From: Jean-Michel Pouré - GOOZE
Subject: Re: [OATH-Toolkit-help] Any chance to support Portable Symmetric Key Container (PSKC) seed format
Date: Mon, 24 Sep 2012 09:56:57 +0200
Dear Simon,
> I've been thinking about PSKC and trying to figure out what it would
> mean to support it in OATH Toolkit. I can imagine the following:
Thanks for looking at it.
> * Library functions to read and parse PSKC files and iterate through the
> data and extract the fields.
>
> * Tool to parse PSKC files and print the content in a human friendly
> way.
>
> * Tool to protect encrypt/decrypt PSKC files, according to section 6 in
> RFC 6030. There are several ways here, and it isn't clear what would
> be best to do.
>
> What functionality is interesting?
IMHO PSKC is useful for key provisioning (2nd option).
A small tool in the tradition of Unix would be nice to compute a PSKC
file and display/manipulate a seed. Then we can use a simple batch script
to manipulate /etc/users.oath.
Of course, another approach would be that /etc/users.oath references the
PSKC file. It would allow storing the seed securely on the server.
But ... IMHO most vendors are using the RADIUS protocol to store seeds
securely. So modifying /etc/users.oath may be a lot of work when
FreeRadius is able to do the work in conjunction with LDAP.
A customer recently explained that he was using FreeRadius with a custom
python script to manage OATH authentication. But I believe this is a
custom work and is not available to the public. oathtool could do the
trick also and I am trying to understand how to use it with FreeRadius.
For all these reasons, I believe a small utility would do the trick for
provisioning. This can be a first approach.
The ultimate solution would be an ePass2003 token on server, with
Freeradius and LDAP. The ePass2003 can be found here:
http://www.gooze.eu/epass-2003
On FreeRadius startup, the user would need to enter a PIN code to unlock
the seed encryption key in memory. This would really enhance the
security.
So the roadmap could be:
1) Provide a small PSKC utility.
2) Work on a FreeRadius HOWTO with custom scripts to integrate
OATHtoolkit with FreeRadius, with as little glue as possible.
3) Work on a more advanced version secured by a crypto stick like the
ePass2003. But I believe that even that can be managed by a custom
script in the Unix tradition.
Kind regards,
Jean-Michel POURE
--
GOOZE - http://www.gooze.eu
High quality cryptographic tools
for GNU/Linux, Mac OS X and Windows
including the FEITIAN PKI card
POURE SASU - 17 rue Saint Jacques - 95160 Montmorency - France
Tel : +33 (0)9 72 13 53 90 - Mobile : +33 (0)6 51 99 37 90
Registry: FR 527 672 448 00018 - VAT: FR54527672448
ID PGP/GPG: 084F2584
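The small provisioning utility discussed in this thread, sketched as an added example in Python (not code from OATH Toolkit, and not the poster's): it parses an unencrypted RFC 6030 PSKC KeyContainer and prints one line per key in the pam_oath /etc/users.oath layout, which is what a batch script would then append to the file. The sample container is constructed after the simple example in RFC 6030 section 3, with a hypothetical `<UserId>` element added so a key can be mapped to a login name; the users.oath columns (token type, user, password or `-`, hex secret, optional counter) and the `HOTP/E/<digits>` and `HOTP/T<step>/<digits>` type spellings follow pam_oath's documented usersfile format. Secrets carried as `<EncryptedValue>` (the section 6 protection Simon mentions) are refused with an error rather than handled.

```python
# Added example (not OATH Toolkit code): parse an unencrypted RFC 6030 PSKC
# container and emit lines in the pam_oath /etc/users.oath layout.
import base64
import xml.etree.ElementTree as ET

PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc"
ALG_HOTP = PSKC_NS + ":hotp"
ALG_TOTP = PSKC_NS + ":totp"

# Constructed sample modelled on the simple example in RFC 6030 section 3,
# with a hypothetical <UserId> added to map the key to a login name.
SAMPLE_PSKC = """<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0" Id="exampleID1"
    xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo>
      <Manufacturer>Manufacturer</Manufacturer>
      <SerialNo>987654321</SerialNo>
    </DeviceInfo>
    <Key Id="12345678" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <Issuer>Issuer</Issuer>
      <AlgorithmParameters>
        <ResponseFormat Length="8" Encoding="DECIMAL"/>
      </AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Counter><PlainValue>0</PlainValue></Counter>
      </Data>
      <UserId>jsmith</UserId>
    </Key>
  </KeyPackage>
</KeyContainer>
"""


def _q(name):
    """Namespace-qualify a PSKC element name for ElementTree lookups."""
    return "{%s}%s" % (PSKC_NS, name)


def _plain_value(data, name, default=None):
    """Return the <name><PlainValue> text under <Data>, or default if absent.
    An <EncryptedValue> (RFC 6030 section 6) is refused rather than misread."""
    el = data.find(_q(name))
    if el is None:
        return default
    if el.find(_q("EncryptedValue")) is not None:
        raise ValueError("%s is encrypted; decrypt the container first" % name)
    pv = el.findtext(_q("PlainValue"))
    if pv is None:
        raise ValueError("%s has no PlainValue" % name)
    return pv.strip()


def parse_pskc(xml_text):
    """Extract one dict per <Key> from an unencrypted PSKC KeyContainer."""
    root = ET.fromstring(xml_text)
    if root.tag != _q("KeyContainer"):
        raise ValueError("not a PSKC KeyContainer: %s" % root.tag)
    entries = []
    for pkg in root.findall(_q("KeyPackage")):
        serial = pkg.findtext(_q("DeviceInfo") + "/" + _q("SerialNo"))
        for key in pkg.findall(_q("Key")):
            data = key.find(_q("Data"))
            if data is None:
                raise ValueError("Key %s has no Data element" % key.get("Id"))
            secret_b64 = _plain_value(data, "Secret")
            if secret_b64 is None:
                raise ValueError("Key %s has no Secret" % key.get("Id"))
            rf = key.find(_q("AlgorithmParameters") + "/" + _q("ResponseFormat"))
            entries.append({
                "key_id": key.get("Id"),
                "algorithm": key.get("Algorithm"),
                "serial": serial,
                "user_id": key.findtext(_q("UserId")),
                "secret": base64.b64decode(secret_b64, validate=True),
                "counter": int(_plain_value(data, "Counter", "0")),
                "time_step": int(_plain_value(data, "TimeInterval", "30")),
                "digits": int(rf.get("Length", "6")) if rf is not None else 6,
            })
    return entries


def users_oath_line(entry, username=None):
    """Render one entry as a tab-separated users.oath line:
    token type, user, password ('-' = none), hex secret [, counter]."""
    user = username or entry["user_id"]
    if not user:
        raise ValueError("no username for key %s" % entry["key_id"])
    if entry["algorithm"] == ALG_HOTP:
        fields = ["HOTP/E/%d" % entry["digits"], user, "-",
                  entry["secret"].hex(), str(entry["counter"])]
    elif entry["algorithm"] == ALG_TOTP:
        fields = ["HOTP/T%d/%d" % (entry["time_step"], entry["digits"]),
                  user, "-", entry["secret"].hex()]
    else:
        raise ValueError("unsupported algorithm %s" % entry["algorithm"])
    return "\t".join(fields)


if __name__ == "__main__":
    for e in parse_pskc(SAMPLE_PSKC):
        print(users_oath_line(e))
```

Run as a script it prints the users.oath line for the sample key; in a provisioning batch, the output would be appended to /etc/users.oath (a file that holds raw seeds and so needs root-only permissions), and the `username` parameter lets a script override the PSKC `UserId` with the local login name. The parser deliberately stops at an encrypted secret instead of guessing, since decrypting a protected container is a separate step with its own key-handling decisions.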