[SmartcardServices-Users] Storing Keychain data

Shawn Geddis geddis at me.com
Fri Mar 2 22:22:05 PST 2012


Since I Manage the Smart Card Services Project and have been supporting Smart Cards on OS X for many years now, please allow me to attempt to clear up your confusion and some misinformation that has been shared on this thread.

I think the best way to address this and ensure complete coverage is to take your points one at a time along with responses you received and comment accordingly....

> On Feb 18, 2012, at 1:05 PM, SB Tech wrote:
> Hi,
> I looked into using a Smart Card for authentication purposes in my SOHO, but came away disappointed by its interaction with Keychain Access.  Specifically, because it took the top position in the Keychain list, it assumed the Login keychain's duties;

I think you may be confused between what you are seeing and what is actually happening on your system with respect to Smart Cards, Keychains generically and specifically your Login Keychain.

Keychain Access is a tool for the viewing and manipulation of Credential Stores a.k.a. “Keychains” and their contents.

Smart Cards are abstracted into OS X's Credential Stores (Keychains) which appear as a dynamic keychain — they come and go with the insertion and removal of the card.  The Keychain Entry you see in Keychain Access List represents the Smart Card while the main panel will reveal the contents of the smart card (Certificates and Keys).  Smart Card(s) appear at the top of the Keychain Access List.

> but because I was unable to store passwords directly on the Smart Card (eg. wifi passwords) I found myself having to authenticate a second time, to the Login keychain.

You would not be able to store new security tokens (ie. passwords) on the Smart Card, since by design they are managed by Card Management Systems external to your own computer.  Smart Cards are a protected container for your corporate provisioned X.509 Identities and usually also include some personal content included by the issuer.  The Smart Card Keychain is separate from your Login Keychain.  A Login keychain is created when any user account is created on the OS X system and stored inside the user’s account path — 
	/Users/<user>/Library/Keychains/login.keychain 

If you are using a Smart Card to login to your computer, the “login.keychain” would simply be another keychain for you that would of course need to be unlocked to store/retrieve any private information (ie. passwords, private keys, etc.).  

The Default keychain is any user's keychain configured to be, well, the default keychain.  This means that anytime information needs to be added (such as the automatic gleaning of certificates from signed email messages you receive in Mail) those items are added to that keychain without interrupting the user (as long as it is unlocked).  The Default Keychain can be assigned to any USER keychain other than a Smart Card (hardware tokend) and is set initially to be the automatically created “login.keychain”.  You know which keychain is set as the Default keychain because its name appears in BOLD within the Keychain Access Keychain List.


>  In the meantime, there was no automatic authentication of login services such as connecting to wifi or mounting of secure disk images.

If you wanted authentication to any service such as Wifi, you would need to configure the Wifi authentication to use an identity from your Smart Card.  Once you would authenticate at the Login window, your Smart Card would remain unlocked (until you pull the card or you lock the screen) and used for the wi-fi authentication without further interaction by you.  You would configure WiFi to use 802.1X using EAP-TLS.


> So, my question is: how does one go about using a Smart Card to store Keychain Access-specific data, so that the Smart Card “dynamic keychain” can more fully perform the functions required on login?

Keychain Access-specific data?  Again, I think you have a misunderstanding of what you are trying to do and what technology is used for.  A “Dynamic Keychain” is not something you configure or alter or need to modify.  It simply means that the Keychain appears and can be used when the smart card is inserted in the reader and recognized and disappears when the card is removed from the reader — hence “dynamic”.  Other than that, there is nothing you need to think of with respect to “Dynamic Keychain”.  A “Dynamic Keychain” does not mean it is used for Login.  You are confusing the fact that you want to Log into your computer with your Smart Card with the fact that the Smart Card just happens to be a “Dynamic Keychain”.  What “Keychain Access-specific data” are you thinking you need to place on the card?

> At the moment, I'm not concerned with any particular Smart Card or software solution, I'm more interested in knowing whether it’s actually possible.

Smart Cards have been used for both Login and authentication on OS X for many years now.  



Then you followed up ... on the FedTalk List with...
> It turns out I left out some crucial information: the scenario below regards logging into computers using a Smart Card.  


Yes, this was a major omission, but one I think we all assumed you meant anyway.  Smart Cards have been used for both Login and authentication on OS X for many years now, so that is not in question.  

> Given this information, can anyone using such a method enlighten me on how they get round the kludge of the Smart Card dynamic keychain displacing the Login keychain?

“Kludge”?  Again, I think there is a misunderstanding of how smart cards work and also what and how Keychains work on OS X.  I would refer you to my earlier comments about what a Dynamic Keychain is and using a Smart Card to Login to your computer.  I can have many Smart Cards attached to my OS X system at any one time and all of them appear as Dynamic Keychains, but you would only login with one of them.



On Feb 29, 2012, at 11:09 AM, SB Tech wrote:
> If you don't mind, I'm going to quote from Apple's "Mac OS X Security Configuration For Mac OS X Version 10.6 Snow Leopard" document: 

[snip] 

> This encouraged me to believe that the behaviour I was seeing, regarding my Smart Card displacing my Login keychain, was both normal and expected behavior.  

A Smart Card does not displace a Login Keychain.

> So, how exactly does your Smart Card interact with Keychain Access?  Does it appear at all in the list of Keychains?  

As stated earlier, Keychain Access is a Tool for manipulating Keychains (typically but not limited to file-based keychains), but you are getting confused with Keychain Access and Your Smart Card being used for Login.  Under normal conditions, you would not even need to look at Keychain Access.

> If not, perhaps there's a low-level setting I can toggle to prevent it appearing.

Might be better to forget Keychain Access is there for your current purposes.  It seems to be the root cause of your confusion.


On Feb 29, 2012, at 11:33 AM, SB Tech wrote:
> I assume you're referring to the following line:
> 
> > They can be treated as other keychains on the user’s computer, with the limitation that users can’t add other secure
> > objects.
> 
> I would respond: what's the point of adding the Smart Card to keychain access if it cannot store Keychain Access-recognized objects?

Smart Cards are “listed” in Keychain Access to give you the ability of viewing the contents of the card, resetting the PIN, setting Identity Preferences, etc.  “Smart Cards as Keychains” is the core reason that ANY Application that leverages the Keychain APIs can utilize a Smart Card without even needing to know it is a Smart Card or performing complex communication with the card.  Applications just communicate to any and all Keychains via the Keychain APIs.

>  Because it seemed such a ludicrous thing to implement, I assumed that, "can’t add other secure objects," simply referred to Keychain Access.

You started this thread out by asking about the use of Smart Cards.  It can be quite daunting to people new to them, but it does require an understanding that one significant security benefit of a Smart Card is that the end user cannot modify the contents of the card.  It is personalized using a Card Management System (CMS) by authorized administrators who are granted the ability to issue Smart Cards and the Identities on them.  If you really want/need to use a Smart Card for Login, you will want to spend some time learning more about the significant infrastructure necessary to issue and manage them.  There are many proprietary Smart Cards, but you are best served by looking to a CMS that would allow you to issue PIV compliant cards (there are actually multiple variants of PIV dependent on say who is issuing the card - ie. US Government Agency).

>  I presumed that it might be possible to add Keychain Access-compatible objects using another method.

What Keychain Access-compatible objects are you thinking of?  Passwords?  Private Keys?  Internet Passwords, Web Form Passwords, etc.?  Again, think of a Smart Card as a “Read Only” Keychain.  This is a characteristic of Smart Cards, not just of Smart Cards as Keychains on OS X.

> I'm a lay user, considering Smart Cards for a SOHO, not a government IT professional.  Clearly I'm missing some vital reason why the Smart Card should show up as a Dynamic Keychain.  I'd be grateful if someone could explain this to me.

Are you sure you want/need to use a Smart Card?  What characteristics or capabilities were you looking for that led you to Smart Cards?


- Shawn
________________________________________
Shawn Geddis   
Security Consulting Engineer 
Apple Enterprise Division

On Feb 29, 2012, at 12:55 PM, Paul Nelson wrote:

> The main reason is so you can use it to log into web servers that require two factor authentication.  Smart cards are mainly used in the industry to store an X509 cert plus the private key that goes with it.  The combination of these provides you with a "digital identity" that has advantages over using a password.
> 
> Two browsers for the Mac can make use of these:  Safari and Chrome.
> 
> I think that you would be fine if you simply change your login keychain password to match the PIN on your smart card, then think of your smart card as a physical key that you can't make a copy of and give to someone else.
> Be aware that you will probably make the password for your login keychain weaker by doing this.  Apple has some hooks to encrypt and decrypt your login keychain, but they are very obscure and I don't think they work with a master key in case your smart card is destroyed.
> 
> The infrastructure on a Mac is still not ready to do much more than this.
> 
> Paul Nelson
> Thursby Software Systems, Inc.
> 

