Re: [Passwordsafe-devel] PKCS11 Smartcard Support
From: Rony S. <ro...@gm...> - 2007-02-18 18:24:45
Hm, interesting project. Having a separate file seems the most elegant way to go. The existence of the file could be the hint for pwsafe to use the token for authentication, instead of deriving the key from the passphrase & salt. Alternately, a "special" salt value could be the trigger to look for such a file...

In terms of the formatv3.txt document, the smartcard's private key would decrypt P'. Once the application has a value for P', processing should continue as before (calculate H(P') to verify the key's correctness, decrypt K and L, etc.).

In the corelib code, I think the best approach would be to create an overloaded version of PWSfileV3::CheckPassword() that takes the relevant parameters and calculates P'. Note that the GUI code that accepts passwords also needs to be modified. Of course, the issue of generating the file with the encrypted key also needs to be addressed.

I'd like to see this in a branch off the main code trunk, to start with. Once it's working, we can consider how to merge it into the main project.

Rony

-----Original Message-----
From: pas...@li... [mailto:pas...@li...] On Behalf Of John Conneely
Sent: Sunday, February 18, 2007 1:14 AM
To: pas...@li...
Subject: Re: [Passwordsafe-devel] PKCS11 Smartcard Support

Doh! GMail sent my mail before I was done.

As I was saying, if we were to build PKCS#11 support into the password safe GUI, I think it would require storing the following additional data elements with the password file:

1) A reference to the PKCS#11 DLL you want to use.
2) Information on locating the private key on the smartcard.
3) The symmetric encryption key encrypted with the public key that corresponded to the one on the smartcard.

Alternatively I could store these in a separate file so as to not touch the file format of the existing document. This might simplify development because it would allow the user to modify the document themselves instead of having a GUI to manage entry of that information.
I'm also interested in where you guys think the proper place is for me to patch the app for smart card support. I'm currently looking in the PWSFile.cpp to see if there's a central place I might be able to hook in my code with as few changes to the existing functionality as possible.

Thanks!
John

On 2/17/07, John Conneely <jo...@gm...> wrote:
> I've got an EToken NG flash that I'm using opensc with, and I'd love to use a private key on the token to decrypt my password file. This device is a smartcard and a USB flash drive in one device. I'd love to put password safe and my password file on it in such a way that it would be difficult for someone to use a key logger to gain access to my encryption key.
>
> So, unless someone else has plans to do it (which would make me very, very happy) I'd like to implement PKCS#11 support for password safe. If I do this, is there interest in including it in your product?
>
> If so (and even if there is no interest) what do you think is the best architecture to use? When using PKCS#11, I would want password safe to ask for the smartcard's PIN, and store that in memory. I would set the timeouts for locking the app to be somewhat aggressive, but unlocking the app would be transparent provided the smartcard was still present. When using a smart card, the encryption key would be chosen randomly and then encrypted with the public key of a certificate stored on the smart card and stored with the database.
>
> If we were to build PKCS#11 support into the password safe GUI, it would require storing the following additional data elements with the password file:
_______________________________________________
Passwordsafe-devel mailing list
Pas...@li...
https://lists.sourceforge.net/lists/listinfo/passwordsafe-devel
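As an added example (not code from this thread or from Password Safe), here is the scheme John and Rony sketch: a sidecar file carrying the three elements John lists (PKCS#11 module reference, key locator, and a random P' wrapped under the token's public key), with H(P') checked before P' is used, as Rony says the existing V3 code path does. The smartcard's private-key operation is stood in for by an in-process RSA key; the field names, OAEP padding and sidecar layout are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Sidecar holds the three elements from the thread, kept outside the .psafe3 file.
// Field names and the JSON tags are assumptions for this example, not a Password Safe format.
type Sidecar struct {
	Module     string `json:"pkcs11_module"` // path to the PKCS#11 library (e.g. opensc's)
	KeyID      string `json:"key_id"`        // locator for the private key on the token
	WrappedKey []byte `json:"wrapped_key"`   // P' encrypted with the token's public key
	KeyHash    []byte `json:"key_hash"`      // H(P'), so a wrong token is rejected before use
}

// CreateSidecar picks a random 32-byte P' and wraps it for the token's public key.
// It returns the sidecar and the plaintext P' (which the caller uses to encrypt K and L).
func CreateSidecar(pub *rsa.PublicKey, module, keyID string) (*Sidecar, []byte, error) {
	pPrime := make([]byte, 32)
	if _, err := rand.Read(pPrime); err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, pPrime, nil)
	if err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(pPrime)
	return &Sidecar{Module: module, KeyID: keyID, WrappedKey: wrapped, KeyHash: h[:]}, pPrime, nil
}

// Unwrap models the smartcard decrypt step. On a real token the private key never
// leaves the card; here an in-process RSA key stands in for it. The recovered P' is
// verified against H(P') exactly as a passphrase-derived P' would be.
func Unwrap(sc *Sidecar, priv *rsa.PrivateKey) ([]byte, error) {
	pPrime, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sc.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(pPrime)
	if !bytes.Equal(h[:], sc.KeyHash) {
		return nil, errors.New("H(P') mismatch: wrong token or corrupted sidecar")
	}
	return pPrime, nil
}
```

After Unwrap succeeds, processing continues as in the existing format: P' decrypts K and L and the rest of the header.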