Comments (5)
That is already available with Match-On-Card support in the SmartCard-HSM. See the KeyXentic KX 906 token that has an embedded secure element with the SmartCard-HSM applet and 1-to-1 fingerprint matching.
@frankmorgner can probably also talk about the GoID card, which has an embedded fingerprint sensor.
Technology is available, but market demand is low.
from opensc.
That is already available with Match-On-Card support in the SmartCard-HSM. See the KeyXentic KX 906 token that has an embedded secure element with the SmartCard-HSM applet and 1-to-1 fingerprint matching.
@frankmorgner can probably also talk about the GoID card, which has an embedded fingerprint sensor.
Technology is available, but market demand is low.
I'm aware that there are card-specific technologies available. But I'm more thinking about a vendor-agnostic approach that utilizes things like Windows Hello for Business and Conditional Based Access to unlock the smart card with biometrics.
from opensc.
So you want the user to authenticate towards a trusted server, which in turn authenticates against the card?
Then you need some challenge response protocol between the card and the server, so that no sensitive information gets lost while the server authenticates against the card.
We use TA from BSI TR-03110 for that, which has an EC key on the server that signs a challenge generated by the card. In a large application we use that in addition to the user PIN to ensure that the card is only used in the designated security environment. But server authentication could also be the sole or alternate authentication method.
from opensc.
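A minimal simulation of the exchange described above, added here as an example (it is not OpenSC or SmartCard-HSM code and not an implementation of TR-03110 TA itself): the "card" holds the server's public key as its trust anchor, issues a fresh random challenge, and accepts only an ECDSA signature over that challenge, so neither a replayed response nor a signature from a different key unlocks it. Type and function names are assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// AuthServer (hypothetical name) holds the long-term EC signing key.
type AuthServer struct{ key *ecdsa.PrivateKey }

func NewAuthServer() (*AuthServer, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AuthServer{key: k}, nil
}

// SignChallenge answers a card challenge with an ECDSA signature over SHA-256(challenge).
func (s *AuthServer) SignChallenge(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, s.key, h[:])
}

// Card (hypothetical name) trusts only the server public key and keeps one outstanding challenge.
type Card struct {
	trustAnchor *ecdsa.PublicKey
	pending     []byte
}

// NewChallenge generates a fresh random challenge; the previous one is discarded.
func (c *Card) NewChallenge() ([]byte, error) {
	ch := make([]byte, 16)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	c.pending = ch
	return ch, nil
}

// VerifyResponse accepts the response only for the outstanding challenge, then consumes it.
func (c *Card) VerifyResponse(sig []byte) error {
	if c.pending == nil {
		return errors.New("no outstanding challenge")
	}
	h := sha256.Sum256(c.pending)
	c.pending = nil // single use: a replayed response cannot satisfy a later challenge
	if !ecdsa.VerifyASN1(c.trustAnchor, h[:], sig) {
		return errors.New("server authentication failed")
	}
	return nil
}
```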
So you want the user to authenticate towards a trusted server, which in turn authenticates against the card?
Correct. The server needs to support OAuth2 because I want to utilize Entra ID Conditional Based Access.
Then you need some challenge response protocol between the card and the server, so that no sensitive information gets lost while the server authenticates against the card.
That would indeed be the best approach, but as stated above, I could live with saving the PIN in a TPM chip, if the chip is inside a trusted computer.
We use TA from BSI TR-03110 for that, which has an EC key on the server that signs a challenge generated by the card. In a large application we use that in addition to the user PIN to ensure that the card is only used in the designated security environment. But server authentication could also be the sole or alternate authentication method.
This is probably not card agnostic, is it? I would need a solution working with CardOS cards but which ideally would work with any card.
from opensc.
If you don't want to use some integrated solution (e.g. GoID card as described above), you are left with stacking and combining different technologies.
What is wrong with the process you have depicted (other than you should do it all-local rather than involving some shady web component)? The same process is used locally for some demo Windows Credential Providers, which are storing and recovering the user's (encrypted) password for login instead of a smart card PIN.
from opensc.