Smart Card Testing

Copyright 2015 by Assured Information Security, Inc. Created by Ross Philipson <philipsonr@ainfosec.com>. This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.

PIVKey

The PIVKey smart card home is here:

http://pivkey.com/

They follow the PIV standard found here:

http://www.smartcardalliance.org/publications-a-comparison-of-piv-piv-i-and-civ-credentials/

And they can be easily purchased, e.g. from here:

http://www.amazon.com/gp/product/B00SJV2CNK?psc=1&redirect=true&ref_=oh_aui_detailpage_o02_s00

The documentation can be found here:

https://pivkey.zendesk.com/hc/en-us/categories/200284639-Technical-Support

PIVKeys are an alternative to CAC cards for testing smart card readers. By default the PIVKey is loaded with a Certificate for Card Authentication. The first thing that has to be done is to set up a proper PIN for the card. The instructions here detail that step:

https://pivkey.zendesk.com/hc/en-us/articles/203126729-Getting-Started-with-PIVKey-Management

Also there are instructions for PIV certificate mapping:

https://pivkey.zendesk.com/hc/en-us/articles/203862405-PIV-Certificate-Mapping

There is a step for Default Certificate Mapping, but this seems to be unnecessary (it is already done), and this mapping type seems sufficient. At this point the card is ready to use.

PIVKey on Linux

To start with, a few packages need to be installed. This example is for Debian, but similar packages should exist on most distros. The following installs the PCSCLite packages, which support CCID-compatible readers and tokens, of which PIVKey is one.

$ sudo apt-get install libpcsclite1
$ sudo apt-get install libpcsclite-dev
$ sudo apt-get install pcscd
$ sudo apt-get install pcsc-tools

The OpenSC packages are also needed:

$ sudo apt-get install opensc

The main instructions are here:

https://pivkey.zendesk.com/hc/en-us/articles/203578629-PIVKey-on-Linux

A few notes on the instructions:

Updating /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist did not solve all of the problems pcsc_scan had in recognizing the card. The following step makes it happy:

$ wget http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt --output-document=/home/<your-user>/.cache/smartcard_list.txt

Follow the instructions closely for editing /etc/opensc/opensc.conf.

The location of the library to use in Firefox/Iceweasel is the same on Debian.

Things are working correctly if the following commands properly display the ATR:

$ pcsc_scan
$ opensc-tool -a
$ piv-tool -c piv --serial

Finally, and most importantly, check that the PIVKey test website allows the PIN-based login and then displays the test results and certificate information correctly:

https://pivkey.com:448
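
As an added example (not part of the original page or of the PIVKey documentation), the Python code below decodes an ATR of the kind pcsc_scan and opensc-tool -a print, following the ISO/IEC 7816-3 layout, and checks that both tools report the same bytes and that the TCK checksum holds. The sample ATR and the two output line styles are constructed for illustration and are not a real PIVKey ATR.

```python
# Added example: decode an ISO/IEC 7816-3 ATR and verify its TCK checksum.
import re
from functools import reduce
from operator import xor

def atr_bytes(line):
    """Extract ATR bytes from text such as 'ATR: 3B 94 ...' or '3b:94:...'."""
    hex_part = line.split("ATR:", 1)[-1]
    return bytes(int(h, 16) for h in re.findall(r"\b[0-9A-Fa-f]{2}\b", hex_part))

def parse_atr(atr):
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 3B (direct) or 3F (inverse convention)")
    y, k = atr[1] >> 4, atr[1] & 0x0F   # T0: interface-byte mask, historical count
    pos, level, iface, protocols = 2, 1, {}, []
    while y:
        td = None
        for bit, name in enumerate("ABCD"):   # TAi, TBi, TCi, TDi in that order
            if y & (1 << bit):
                if pos >= len(atr):
                    raise ValueError("ATR truncated inside interface bytes")
                iface[f"T{name}{level}"] = atr[pos]
                td = atr[pos] if name == "D" else td
                pos += 1
        if td is None:
            break
        protocols.append(td & 0x0F)           # low nibble of TDi names a protocol
        y, level = td >> 4, level + 1         # high nibble announces the next group
    if pos + k > len(atr):
        raise ValueError("ATR truncated inside historical bytes")
    historical, pos = atr[pos:pos + k], pos + k
    tck_ok = None                             # TCK exists only if a protocol other than T=0 is offered
    if any(p != 0 for p in protocols):
        if pos >= len(atr):
            raise ValueError("TCK expected but missing")
        tck_ok = reduce(xor, atr[1:pos + 1]) == 0   # XOR of T0..TCK must be zero
        pos += 1
    if pos != len(atr):
        raise ValueError("unexpected trailing bytes")
    return {"convention": "direct" if atr[0] == 0x3B else "inverse",
            "protocols": sorted(set(protocols)) or [0],
            "interface": iface, "historical": historical, "tck_ok": tck_ok}

# Constructed sample lines (not a real PIVKey ATR), in two display styles.
PCSC_SCAN_LINE = "  ATR: 3B 94 11 81 31 FE 45 54 45 53 54 98"
OPENSC_LINE = "3b:94:11:81:31:fe:45:54:45:53:54:98"

if __name__ == "__main__":
    a, b = atr_bytes(PCSC_SCAN_LINE), atr_bytes(OPENSC_LINE)
    print("same ATR from both tools:", a == b, parse_atr(a))
```

A tck_ok value of False, or a ValueError, on an ATR copied from a reader under test points at a transport or driver problem rather than at the card's certificates.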

PCSC Middleware

The PCSC packages provide the drivers and middleware that allow clients to talk to the smart card device. The drivers are shared libraries in userland, and most smart card readers can use libccid. This driver in turn talks to USB devices using libusb. The driver library (or libraries) is loaded by the pcscd daemon. Clients (like the PCSC tools) talk to the daemon to access the cards.

PIVKey on Windows

The first thing to do is to ensure the PV USB and Smart Card drivers have loaded correctly. Follow these instructions for this (note that PV USB will also create host controller and root hub devices):

https://pivkey.zendesk.com/hc/en-us/articles/203775049-Testing-the-PIVKey-on-the-User-PC

Next install the PIVKey Windows software:

https://pivkey.zendesk.com/hc/en-us/articles/203126279-Installing-the-PIVKey-Administrator-Tools

Once installed, these commands should show information about the card:

"C:\Program Files\PIVKey Administrator\PIVKey Admin Tools\PivKeyTool.exe" --listcardid
"C:\Program Files\PIVKey Administrator\PIVKey Admin Tools\PivKeyTool.exe" --listmd
"C:\Program Files\PIVKey Administrator\PIVKey Admin Tools\PivKeyTool.exe" --listpiv

Finally, and most importantly, check that the PIVKey test website allows the PIN-based login and then displays the test results and certificate information correctly:

https://pivkey.com:448