STORK Work Item 3.2.5 Eid OSS Middleware

STORK Work Item 3.2.5: eID OSS Middleware

Status: Final
Author(s): M. Preliteiro (PT-MULTICERT), T. Zefferer (AT-TUG)
Partner(s) contributing: AT-TUG, PT-MULTICERT

Abstract

Within this work item, a minimal-footprint open source and open specification middleware approach has been developed, implemented, and analysed. To this end, several relevant technologies were first investigated in order to find a solution that satisfies the requirements of a minimal-footprint middleware approach. Based on the results of these investigations, an appropriate middleware architecture has been developed that relies mainly on Java Applet technology. In order to prove the functionality of the proposed architecture, a demonstrator has been implemented that follows the developed design. Finally, a security analysis of the implemented demonstrator has been carried out in order to evaluate the level of security that the proposed middleware architecture can provide. It turned out that the Java Applet based approach is capable of providing a level of security comparable to that of installation-based middleware solutions.

Project funded by the European Community under the ICT Policy Support Programme
Copyright by the STORK-eID Consortium

Work Item 3.2.5: eID OSS Middleware, 09 November 2009

Table of Contents

ABBREVIATIONS  4
1 INTRODUCTION  5
  1.1 OBJECTIVES  5
  1.2 DESCRIPTION OF WORK  5
2 INVESTIGATION OF POSSIBLE MIDDLEWARE ARCHITECTURES  6
  2.1 INTRODUCTION  6
  2.2 INVESTIGATION OF RELEVANT TECHNOLOGIES  6
    2.2.1 TECHNOLOGIES OVERVIEW  6
      2.2.1.1 CRYPTOGRAPHIC SERVICE PROVIDERS (CSP)  6
      2.2.1.2 CRYPTOGRAPHY API: NEXT GENERATION (CNG)  7
      2.2.1.3 PKCS#11  7
      2.2.1.4 PC/SC  8
      2.2.1.5 ACTIVEX  9
      2.2.1.6 JAVA APPLETS  10
      2.2.1.7 JAVASCRIPT  10
      2.2.1.8 ADOBE FLASH  11
      2.2.1.9 MICROSOFT SILVERLIGHT  12
      2.2.1.10 .NET  13
      2.2.1.11 OPENSC  14
    2.2.2 COMPARISON OF COMPETING TECHNOLOGIES  14
      2.2.2.1 SMART-CARD ABSTRACTION TECHNOLOGIES  15
      2.2.2.2 BROWSER-BASED TECHNOLOGIES  15
    2.2.3 TECHNOLOGICAL SYNERGIES AND ARCHITECTURAL SOLUTIONS  16
      2.2.3.1 ACTIVEX AND CSP/CNG  16
      2.2.3.2 ACTIVEX / JAVASCRIPT AND PKCS#11  17
      2.2.3.3 ACTIVEX / JAVASCRIPT AND OPENSC  18
      2.2.3.4 ACTIVEX  18
      2.2.3.5 JAVA APPLET AND CSP/CNG  18
      2.2.3.6 JAVA APPLET AND PKCS#11  19
      2.2.3.7 JAVA APPLET AND OPENSC  20
      2.2.3.8 JAVA APPLET  20
  2.3 INVESTIGATION OF POSSIBLE MINIMAL-FOOTPRINT MW-ARCHITECTURES  21
    2.3.1 REQUIREMENTS OF A MINIMAL-FOOTPRINT MIDDLEWARE ARCHITECTURE  21
      2.3.1.1 PLATFORM INDEPENDENCY  21
      2.3.1.2 BROWSER INDEPENDENCY  21
      2.3.1.3 NUMBER OF COMPONENTS TO BE INSTALLED  21
    2.3.2 EXAMINATION OF POSSIBLE SOLUTIONS  21
    2.3.3 DESIGN OF A MINIMAL-FOOTPRINT MIDDLEWARE ARCHITECTURE  22
  2.4 SUMMARY  23
3 PROOF OF CONCEPT OF A MINIMAL-FOOTPRINT MIDDLEWARE  25
  3.1 INTRODUCTION  25
  3.2 GENERAL ARCHITECTURE OF THE MIDDLEWARE DEMONSTRATOR  25
  3.3 PROVIDED FEATURES OF THE MIDDLEWARE DEMONSTRATOR  25
4 SECURITY ANALYSIS OF A MINIMAL-FOOTPRINT MIDDLEWARE  29
  4.1 INTRODUCTION  29
  4.2 ARCHITECTURE OF THE MINIMAL-FOOTPRINT MIDDLEWARE  29
    4.2.1 GENERAL MIDDLEWARE ARCHITECTURE  29
    4.2.2 PARTICIPATING ENTITIES  30
      4.2.2.1 USER  31
      4.2.2.2 ONLINE APPLICATION OPERATOR  31
      4.2.2.3 MIDDLEWARE SERVER OPERATOR  31
      4.2.2.4 APPLET PROVIDER  31
  4.3 SECURITY ANALYSIS OF THE MINIMAL-FOOTPRINT ARCHITECTURE  32
    4.3.1 POSSIBLE ATTACKS  32
    4.3.2 OPERATION MODE "VISUALISATION BY APPLET"  32
    4.3.3 OPERATION MODE "VISUALISATION BY SERVER"  33
    4.3.4 IMPLICATIONS ON THE CURRENT IMPLEMENTATION  34
  4.4 COMPARISON TO INSTALLATION-BASED APPROACHES  34
  4.5 SUMMARY  35
5 CONCLUSIONS  37
REFERENCES  38

Abbreviations

APDU    Application Protocol Data Unit
API     Application Programming Interface
CAPI    Cryptographic Application Programming Interface
CIL     Common Intermediate Language
CLR     Common Language Runtime
CNG     Cryptography API: Next Generation
COM     Component Object Model
CSP     Cryptographic Service Providers
DES     Data Encryption Standard
DF      Directory File
DLL     Dynamic Link Library
DOM     Document Object Model
EF      Elementary File
eID     Electronic Identity
HTML    HyperText Markup Language
IDE     Integrated Development Environment
IE      Internet Explorer
IT      Information Technology
JRE     Java Runtime Environment
JVM     Java Virtual Machine
MS      Microsoft
NSA     National Security Agency
OLE     Object Linking and Embedding
OS      Operating System
OSS     Open Source and Open Specification
PC/SC   Personal Computer / Smart Card
PDF     Portable Document Format
PHP     PHP: Hypertext Preprocessor
PKCS    Public Key Cryptography Standards
RSA     Rivest Shamir Adleman
RTMP    Real Time Messaging Protocol
S/MIME  Secure / Multipurpose Internet