other device to store configuration!

John Dennis jdennis at redhat.com
Tue Apr 14 23:08:39 CEST 2009


new conf wrote:
> Hello;
> I realize that my smart card has a non-standard structure (and private 
> keys are stored in a table) not structured with PKCS#12 or 15. So I 
> have to request it to get those keys.
> I have the commands to do that.
> My question is, is it possible to convert the outputs of the smartcard 
> (APDUs in hexadecimal format) to a ".pem" file that my server can request?
>
> Please, do you have an idea? Any suggestions?
You cannot extract private keys from a smartcard. The whole purpose of a 
smartcard is to store a private key such that it can't be read directly, 
thus the question you're asking is nonsensical. This is why I proposed 
the list of questions for you last week, but I get the feeling you 
haven't researched them because of the question you're asking. But let 
me give you a hint.

The RADIUS server needs its private key for SSL/TLS handshaking. 
Different SSL/TLS implementations store private keys differently. 
OpenSSL, which is what FreeRADIUS utilizes for its SSL/TLS 
implementation, stores keys in PEM files. So why do different SSL/TLS 
implementations store keys differently than OpenSSL? Because a private 
key is gold; once someone has your private key they can impersonate your 
server. Thus protecting a private key is critical. Storing a private key 
in a file, although commonly done, is a dubious security practice 
because anyone with appropriate access can steal your key. Do you want 
your private key on backup tapes? You get the idea.

So what can you do such that your private key is never visible to 
anyone? One thing you can do is use a smartcard. How does a smartcard 
work? In simplest terms your private key is stored on the card. It 
*NEVER* leaves the card; the only way someone can be in possession of 
your private key is to be in possession of your smartcard. If the 
private key never leaves the card then how does the SSL/TLS 
implementation get access to your private key to perform the 
cryptographic operations necessary during the SSL/TLS handshake? The 
answer is it doesn't. What happens instead is that the SSL/TLS 
implementation asks the smartcard to perform the cryptographic operation 
using your key *ON THE CARD* and then return the result. This is one 
reason they're called smartcards: they're smart enough to do these things 
for you. So what does this mean? It means if you want to use a smart card 
to store your private key material, your SSL/TLS implementation must know 
enough to ask the smart card to perform cryptographic operations instead 
of doing the cryptographic operation itself using your private key (in a 
PEM file). The interface for smartcards is PKCS11; this is why I said 
you'll need to understand OpenSSL's support for PKCS11. I'm not an 
OpenSSL expert so I can't help you on that front. Another question to 
consider is whether a smartcard will give you adequate performance for 
your server load; a different type of hardware-based key management might 
be more appropriate than using a smartcard for a server. Smartcards are 
typically used for "client" authentication and signing where the volume 
of cryptographic operations is relatively low.

The following PDF from RSA gives an overview of Cryptographic Smart Cards:

http://www.afina.com.mx/download/docs/rsa/SecurIDSmartCard.pdf

Now do you understand why your question doesn't make any sense?

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
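The split John describes above, where the TLS stack never holds the key and instead hands the card a digest to sign, is easiest to see in working code with an interface that models exactly that contract. The following is an added example written for this archive page; it is not code from the post, from FreeRADIUS or from OpenSSL. Go's standard library lets a TLS server's private key be any `crypto.Signer`, which plays the role OpenSSL's PKCS#11 support plays in the email: the handshake calls `Sign` on that object rather than reading key bytes from a PEM file. The "card" here is a constructed software stand-in (the key is generated in memory only so the example runs offline); a real deployment would back the same interface with a PKCS#11 library, and the hostname `radius.example.test` is made up.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

// SimulatedCard is a constructed stand-in for a PKCS#11 token. The private key
// sits in an unexported field and the type exposes only what a card exposes:
// the public key and a signing operation. Nothing here hands the key out.
type SimulatedCard struct {
	key     *ecdsa.PrivateKey // on a real card this material never leaves the hardware
	signOps int64             // how many times the "card" was asked to sign
}

// NewSimulatedCard generates the key pair "on the card" (in software here,
// purely so the example is self-contained).
func NewSimulatedCard() (*SimulatedCard, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SimulatedCard{key: k}, nil
}

// Public returns the public half, which a card is allowed to disclose.
func (c *SimulatedCard) Public() crypto.PublicKey { return &c.key.PublicKey }

// Sign is the on-card operation: the caller passes in a digest and receives a
// DER-encoded ECDSA signature. This is the only code path that touches the key.
func (c *SimulatedCard) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	atomic.AddInt64(&c.signOps, 1)
	return ecdsa.SignASN1(r, c.key, digest)
}

// SignOps reports how many signatures the card has produced so far.
func (c *SimulatedCard) SignOps() int64 { return atomic.LoadInt64(&c.signOps) }

// selfSignedCert issues a server certificate for the card's key. Even the
// certificate signature is produced by the card through Sign, not by software.
func selfSignedCert(card *SimulatedCard, host string) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, card.Public(), card)
}

// Handshake runs a TLS server whose private key is the card and a client that
// verifies it against the card-issued certificate, over an in-memory pipe.
// It returns the negotiated TLS version and the number of on-card signatures.
func Handshake(card *SimulatedCard) (version uint16, signOps int64, err error) {
	const host = "radius.example.test" // made-up name for this example
	certDER, err := selfSignedCert(card, host)
	if err != nil {
		return 0, 0, err
	}
	leaf, err := x509.ParseCertificate(certDER)
	if err != nil {
		return 0, 0, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)

	serverCfg := &tls.Config{
		// PrivateKey may be any crypto.Signer: the handshake calls card.Sign instead
		// of reading key bytes from a PEM file. A PKCS#11 wrapper slots in the same way.
		Certificates:           []tls.Certificate{{Certificate: [][]byte{certDER}, PrivateKey: card}},
		SessionTicketsDisabled: true, // keeps the unbuffered pipe from blocking on post-handshake tickets
		MinVersion:             tls.VersionTLS12,
	}
	clientCfg := &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12}

	clientSide, serverSide := net.Pipe()
	defer clientSide.Close()
	defer serverSide.Close()
	server := tls.Server(serverSide, serverCfg)
	client := tls.Client(clientSide, clientCfg)

	clientErr := make(chan error, 1)
	go func() {
		e := client.Handshake()
		if e == nil {
			_, e = client.Write([]byte("ping")) // one record so the server has something to read
		}
		if e != nil {
			clientSide.Close() // unblock the server side if the client failed
		}
		clientErr <- e
	}()
	if err = server.Handshake(); err != nil {
		return 0, 0, err
	}
	if _, err = server.Read(make([]byte, 16)); err != nil {
		return 0, 0, err
	}
	if err = <-clientErr; err != nil {
		return 0, 0, err
	}
	return server.ConnectionState().Version, card.SignOps(), nil
}

func main() {
	card, err := NewSimulatedCard()
	if err != nil {
		panic(err)
	}
	v, n, err := Handshake(card)
	if err != nil {
		panic(err)
	}
	fmt.Printf("negotiated TLS version 0x%04x; card signed %d times (1 certificate + 1 handshake)\n", v, n)
}
```

The count of two signatures is the point: one when the certificate is issued and one for the handshake's signed proof of possession, and in neither case does the server process ever see the private key bytes. It also illustrates the performance caveat John raises, since every full handshake costs one round trip to the token.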
