[Muscle] Remote connections to pcsc
Douglas E. Engert
deengert at anl.gov
Fri Sep 21 12:10:38 PDT 2007
Shawn Willden wrote:
> On Friday 21 September 2007 09:11:14 am Douglas E. Engert wrote:
>> What are the security implications to doing this?
>
> In this particular case, I don't care. Both machines are to be deployed in a
> secure environment.
>
> In general, though, I think it also doesn't matter that much. Any reasonable
> secure smart card API (I'm talking about the APDU-level API) must assume that
> an attacker can get between the card and the reader, or the reader and the
> application.
Not the ones I have seen. The assumption is the user of the card has physical
control over the reader, and is using the machine in front of him.
> Having a remote reader offers another avenue of attack, but
> it's not like there aren't plenty to begin with.
Yes there are, but not protecting the stream over the network just introduces another.
>
> The case where it might matter is when the card is used for user
> authentication, but a remote reader wouldn't make any sense for that
> application anyway.
>
Yes it would. That is exactly what the Microsoft RDC can do: let you
log in to a remote computer using your smart card.
>> How would the stream be protected? ssh?
>
> I don't see any value in layering encryption on the stream. If the data being
> transmitted is sensitive, it should be encrypted and/or MACed between
> application and card anyway. Or are you suggesting that ssh authentication
> be used to prevent rogue connections to the card?
Both.
> That might be useful in
> the general case. In my case it doesn't matter -- and I'm looking to hack
> pcsclite to make it suit my needs, not necessarily to add a feature to
> the "official" pcsclite.
>
Good luck.
>> There is an Open source version of RDC, rdesktop, but I don't know if it
>> does smart cards.
>
> There has been some work done on smart card support in rdesktop, but I'm not
> sure where it is. Even if it's functional, it doesn't address my situation.
>
> Thanks,
>
> Shawn.
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444