
Smartcard Jungle


Formal metadata

Title
Smartcard Jungle
Subtitle
Using security devices should be easy.
Alternative title
security 1315 smartcard
Number of parts
64
License
CC Attribution 2.0 Belgium:
You may use and modify the work or its content for any legal purpose, and reproduce, distribute and make it publicly available in unchanged or modified form, provided you credit the author/rights holder in the manner they specify.

Transcript: English (automatically generated)
This will be non-technical and okay. I will try to ask the audience one single question. You all know this kind of card which is a credit card and in Europe we all have them, every one of us.
And here is another type of card which is this one that we call crypto card. But it can do a lot more like manage your identity, sign and connect to VPS. How many of you know, well are using or know people who are using this kind of card?
And how many of you have never used them? Oh, just a few, okay. In fact, it appears that in a large public, very few people are using crypto cards.
Maybe you are developers, so I missed a little bit my presentation but I mean this is in my opinion an issue. And one of the goals here is to try to understand how we could better integrate crypto hardware into various environments.
And how we could improve usability because this is important that people want to buy this kind of cards that you can find very easily and can use them.
So actually I made a short presentation on hardware and standards to basically show the two kinds of hardware that we have.
Crypto and what we call one-time passwords. These are little devices with a button and you press and you obtain. So first maybe I will give it to the audience so that you can have a look at this during the presentation.
And I will also discuss and try to present very briefly the OpenSC library. This will be very short. I will present the states of integration in operating systems and applications.
I will not present everything. I will do something very short. Then again, after my presentation, I will go to the audience and I will try to give free crypto tools to the audience. So if you already have a good crypto tool, maybe try to leave the crypto tools for others.
And also I will stand in the back and if you want more information, you have a laptop, I can initialize the crypto tool with you and show you how it works. So let's go to hardware and standards. Basically, a lot of companies say we offer
USB tokens, but the USB token is basically a small PCSC reader with a crypto chip. If you already use these crypto tools, then you know why you always should use hardware devices.
Because these devices are kept to preserve the secret. It's not possible to open the chip or try to read inside the chip to have access to the RSA key. It has protection. It's nearly impossible. If you try to open and read using special tools, then the chip will destroy itself.
Also, the power of this tool is that it is able to compute the secrets
and to do the authentication or encryption and decryption work without displaying the RSA secrets. One very important issue is that when you use a crypto stick or a smart card, then you have them with you and they are like the keys of your cards.
If you lose them, you know that there is a problem. That's very important. The definition of these tools is that they are so small, either to be on your keys or to be in your wallet.
So, basically, there are two standards. There is a standard for readers, which is PCSC. This is the PCSC working group which is working on it. Which defines first the interaction. And then there is the RSA company which has set up various PKCS interfaces.
The main are PKCS 11 and 15. 15 is the way that information is stored on card and 11 is the way that you discuss with the device.
So, this is the second type of security tool. It is not exactly a crypto tool because the definition of a crypto tool by law is that you have access to the chip.
For example, if you have a video decoder inside a video machine or a dish machine, it is not considered a crypto tool because there is a chip but this chip cannot be accessed and you cannot interact with the chip.
Also, vendors that I discussed made statistics about users using smart cards and discovered that 30% of users were never able to configure their operating system to use smart cards.
So, they decided to work on a little degraded security devices that in fact compute a secret. There is a secret inside and by pressing the button you will generate a series of passwords. This kind of security device is vulnerable to man in the middle attack. It means that if you have this kind of security
device and you generate a password, for example to log on your bank account, if you receive an email which says log on because there is a problem, if you press the button and there is a man in the middle attack, your password may be caught.
But it is a huge progress upon traditional password strategies. Also, it is very cheap to buy. There is no contact with the interface of the computer so you don't have to configure drivers and you don't have to learn the people how to use this device.
It is very similar to the way that people live and remember passwords. So, it is really complementary and based on the level of security that you need, you may implement one of those.
And there are two main RFCs. The first one is event-based. It means that when you press the button, then your password is always valid. It is valid until you use it. So, if you press the button in the morning and you come back in the evening and you connect to your computer, it will work.
So, they also then worked on an extension of this protocol which is TOTP which is time-based. There is a time frame from 30 seconds to 60 seconds and you have to connect during these 60 seconds.
Our tokens show a little display and you know that you have 60 seconds to connect. Also, people fear that the tokens may lose the time because you notice on computers that the time needs to be synchronized.
So, most servers allow to synchronize the tokens. So, it is not a real problem. These tokens are designed to work for years pressing 70 times a day. So, they can be pressed 100,000 times without losing synchronization. So, it is a pretty interesting tool.
But it is not a crypto tool. A lot of companies will say we provide two-factor OTP because it is a two-factor device. Yes, but it is not a crypto device because you cannot make any encryption.
When you use an operating system, you must deliver a promise. You promise something to the user. If you go to a cash machine, the promise is that when you put the card inside of it, it will give you some money. That is a promise.
So, when people use this kind of tool to connect to the computers, they have, in fact, but it is my opinion, there are two promises. The first promise is to be able to connect to your computer. A lot of people consider that, well, this is really private information. The computer can be stolen. It is important to be able to connect.
The second one is to be able to manage your identity. This includes signing, emails, accessing to encrypted websites, remote authentication, etc. So, I was wondering, in my own opinion, why so few people in the large public use these crypto cards?
No, I am not going to lie and say, yeah, a lot of people use them. Well, this technology has been around for 30 years. It should be on every computer, but it is not. So, I tried to compare the state of integration in Windows Vista, Mac OS, and GNU Linux to present something very, very easy.
Well, Windows has support for PKCS. It means that Windows is able to read PKCS 11 and 15 cards. It says we support this protocol, but it does that in an abstraction layer. This layer is kind of a loop. It is a library called the Windows card. They say we support it, but they support it through their library.
So, a lot of third-party software, like, for example, Iceweasel or other software, are not supported by default.
So, vendors, like Feshan, who produces this card, offer proprietary PKCS 11 libraries. One of the goals of OpenSC is to offer a free library to use PKCS 11.
Also, OpenSC is working on a Windows, a full Windows CSP driver. So, it is already in SVN. It is working. It is getting better. Soon, you will be able to use a full free solution under Windows. This will be kind of a revolution.
Also, I told you that there was a promise to be able to log on. The problem with Windows is that to be able to log on, you need a Windows Server, a 2003 server.
So, you need to invest a lot of money. As a result, the market is shrinking. The market is not very well developed. So, I made a few screenshots of a tool called Marsmark Logon that tries to fill this gap. That is very nice.
You can have a look at the software and try to develop something similar for GNU Linux. Which is, you have this smart card logon button here. You click. Your card is configured or it is not. If you have just bought this card, I am going to shop for a few euros. Then, you just insert the card and you can configure it.
You can either create your own certificate. You can use an existing certificate. You can import one. That is very easy. Then, in the end, you will be able to log. When you will be able to log, you will also be able to change the PIN code. So, it is completely integrated for the end user. It makes things very easy. This is just an example.
Now, as for GNU Linux, we have now a very good framework. Which is, well, two frameworks. Which are PCSC muscle framework. This is the way that the readers are recognized.
Now, we are focusing more on CCID subsystem because it is like SCSI for disk or SATA. It is very common. So, all readers are compatible. We also provide a PKCS 11 library. This library will be able to discuss without this smart card.
This smart card will act as a repository.
Now, about the promise to connect. Of course, Linux has PAM. So, there are two PAM possibilities.
You can even connect to LDAP, SS-Caleo's mappers. You can have those mappers. It means that you can connect over a network to a shared server and manage your identity on a network.
It is very, very advanced. But there is no real GNOME end user feature that allows a smart login to log in very easily. It is not a problem. As for macOS, it is also very special. They decided to say, okay, we are going to develop our own PCSC muscle interface.
They took it like that. They applied patches and they tried to make it their own. At the same time, they developed a framework called token. Now, let's have a look at this connection promise.
Like I said, it is charitable to set up. You enter smart card logon, macOS 6, and you have a technical data. There are eight pages to read. This is only for macOS 6, 10.4.
For 10.5 and 6, you can actually do it pretty easily. It is my fault because our users tried to do it and were not able to do it. The idea is that like on the Windows side, they have another instruction library.
It is also possible to have OpenSC on macOS so that you have a complete framework on Windows, macOS, and Linux.
Now, let's have a look at applications. As I said in the beginning, but this is my opinion, people using crypto tools are not very common. Maybe developers or hackers, but not your brother, your mother, and your friends.
Most of the time, crypto features are kind of hidden. I will show you just three examples and this will be the end of our presentation. You feel they have been developed, but in the end, they have been added after other features that were based on software crypto.
We know that software crypto is not the same as hardware crypto. It is not as reliable. This is the example of PuTTY. PuTTY has millions of users and if you want to use a smart card, that is quite difficult.
It took me maybe one day to understand how to set it up. You have to go here. First, you need to download a special version of PuTTY, which is called PuTTY CAC. Then, in this special version that has not been updated for maybe two years, you go to this PKCS 11 and you click there.
After you click, you will have to put your library. After you put the library, then you have the token info and then you have the level of your card. You click open and I think it will ask you for the PIN code. You see, it is not the way that end users will ever adopt crypto.
I think they will never adopt it. If you compare with a newer version of PCSC that runs automatically through HART,
you are able to detect that there was an insert and then you can do an action. You don't have to configure all these kind of things. In the case of PuTTY, SSH claims they have had the patch for crypto for maybe four or five years.
They never implemented it. Then, a guy implemented his own crypto library. To use SSH is the same problem. Of course, it has come online. You have to add the library, but when you stop using it, you have to put D for delete.
It means that when you unplug it, you have to say afterwards, before you unplug, you have to say delete. But, SSH should be able, if the library doesn't respond, to run delete itself. This is the kind of issue that you have on nearly every software that makes it very difficult.
I hope the SSH developer is not here. I'm not doing a flame war. I'm just showing you what kind of drawbacks, in my opinion, stop the market from growing a lot. Firefox Iceweasel is the same.
You could imagine that Firefox under Windows or Linux could detect the library itself. Well, it's very well hidden. You have to look for security devices, you all know that. Then, you add the PKCS library, you have to configure it. Then, you have to maybe log in, or when you go to SSL, you automatically log in.
It's kind of complicated for end users, especially in companies or in a large organization where people are not software developers. So, my conclusion is that we have a very good framework now, which is called OpenSC.
It works on all platforms. It will soon be available, even for a CSP driver. It will provide a Windows driver. I don't know if it will be a mini CSP, but it will deliver a large number of features. But the integration lacks, in my opinion, a better usability.
I hope that this is why we are all here, is to discuss, is to organize a discussion and try to understand how we can improve things.
So that you can start contributing to OpenSC. To help you start contributing, we offer free host tokens or free smart cards to people interested.
Usually, we do that on the website. Today, I will offer you, I will come to you and offer you some hardware, if you need some. Otherwise, I will offer it to other people. So, thank you for listening.
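
The event-based and time-based one-time passwords described in the talk correspond to HOTP (RFC 4226) and TOTP (RFC 6238). The following is an added example, not part of the talk or of OpenSC, showing why an unused event-based code stays valid, how a server resynchronizes with a token whose button was pressed without logging in, and how a time window expires a code. The key is the RFC 4226 test key; `window` and `drift` are assumed server settings.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test key, not a real secret

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA-1 of an 8-byte counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class HotpServer:
    """Server side for a button token. `window` (an assumption) is how many
    unused button presses the server tolerates before it loses sync."""

    def __init__(self, secret: bytes, counter: int = 0, window: int = 5):
        self.secret, self.counter, self.window = secret, counter, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resynchronize and retire older codes
                return True
        return False

def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, drift: int = 1) -> bool:
    """Time-based OTP (RFC 6238): the counter is the current time step.
    `drift` steps either side absorb a token clock that runs fast or slow."""
    now = unix_time // step
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(max(0, now - drift), now + drift + 1))

def demo() -> dict:
    server = HotpServer(SECRET)
    pressed = [hotp(SECRET, c) for c in range(4)]  # button pressed four times
    return {
        "latest_code_accepted": server.verify(pressed[3]),
        "older_code_rejected": not server.verify(pressed[1]),
        "replay_rejected": not server.verify(pressed[3]),
        "totp_in_window": verify_totp(SECRET, hotp(SECRET, 1), unix_time=59),
        "totp_expired": not verify_totp(SECRET, hotp(SECRET, 1), unix_time=119),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

A larger `window` tolerates more stray button presses but also keeps more unused codes valid, which is the exposure the talk describes for event-based tokens.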