[tor-dev] adding smartcard support to Tor

Razvan Dragomirescu razvan.dragomirescu at veri.fi
Tue May 24 17:39:15 UTC 2016

Thank you Evan, Donncha,

Regarding 1024-bit RSA support, take a look at
http://www.fi.muni.cz/~xsvenda/jcsupport.html - almost all JavaCard cards
support that.

I'm a Java developer but it looks like I'm going to have to switch to (and
learn) Python for this since almost all Tor utilities appear to only be
maintained in Python (and I don't feel like reinventing the wheel in Java).
We'll see...

Thanks Evan for the .onion links, I'll take a look. I'm still collecting
data, testing hardware, etc. BTW, one of the cheapest options for this is
http://www.ftsafe.com/product/epass/eJavaToken - $12 at
http://javacardos.com/store/smartcard_eJavaToken.php . Unfortunately it has
a bug that prevents OpenPGP from running (something to do with signature
padding, I didn't look much into it). My plan is to write a very small
JavaCard-based applet to load onto the card - that only does RSA key
generation and signing, nothing else. Easy to write and easy to audit.

Thanks again,

Razvan Dragomirescu
Chief Technology Officer
Cayenne Graphics SRL

On Mon, May 23, 2016 at 11:26 PM, Evan Margin <twim at riseup.net> wrote:

> Hello Donncha!
> Donncha Ó Cearbhaill:
> > However his code was integrating with a smartcard at a very low
> > level by sending AT commands manually. I don't think that is the
> > best approach for compatibility.
> >
> > I think a better way would be to interface with the tokens via the
> > PKCS#11 protocol. The majority of smartcards and HSMs implement this
> >  standard and there are compatible implementations available for most
> >  operating systems. The Python pykcs11 module should be a helpful
> > start [1].
> Yeah, interfacing smartcard directly or via GnuPG scdaemon is not the
> best approach. But PKCS#11 in even worse. Much much worse. This standard
> is so huge that noone can implement it right. It raises enterance
> threshold so high that it will be used only by overproprietary entities.
> OpenPGP Card spec is pretty small so that everyone can write code within
> an hour and start to interface with a card. So did I. At least I know
> what's going on under the hood and these transparency and simplicity
> makes this setup more secure.
> --
> Ivan Markin
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20160524/f813aec9/attachment.html>

More information about the tor-dev mailing list