Linux and smart cards for PKI - Overview

[2018.06.20]

When the company I work for decided to become serious about its Public Key Infrastructure (PKI), take on the role of Registration Authorithy (RA) on behalf of a well-known Certificate Service Provider (CSP) and teach its employees to use SSL certificates to secure e-mail messages, I did not suspect the vastness of the task that confronted me, includingly (but not exclusively) when it came to introduce smart cards into our daily Linux life.

Usually, when setting on a new Linux project, I netsearch for a few keywords, quickly find some exquisite documentation (thanks to whomever wrote it), and get going.
With smart cards… nope! Thou shall not have it that easy, you miserable ignorant twat!

To start with, I never encountered a domain with so many acronyms, standards, vendors, etc. entangled into such an obscure web of features, specifications, versions, etc. Oh dear! I quickly stood humbled…

So here follow a few clues for smart card illiterates (like me).

Software-wise

Smart cards support is usually - iow. the least troublelessly - implemented on Linux using three pieces of software:

• the CCID library (software driver), aka. libccid; website

• the PC/SC lite middleware and daemon, aka. pcscd; website

• OpenSC libraries and tools; website

Along the Public Key Cryptography Standards (PKCS) relevant to the matter at hand, namely:

• PKCS#11: the standardized API allowing to access and use public key cryptography material (public/private keys, certficates, etc.), implemented by OpenSC thanks to:

  • its opensc-pkcs11 library (for Firefox, Thunderbird, Chromium, etc.)
  • its engines/libpkcs11 library (for OpenSSL)

• PKCS#15: the standardized scheme for storing public key cryptographic material on smart cards, implemented by OpenSC thanks to:

  • its pkcs15-init and pkcs15-tool utilities

Hardware-wise

Using a smart card entails two pieces of hardware:

• a smart card reader:

  • nowadays connected to the host PC via its Universal Serial Bus (USB)
  • also able to write to the smart card
  • which must be compatible with the chosen smart card (see below)
  • and its host PC software stack, which shall cover:
    • smart card initialization
    • web authentication
    • e-mail signature and encryption
    • local and remote host login
    • etc. etc. etc.

• the smart card itself, which is nothing less than very tiny and highly specialized microcomputer, and which may come in many different flavors:

  • contact vs contactless
  • writeonce vs rewriteable
  • providing just basic storage vs additional cryptographic modules
  • with memory (EEPROM) capacity ranging from 1kB to 132kB
  • each vendor having its own Operating System (OS)
  • and Application Programming Interface (API)
  • etc. etc. etc.

Waddling our way through all the gibberish

The PC-to-reader interface

The protocols commonly used to allow the PC to communicate with the reader, via its USB connection, and the smart card are:

• hardware-wise: the Chip Card Interface Device (CCID), readily supported on Linux thanks to the CCID software driver

• software-wise: the Personal Computer/Smart Card (PC/SC) API, readily supported on Linux thanks to the PS/SC lite middleware

The reader-to-smartcard interface

Contact interface

The interfaces most commonly used for the reader to interact with the smart card via physical electrical contact are:

• hardware-wise: the ISO/IEC 7816 standard, along T=0 and T=1 transmission protocols (the latter often being required to fully support modern PKI operations)

• software-wise: the ISO/IEC 7816-15 part, mirroring the PKCS#15 specifications

Contactless interface

The interfaces most commonly used for the reader to interact with the smart card via radio communications are:

• hardware-wise:

  • the ISO/IEC 14443 standard, Type A and/or Type B (ideally both), operating at 13.56MHz, along the T=CL transmission protocol (or some other well-known vendor-specific protocol; e.g. MIFARE)
  • and/or the ISO/IEC 15693 standard, operating at the same frequency but over a greater distance (1-1.5 meters), although this makes it undesirable for PKI applications (security-wise)

• software-wise: the same forementioned PKCS#15 specifications

Smart card options

Like already mentioned, smart cards come into with a wide variety of options.

• contact vs contactless: mostly a question of compromise between usability and security. For qualified electronic signature (i.e. with legal value as per your country’s legislation; e.g. SuisseID), I would definitely opt for the contact version.

• writeonce vs rewritable: I personally haven’t thought of a use case (yet) that would benefit from a writeonce media.

• cryptographics modules: they allow for the key pairs to be generated by the smart card itself; the private key never leaves and can not be recovered from the smart card (signature and encryption being offloaded to it by the host PC via its PKCS#11 interface). I consider it a MUST for PKI applications.

• memory (EEPROM): a minimum of 64kB will be necessary to store the required key pair(s) and corresponding certificate(s)

• Operating System (OS): not an issue as long as the smart card supports the CCID and PC/SC interfaces (which shall be preferred on Linux)

• Application Programming Interface (API): like already said, the Personal Computer/Smart Card (PC/SC) interface is the preferred choice for Linux operations

Once all options sorted out, one may want to verify the chosen smart card compatibility with the Linux stack:

• OpenSC supported hardware

Operations

Preliminary checks

Let’s first verify our hardware choices are indeed compatible with the Linux stack and with one-another:

• Check the reader support/accessibility:

  opensc-tool --list-readers
  

• Check the smart card support/accessibility:

  opensc-tool --atr
  opensc-tool --name
  

Initialization

Most smart cards will be blank when received from their manufacturer.

The best course of action from here is too follow OpenSC’s exhaustive documentation.

• Quick start with OpenSC

• Card personalization

Shortly put, one will need to:

• Initialize the smart card with a PKCS#15 structure:

  pkcs15-init --create-pkcs15 ...
  

• Add a PIN/PUK code:

  pkcs15-init --store-pin ...
  

• Generate a key pair:

  pkcs15-init --generate-key ...
  

• Generate a Certificate Signing Request (CSR):

  openssl ...  # along engines/libpkcs11
  

• Install the signed certificate:

  pkcs15-init --store-certificate ...
  

Usage

(…a few eons later…)

Please read-on:

Linux and smart cards (OpenSC) - How-to