[SmartcardServices-Users] Store key on NFC tag that is acceptable to sc_auth?

Shawn Geddis geddis at icloud.com
Sat Jan 24 14:54:10 PST 2015


Henrik,

Your email messages are all referencing the support of hardware (NFC readers and the hardware of the smartcard recognition of the electronics of the smart card), but not the Applet on the card. Support for communicating correctly with the Applet loaded onto a card is done by a corresponding TokenD. You do not select the card to use a particular TokenD, but rather you must have installed a TokenD that supports the Applet loaded on the card. There are many Applet specifications out there, so you need to know what your card is using and install the appropriate TokenD. Whether you access the card with a generic CCID USB-based smart card reader or a USB-NFC based reader is not the problem you are facing.

Once your particular smart card type is supported by an installed TokenD, then ALL services access and use the card as a dynamic keychain - via keychain services. No application or service needs to know it is a smart card and simply uses the standard keychain / Sec… APIs available on OS X. So yes, once you have a supporting TokenD, you could use sc_auth to assign a card to an account for login, but realize that is not the normal method for Smart Card Login on OS X. You are much better off using the standard of PKINIT which leverages both PKI and your Microsoft AD’s KDC.

So, before any of us can help you further, we need to know and understand what Card Type (applet loaded on the card) you are using or want to use on your system.


- Shawn
_______________________________________________________________________
Shawn Geddis
Security and Certifications Engineer, Apple (geddis at apple.com)
SCAP-On-Apple Project/Dev Lead: (SCAP-On-Apple.MacOSForge.Org <http://scap-on-apple.macosforge.org/>)
SmartCardServices Project/Dev Lead: (SmartCardServices.MacOSForge.Org <http://smartcardservices.macosforge.org/>)
_______________________________________________________________________

> On Jan 24, 2015, at 4:53 AM, Henrik Brautaset Aronsen <henrik at synth.no> wrote:
> 
> Yoann Gini wrote:
>> 
>> On 20 Jan 2015, at 20:51, Henrik Brautaset Aronsen <henrik at synth.no> wrote:
>>> The stock OSX version of pcsctest finds the reader just fine:
>>> 
>>>     $ /usr/bin/pcsctest
>>> 
>>>     Testing SCardEstablishContext    : Command successful.
>>>     Testing SCardGetStatusChange 
>>>     Please insert a working reader   : Command successful.
>>>     Testing SCardListReaders         : Command successful.
>>>     Reader 01: ACS ACR122U 
>> 
>> If the built-in PC/SC detects the reader, it’s a good start. It means it’s working on the reader side.
>> 
>> Now you need to look at your cards. Which NFC chipset do you use? And with which TokenD module?
> 
> The reader says:
> 
> $ /usr/bin/pcsctest
> ...
> Reader 01: ACS ACR122U
> Waiting for card insertion        : Command successful.
> Testing SCardConnect            : Command successful.
> Testing SCardStatus              : Command successful.
> Current Reader Name              : ACS ACR122U
> Current Reader State             : 0x54
> Current Reader Protocol          : 0x0
> Current Reader ATR Size          : 20 (0x14)
> Current Reader ATR Value         : 3B xx xx xx
> 
> The chipset is a 13.56MHz ISO14443A & NFC Type 2 compliant NTAG216 RFID chipset. I haven't selected any TokenD module, mostly because I don't know how to. Any feedback on this is greatly appreciated.
> 
>> Don’t forget that SmartCards aren’t just storage cards, you have a microprocessor and a small system on it to store your keys and handle the secure communication.
> 
> I realize this. But according to http://support.apple.com/kb/TA24244 it seems that I can get away with storing a key on the NFC that is accessible with "sc_auth hash". Does that sound reasonable?
> 
> Cheers,
> Henrik
> _______________________________________________
> SmartcardServices-Users mailing list
> SmartcardServices-Users at lists.macosforge.org
> https://lists.macosforge.org/mailman/listinfo/smartcardservices-users
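
The distinction this thread draws between a storage tag and a card that carries an applet is often visible in the ATR that pcsctest prints. The following is an added example, not part of the original messages: it parses an ATR and flags the layout that PC/SC Part 3 readers synthesize for contactless storage cards. The sample ATRs are constructed (the ATR in the thread is elided) and the lookup tables are a small subset of the PC/SC tables.

```python
from functools import reduce
from operator import xor

PCSC_RID = bytes.fromhex("A000000306")          # RID registered to the PC/SC Workgroup
STANDARDS = {0x03: "ISO 14443 A, part 3"}       # subset of the Part 3 "SS" table
CARD_NAMES = {0x0001: "MIFARE Classic 1K",      # subset of the Part 3 "NN NN" table
              0x0002: "MIFARE Classic 4K",
              0x0003: "MIFARE Ultralight"}

# Constructed sample ATRs (not taken from the thread, whose ATR is elided).
SAMPLE_STORAGE = bytes.fromhex("3B8F8001804F0CA0000003060300030000000068")
SAMPLE_OTHER = bytes.fromhex("3B80800101")


def parse_atr(atr: bytes) -> dict:
    """Split an ISO 7816-3 ATR and flag PC/SC Part 3 storage-card ATRs."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR")
    k, y, pos, protocols = atr[1] & 0x0F, atr[1] >> 4, 2, set()
    while True:
        pos += bin(y & 0x07).count("1")         # skip TAi, TBi, TCi if present
        if not y & 0x08:                        # no TDi: interface bytes end here
            break
        if pos >= len(atr):
            raise ValueError("truncated ATR")
        protocols.add(atr[pos] & 0x0F)          # protocol number announced by TDi
        y, pos = atr[pos] >> 4, pos + 1
    hist = atr[pos:pos + k]                     # k historical bytes follow
    has_tck = bool(protocols - {0})             # TCK is absent when only T=0 is offered
    if len(atr) != pos + k + has_tck:
        raise ValueError("ATR length does not match its header")
    if has_tck and reduce(xor, atr[1:]) != 0:   # T0..TCK must XOR to zero
        raise ValueError("bad TCK checksum")
    info = {"historical": hist.hex(), "storage_card": False}
    # Part 3 layout: 80 4F 0C | RID (5) | SS | NN NN | RFU (4)
    if len(hist) == 15 and hist[:3] == b"\x80\x4f\x0c" and hist[3:8] == PCSC_RID:
        name = int.from_bytes(hist[9:11], "big")
        info.update(storage_card=True,
                    standard=STANDARDS.get(hist[8], f"unknown (0x{hist[8]:02X})"),
                    card_name=CARD_NAMES.get(name, f"unknown (0x{name:04X})"))
    return info


if __name__ == "__main__":
    for sample in (SAMPLE_STORAGE, SAMPLE_OTHER):
        print(sample.hex(" ").upper(), "->", parse_atr(sample))
```

An ATR flagged as `storage_card` is produced by the reader on behalf of a memory tag, so there is no applet on it for a TokenD to talk to.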
