[SmartcardServices-Users] [Fed-Talk] Re: Require smart card login

Shawn Geddis geddis at apple.com
Fri Jan 21 13:41:52 PST 2011


On Jan 19, 2011, at 2:26 PM, Henry B. Hotz wrote:
> Is there a similar command which can be used to substitute a cert for the Master Password?
> 
> Seems silly to protect a single user that way if you can still use a plain old password as a go-around.

Henry,

I want to be sure I did not lose the intent of the original question, so please correct me if I misstate it in any way -- I will correct it then!

Folks who want all of the in-depth discussion of FileVault, the encrypted storage and usage of keys should take a look at my whitepaper:  

Best Practices for Using FileVault 
http://images.apple.com/server/macosx/docs/L416842B-US_Best_Practices_for_Using_FileVault_White_Paper-2.pdf

and a related whitepaper...

Best Practices for Data Protection
http://images.apple.com/server/macosx/docs/L416841B-US_Best_Practices_For_Data_Protection_White_Paper-1.pdf


As a short description here.... with a longer one in the FV document noted above...

I believe the reference to a "Master Password" is a bit misleading for IT folks when discussing FileVault.  An Encrypted Container / Logical Volume (a.k.a Encrypted Disk Image) storing and protecting a User's Home Directory can be accessed by either of two paths:  a) successful entry of User Credentials; or b) Having the FileVault Master Identity (Self-Signed Certificate & corresponding Private Key).  The "Master Password" is a simplified method for 'joe/jane user' on their own to access the FileVault Master Identity when s/he is managing the complete system.

Methods of accessing the Encrypted Container:

  a) User Login
     1) Entry of Username/Password at Login
        PW -> PBKDF2: Password Based Key Derivation
        Derived Key (Symmetric Key) is used to unwrap Data Key (Symmetric Key - AES-128)
        Data Key is used to encrypt/decrypt the blocks of the logical volume

  b) FileVault Master
     2) Escrow of the FV Identity is usually done by IT
        Best Practice, ONLY the Public Cert remains in the FileVaultMaster.keychain
        IT makes the escrowed Private Key (or simply the escrowed keychain) available during recovery
        IT unlocks access to the Container and resets the User Access Credential or extracts data of interest.

User Keychains can be protected by:

  a) Password-based
     PBKDF2 Key generated from the password is used for the Keychain
     The User's Default keychain for an account is created using the Password used for the account at creation time.

  b) Smart Card-based
     Key obtained from the Smart Card defined when using "systemkeychain -T token-protected-keychain-name"



-Shawn
__________________________________________________
Shawn Geddis				  			   geddis at me.com
Security Consulting Engineer                              geddis at apple.com
__________________________________________________
MacOSForge Project Lead:                           Smart Card Services                                                        
	Web:	http://smartcardservices.macosforge.org/
	Lists:	http://lists.macosforge.org/mailman/listinfo
__________________________________________________


11921 Freedom Drive, Suite 600, Reston VA  20190-5634

> On Oct 13, 2010, at 1:37 PM, Shawn A. Geddis wrote:
>> Your most appropriate protection of the User's Login Keychain is to protect it with the Smart Card and not the PIN.  
>> 
>> How do you do that ?
>> 
>> $ sudo systemkeychain -T /Volumes/<user>/Library/keychains/login.keychain
>> 
>> 
>> I notice this does not appear in the man page for systemkeychain (ie. 'man systemkeychain'), but it does appear in the 'usage' for systemkeychain ('$ systemkeychain') -- so many of you may never have known this.  It has been around for quite sometime and I know I have conveyed it in many different forums, but there are many new people on these lists who may benefit from this.
>> 
>> $ systemkeychain
>> Usage: 	systemkeychain -C [passphrase]  # (re)create system root keychain
>> 		systemkeychain [-k destination-keychain] -s source-keychain ...
>> 		systemkeychain -T token-protected-keychain-name
>> 
>> 
>> -Shawn
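
The two access paths described in the message above, as an added example in Python (not Shawn's or Apple's code): one random Data Key is wrapped once under a PBKDF2-derived key (path a) and once under an escrowed master key (path b), so a recovery can reset the user credential without re-encrypting a single volume block. Two assumptions for the demo: the asymmetric FileVault Master identity is modelled by a symmetric escrow key, and a one-time XOR plus HMAC tag stands in for AES key wrap.

```python
import hashlib
import hmac
import os

KEY_LEN = 16  # AES-128 Data Key size, as in the message


def derive_kek(password: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Path a): PBKDF2 turns the login password into a Key Encryption Key."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=KEY_LEN)


def wrap(kek: bytes, data_key: bytes) -> bytes:
    # Stand-in for AES key wrap (assumption): one-time XOR under the KEK plus an HMAC tag.
    # Acceptable here only because each KEK wraps exactly one key (fresh salt per wrap).
    assert len(kek) == KEY_LEN and len(data_key) == KEY_LEN
    ct = bytes(a ^ b for a, b in zip(kek, data_key))
    return ct + hmac.new(kek, ct, "sha256").digest()


def unwrap(kek: bytes, blob: bytes):
    ct, tag = blob[:KEY_LEN], blob[KEY_LEN:]
    if not hmac.compare_digest(tag, hmac.new(kek, ct, "sha256").digest()):
        return None  # wrong password or wrong escrow key: nothing is unwrapped
    return bytes(a ^ b for a, b in zip(kek, ct))


def new_master_key() -> bytes:
    """Constructed escrow key; stands in for the FileVault Master private key."""
    return os.urandom(KEY_LEN)


class EncryptedContainer:
    """One Data Key, wrapped twice: for the user (path a) and for the FV Master (path b)."""

    def __init__(self, password: bytes, master_key: bytes):
        self.data_key = os.urandom(KEY_LEN)  # encrypts the volume blocks; never changes
        self.master_slot = wrap(master_key, self.data_key)
        self._set_user_slot(password)

    def _set_user_slot(self, password: bytes) -> None:
        salt = os.urandom(16)
        self.user_slot = (salt, wrap(derive_kek(password, salt), self.data_key))

    def unlock_with_password(self, password: bytes):
        salt, blob = self.user_slot
        return unwrap(derive_kek(password, salt), blob)

    def unlock_with_master(self, master_key: bytes):
        return unwrap(master_key, self.master_slot)

    def reset_password_via_master(self, master_key: bytes, new_password: bytes) -> bool:
        # Recovery: the escrowed identity unwraps the Data Key, which is then re-wrapped
        # under the new password. The Data Key and the encrypted blocks are untouched.
        if self.unlock_with_master(master_key) is None:
            return False
        self._set_user_slot(new_password)
        return True
```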