[tor-dev] adding smartcard support to Tor

Donncha Ó Cearbhaill donncha at donncha.is
Mon May 23 06:59:55 UTC 2016

Razvan Dragomirescu:
> Hello again,
> I wanted to revisit this subject and actually start writing some code, but
> it looks like Ivan Markin's GitHub account is gone, together with all the
> code there. Ivan, are your modifications to OnionBalance still available
> anywhere?
> Thank you,
> Razvan

Hi Razvan,

I'm the author of OnionBalance, I'm glad to hear that your interested in
implementing smartcard support. It's something that I've wanted to
implement but I haven't got around to it yet.

Unfortunately I don't have a local copy of Ivan's branch. However his
code was integrating with a smartcard at a very low level by sending AT
commands manually. I don't think that is the best approach for

I think a better way would be to interface with the tokens via the
PKCS#11 protocol. The majority of smartcards and HSMs implement this
standard and there are compatible implementations available for most
operating systems. The Python pykcs11 module should be a helpful start [1].

I'm imagining a config file option where a user can specify a service
key as either a file path or a PKCS#11 URI [2].

A few months ago I researched which common smartcards are compatible
with the 1024 bit RSA private keys. It looks like some low cost options
such as the Yubikey 4 now only support 2048 bit and longer keys. It
would be great if someone can find out which hardware we can use with
102 bit hidden service keys!

Let me know if you have any questions. I'm happy to help you implement
this and get it merged.


[1] https://pypi.python.org/pypi/pykcs11
[2] https://tools.ietf.org/html/rfc7512

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20160523/1447e6e7/attachment.sig>

More information about the tor-dev mailing list