[SmartcardServices-Users] [Fed-Talk] Re: Require smart card login
Shawn Geddis
geddis at apple.com
Fri Jan 21 13:41:52 PST 2011
On Jan 19, 2011, at 2:26 PM, Henry B. Hotz wrote:
> Is there a similar command which can be used to substitute a cert for the Master Password?
>
> Seems silly to protect a single user that way if you can still use a plain old password as a go-around.
Henry,
I want to be sure I did not lose the intent of the original question, so please correct me if I misstate it in any way -- I will correct it then!
Folks who want all of the in-depth discussion of FileVault, the encrypted storage and usage of keys should take a look at my whitepaper:
Best Practices for Using FileVault
http://images.apple.com/server/macosx/docs/L416842B-US_Best_Practices_for_Using_FileVault_White_Paper-2.pdf
and a related whitepaper...
Best Practices for Data Protection
http://images.apple.com/server/macosx/docs/L416841B-US_Best_Practices_For_Data_Protection_White_Paper-1.pdf
As a short description here.... with a longer one in the FV document noted above...
I believe the reference to a "Master Password" is a bit misleading for IT folks when discussing FileVault. An Encrypted Container / Logical Volume (a.k.a Encrypted Disk Image) storing and protecting a User's Home Directory can be accessed by either of two paths: a) successful entry of User Credentials; or b) Having the FileVault Master Identity (Self-Signed Certificate & corresponding Private Key). The "Master Password" is a simplified method for 'joe/jane user' on their own to access the FileVault Master Identity when s/he is managing the complete system.
Methods of accessing Encrypted Container:

a) User Login
   1) Entry of Username/Password at Login
      PW -> PBKDF2: Password Based Key Derivation
      Derived Key (Symmetric Key) is used to unwrap Data Key (Symmetric Key - AES-128)
      Data Key is used to encrypt/decrypt the blocks of the logical volume

b) FileVault Master
   2) Escrow of the FV Identity is usually done by IT
      Best Practice, ONLY the Public Cert remains in the FileVaultMaster.keychain
      IT makes the escrowed Private Key (or simply the escrowed keychain) available during recovery
      IT unlocks access to Container and resets User Access Credential or extracts data of interest.

User Keychains can be protected by:

a) Password-based PBKDF2 Key generated from password used for Keychain
   User's Default keychain for an account is created using Password used for account at creation time.
b) Smart Card-based Key obtained from Smart Card defined when using "systemkeychain -T token-protected-keychain-name"
-Shawn
__________________________________________________
Shawn Geddis geddis at me.com
Security Consulting Engineer geddis at apple.com
__________________________________________________
MacOSForge Project Lead: Smart Card Services
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________
11921 Freedom Drive, Suite 600, Reston VA 20190-5634
> On Oct 13, 2010, at 1:37 PM, Shawn A. Geddis wrote:
>> Your most appropriate protection of the User's Login Keychain is to protect it with the Smart Card and not the PIN.
>>
>> How do you do that ?
>>
>> $ sudo systemkeychain -T /Volumes/<user>/Library/keychains/login.keychain
>>
>>
>> I notice this does not appear in the man page for systemkeychain (ie. 'man systemkeychain'), but it does appear in the 'usage' for systemkeychain ('$ systemkeychain') -- so many of you may never have known this. It has been around for quite sometime and I know I have conveyed it in many different forums, but there are many new people on these lists who may benefit from this.
>>
>> $ systemkeychain
>> Usage: systemkeychain -C [passphrase] # (re)create system root keychain
>> systemkeychain [-k destination-keychain] -s source-keychain ...
>> systemkeychain -T token-protected-keychain-name
>>
>>
>> -Shawn
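An added illustration (not from this thread or from Apple's implementation) of the two-path model Shawn describes: a single AES-128 Data Key is wrapped once under a PBKDF2-derived key from the user's password and once under an RSA public key standing in for the FileVault Master Identity, so either the password or the escrowed private key recovers the same key. The AES-GCM wrapping, the PBKDF2 parameters and the key sizes are constructed for the example and do not reproduce FileVault's on-disk format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
)

// pbkdf2: PBKDF2-HMAC-SHA256, one 32-byte block, 10000 rounds (stdlib only; FileVault's own parameters differ).
func pbkdf2(password, salt []byte) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index INT(1)
	t := prf.Sum(nil)
	for i, u := 1, t; i < 10000; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		subtle.XORBytes(t, t, u)
	}
	return t
}
// aead is the AES-GCM wrapper used here to protect the Data Key under a KEK.
func aead(kek []byte) cipher.AEAD {
	block, _ := aes.NewCipher(kek)
	g, _ := cipher.NewGCM(block)
	return g
}
// Container: one AES-128 Data Key wrapped under the password-derived KEK (a)
// and under the FileVault Master public key (b); either credential opens it.
type Container struct{ Salt, ByPassword, ByMaster []byte }
func NewContainer(password string, master *rsa.PublicKey) *Container {
	buf := make([]byte, 44) // 16-byte Data Key | 16-byte salt | 12-byte nonce
	rand.Read(buf)
	dataKey, salt, nonce := buf[:16], buf[16:32], buf[32:]
	byPW := aead(pbkdf2([]byte(password), salt)).Seal(nonce, nonce, dataKey, nil)
	byMaster, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, master, dataKey, nil)
	return &Container{salt, byPW, byMaster}
}
func (c *Container) OpenWithPassword(password string) ([]byte, error) {
	g := aead(pbkdf2([]byte(password), c.Salt))
	return g.Open(nil, c.ByPassword[:12], c.ByPassword[12:], nil)
}
func (c *Container) OpenWithMaster(priv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, c.ByMaster, nil)
}
```

A wrong password fails the GCM tag check rather than yielding a garbage key, which is the behaviour a recovery tool should rely on before touching the volume.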