Date: Thu, 17 Feb 2005 22:36:28 +0100 From: Erik Norgaard <norgaard@locolomo.org> To: ports@freebsd.org Subject: Project: pam_smartcard developer request Message-ID: <42150E5C.90409@locolomo.org>
next in thread | raw e-mail | index | archive | help
Hi, I don't know if this is the right list or I should write to current@ or other - please redirect me. At work I am developing on the JavaCard platform which is a java based smart card. I thought I might as well do something usefull also and develop a card based application for authentication. The project: Provide a two-factor (something you have + something you know) authentication module for *BSD. This kind of setup is most interesting for larger networks or campus where a smart card can be combined with ordinary ID. This splits in two: The part that runs on the card (in javacard lingo the JavaCard applet), and the part that runs on the system (in javacard lingo the host/client application). I don't have the knowledge to do the host application, while I can program the card applet. For the host part, this need not be in Java. I think ideas could be borrowed from other pam_* projects, and a backend database or directory server is needed in order to avoid forged cards. If any one is interested in joining such a project reply to me off-list (I'm on the list, but I think this should be coordinated off-list). NOTE: This is not going to be part of my paid work. I am not asking you to do my job for free! Some things I have considered: The card based authentication must not only identify the user but also the card, otherwise an intruder could produce forged cards. Identifying the card is easy because it supports strong cryptography and can hold RSA keys that cannot be retrieved from the card. But the card's public key must be stored centrally. My idea is that when the card is issued, a key pair is created on the card and the public key stored centrally. When the card is inserted the system sends a challenge to the card encrypted with the card's public key. Then the card can only respond if it has the private key. Other problems are: The login session should terminate when the card is removed, this requires a daemon to keep checking the card. The host application must not only support authentication but also issuing of cards. The cards I have are JavaCard 2.1 - this is fine for this project. The problem is to get drivers for the available readers. Driver exists for RedHat Linux but is not yet ported (see pcsc-lite port). However, the implementation will be vendor independent. Copyright: I do not copy code from my work, nor will code go the other way. The copyright will be BSD-type copyright. Code from other projects that impose non-compatible restrictions should not be imported unless these restrictions are removed. Time span: I think the hardest part is the host application, but this is partly because I don't know how to do it :-) For the card part, I believe this can be done before july. Cheers, Erik -- Ph: +34.666334818 web: http://www.locolomo.org S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9 Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42150E5C.90409>