[SmartcardServices-Users] Store key on NFC tag that is acceptable to sc_auth?

Shawn Geddis geddis at icloud.com
Sun Jan 25 12:34:47 PST 2015


> On Jan 25, 2015, at 8:08 AM, Henrik Brautaset Aronsen <henrik at synth.no> wrote:
> On 24 Jan 2015, at 23:54, Shawn Geddis <geddis at icloud.com> wrote:
>> 
>> Your email messages are all referencing the support of hardware (NFC readers and the hardware of the smartcard recognition of the electronics of the smart card), but not the Applet on the card.  
> 
> This is just a rewritable NFC tag with about 800 bytes of rewritable memory [1].  It's not interfaced with a smartcard, so I guess an applet is not available in my case.
> 
>> Once your particular smart card type is supported by an installed Tokend, then ALL services access and use the card as a dynamic keychain - via keychain services.  No application or service needs to know it is a smart card and simply uses the standard keychain / Sec… APIs available on OS X.  So yes, once you have a supporting Tokend, you could use sc_auth to assign a card to an account for login, but realize that is not the normal method for Smart Card Login on OS X.  You are much better off using the standard of PKINIT which leverages both PKI and your Microsoft AD’s KDC.
> 
> I opted for the simple hash authentication mechanism, since it looked like the simplest way to achieve my goal.  It would just require a field on my user's authentication_authority property containing the hash.
> 
>> So, before any of us can help you further, we need to know and understand what Card Type (applet loaded on the card) you are using or want to use on your system.
> 
> I really appreciate all the help I'm receiving!  But maybe logging into OSX with an NFC tag is not achievable?
> 
> Henrik
> 
> [1] http://www.nxp.com/documents/data_sheet/NTAG213_215_216.pdf


Henrik,

> This is just a rewritable NFC tag with about 800 bytes of rewritable memory [1].  It's not interfaced with a smartcard, so I guess an applet is not available in my case.


A TokenD can be written to communicate with just about any type of device or technology.  Sorry if I implied otherwise.  My reference to Applet was because the vast majority of Smart Cards/Readers in use, particularly on OS X, are those used for PKI and are applet based.  Any developer, however, can create a TokenD that communicates with any technology: an NFC tag, an HSM, a key fob, etc.

Looking at content from your original email message:
17/01/15 21:04:28,005 com.apple.SecurityServer[71]: reader ACS ACR122U: state changed 16 -> 34
17/01/15 21:04:30,066 com.apple.SecurityServer[71]: token in reader ACS ACR122U cannot be used (error 229)
17/01/15 21:04:33,567 com.apple.SecurityServer[71]: reader ACS ACR122U: state changed 32 -> 18

The second line shows that no currently installed TokenD responded to the SmartCardServices layer that it could recognize and communicate with the current token recognized after the event “token Insertion” (card insertion) took place.  If you develop a TokenD to respond with success after probing the Token, you would then have a TokenD which would remain loaded until the “token removal” (card removal) event was recognized.  

If you are going to be doing the development yourself or you are helping someone else do the development, you might want to look at the source code in the repository for, say, "PIV" (for PIV.tokend) inside the tokend Xcode Project and start with the probe function to understand how the "score" determines which TokenD "wins" and remains loaded/communicating with the "token".  Please keep in mind the open source licensing requirements.

It is possible to do what you want *IF* you develop or have someone else develop the corresponding TokenD to support the devices (i.e. NXP NTAG) you wish to use.

Hope this helps to explain the environment better and give you guidance as to how to proceed.

- Shawn
_______________________________________________________________________
Shawn Geddis
Security and Certifications Engineer, Apple            (geddis at apple.com)
SCAP-On-Apple Project/Dev Lead:                        (http://scap-on-apple.macosforge.org/)
SmartCardServices Project/Dev Lead:                    (http://smartcardservices.macosforge.org/)
_______________________________________________________________________
