Thanks to Stan Borbat for the following:
This example uses utilities from the OpenSC project
See also PyKCS11
I create a 256 byte secret AES key or such. I encrypt it with one of the four RSA public keys available on the card. Then I can store the resulting secret alongside of the encrypted drive or whatever else needs offline authentication. Only the private key embedded in the smart card can then be used to derive that secret given that a user is able to authenticate with the smart card. I put together a proof of concept that seems to work. Now it's a matter of figuring out of this is at all usable in practice.
#!/bin/bash
# Requires the opensc and openssl packages on Ubuntu
SECRET="256byte.dat" # Sample secret data that must be exactly 256 bytes.
PIN="123456" # Smart card pin
KID="01" # 01 and 02 work on PIV cards
echo "== Extracting the public certificate '$KID' from the smart card"
pkcs15-tool --read-certificate $KID > /tmp/sc-cert.crt
echo "== Extracting the public key from the certificate"
openssl x509 -in /tmp/sc-cert.crt -pubkey -noout > /tmp/sc-cert.key
echo "== Encrypting a secret the smart card's public key =="
openssl rsautl -in $SECRET -raw -encrypt -pubin -inkey /tmp/sc-cert.key -out not-secret.dat
#########################################
# not-secret.dat can now be distributed #
#########################################
echo "== Decrypting with the smart card (sign with card's private key)"
pkcs15-crypt --key $KID --pin $PIN --sign --input not-secret.dat -o secret.dat
echo "== Comparing original secret with a decrypted one"
diff $SECRET secret.dat
echo "== Cleaning up =="
rm secret.dat
Comments
0 comments
Article is closed for comments.