OpenSC Support Reaches Beta Status

UPDATE: OpenSC version 0.13 and newer contains this patch and supports the Crypto Stick.

Thanks to dozens of sponsors we raised Euro 2000 to patch OpenSC for full Crypto Stick (and OpenPGP Card) support. In particular we would like to thank Kicktipp GmbH and OpenDNSSEC AB for their donations. We asked MBM to perform the development, and after more than three months of hard work the patch is available and has already been merged into OpenSC's staging branch. We expect it to be in OpenSC's next stable release.

What is PKCS#11?

PKCS#11 is a standardized application programming interface (API) between cryptographic tokens (usually hardware) and software applications: any PKCS#11-compatible application can work with any PKCS#11-compatible token. The advantage of PKCS#11 support is that applications don't need to integrate with specific hardware devices but only have to support a single interface. However, hardware devices can't speak PKCS#11 directly; a device-specific software driver (a PKCS#11 module) is needed to provide that interface. OpenSC is one such driver.

For e-mail and data encryption two competing standards exist: OpenPGP and S/MIME / X.509. Naturally the Crypto Stick works very well with OpenPGP, and with the GnuPG application in particular. It can store three OpenPGP keys, for authentication, encryption and signing. A lesser-known feature of the Crypto Stick is the capability to store (and use) one X.509 certificate. This feature can be used with GnuPG version 2 (the gpgsm tool) and now with OpenSC as well.

What does the new OpenSC-support mean for me?

Peter Koch's PKCS#11 driver already enabled the use of PKCS#11-compatible applications with the Crypto Stick. It works well on Linux, Windows and MacOS X. But OpenSC is the open source PKCS#11 framework that is part of most Linux distributions and is also available for Windows and MacOS X. With the available patch it is now possible to use OpenSC as a PKCS#11 driver, which is the easier route on Linux. In addition, OpenSC provides a MiniDriver for Windows and contains tools to administer the Crypto Stick.

Now you can use the following applications with the Crypto Stick, for instance:

  • TrueCrypt storage encryption: TrueCrypt is a popular application to encrypt hard disks and other storage volumes on Linux, Windows and MacOS X. Instead of passwords, the Crypto Stick can now be used as the key to the encrypted volumes. More information...
  • Firefox web browser: Unlike password logins, some web sites (http://www.crypto-stick.com/en/certificate-authentication) allow users to log in via client certificates, which provides better security. Please note that Firefox can't generate new certificates on the Crypto Stick directly.
  • Thunderbird e-mail client: In addition to OpenPGP-based e-mail encryption, the X.509-based S/MIME format can be used as well. S/MIME is more popular among enterprises and usually requires the user certificate to be issued by a certificate authority (CA). Some CAs offer such a certificate for free (e.g. StartSSL, and also worth mentioning the community project CAcert); others charge a small annual fee. S/MIME support is built into Thunderbird (and most other e-mail clients as well) out of the box.
  • Other popular PKCS#11-compatible applications are, for instance, the SSH clients PuTTY / KiTTY, OpenVPN and the IPsec implementation strongSwan. For more information, look for mentions of "PKCS#11" on the applications page.
  • Thanks to marschap, OpenSC will also contain a new command line tool that allows managing Crypto Sticks with OpenSC directly. This includes reading and writing user information on the device and generating or importing keys and certificates. More information...

How to use it?

UPDATE: OpenSC version 0.13 and newer contains this patch and supports the Crypto Stick. We very much welcome you to test it! Here you find information on how to use OpenSC's command line tools. Please feel free to write additional instructions, e.g. on how to use it with particular applications.
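As an added example (not code from the Crypto Stick or OpenSC projects), the following POSIX-sh helpers show what "using OpenSC as the PKCS#11 driver" looks like in practice: locating the opensc-pkcs11 module, checking that the X.509 certificate on the token is paired with a private key by CKA_ID (the check an application such as Firefox or Thunderbird performs implicitly before it will offer the certificate), doing a sign/verify round trip with pkcs11-tool and OpenSSL, and registering the module in a Firefox or Thunderbird profile as the application list above requires. The module search paths, the availability of pkcs11-tool, modutil and openssl, the SHA256-RSA-PKCS mechanism and the profile directory are assumptions; the object listing is constructed, not captured from a device.

```shell
#!/bin/sh
# Added example, not code from the Crypto Stick or OpenSC projects.
# Assumptions: OpenSC's pkcs11-tool and NSS's modutil are installed, OpenSSL
# is available, and opensc-pkcs11.so lives in one of the paths listed below.

# Print the path of the OpenSC PKCS#11 module (first candidate that exists).
opensc_module() {
    for p in /usr/lib/opensc-pkcs11.so \
             /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \
             /usr/lib64/opensc-pkcs11.so \
             /usr/local/lib/opensc-pkcs11.so \
             /Library/OpenSC/lib/opensc-pkcs11.so; do
        if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# Constructed sample of "pkcs11-tool --list-objects" output for a Crypto Stick
# (not captured from a real device; IDs follow OpenSC's OpenPGP card layout,
# where the cardholder certificate shares ID 03 with the authentication key).
sample_listing() {
    cat <<'EOF'
Using slot 0 with a present token (0x0)
Private Key Object; RSA
  label:      Signature key
  ID:         01
  Usage:      sign
Private Key Object; RSA
  label:      Encryption key
  ID:         02
  Usage:      decrypt
Private Key Object; RSA
  label:      Authentication key
  ID:         03
  Usage:      sign
Certificate Object; type = X.509 cert
  label:      Cardholder certificate
  ID:         03
EOF
}

# Read a pkcs11-tool object listing on stdin; print "<class> <id>" per object.
parse_object_ids() {
    awk '
        /^Certificate Object/ { cls = "cert" }
        /^Private Key Object/ { cls = "privkey" }
        /^Public Key Object/  { cls = "pubkey" }
        /^  ID:/ && cls != "" { print cls, $2; cls = "" }
    '
}

# PKCS#11 applications (Firefox, Thunderbird, ...) pair a certificate with its
# private key by CKA_ID; a certificate without a matching key is not usable
# for client authentication or S/MIME. Exit status 0 when every certificate
# has a private key with the same ID.
check_cert_key_pairing() {
    parse_object_ids | awk '
        $1 == "cert"    { cert[$2] = 1 }
        $1 == "privkey" { key[$2] = 1 }
        END {
            bad = 0
            for (id in cert) if (!(id in key)) {
                print "certificate " id " has no private key with the same ID"
                bad = 1
            }
            exit bad
        }
    '
}

# Live check against a present Crypto Stick: list objects and verify pairing.
token_check() {
    mod=$(opensc_module) || { echo "OpenSC PKCS#11 module not found" >&2; return 1; }
    pkcs11-tool --module "$mod" --list-objects | check_cert_key_pairing
}

# Sign a file with the key of the given ID and verify the signature with
# OpenSSL using the public key exported from the token. Prompts for the PIN.
#   $1 = key ID (e.g. 01 for the signature key), $2 = file to sign
sign_and_verify() {
    mod=$(opensc_module) || return 1
    pkcs11-tool --module "$mod" --id "$1" --read-object --type pubkey \
                --output-file "$2.pub.der" &&
    openssl pkey -pubin -inform DER -in "$2.pub.der" -out "$2.pub.pem" &&
    pkcs11-tool --module "$mod" --login --id "$1" --sign \
                --mechanism SHA256-RSA-PKCS --input-file "$2" \
                --output-file "$2.sig" &&
    openssl dgst -sha256 -verify "$2.pub.pem" -signature "$2.sig" "$2"
}

# Make the token visible to Firefox or Thunderbird by registering the module
# in the profile's NSS database. $1 = profile directory (hypothetical path,
# e.g. "$HOME/.mozilla/firefox/<profile>").
register_with_nss() {
    mod=$(opensc_module) || return 1
    modutil -dbdir "sql:$1" -add "OpenSC" -libfile "$mod" -force
}
```

`token_check`, `sign_and_verify` and `register_with_nss` need a plugged-in Crypto Stick and the respective tools; `parse_object_ids` and `check_cert_key_pairing` work on any saved listing, so the pairing check can be run on the constructed sample above without hardware. A certificate whose ID has no private key is the usual reason an application "sees" the token but offers no certificate to log in or sign with.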

Download

Download the latest OpenSC for Windows, Linux or MacOS X

12.3.2016
