other device to store configuration!
hello to all; I have a question.. and i hope I'll have a reply or an idea!! If I have to store my files of configuration (eap, keys, randoms, dh..) in a usb device, have you an idea: how can I configure my freeradius? thanks you for your help!
Hi,
I have a question.. and i hope I'll have a reply or an idea!! If I have to store my files of configuration (eap, keys, randoms, dh..) in a usb device, have you an idea: how can I configure my freeradius?
Under Linux, you use a USB device by mounting it into the filesystem. I.e. the files on your USB device have a proper path. Use that path as option to --with-sysconf-dir=... so that FreeRADIUS will take its config from there. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
*thank you Stefan, * *Use that path as option to --with-sysconf-dir=* that means, when compiling the radius at installation? *to Ivan Kalik:* * Best advice - don't do that!!! Certificates are *much* safer on a server than on a USB device - what are you going to do if someone walks off with it?* :) yesss I'm with your advice, but if the usb device is a smartcard, it becoms other thing.. the problem is that I must understand what are the inpout/output of this device to reach it and extract the information.. ouuf, lonng road!! :(
On 2/4/09 21:03, new conf wrote:
*thank you Stefan, *
/Use that path as option to --with-sysconf-dir=/
that means, when compiling the radius at installation?
Yes, when you run the configure script.
*to Ivan Kalik:* / Best advice - don't do that!!! Certificates are *much* safer on a server than on a USB device - what are you going to do if someone walks off with it?/
:) yesss I'm with your advice, but if the usb device is a smartcard, it becoms other thing.. the problem is that I must understand what are the inpout/output of this device to reach it and extract the information.. ouuf, lonng road!! :(
Mount it on the file system, then specify the mount point with ./configure --with-sysconf-dir=/mnt/<usb> Like Stefan suggested.
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
new conf wrote:
*thank you Stefan, *
/Use that path as option to --with-sysconf-dir=/
that means, when compiling the radius at installation?
*to Ivan Kalik:* / Best advice - don't do that!!! Certificates are *much* safer on a server than on a USB device - what are you going to do if someone walks off with it?/
:) yesss I'm with your advice, but if the usb device is a smartcard, it becoms other thing.. the problem is that I must understand what are the inpout/output of this device to reach it and extract the information.. ouuf, lonng road!! :(
You can't just mount a smartcard as a mass storage device and access key data, that would defeat the entire purpose of a smartcard. Managing keys on a smartcard is one of the problems PKCS11 was developed to address (I believe you'll also need a driver specific to the smartcard that PKCS11 will load, your smartcard vendor can provide this for you). OpenSSL has some type of support for PKCS11, exactly what I'm not sure, but that's the direction you want to head, learn how to configure OpenSSL for PKCS11. Armed with that information you'll be able to ascertain if the current OpenSSL support in FreeRADIUS is sufficient to pass that configuration information down to OpenSSL when it initializes (this might very well require a code change). -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Thank you Arran for trying to help me.. :) Effectively John.. to be able to access the smartcard, I use PCSC lite tool... but the language to communicate is "low level" I'll see about PKCS11 + OpenSSL *Armed with that information you'll be able to ascertain if the current OpenSSL support in FreeRADIUS is sufficient to pass that configuration information down to OpenSSL when it initializes (this might very well require a code change).* You mean that anyway, I'll have to change the code?! I'm so grateful!
new conf wrote:
Effectively John.. to be able to access the smartcard, I use PCSC lite tool... but the language to communicate is "low level" I'll see about PKCS11 + OpenSSL pscs-lite uses PKCS11 to access the smartcard. I don't think you understand the relationship between all the components yet. Start with:
1) why am I using a smart card? 2) how does a smartcard protect key data? 3) where do cryptographic operations occur? 4) where is my key data located? 5) what key data does the freeradius server need access to and at what time? 6) how will the freeradius server get access to the key data when it needs it? If you can answer these questions your search for the solution will be much more directed. and here's a good one you can't forget to ask: 7) what is the physical security of my freeradius server with the smart card inserted? also don't forget to consider: 8) Will you pin protect the key data on the card and where will you locate the pin? Can you tolerate rouge processes utilizing the key data on the card if the card is not pin protected or the pin is stored on disk? If the card is pin protected and you don't store the pin on disk can you tolerate the need for an administrator being physically present to unlock the card upon restart? -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Thank you John for your structured questions.. the question that follows is nearly the response for the previous! ..I'm able to reply to all, except the sixth one.. I'll do it :)
Hello; I realize that my smart card has a non-standard structure (and private keys are stored in a table) non structured with pkcs#12 or 15. So I have to request it to have that keys. I have the commands to do that. My question is, it is possible to convert the outputs of th smartcard( APDUs in hexadecimal format) to a ".pem" file that my server can request? please, have you an idea? a suggestions? thank youuuuuu W.
new conf wrote:
Hello; I realize that my smart card has a non-standard structure (and private keys are stored in a table) non structured with pkcs#12 or 15. So I have to request it to have that keys. I have the commands to do that. My question is, it is possible to convert the outputs of th smartcard( APDUs in hexadecimal format) to a ".pem" file that my server can request?
please, have you an idea? a suggestions? You cannot extract private keys from a smartcard. The whole purpose of a smartcard is to store a private key such that it can't be read directly, thus the question you're asking is nonsensical. This is why I proposed the list of questions for you last week, but I get the feeling you haven't researched them because of the question you're asking. But let me give you a hint.
The radius server needs it's private key for SSL/TLS handshaking. Different SSL/TLS implementations store private keys differently. OpenSSL which is what FreeRADIUS utilizes for it's SSL/TLS implementation stores keys in pem files. So why do different SSL/TLS implementations store keys differently than OpenSSL? Because a private key is gold, once someone has your private key they can impersonate your server. Thus protecting a private key is critical. Storing a private key in a file, although commonly done, is a dubious security practice because anyone with appropriate access can steal your key. Do you want your private key on backup tapes? You get the idea. So what can you do such that your private key is never visible to anyone? One thing you can do is use a smartcard. How does a smartcard work? In simplest terms your private key is stored on the card. It *NEVER* leaves the card, the only way someone can be in possesion of your private key is to be in possession of your smartcard. If the private key never leaves the card then how does the SSL/TLS implementation get access to your private key to perform the cryptographic operations necessary during SSL/TLS handshake? The answer is it doesn't. What happens instead is that the SSL/TLS impementation instead asks the smartcard to perform the cryptographic operation using your key *ON THE CARD* and then return the result. This is one reason they're called smartcards, they're smart enough to do these things for you. So what does this mean? It means if you want to use a smart card to store your private key material your SSL/TLS implementation must know enough to ask the smart card to perform cryptographic operations instead of doing the crytographic operation itself using your private key (in a pem file). The interface for smartcards is PKCS11, this is why I said you'll need to understand OpenSSL's support for PKCS11. I'm not an OpenSSL expert so I can't help you on that front. Another question to consider is if a smartcard will give you adequate performance for your server load, a different type of hardware based key management might be more appropriate than using a smartcard for a server. Smartcards are typically used for "client" authentication and signing where the volume of cryptographic operations is relatively low. The following PDF from RSA gives an overview of Cryptographic Smart Cards: http://www.afina.com.mx/download/docs/rsa/SecurIDSmartCard.pdf Now do you understand why your question doesn't make any sense? -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
I m Ok that the whole point of using a smart card is that we can't extract keys.. I learned that OPENSSL using the API pkcs#11 must communication with a middleware called openSC that really comunicate with the card.. the problem is that opensc, do not understand the structure of card if it is non standard ( exple pkcs#15). SO: 1- I should write an emulation driver that will create a structure ( similar to pkcs#15) in host memory to allow the middleware to know the structure ( exple: ID/path of keys) 2- I should write a driver card to make opensc doing basic commands, such as sign data with that key(if needed ) -> the outputs will be understood by openssl. I'm thinking about another solution: why not creating a new module ( in place of eap-tls) that freeradius will use to apply eap-tls via "APDU outputs" of card instead of openssl. client must have the same structure of messages to send! *Another question to consider is if a smartcard will give you adequate performance for your server load, a different type of hardware based key management might be more appropriate than using a smartcard for a server. Smartcards are typically used for "client" authentication and signing where the volume of cryptographic operations is relatively low. *if i will be able to connect one card, i will use many cards to connect with server to optimize the performences and the access to the data.. can you give me an exemple of other hardware key management usable for that aim?! thanks a lot!
participants (4)
-
Arran Cudbard-Bell -
John Dennis -
new conf -
Stefan Winter