What is a good Smartcard for home use?

20

4

I'm always looking for ways to improve my security on the internet. As I'm also a programmer and somewhat active on InfoSec and Crypto I decided that a smart card is the way to go.

I'm thereby looking for a smart card (or a USB-token) that has the following qualifications:

  • Support for elliptic curve cryptography (256 bits+)
  • Support for RSA (2048 bits+)
  • Storage for at least 10 keys of each of them
  • FIPS 140-2 Level 3 certification (preferred) or high Common Criteria certification (EAL 4+)
  • Should be acquirable for private persons (non-companies)
  • Driver (PKCS#11 / CSP / CNG) support for Windows 7 and Windows 10 (both x64), either directly or via OpenSC.
  • Support for secure key backup and key recovery in case of a disaster (e.g. wrapped key exports along with a way to unwrap on a different physical card)
  • For actual cards: Standard physical interfaces (i.e. no vendor-specific card readers needed)

Non-mandatory points include:

  • Support for custom ECC curves
  • Native support for Curve25519 / Curve448
  • Support for RSASSA-PSS or ECDSA (without the software doing the hashing)
  • For actual cards: Contactless operability
  • Low price (< $100 per piece)
  • Qualification for qualified electronic signatures (i.e. legally binding signatures), preferably under German law

SEJPM

Posted 2015-09-12T16:32:27.967

Reputation: 1 003

I'll also add the Athena SCS IDProtect LASER at a later point, once I've finished my testing with it, if you consider buying it: Do note that you can't use hardware-keyboards (e.g. your cardreader's pinpad) with it.

SEJPM 2016-06-19T22:11:37.020

I also want as a prereq, the ability to use the crypto API with it.

Michael 2016-08-20T06:29:11.110

@Michael That's covered by "driver support".

SEJPM 2016-08-20T07:20:58.800

Not necessarily, some products are offered with drivers that are unsigned - a no option for me. @SEJPM

Michael 2016-08-20T07:59:42.310

@Michael well, the Gemaltos and the Athenas have signed drivers, only the SC-HSM which actually targets Linux and not Windows doesn't have the proper driver signature.

SEJPM 2016-08-20T08:25:03.703

Answers

12

Except for the backup requirements, the Gemalto IDPrime MD seems to fit your requirements. Some caveats:

  • It tops at 2048 bits for RSA; for ECC, it supports only three standard NIST curves (P-256, P-384 and P-521), not custom curves.
  • From experience, at the APDU level, the signature operation is really a command to do a modular exponentiation with the private key; thus, the hardware is compatible with all kinds of RSA (PKCS#1 v1.5, PSS...) but the hashing and padding is done on the host computer.
  • The MD 830 is FIPS 140-2 lvl 3, the MD 840 is EAL 5+. There appears to be no model that is certified for both sides of the Atlantic.
  • The cards are available as standard-sized plastic rectangles, nominally compatible with all standard readers; but you can also get them under the "IDBridge" format which is a USB card reader with a card in it, with a small size.
  • Individual cards can be bought from cryptoshop but it is a bit unclear exactly what you get; there are IDPrime MD and IDPrime .NET cards that use the same packaging, and the latter do not support ECC (only RSA). On the bright side, individual price will be about 20€.
  • The cards are supposed to be reprogrammable with custom applications (in a subset of .NET) but I never tried that and I don't know if it requires extra licenses or things like that. I think that the certifications don't extend to cards which have been reprogrammed.

As for backups, I am ready to assert that you do not want backups for signature keys. In fact, presence of a backup for a signature key can only lower the legal value of a signature (but then, this begs the question of why you would want to sign anything; a signature you generate is a legal weapon pointed back at yourself).

For encryption keys, backups are necessary to avoid data loss, and then there is no really good solution with these cards, if you want private keys to never exist outside of the certified hardware. For personal usage, even for the paranoid, you could arrange a key generation ceremony in which you generate the keys on an offline computer, booted over a CDROM and with no hard disk; the computer would then push the key in 4 or 5 smart cards, which would be so many backups.

Thomas Pornin

Posted 2015-09-12T16:32:27.967

Reputation: 236

1

Note for the interested buyer: A friend actually bought one of these cards and he had massive problems getting it to run properly under Linux, as apparently even the PKCS#11 library didn't compile. Everything worked though apparently under Windows. Other shops with these cards are SmartCardFocus and the Gemalto Webstore.

SEJPM 2016-06-19T21:46:29.010
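As an added example (not code from the answer or from Gemalto), this sketch shows the split Thomas Pornin's answer describes: the host hashes and applies PKCS#1 v1.5 padding, and the card only performs the private-key modular exponentiation. The key is a constructed toy key built from two Mersenne primes, and `host_encode`, `card_private_op`, `sign` and `verify` are hypothetical names, with `card_private_op` standing in for the card's APDU command.

```python
import hashlib

# Constructed toy key: two Mersenne primes, so the example runs offline
# without key generation. Publicly known primes, NOT a usable RSA key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def host_encode(message: bytes) -> bytes:
    """Host side: hash, then apply EMSA-PKCS1-v1_5 padding to K bytes."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    ps = b"\xff" * (K - len(t) - 3)
    if len(ps) < 8:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + ps + b"\x00" + t


def card_private_op(block: bytes) -> bytes:
    """Stand-in for the card: raw modular exponentiation, nothing else.
    It sees only a padded block and cannot tell what was hashed."""
    m = int.from_bytes(block, "big")
    if len(block) != K or m >= N:
        raise ValueError("input block out of range")
    return pow(m, D, N).to_bytes(K, "big")


def sign(message: bytes) -> bytes:
    return card_private_op(host_encode(message))


def verify(message: bytes, signature: bytes) -> bool:
    """Verifier: public-key operation, then compare against a freshly
    encoded block (encode-and-compare avoids lenient padding parsing)."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    return pow(s, E, N).to_bytes(K, "big") == host_encode(message)


if __name__ == "__main__":
    sig = sign(b"constructed sample document")
    print(len(sig), verify(b"constructed sample document", sig))
```

Because the card only exponentiates the block it is handed, the digest inside that block is whatever the host computed; the card has no view of the document itself.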

0

Because I feel that some people may be unsatisfied with Thomas' recommendation of the Gemalto IDPrime Cards, I wanted to give another option here:

The Smartcard-HSM

  • It offers 1024-2048-bit RSA or up to 320-bit ECC with all NIST and Brainpool curves being pre-loaded and may even support custom curves (although I've got no source for this right now)
  • It supports ECDSA and RSA signatures and allows for SHA-1 based on-card hashing (ECDSA) and for SHA-1/-256/-384/-512 based RSA pre-hashing ("PKCS", may be PKCS#1 v1.5)
  • The operating system is CC EAL5+ certified, the chip platform is only EAL2+, the TOE can be found here
  • It ships as a standard card form factor (contact, contactless and dual-interface), as micro SD with secure element and 1GB normal memory and as USB-token
  • The only reseller at the moment is card-o-matic, individual cards will be around 20€ a piece, the tokens will be at around 80€ and more
  • Driver support is available via OpenSC, supporting Windows CAPI and PKCS#11, the device driver (for Windows) is delivered extra and requires disabling driver signature checks for the installation though, the OpenSC PKCS#11 library has its limitations though, for example only one application can access the token at the same time
  • If you have initialized the card with a specific key (called device-key-encryption-key (DKEK)) then you will be able to make key-backups off-card, otherwise not

TL;DR: It may be a bit expensive and a bit inconvenient from time-to-time, and somewhat limited in security level, but if backups, Brainpool and / or high CC certification are what you're looking for, this may be the right choice.

SEJPM

Posted 2015-09-12T16:32:27.967

Reputation: 1 003

It should be noted that I contacted the manufacturer concerning the driver signature and he responded that it's not worth it for them because they mainly target Linux and embedded systems and not Windows.

SEJPM 2016-08-20T08:15:35.633