
Copyright 2015 by Assured Information Security, Inc. Created by Ross Philipson <philipsonr@ainfosec.com>. This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.

...

https://pivkey.zendesk.com/hc/en-us/categories/200284639-Technical-Support

PIVKeys are an alternative to CAC cards for testing smart card readers. By default the PIVKey is loaded with a Certificate for Card Authentication. The first thing that has to be done is to set up a proper PIN for the card. The instructions here detail that step:

https://pivkey.zendesk.com/hc/en-us/articles/203126729-Getting-Started-with-PIVKey-Management

Also there are instructions for PIV certificate mapping:

https://pivkey.zendesk.com/hc/en-us/articles/203862405-PIV-Certificate-Mapping

There is a step for Default Certificate Mapping but this seems to be unnecessary (it is already done) and this mapping type seems sufficient. At this point the card is ready to use.

PIVKey on Linux

To start with, a few packages need to be installed. The example below is for Debian, but similar packages should exist on most distros. It installs the PCSCLite packages, which support CCID-compatible readers and tokens, of which PIVKey is one.

$ sudo apt-get install libpcsclite1
$ sudo apt-get install libpcsclite-dev
$ sudo apt-get install pcscd
$ sudo apt-get install pcsc-tools

...

A few notes on the instructions:

Updating /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist did not solve all of the problems pcsc_scan had in recognizing the card. The following step makes it happy:

$ wget http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt --output-document=/home/<your-user>/.cache/smartcard_list.txt

Follow the instructions closely for editing /etc/opensc/opensc.conf.

The location of the library to use in Firefox/Iceweasel is the same on Debian.

Things are working correctly if the following commands are properly displaying the ATR:

$ pcsc_scan
$ opensc-tool -a
$ piv-tool -c piv --serial
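
To sanity-check an ATR printed by these commands, the following added example (not part of the original page) parses an ATR according to ISO/IEC 7816-3 and verifies its TCK checksum. The input is assumed to be colon- or space-separated hex, and the sample ATRs are constructed for illustration, not read from a PIVKey.

```python
from functools import reduce

def parse_atr(text):
    """Parse an ATR (hex, ':' or space separated) per ISO/IEC 7816-3."""
    atr = bytes.fromhex(text.replace(":", " "))
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 0x3B (direct) or 0x3F (inverse)")
    hist_len = atr[1] & 0x0F          # T0 low nibble: number of historical bytes
    y, pos, i = atr[1] >> 4, 2, 1     # T0 high nibble: which of TA1..TD1 follow
    interface, protocols = {}, set()
    while y:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated in interface bytes")
                interface[f"{name}{i}"] = atr[pos]
                pos += 1
        td = interface.get(f"TD{i}")
        if td is None:
            break
        protocols.add(td & 0x0F)      # TDi low nibble: protocol T
        y, i = td >> 4, i + 1         # TDi high nibble: next group of bytes
    protocols = protocols or {0}      # no TD byte at all means T=0 only
    has_tck = protocols != {0}        # TCK is present unless only T=0 is offered
    if len(atr) != pos + hist_len + has_tck:
        raise ValueError("ATR length does not match its T0/TDi descriptors")
    if has_tck and reduce(lambda a, b: a ^ b, atr[1:]) != 0:
        raise ValueError("TCK checksum mismatch")
    return {
        "convention": "direct" if atr[0] == 0x3B else "inverse",
        "interface": interface,
        "protocols": sorted(protocols),
        "historical": atr[pos:pos + hist_len],
    }

# Constructed sample ATRs (not taken from a real card).
SAMPLE_T1 = "3b:84:01:50:49:56:31:fb"   # T=1, 4 historical bytes, valid TCK
SAMPLE_T0 = "3b 04 50 49 56 31"         # T=0 only, so no TCK byte

if __name__ == "__main__":
    for sample in (SAMPLE_T1, SAMPLE_T0):
        print(sample, "->", parse_atr(sample))
```

A `ValueError` from this parser on a string copied from the tool output points at a truncated or mistyped ATR rather than a reader problem.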

Finally, and most importantly, check that the PIVKey test website allows the PIN-based login and then displays the test results and certificate information correctly:

https://pivkey.com:448

PCSC Middleware

The PCSC packages provide the drivers and middleware that allow clients to talk to the smart card device. The drivers are shared libraries in userland, and most smart card readers can use libccid. This driver in turn talks to USB devices using libusb. The driver library or libraries are loaded by the pcscd daemon. Clients (like the PCSC tools) talk to the daemon to access the cards.

PIVKey on Windows

The first thing to do is to ensure the PV USB and Smart Card drivers have loaded correctly. Follow these instructions for this (note PV USB will also create host controller and root hub devices):

https://pivkey.zendesk.com/hc/en-us/articles/203775049-Testing-the-PIVKey-on-the-User-PC

Next install the PIVKey Windows software:

https://pivkey.zendesk.com/hc/en-us/articles/203126279-Installing-the-PIVKey-Administrator-Tools

Once installed, these commands should show information about the card:

"C:\Program Files\PIVKey Administrator\PIVKey Admin Tools\PivKeyTool.exe" --listcardid
"C:\Program Files\PIVKey Administrator\PIVKey Admin Tools\PivKeyTool.exe" --listmd
"C:\Program Files\PIVKey Administrator\PIVKey Admin Tools\PivKeyTool.exe" --listpiv

Finally, and most importantly, check that the PIVKey test website allows the PIN-based login and then displays the test results and certificate information correctly:

https://pivkey.com:448