[aklug] Re: Common Access Cards - Technical Aspects

From: Christopher Howard <choward@indicium.us>
Date: Mon Jun 28 2010 - 12:32:30 AKDT

On 06/28/2010 11:13 AM, James Zuelow wrote:
> ----Original Message----

> I might be wrong, but I don't think that the cards
> will allow you to save ALL of the security tokens
> available to the card. So Christopher can't just
> clone the card onto disk and use that to script
> downloads at 3AM when nobody is there.
>

I don't know if cloning the card is possible. If it is, that raises some
interesting questions... But what I am uncertain about: when the CAC
card is inserted into the reader for Safari to use, are the private and
public keys actually downloaded into Keychain? If they aren't, that
would mean that some of the encryption process would have to be done on
the card itself, right?

From what I've read so far, it seems that the CACs do actually have
encryption co-processors built-in. But I was under the impression that
the encryption co-processors were simply meant to initially generate the
private/public key pairs.

(Though, even that doesn't quite make sense to me, because the
specifications document I read indicates that the private/public key
pair has to be "securely transmitted" to some government database. So
why go to the expense of creating the keys hidden on the card if the
keys have to leave the card anyway...?)

> He should be able to script access to the card so
> that his users can put the card into the reader
> and run a script to grab their downloads without
> having to go to each page individually. I can
> see how that would be useful and desirable. But
> it won't work if the card isn't inserted into a
> reader.
>

Yeah, that's what we want.

> At least I hope not, or the whole concept of a
> CAC is broken. :)
>

> James Zuelow

--
Christopher Howard
http://indicium.us
http://theologia.indicium.us

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Mon Jun 28 12:32:40 2010

This archive was generated by hypermail 2.1.8 : Mon Jun 28 2010 - 12:32:40 AKDT