Project: pam_smartcard developer request

Erik Norgaard norgaard at
Thu Feb 17 13:36:34 PST 2005


I don't know if this is the right list or I should write to current@ or
other - please redirect me.

At work I am developing on the JavaCard platform which is a java based
smart card. I thought I might as well do something usefull also and
develop a card based application for authentication.

The project: Provide a two-factor (something you have + something you
know) authentication module for *BSD. This kind of setup is most
interesting for larger networks or campus where a smart card can be
combined with ordinary ID.

This splits in two: The part that runs on the card (in javacard lingo
the JavaCard applet), and the part that runs on the system (in javacard
lingo the host/client application).

I don't have the knowledge to do the host application, while I can
program the card applet. For the host part, this need not be in Java. I 
think ideas could be borrowed from other pam_* projects, and a backend 
database or directory server is needed in order to avoid forged cards.

If any one is interested in joining such a project reply to me off-list
(I'm on the list, but I think this should be coordinated off-list).

NOTE: This is not going to be part of my paid work. I am not asking you 
to do my job for free!

Some things I have considered:

The card based authentication must not only identify the user but also
the card, otherwise an intruder could produce forged cards.

Identifying the card is easy because it supports strong cryptography and 
can hold RSA keys that cannot be retrieved from the card. But the card's 
public key must be stored centrally.

My idea is that when the card is issued, a key pair is created on the
card and the public key stored centrally. When the card is inserted the
system sends a challenge to the card encrypted with the card's public
key. Then the card can only respond if it has the private key.

Other problems are: The login session should terminate when the card is 
removed, this requires a daemon to keep checking the card.

The host application must not only support authentication but also
issuing of cards.

The cards I have are JavaCard 2.1 - this is fine for this project. The
problem is to get drivers for the available readers. Driver exists for
RedHat Linux but is not yet ported (see pcsc-lite port). However, the
implementation will be vendor independent.

Copyright: I do not copy code from my work, nor will code go the other way.

The copyright will be BSD-type copyright. Code from other projects that
impose non-compatible restrictions should not be imported unless these
restrictions are removed.

Time span: I think the hardest part is the host application, but this is
partly because I don't know how to do it :-) For the card part, I
believe this can be done before july.

Cheers, Erik

Ph: +34.666334818                           web:
S/MIME Certificate:
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2

More information about the freebsd-ports mailing list