Problem in Smart Card Simulator step 8 #1838
Comments
|
I think I had also problems to make the simulation working with some current Java in my computer and in more modern CI images. The CI is running old Ubuntu 14.04, which works fine. You can try to run it in some older VM/Container. |
|
I need to run it on Windows 10. When I replace Javac with Java it's working. but not sure it's proper way |
|
|
|
Thanks , so as I understand |
|
Windows Logon? Can you clarify what you are trying to do? Usually the cert and key are on a smart card, in the position of the user. Storing it on the machine you want to login it defeats the purpose of 2 factor authentication as if the machine or a backup are stolen the key could be compromised with out you knowledge vs a lost or stolen smart card. |
|
I want to simulate physical card by Virtual Smart Card. So I need to store the certificate on card, and through the windows logon screen, authenticate the user and unlock the windows. Should be doable by these applets, right? |
|
Maybe. WinLogin is done under the LSA, with no current windows user. So the virtual smart card would have to be running and accessible to the LSA. lsa-authentication would be a good place to start. Good luck. |
|
Thanks for your response. But as I know Windows has built-in Credential Provider for Smart Card which read the certificate on Card and authenticate. So if I could link the Certificate with Virtual Smart Card, then could easily unlock the Windows. Currently I get the below error when try to logon by Virtual Smart Card: Thanks |
|
For debugging windows login, the |
|
smart-card-architecture has a nice diagram showing all pieces to login. You would have to get the virtual smartcard Java process running either during the login or before. This maybe what you are looking for: But also says: |
|
Thanks @dengert & @Jakuje , I already tested with TPM & Windows Hello which are working fine, but the problem I need for Windows 7, however TPM only supported by Windows 8.1 + and for Windows Hello I need to do some changes in AD which I don't allow. Virtual Smart Card is the only solution which I have. I already tested the Certificate with Physical Smart Card and was working properly so want to do exactly same Virtual Smart Card |
|
Windows 7? Or depending on your security requirements, would buying a padlock for the computer case and using a real smart card/reader in a internal USB port within the case work for you? More or less equivalent security to TPM.
|
|
Thanks @dengert , I will try that link. Unfortunately I cannot add any devices or change any configuration, they won't allow me. they already had physical smart card but they want to unlock windows remotely by virtual smart card. So the master has a Physical Smart Card and want to remote to the some workstation which running virtual smart card reader and unlock the windows by Smart Card on master machine. We already implemented the code to create session and communication between Master & Client. So just need to pass the certificate from Physical Smart Card and store it in Client Virtual Smart Card |
|
That sounds like Windows Remote Desktop Connection (RDC). The client machine (your master) with the user and smart card can access the remote machines (your some workstations). This is done at the PCSC level. To the remote machine it looks like the smart card is plugged in locally . So login is the same as if the smart card was plugged into in locally. The smart card PIN never goes over the network. If your use a smart card reader with a PIN pad, it never goes into the local host either. What you appear to be doing is using the PIN as a password that gets sent over the network to unlock a virtual smart card. something just does not sound right to me doing it that way. PKI is all about proving the position of the private key on the smart card either plugged in locally or over the network. Start the Remote Desktop Connection and look at local resources. There you will see "Smart cards for Windows Hello for Business" as one of the resources. If I remember correctly Windows 7 has RDC with smart card support. If these machines are in a Windows Domain, you could take advantage of smart card login to AD that then uses Kerberos under the covers to authenticate to other remote machines. |
|
No I don't want to send the PIN through the network. I just want to initialize the Virtual Smart Card on Client and user manually type PIN in logon screen in remote machine. I want to send the Certificate through the network and store it on Virtual Card (I'm not sure possible). I already did with Windows Hello , but unfortunately their policy doesn't allow me to set up Windows Hello For Business on their network. So have to find the alternative solution |
|
Good luck with ever you choose. |
|
Except the OpenPGP, all applets listed on the wiki page are capable of performing Windows Logon, i.e.
GIDS and PIV don't even require OpenSC to be used (though personalization still requires external tools). If I read the above comments right, then the original problem with To debug your current problem with using your simulated smart card use the following in a terminal: |
|
Thanks @frankmorgner. I just solved by replacing |
|
I fixed the instructions. Thanks for verifying that. I do not think it is possible to accomplish what you are trying to do. The thing that does login is not the certificate, but the private key and its signature. Certificate is just an accompanying structure that helps with the pairing to the user account. With SC simulator, you can create full-fledged smart card, load the certificate in it, but all of that would be useless you would load also the private key into that, but normally, you can not read that key out of the existing smart card so it could be used for authentication on the remote host. The only possibility would be to modify the applets to provide the signatures using the existing remote card, but that would be some additional work. What I read, you need to set up some smart card forwarding on pcsc level (I think this is supported by virtual smart card project too), but I think that this would prevent you from using the smart card in the host system. This is exactly the same problem we were solving when creating libcacard. But as it is used now, it has two limitations: It is emulating CAC card, which is not supported in default windows driver (it is in OpenSC though) and it is wired to the hosts through spice protocol and through qemu emulated CCID device so integrating it with your application will require some wiring. |
|
I tried GIDS applet and when I ran
Also I tried to import the pfx on card, but when I run |
Thanks @Jakuje , I don't have any experience with PCSC. need to read more about it. Also I'm not much familiar with Java, I usually coding with C#, C++. The problem is I am in tight deadline, so looking for quickest solution. |
|
Hmm, there are a lot of possible paths to explore... From the applets above, I'd try https://github.com/arekinath/PivApplet, which can be easily administrated with the Yubico-tools to import private keys and to detect bad configurations. You can then test the PIV applet with OpenSC, e.g. In any case, you should think about the security considerations mentioned above... But, as usual, what kind of technical or organizational measures you should/need to apply, depends on your use case. I still don't know why you want to setup your logon with a virtual smart card, instead of, a username/password, for example. |
|
Thanks @frankmorgner , That's the project requirement and it's not our choice. Even they didn't accept Custom Credential Provider. They want the Administrator able to logon to all Work Stations in same network by Virtual Smart Card. Also when I run |
|
@vletoux as a frequent OpenSC contributer, maybe you would like to comment on this Issue. From what I have sent @Peymanmi by private e-mail, I believe that smart card login to non-AD workstations including Windows 7 could be addressed by eidauthenticate and you are the author of both EIDAuthenticate User Documentation and EIDAuthenticate Functional Documentation |
|
Yes, EiDAuthenticate does address smart card logon on stand alone computer. |
|
Sorry guys, I guess I didn't explain properly. All machine are running on same network and under same AD. The network administrator wants to logon to all clients machine in same AD by Virtual Smart Card. So admin use different physical smart card in master machine and remote to any client belong same network(AD), and just enter the PIN in Windows Logon Screen, and unlock the windows. Hope could explain clear this time. Thanks |
|
@Peymanmi the ant configuration was added recently; the easiest workaround is to simply remove them. I've done this here: https://github.com/frankmorgner/PivApplet |
Thanks @frankmorgner , I will try it |
|
Thanks @frankmorgner, I could run step 6 to 9 for PIVApplet. But when I try to initialise the card I get this error:
|
|
looks like you have configured the Pipe reader only. please try the following |
|
then start the PIV simulation in a second terminal |
|
(you need to restart the computer so that the driver's configuration gets loaded) |
|
I updated the .ini file and restarted the windows. while run step 8 get following error:
|
|
I just realized that the wiki is based on JCardSim's reader implementation, which indeed uses the pipe reader. So you have two options:
(This is what you had before. It uses a pipe in the local file system for I/O between card and reader) Then start
Sorry for the confusion. |
Thanks for quick response. I rollback the .ini file and again ran step 6 to 9 (include step 8 - start jcardsim-3.0.4-SNAPSHOT.jar with the PIV apple). But still have problem when run
|
|
Could you try |
Still same error, when I user --verbose option return:
|
|
Looks like it uses the single tick for matching. Using just the beginning of the string should be enough, try |
Thanks works fine with
|
|
Looks like you're almost there, just importing certificate and key is missing. Please try reading either the man page or the examples... |
Sure, thanks |
|
Note, that yubico-piv-tool is actually abandoned and Yubikey Manager should be used (you need to configure a Yubikey's ATR to JCardSim's config file). |
How can I find the Yubikey's ATR? I think I already found it, should be available through this link https://developers.yubico.com/PIV/Introduction/Yubico_extensions.html |
|
I guess should change step 9 as well for Yubikey, shall I?:
|
|
Closing this issue due to inactivity. Please re-open the ticket if more input is available. |
Can you explain what you meant by "I already did it with windows hello"? Were you able to send windows hello pin through network and were you able to login to the remote machine? |
Hi,
I tried to setup the Smart Card Simulation
But I get error in step 8
javac -classpath jcardsim-3.0.4-SNAPSHOT.jar;IsoApplet\src com.licel.jcardsim.remote.BixVReaderCard jcardsim_isoapplet.cfgthe error message is:
error: Class names, 'com.licel.jcardsim.remote.BixVReaderCard,jcardsim_isoapplet.cfg', are only accepted if annotation processing is explicitly requested 1 errorThanks in advance
The text was updated successfully, but these errors were encountered: