
From: Jean-Michel Pouré - GOOZE
Subject: Re: [OATH-Toolkit-help] Any chance to support Portable Symmetric Key Container (PSKC) seed format
Date: Mon, 24 Sep 2012 09:56:57 +0200

Dear Simon,

> I've been thinking about PSKC and trying to figure out what it would
> mean to support it in OATH Toolkit.  I can imagine the following:

Thanks for looking at it.

> * Library functions to read and parse PSKC files and iterate through the
>   data and extract the fields.
> 
> * Tool to parse PSKC files and print the content in a human friendly
>   way.
> 
> * Tool to protect encrypt/decrypt PSKC files, according to section 6 in
>   RFC 6030.  There are several ways here, and it isn't clear what would
>   be best to do.
> 
> What functionality is interesting?

IMHO PSKC is useful for key provisioning (2nd option).

A small tool in the tradition of Unix would be nice to compute a PSKC
file and display/manipulate a seed. Then we can use a simple batch script
to manipulate /etc/users.oath.

Of course, another approach would be that /etc/users.oath references the
PSKC file. It would allow storing the seed securely on the server.

But ... IMHO most vendors are using the Radius protocol to store seeds
securely. So modifying /etc/users.oath may be a lot of work when
FreeRadius is able to do the work in conjunction with LDAP.

A customer recently explained that he was using FreeRadius with a custom
python script to manage OATH authentication. But I believe this is
custom work and is not available to the public. oathtool could do the
trick also and I am trying to understand how to use it with FreeRadius.

For all these reasons, I believe a small utility would do the trick for
provisioning. This can be a first approach.

The ultimate solution would be an ePass2003 token on server, with
Freeradius and LDAP. The ePass2003 can be found here:
http://www.gooze.eu/epass-2003

On FreeRadius startup, the user would need to enter a PIN code to unlock
the seed encryption key in memory. This would really enhance the
security.

So the roadmap could be:
1) Provide a small PSKC utility.
2) Work on a FreeRadius HOWTO with custom scripts to integrate
OATHtoolkit with FreeRadius, with as little glue as possible.
3) Work on a more advanced version secured by a crypto stick like the
ePass2003. But I believe that even that can be managed by a custom
script in the Unix tradition.

Kind regards,
Jean-Michel POURE
-- 

                      GOOZE - http://www.gooze.eu
                   High quality cryptographic tools 
                  for GNU/Linux, Mac OS X and Windows
                     including the FEITIAN PKI card
     POURE SASU - 17 rue Saint Jacques - 95160 Montmorency - France
       Tel : +33 (0)9 72 13 53 90 - Mobile : +33 (0)6 51 99 37 90
         Registry: FR 527 672 448 00018 - VAT: FR54527672448
                          ID PGP/GPG: 084F2584
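As an added example of the small provisioning utility discussed in this thread (not code from the list or from the OATH Toolkit project), the Python below reads an unprotected PSKC document and turns each key into a line in the /etc/users.oath format used by pam_oath. The PSKC sample is constructed here after the plaintext example in RFC 6030; element names follow the RFC, and an encrypted key (section 6) is reported rather than silently skipped.

```python
import base64
import xml.etree.ElementTree as ET

PSKC_NS = {"pskc": "urn:ietf:params:xml:ns:keyprov:pskc"}
ALG_HOTP = "urn:ietf:params:xml:ns:keyprov:pskc:hotp"
ALG_TOTP = "urn:ietf:params:xml:ns:keyprov:pskc:totp"

# Constructed sample (not from the mailing list), modelled on the unprotected
# example in RFC 6030 section 3; the secret is the RFC 4226 test key.
SAMPLE_PSKC = """<KeyContainer Version="1.0" Id="example" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <Key Id="12345678" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Counter><PlainValue>0</PlainValue></Counter>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>"""

def parse_pskc(xml_text):
    """Return the plaintext keys in a PSKC document as a list of dicts."""
    root = ET.fromstring(xml_text)  # stdlib parser; check the xml module docs before feeding untrusted files
    keys = []
    for key in root.iterfind(".//pskc:KeyPackage/pskc:Key", PSKC_NS):
        plain = key.find("pskc:Data/pskc:Secret/pskc:PlainValue", PSKC_NS)
        if plain is None:  # <EncryptedValue> (RFC 6030 sec. 6): fail loudly, do not skip
            raise ValueError("key %s has no plaintext secret" % key.get("Id"))
        counter = key.find("pskc:Data/pskc:Counter/pskc:PlainValue", PSKC_NS)
        step = key.find("pskc:Data/pskc:TimeInterval/pskc:PlainValue", PSKC_NS)
        keys.append({
            "id": key.get("Id"),
            "algorithm": key.get("Algorithm"),
            "secret": base64.b64decode(plain.text.strip()),
            "counter": int(counter.text) if counter is not None else 0,
            "time_step": int(step.text) if step is not None else 30,
        })
    return keys

def users_oath_line(username, key):
    """Format one /etc/users.oath line: <mode> <user> <pin or '-'> <hex secret>."""
    if key["algorithm"] == ALG_HOTP:
        mode = "HOTP"
    elif key["algorithm"] == ALG_TOTP:
        mode = "HOTP/T%d" % key["time_step"]  # time-based, step in seconds
    else:
        raise ValueError("unsupported PSKC algorithm %s" % key["algorithm"])
    return "%s %s - %s" % (mode, username, key["secret"].hex())
```

The mapping from a PSKC key to a username is left to the caller, since PSKC carries device and key identifiers rather than login names.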
