SECURITY Emailing with smartcards

From Gentoo Linux Wiki

This article is part of the Security series.


Intro

S/MIME with smartcards such as the national digital ID cards now being rolled out

Using a smartcard has advantages, the main one being that the secret keys are far better protected: they never leave the card. The card usually also has (simple) self-destruction mechanisms and is close to tamperproof unless it ends up in truly professional hands. Most states have already rolled out national digital ID cards or will do so in the next couple of years. The CAs are properly run, and the level of trust in the national systems is clearly superior to the puny self-generated PGP keys most people have used in the past. The state certifies that the holder of the card *is*, in a legally binding way, the person named on it. With self-created keys and certificates there can't be trust that solid, period. These ID cards are usually not tied to an email address and are good for secure login (via cross-certification etc.), for protecting stored content and, naturally, for communications.

There are several ways to get proper and secure S/MIME email signing and encryption working. Basically you need:

  1. Drivers for your reader
  2. Middleware software
  3. Email software.

Below is a rough outline of how these pieces fit together.

Driver part

Get PC/SC drivers for your smartcard reader. If you don't have a reader yet, the USB models are the best choice; for instance the Omnikey 2020 works just fine. Compile and install the kernel module.

If your vendor does not provide proper drivers, another option is to check whether OpenCT supports your reader. pcsc-lite might also have generic support for your reader. Please consult the documentation of those projects for more help.

pcsc-lite

Install pcsc-lite. The pcsc-lite package provided by Gentoo Portage might do, but it might also be far too old to work. linuxnet.com has a link from which you can get a proper CVS version. Consult the package's documentation on installing it, then start the service.

Testing

Test pcsc-lite with the test tools it provides. The tools should report the card being inserted and removed; if that happens, you are good to go for actual use!

OpenSC

Install OpenSC. It's quite straightforward, and opensc.org is quite helpful on the matter.

Applications

There are a few ways to get the actual email program working. The easiest to use are Mozilla's mail application and Thunderbird, since in security features they are ~5 years ahead of the other email applications. All you have to do is load the PKCS#11 module and select the certificate to be used. The PKCS#11 module is usually somewhere around /usr/lib/pkcs11/opensc-pkcs11.so. Do not forget to add your CA to the trusted ones!
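The chain described above (reader driver, pcsc-lite, OpenSC, then the mail client) is easy to verify step by step from a shell. The script below is an added example and not part of the original wiki page or of the OpenSC project; the tool names are the real ones shipped by OpenSC (opensc-tool, pkcs11-tool, pkcs15-tool) and by NSS (modutil, certutil, used by Mozilla/Thunderbird profiles), while the candidate module paths, the "OpenSC" module name, the "National ID CA" nickname and the profile directory are assumptions the reader adjusts for their own install.

```shell
#!/bin/sh
# Added example (not the wiki's or OpenSC's own code): check each layer of
# the smartcard e-mail setup and register the module with an NSS profile.
set -u

# Candidate locations of the OpenSC PKCS#11 module (assumed paths; the
# article only mentions /usr/lib/pkcs11/opensc-pkcs11.so).
OPENSC_CANDIDATES="/usr/lib/pkcs11/opensc-pkcs11.so /usr/lib/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/opensc-pkcs11.so"

# Print the first readable module among the given candidates (defaults to
# OPENSC_CANDIDATES); return 1 when none is present.
find_pkcs11_module() {
    for p in ${1:-$OPENSC_CANDIDATES}; do
        if [ -r "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Steps 1 and 2: is pcscd running, and does it see the reader?
check_reader() {
    if ! pgrep -x pcscd >/dev/null 2>&1; then
        echo "pcscd is not running; start the pcsc-lite service first" >&2
        return 1
    fi
    opensc-tool --list-readers     # readers known to pcsc-lite
}

# Step 3: does OpenSC find a token in a slot, and which certificates are on it?
check_card() {
    module=$(find_pkcs11_module) || { echo "no opensc-pkcs11.so found" >&2; return 1; }
    pkcs11-tool --module "$module" --list-slots || return 1
    pkcs15-tool --list-certificates
}

# Step 4: register the module in a Mozilla/Thunderbird NSS database and trust
# the CA. The profile directory and the CA PEM file are supplied by the caller.
register_in_nss() {
    profile_dir=$1; ca_file=$2
    module=$(find_pkcs11_module) || return 1
    modutil -dbdir "$profile_dir" -add "OpenSC" -libfile "$module" -force
    # Trust flags CT,C,C: the CA may issue SSL, e-mail and object-signing certs.
    certutil -d "$profile_dir" -A -n "National ID CA" -t "CT,C,C" -i "$ca_file"
}

case "${1:-}" in
    reader)   check_reader ;;
    card)     check_card ;;
    register) register_in_nss "$2" "$3" ;;
    *)        echo "usage: $0 reader | card | register <profile_dir> <ca.pem>" >&2 ;;
esac
```

Run `reader` first; if no reader is listed, the driver or pcscd is the problem, not OpenSC. `card` should list a slot with a token present and the certificates on it; only then is it worth registering the module in the mail client's profile. The trust flags given to certutil are what make the CA "trusted" in the sense the article asks for; without them Thunderbird will still see the certificate but refuse to treat signatures from it as valid.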

Another way is to figure out how gpg can use PKCS#11 modules. I have heard that it can, but have not looked into it further since gpg is just extra bloat.

Retrieved from the Dutch-language Gentoo Wiki, the free Gentoo handbook. "http://nl.gentoo-wiki.com/SECURITY_Emailing_with_smartcards"