Authentication mechanisms are usually classified into three factors: "something you know", "something you have" and "something you are".
Passwords are something you know.
PKI cards/tokens are something you have.
Biometrics are something you are.
The problem I have with biometrics is that you can't change the tokens, and that is bad for a number of reasons. For example, some new cars come with a biometric reader so the makers can claim they are harder to steal, but as one proud new owner found out it just makes criminals hurt you more: now he doesn't have a car and he has one less finger. That's right, they stole his car and cut off his finger as well!
My preference lies with something you have, that is PKI hardware, which in most cases also requires a PIN (something you know), which adds up to two-factor authentication. The beauty of this system is that the PIN and the card by themselves are useless: having the card alone is useless because if you get the PIN wrong 3 times the card locks itself to prevent brute-force attacks, and of course the PIN alone is pointless without the card.
And so begins my epic tale of getting PKI hardware to work with Linux; the difficulty I encountered highlights one of the many reasons PKI hasn't taken off in a big way.
This week I met up with a nice gentleman who happened to be the distributor for Gemplus products in Australia/New Zealand, and who was kind enough to give me a few of their products for evaluation purposes. I believe others have also managed to get evaluation kit from Aladdin; check the main mailing list archive for details on that.
In any case this was my first look at any kind of PKI-based hardware, and as usual for Linux, driver support and integration between applications leave a lot to be desired, but the lack of coherent documentation was an even bigger headache.
I was given a Gemplus Twin USB reader to play with. I had also been given a few cards when I went to Usenix last year, and 2 more cards came with this reader. So I put the Gemplus Xpresso 32K Pro Java-based card into the reader, plugged the reader into the nearest USB port and started installing packages on my Ubuntu Linux desktop.
The reader was found and appeared to work perfectly, so I tried to initialise the PKI card, but this was my first stumbling block: not only do you need drivers for the card readers, the cards themselves need drivers as well, and I still haven't managed to work out how to use 3 of the 4 cards I have!
Eventually I found the cards I was given last year (since I didn't have a reader, they had been pretty much door stops). I put the Java card in and it also failed; I found out later that Java card support in Linux is poor at best. Next up was the GemSAFE PKI card, which thankfully happened to work perfectly without needing to change a thing. So far so good.
Next came the daunting task of figuring out how to generate a private key on the card and get a CAcert-signed certificate onto it. I loaded the OpenSC plugin into Firefox and made numerous attempts to use the built-in key generation and CSR submission functionality, which failed abysmally each and every time.
I eventually settled on using the pkcs15-init tool to generate a key, and with the OpenSC module for OpenSSL I was finally able to produce a CSR. This left me with another problem: how to get a signed certificate from the CAcert website. So I hacked up the CAcert website to allow me to paste the CSR directly into the browser, similar to the way server certificates are done (for all those of you paranoid enough to want that feature because you don't trust browsers, it now exists!).
To my utter shock and disbelief the certificate was actually generated first time with no problems from our website at all, which was the first thing to go right first time!
So now I had a shiny CAcert-signed certificate, and it was quite simple to import it onto the card. I then found that Thunderbird saw the key/certificate and was able to sign/encrypt/decrypt emails. Firefox also saw the key pair and was able to do certificate-based authentication to the website. Interestingly, the moment I pulled the card from the reader the website was no longer authenticating me; I put it back in the reader and it carried on as if nothing had happened. That is a great security feature as far as I'm concerned: if you are walking away from your computer you just yank the PKI card and off you go!
Now that I was getting into the swing of things I started reading up on what else this could be used for, and as far as I can see virtually every password-based system can now go bye-bye. I've since set up my laptop to do console login where I only need to type the username and the card PIN, not a password, and the same works for xscreensaver when it kicks in to automatically protect my laptop when I walk away and forget to lock it manually.
The icing on the cake was being able to do remote SSH authentication. This is a little tricky, in part due to the current design of SSH: to get it to prompt for your card's PIN you need to run ssh-agent, then load the card's PKCS#11 module into it via ssh-add (which asks for your PIN), and only then can you do remote authentication from PKI-based devices.
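The enrolment steps above (on-card key generation, CSR via the OpenSC OpenSSL engine, certificate import) and the ssh-agent step, pulled together as an added example script; this is not from the original post and uses only the OpenSC and OpenSSH command-line tools. It assumes an already initialised GemSAFE-style PKCS#15 card, key id 45 protected by PIN auth-id 01, the OpenSC PKCS#11 module at the path in `MODULE`, and the older engine_pkcs11 key reference syntax `slot_0-id_45` (newer versions take a `pkcs11:` URI instead).

```shell
#!/bin/sh
# Added example, not the post's own code. Assumptions: card already set up
# with pkcs15-init --create-pkcs15, key id 45 under PIN auth-id 01, OpenSC
# module at $MODULE. DRY_RUN=1 prints each command instead of running it,
# so the flow can be read through without a reader attached.
set -eu
MODULE="${OPENSC_MODULE:-/usr/lib/opensc-pkcs11.so}"
KEY_ID=45        # object id of the key pair on the card (assumed)
AUTH_ID=01       # PIN that protects it; the card locks after 3 wrong tries
KEY_REF="${PKCS11_KEY_REF:-slot_0-id_$KEY_ID}"  # engine key reference (assumed)
CSR=card.csr     # CSR to paste into the CA's web form, as in the post
CERT=card.pem    # PEM certificate the CA hands back

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# 1. Generate the RSA key pair on the card; the private key never leaves it.
#    No --pin on the command line: the tool prompts, so the PIN stays out of
#    shell history and the process list.
generate_key() {
  run pkcs15-init --generate-key rsa/2048 --auth-id "$AUTH_ID" \
      --id "$KEY_ID" --label "CAcert client key"
}

# 2. Build a CSR with OpenSSL's pkcs11 engine; the request is signed by
#    the on-card key, so only the public half leaves the card.
make_csr() {
  run openssl req -engine pkcs11 -keyform engine -key "$KEY_REF" \
      -new -subj "/CN=example user" -out "$CSR"
}

# 3. Store the CA-signed certificate on the card next to its key.
store_cert() {
  run pkcs15-init --store-certificate "$CERT" --auth-id "$AUTH_ID" --id "$KEY_ID"
}

# 4. SSH: print the public key for the remote authorized_keys, then load the
#    module into the running ssh-agent (ssh-add prompts for the PIN once).
ssh_enable() {
  run ssh-keygen -D "$MODULE"
  run ssh-add -s "$MODULE"
}

# Check remaining PIN tries before the card locks itself.
pin_status() { run pkcs15-tool --list-pins; }
```

Run the functions in order with a reader attached; with `DRY_RUN=1` the script only echoes the commands it would execute.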
All up it turned out to be a rewarding experience, even if it was a little difficult to work out in the first place, because now I can set really strong passwords and don't need to remember them except as a last resort, in case I lose my PKI card or something along those lines.
I also went to the trouble of writing up step-by-step guides, in the hope that they will save others from the same pitfalls I suffered and also stimulate the uptake of PKI hardware, as it's a MUCH better idea than using passwords: you need "something you have" as well as "something you know", rather than just "something you know" as in the case of passwords.
As a side note, we’re contemplating distributing cards, readers and tokens and would appreciate feedback if people would like to buy these, at present they come out about US$45 + postage, although we’re trying to get them cheaper with a bulk buy.