other device to store configuration!
John Dennis
jdennis at redhat.com
Tue Apr 14 23:08:39 CEST 2009
new conf wrote:
> Hello;
> I realize that my smart card has a non-standard structure (private
> keys are stored in a table), not structured with PKCS#12 or 15. So I
> have to request it to get those keys.
> I have the commands to do that.
> My question is, is it possible to convert the outputs of the smartcard
> (APDUs in hexadecimal format) to a ".pem" file that my server can request?
>
> Please, have you an idea? A suggestion?
You cannot extract private keys from a smartcard. The whole purpose of a
smartcard is to store a private key such that it can't be read directly,
thus the question you're asking is nonsensical. This is why I proposed
the list of questions for you last week, but I get the feeling you
haven't researched them because of the question you're asking. But let
me give you a hint.
The radius server needs its private key for SSL/TLS handshaking.
Different SSL/TLS implementations store private keys differently.
OpenSSL, which is what FreeRADIUS utilizes for its SSL/TLS
implementation, stores keys in pem files. So why do different SSL/TLS
implementations store keys differently than OpenSSL? Because a private
key is gold, once someone has your private key they can impersonate your
server. Thus protecting a private key is critical. Storing a private key
in a file, although commonly done, is a dubious security practice
because anyone with appropriate access can steal your key. Do you want
your private key on backup tapes? You get the idea.
So what can you do such that your private key is never visible to
anyone? One thing you can do is use a smartcard. How does a smartcard
work? In simplest terms your private key is stored on the card. It
*NEVER* leaves the card; the only way someone can be in possession of
your private key is to be in possession of your smartcard. If the
private key never leaves the card then how does the SSL/TLS
implementation get access to your private key to perform the
cryptographic operations necessary during the SSL/TLS handshake? The answer
is it doesn't. What happens instead is that the SSL/TLS implementation
asks the smartcard to perform the cryptographic operation using
your key *ON THE CARD* and then return the result. This is one reason
they're called smartcards, they're smart enough to do these things for
you. So what does this mean? It means if you want to use a smart card to
store your private key material your SSL/TLS implementation must know
enough to ask the smart card to perform cryptographic operations instead
of doing the cryptographic operation itself using your private key (in a
pem file). The interface for smartcards is PKCS11, this is why I said
you'll need to understand OpenSSL's support for PKCS11. I'm not an
OpenSSL expert so I can't help you on that front. Another question to
consider is if a smartcard will give you adequate performance for your
server load; a different type of hardware based key management might be
more appropriate than using a smartcard for a server. Smartcards are
typically used for "client" authentication and signing where the volume
of cryptographic operations is relatively low.
The following PDF from RSA gives an overview of Cryptographic Smart Cards:
http://www.afina.com.mx/download/docs/rsa/SecurIDSmartCard.pdf
Now do you understand why your question doesn't make any sense?
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
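The boundary John describes above, where the TLS side can only ask the card to sign and never reads the key, is modelled in the following added example. It is not code from the list post, from FreeRADIUS or from OpenSSL; the class names (`PemFilePrivateKey`, `SmartCardToken`) and the handshake transcript are constructed for illustration, and the RSA keys are toy-sized with no padding, so it shows the interface split only, not a usable TLS signer.

```python
"""Added example (not from the FreeRADIUS list post): models the difference
between a private key held in a PEM file and one held on a smartcard/PKCS#11
token, where the TLS side can only ask the token to sign, never read the key.
Toy key sizes and raw (unpadded) RSA: this illustrates the interface boundary
only and is not a usable crypto implementation."""
import hashlib
import secrets

E = 65537  # standard RSA public exponent


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test (sufficient for a demonstration)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_rsa(bits: int = 512):
    """Returns (n, e, d). Toy size; real server keys are 2048 bits or more."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:  # E is prime, so this guarantees gcd(E, phi) == 1
            return p * q, E, pow(E, -1, phi)


def _digest_int(data: bytes) -> int:
    # SHA-256 digest (256 bits) is always below the 512-bit modulus used here
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class PemFilePrivateKey:
    """Hypothetical key loaded from a PEM file: the private exponent lives in
    process memory, and anyone who can read the file (or a backup of it)
    can copy it."""
    def __init__(self, bits: int = 512):
        self.n, self.e, self.d = generate_rsa(bits)

    def public_key(self):
        return self.n, self.e

    def sign(self, data: bytes) -> int:
        return pow(_digest_int(data), self.d, self.n)

    def export_private_key(self) -> int:
        return self.d  # readable: this is what "stealing the key" means


class SmartCardToken:
    """Hypothetical model of a PKCS#11 token: the key is generated inside and
    is non-extractable (PKCS#11 attribute CKA_EXTRACTABLE false), so callers
    get a sign() operation and the public half, nothing else."""
    def __init__(self, bits: int = 512):
        n, e, d = generate_rsa(bits)
        self.n, self.e = n, e
        self.__d = d  # name-mangled attribute stands in for storage on the card

    def public_key(self):
        return self.n, self.e

    def sign(self, data: bytes) -> int:
        # The operation runs "on the card"; only the result is returned.
        return pow(_digest_int(data), self.__d, self.n)

    def export_private_key(self):
        raise PermissionError("private key is non-extractable and never leaves the token")


def tls_server_signature(key_holder, handshake_transcript: bytes) -> int:
    """What the SSL/TLS side does: ask whoever holds the key to sign the
    handshake data. It does not need to know whether that is a file-backed
    key or a token, which is exactly the indirection PKCS#11 provides."""
    return key_holder.sign(handshake_transcript)


def client_verify(public_key, handshake_transcript: bytes, signature: int) -> bool:
    """The peer verifies with the public key from the server certificate."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(handshake_transcript)


if __name__ == "__main__":
    transcript = b"constructed TLS handshake transcript"  # constructed sample input
    token = SmartCardToken()
    sig = tls_server_signature(token, transcript)
    print("token signature verifies:", client_verify(token.public_key(), transcript, sig))
    try:
        token.export_private_key()
    except PermissionError as exc:
        print("export refused:", exc)
```

The point to take from the two classes is that the TLS-side function is identical for both: the hardening comes from what the key holder refuses to do, not from anything the handshake code does. In a real deployment that refusal is enforced by the card's firmware and surfaced to OpenSSL through its PKCS#11 engine, and the performance caveat in the post applies because every handshake then waits on the card for that one operation.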