitable for X.509 based applications. We are not operating an X.509 PKI.

> b) if the CardContact root certificate is compromised (private key
> stolen, etc), what is the impact on people using the cards?

The Scheme Root CA private key is - of course - stored on a SmartCard-HSM with dual-control for both, operation and recovery. The CA is an offline CA.

We do our best to protect the Scheme Root CA, but if it were compromised, a relying party could no longer trust public keys generated in the device. The impact would need to be evaluated in the actual application scenario.

Any customer is of course free to become a device issuer himself and even operate his own scheme root CA. This is common for customers that have additional security requirements that we can't (or don't want to) fulfil.

> c) you say that some customers operate their own root, does that mean
> they can completely eliminate or replace the "device authentication key"
> you create at the factory?

The device authentication key is generated during SmartCard-HSM personalization, which can be done by any device issuer.

Our business model with the SmartCard-HSM is to license the applet to device issuers and to provide the required infrastructure to produce the devices. At the same time we are a device issuer for the USB and MicroSD based form factor.