[SmartcardServices-Users] [Fed-Talk] Re: Require smart card login

Henry B. Hotz hotz at jpl.nasa.gov
Fri Jan 21 15:56:14 PST 2011


First, thanks for the document pointers!  I remember you giving a verbal overview of that stuff many years ago at a WWDC, and I've been trying to find the info recently with incomplete success.

My general intent is to address these concerns:  1) In an enterprise setting using FileVault you need a way for the enterprise to gain access to the vault independent of the normal user's credentials.  2) The security of the enterprise's access credentials should be at least as good as the user's.  3) If the user's access to the vault requires a smart card that will never export its private key, then so should the enterprise's access (e.g. the FileVault Master).

Assuming my logic above is perfect and admits no alternatives ;-) then what one needs is a way to use a recovery smart card as FileVaultMaster.keychain.  I suspect it's easy to create a keychain file with the public key, but without the private key of the recovery smart card.  That keychain file could be installed as the FileVaultMaster.keychain file for normal use.  

I think the one missing piece is how to use the recovery smart card to actually do a recovery.  Is there a file path for the card that could be used in the security and hdiutil commands?

Am I off base or unclear anywhere?

On Jan 21, 2011, at 1:41 PM, Shawn Geddis wrote:

> On Jan 19, 2011, at 2:26 PM, Henry B. Hotz wrote:
>> Is there a similar command which can be used to substitute a cert for the Master Password?
>> 
>> Seems silly to protect a single user that way if you can still use a plain old password as a go-around.
> 
> Henry,
> 
> I want to be sure I did not lose the intent of the original question, so please correct me if I misstate it in any way -- I will correct it then!
> 
> Folks who want all of the in-depth discussion of FileVault, the encrypted storage and usage of keys should take a look at my whitepaper:  
> 
> Best Practices for Using FileVault 
> http://images.apple.com/server/macosx/docs/L416842B-US_Best_Practices_for_Using_FileVault_White_Paper-2.pdf
> 
> and a related whitepaper...
> 
> Best Practices for Data Protection
> http://images.apple.com/server/macosx/docs/L416841B-US_Best_Practices_For_Data_Protection_White_Paper-1.pdf
> 
> 
> As a short description here.... with a longer one in the FV document noted above...
> 
> I believe the reference to a "Master Password" is a bit misleading for IT folks when discussing FileVault.  An Encrypted Container / Logical Volume (a.k.a. Encrypted Disk Image) storing and protecting a User's Home Directory can be accessed by either of two paths:  a) successful entry of User Credentials; or b) having the FileVault Master Identity (Self-Signed Certificate & corresponding Private Key).  The "Master Password" is a simplified method for 'joe/jane user' on their own to access the FileVault Master Identity when s/he is managing the complete system.
> 
> Methods of accessing Encrypted Container:
> 	a) User Login		1) Entry of Username/Password at Login 
> 							PW -> PBKDF2: Password Based Key Derivation
> 							Derived Key (Symmetric Key) is used to unwrap Data Key (Symmetric Key - AES-128)
> 							Data Key is used to encrypt/decrypt the blocks of the logical volume
> 
> 	b) FileVault Master	2) Escrow of the FV Identity is usually done by IT
> 							Best Practice, ONLY the Public Cert remains in the FileVaultMaster.keychain
> 							IT makes the escrowed Private Key (or simply the escrowed keychain) available during recovery
> 							IT unlocks access to Container and resets User Access Credential or extracts data of interest.
> 
> User Keychains can be protected by:
> 	a) Password-based	PBKDF2 Key generated from password used for Keychain
> 						User's Default keychain for an account is created using Password used for account at creation time.
> 
> 	b) Smart Card-based	Key obtained from Smart Card defined when using "systemkeychain -T token-protected-keychain-name"
> 
> 
> 
> -Shawn
> __________________________________________________
> Shawn Geddis				  			   geddis at me.com
> Security Consulting Engineer                              geddis at apple.com
> __________________________________________________
> MacOSForge Project Lead:                           Smart Card Services                                                        
> 	Web:	http://smartcardservices.macosforge.org/
> 	Lists:	http://lists.macosforge.org/mailman/listinfo
> __________________________________________________
> 
> 
> 11921 Freedom Drive, Suite 600, Reston VA  20190-5634
> 
>> On Oct 13, 2010, at 1:37 PM, Shawn A. Geddis wrote:
>>> Your most appropriate protection of the User's Login Keychain is to protect it with the Smart Card and not the PIN.  
>>> 
>>> How do you do that ?
>>> 
>>> $ sudo systemkeychain -T /Volumes/<user>/Library/keychains/login.keychain
>>> 
>>> 
>>> I notice this does not appear in the man page for systemkeychain (i.e. 'man systemkeychain'), but it does appear in the 'usage' for systemkeychain ('$ systemkeychain') -- so many of you may never have known this.  It has been around for quite some time and I know I have conveyed it in many different forums, but there are many new people on these lists who may benefit from this.
>>> 
>>> $ systemkeychain
>>> Usage: 	systemkeychain -C [passphrase]  # (re)create system root keychain
>>> 		systemkeychain [-k destination-keychain] -s source-keychain ...
>>> 		systemkeychain -T token-protected-keychain-name
>>> 
>>> 
>>> -Shawn

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
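The two access paths Shawn describes in the quoted message (password -> PBKDF2 -> derived key -> AES-128 data key, and the FileVault Master identity as a second, escrowed wrap of that same data key), worked through as an added example; this is not code from the thread or from Apple. The iteration count, the single-block AES wrap and the RSA-OAEP escrow are assumptions chosen for the example, not FileVault's actual parameters or on-disk format.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
// pbkdf2: password -> 16-byte KEK (RFC 8018 with HMAC-SHA256, one output block; the iteration count is a constructed value).
func pbkdf2(pw, salt []byte) []byte {
	mac := hmac.New(sha256.New, pw)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < 10000; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out[:16]
}
// userKey is path (a): the password-derived KEK wraps (or unwraps) the AES-128 data key. Assumed single raw AES block wrap: no integrity, so a wrong password yields garbage rather than an error.
func userKey(password string, salt, in []byte, unwrap bool) []byte {
	c, _ := aes.NewCipher(pbkdf2([]byte(password), salt))
	out := make([]byte, 16)
	if unwrap {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}
// Escrow wraps the same data key under the Master public key (assumed RSA-OAEP); only this public half needs to live on the machine.
func Escrow(master *rsa.PublicKey, dataKey []byte) []byte {
	mw, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, master, dataKey, nil)
	return mw
}
// ResetWithMaster is path (b): the escrowed private key recovers the data key, which is re-wrapped under a new password; no volume block is re-encrypted.
func ResetWithMaster(priv *rsa.PrivateKey, masterWrap, salt []byte, newPassword string) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, masterWrap, nil)
	if err != nil {
		return nil, err
	}
	return userKey(newPassword, salt, dataKey, false), nil
}
```

The point the model makes visible is that a credential reset under the Master identity only rewrites the user's wrap of the data key, which is why the private half (on an escrowed keychain or a recovery card) is all IT needs at recovery time.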