EJBCA and OpenSC
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Alternative Title |
| |
| Title of Series | ||
| Number of Parts | 64 | |
| Author | ||
| License | CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/45892 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
FOSDEM 201157 / 64
3
7
10
11
17
19
21
28
33
34
35
37
40
44
48
49
52
55
57
59
62
63
64
00:00
Server (computing)Right angleMathematicsProduct (business)AuthorizationElectronic signatureChainPlastikkarteEnterprise architectureBitSign (mathematics)Open sourceDigitizingLecture/Conference
00:27
Integrated development environmentPlastikkarteData storage deviceComputer animation
00:41
Cycle (graph theory)Integrated development environmentCommunications protocolOrder (biology)Data managementMultiplication signPlastikkarteScaling (geometry)Enterprise architectureState of matterSlide ruleProcess (computing)Video gameIntrusion detection systemData storage deviceAutomationComputer animation
02:14
Different (Kate Ryan album)Web 2.0Integrated development environmentVirtuelles privates NetzwerkPlastikkarteType theoryCommunications protocolWeb browserSmartphoneDirectory serviceData managementProgram flowchart
02:57
AuthorizationComputer fileQuicksortDescriptive statisticsKey (cryptography)PlastikkarteChainMemory cardInformation securityRight angleGame controllerGroup actionMoment <Mathematik>Identity managementOrder (biology)Physical systemWater vaporRule of inferencePublic-key cryptographyWeb pageComputer hardwareAuthenticationElektronische WahlProcess (computing)Module (mathematics)CuboidForm (programming)SmartphoneData structureMereologyServer (computing)Data managementScripting languageCycle (graph theory)Graphical user interfaceVideo gameOpen setToken ringOffice suiteFile formatComputer animation
07:02
Canadian Mathematical SocietyData managementDatabaseMessage passingPhysical systemAuthorizationElectronic mailing listGroup actionEnterprise architectureSubsetIntegrated development environmentNumberWage labourNumerical integrationSelf-organizationPlastikkarteMemory cardTrailContext awarenessSmartphoneVideo gameCycle (graph theory)Content (media)CryptographyComputer animation
08:53
Memory cardPhysical systemJava appletStandard deviationRange (statistics)Data managementSound effectWeb browserDifferent (Kate Ryan album)Real numberWindowSoftware frameworkGoodness of fitBitCryptographyCommunications protocolAreaDesign by contractComputing platformRootComplete metric spaceOpen sourceChainRelational databasePlastikkarteCanadian Mathematical SocietyComputer hardwareSource codeOperator (mathematics)Open setServer (computing)Multiplication signGroup action1 (number)MereologyProduct (business)Ocean currentSelf-organizationFacebookSoftware developerCoefficient of determinationRow (database)CASE <Informatik>CodeTheory of relativityPrime idealKey (cryptography)Graphics tabletEndliche ModelltheorieVideoconferencingRight angleSheaf (mathematics)Order (biology)Polar coordinate systemFingerprintMiniDiscComputer animation
15:24
Data storage deviceMultiplication signMereologyMaxima and minimaWindowClient (computing)Source codeCanadian Mathematical SocietyStandard deviationPlastikkarteComputer animation
Transcript: English(auto-generated)
00:00
Okay, hi, my name is Thomas Küssersohn and I'm working for a small open source company, PrimeKey. We develop open source PDI, enterprise products. EDVCA is a certificate authority and the sign server is a server-side, digital signature server stuff. And I'm going to talk a little bit about the whole kind of chain when using smart cards.
00:23
Because there is... Well, let's skip that. When you have a smart card, it's not only that well, you can have a smart card and you can use it on your PC. There's actually, when you want to use it in a bigger environment for a kind of serious business like electronic ID, etc.
00:44
There's a whole life cycle around it that you have to manage. And this is called certificate life cycle management, this slide, but it might as well say smart card life cycle management. Because for each smart card or certificate, you first issue it to someone and then you can use it.
01:04
And then when it will expire, then you have to renew it. If you lose it, then you have to revoke it or you can revoke it so someone else can't steal it and use it. And in the end, it expires and you throw it away and you just can't use it anymore.
01:21
So those are the different states these certificates and smart cards go through during the time. And of course, you can manage this life cycle in various ways. One, you can do it manually in a small environment. Works fine for a small scale.
01:43
Of course, it's more labor intensive and takes a little more time. But you can easily issue hundreds of electronic IDs with that. And for larger enterprises or countries, etc., you want some more automated life cycle management in order to automate these processes, etc.
02:03
And then there are different standard protocols that can be used to back release automated life cycle management. So this is just something showing that there is actually a very large amount
02:24
of different protocols and different things that have to interact in a PKI environment where you can issue different types of certificates, different types of smart cards for different purposes. You have smart card management, you have LDAT directories, VPN routers, web browsers, etc.
02:42
So it easily becomes quite complex and not very easy to manage at all.
03:00
So we concentrate on the smart card system. As I said, it's not only that you have a smart card and a smart card reader on your desktop. And in order for it to work, well, you actually have a whole chain. You have a certificate authority in the back end, which is a certificate for your PKI cards, smart cards.
03:23
You have a certificate that has to be transferred somewhere, some way, to the smart card. And that's called enrollment process. And actually, you can use smart card on both ends of this chain. In the left end here, we have a hardware security module for a certificate authority.
03:41
This can either be a 25,000 euro hardware box from SafeNet or U2Make or something, or you can also use a smart card with OpenSC, PKI, and CSLM, please, as well. And on the right side, of course, you have all the thousands or millions of smart cards for users.
04:01
So in the back end, the hardware security module, which can be a smart card, protects the certificate authority's private keys. So it can be copied by someone who breaks into the server. And this requires a life cycle management for this particular token. And you have to have some sort of key ceremony to generate it in a controlled way,
04:26
because it's usually required that this can be audited, at least if it's in a company or a country state. And then on the right-hand side, you have the issuance or provisioning of the users with their usable tokens, which they can actually use to do some online faxing or banking or online booking or whatever.
04:46
And that involves to personalize this smart card, which comes blank, which you have received from Michelle. But you have to personalize it so it actually contains your identity, your certificate.
05:03
And you can do this very fine with a row, just open SC, actually. But then this is then a demonstration of a manual process which contains some steps that you have to do. You can get your, this is actually for if you have a Siemens card office card, you can issue this.
05:22
Once you first initialize the card, you format the card, you create the PTCS15 file structure on the card, and you can init the card with a old PTCS11 slot. You can generate, then you have to generate a key pair in order to have your private and public keys.
05:41
And after this, now you have actually a smart card with keys on it. But in order to be able to use it as an ID, you also need a certificate from the certificate authority. And then you have to use OpenSSL. Next one example, which works with PTCS11, and you generate a certificate request on the file.
06:04
And you take this file and you can copy and paste it into a web page on the certificate authority. And then you can get a certificate from the certificate authority. And then, finally, you can use PTCS15 init to store the certificate on the smart card. And now, finally, you have the smart card that you can use in Firefox, for instance, to do SSL and TLS authentication.
06:29
So you can easily script this for a small business or a group like this, so you can issue smart cards. So that wouldn't be a problem. And there are also companies who wrap this to make their own smart
06:47
card personalization systems to fit with maybe GUIs in Python or something like that. So this is the labor-intensive way.
07:06
In an enterprise or large-scale environment, this is usually not acceptable because they are so cheap, so they want to do everything without manual labor. So then they want to bring in CMS, which, of course, means a lot of things.
07:22
In this context, the CMS is a card management system, not the content management system, not the cryptographic message syntax, but it's a card management system. So those are used by a lot of companies to actually enroll, issue, and manage this lifecycle that I mentioned in the beginning.
07:42
And it also has a lot of integration points. The CMS can integrate with LDAP and legacy systems, too. When you provision a user with their smart card, it's also distributed in the organization to all the systems who are the relying third parties and actually want to receive this ID.
08:05
And if you have a system like this, you usually have several databases. The certificate authority has a database with certificates to manage the certificate, to be able to revoke the certificate and issue revocation lists, etc.
08:23
And the card management system also has a database with ID numbers of the cards, etc. So you can keep track of which person got which I accept, the smart card, etc.
08:42
And there, of course, I mentioned that CMS, if it is the base use of NSE to create your card management system, it wouldn't be rocket science-based. There are plenty of companies who make card management systems. This is just a few examples we have been working with from some time or another.
09:04
You know, Aventra, a Finnish company. ATEEZ, Dutch. Centenaker, Swedish. Gemalto, Ventura, big ones. Part of the management framework here is actually an open source card management system, which is the only open source one.
09:21
Unfortunately, it relies on a proprietary or commercial PQCS 11 library, so it doesn't use OpenSC at least yet. So this is actually, if you talk about this whole chain of using smart cards, this is one area
09:40
where there is a gap of source software, at least to my knowledge, and this is the card management area. And that was actually it. I was very fast, so I am open for questions. And of course, I challenge you to develop a card management system based on OpenSC.
10:08
I have a question. How big is the gap between PrimeKey's current products and the CMS that you would like?
10:22
PrimeKey's products are, PrimeKey's product is this part, so we completed this part. PrimeKey doesn't do anything in this part, so that's it. What do you think is the reason why these sell?
10:44
That we don't do anything? No, no, no, don't do anything, but first of all it's kind of complicated and there is no open source-ish solution. What's the reason for this? I think that one reason, which is partly the reason why we don't do this, is once
11:04
you start doing this, you easily kind of transition here from where we are on the server side. It's very comfortable and nice. You deal with IT staff, which are very confident, etc. When you transition here, you start getting into the real user and Windows desktops, which you don't want to mess with, of course.
11:26
Are you dealing with cards? Exactly, and there are lots of cards which work very differently. There are no good standards for cards, which Martin knows everything about.
11:41
And the mains are very bad. So do you know about the DOCKTAC system? I think I've heard something. That was privately Netscape certificate system, now Red Hat certificate system, and it has been open source, this DOCKTAC.
12:05
I think it should be similar to what's happening here. It's definitely a certificate of 14, the DOCKTAC, that's the old Netscape certificate of 14. But I don't think they're also not in this area.
12:22
Yes, they are. The problem with DOCKTAC is that they're kind of stuck in time. The card support is one or two Java cards, very specific. And as I said, the card issuing is very often protected with cryptographic keys, NDAs, and very binding contracts.
12:45
So it's not really an open platform. They kind of fulfill their needs for their corporate requirements or something like that. You said earlier that it was possible to build an HSM on OpenSC on a smart card, but it's only to protect the root key.
13:08
When you mean HSM, is that an embedded device with a crypto disk, or is this a relational database based on PKCS11 doing complete crypto? Yes, just a hardware crypto device based on PKCS11 who performs the cryptographic operations.
13:29
In this case, HSM would just be a card reader and a smart card. But it's right that the smart card area, which you have to deal with here, has all the different vendors with no open standards.
13:50
Yes, the Java card needs an open standard, but it's very low level, so that's why it's quite complex.
14:01
Right now there are a lot of things on the wire that are quite well standardized, things like that, the issuing and so on. So when you have a large organization, whatever else, you're running chip cards, you can roll them out together with the readers and things like that. So a certain amount of preparatory stuff is almost acceptable there, because if you allow thousands of people,
14:21
that's so expensive that it has to work and you've got to have someone to blame to work. You've got so many people involved in the organization that you would never ever get through all the wires. Now, at that CMS part, that's of course a little bit different, because you have room for a standard and a massive benefit if you have one CMS system where there's a wide range of cards and things like that.
14:44
So if you look at OpenSC today, it covers a pretty wide range effectively. Could you make it more, or is there a way of slicing and dicing the problem a little bit different by lobbing off the whole browser side and saying, well let's only focus on the issuing side. Or somehow find a way of making the issuing protocol supported by open source, and let's tell and leave proprietary in the browser.
15:09
So basically as an interim step to get to this point, is there something pragmatic you can do there, or do you have to solve the whole problem in one pass? I think you can be quite pragmatic and mix and match a little bit. That's not good.
15:24
Where would you draw the line? What problem do you solve? What problem with the CMS do you really have to solve open source, open standard to get the maximum benefit? And what step can you leave a little proprietary knowing that smart cards and the rollout is really expensive? Well, currently I would say where you usually are the most proprietary is on Windows clients.
15:51
While the stuff in the middle can be more or less handled quite easily with open source things. At least that's my current opinion.
16:05
Okay, I think it's time for cigarettes again.