Assignment 4 : More Applet Programming - SSH/Smartcard Integration

SSH/Smartcard Integration
2/20/2000, Naomaru Itoi (itoi@eecs.umich.edu)
Revised 3/9/2000
Revised 11/6/2000

In this assignment, you are to learn integration of card side and host side programming by implementing a SSH client with smartcard. You are asked to write a Java applet to perform RSA decryption, and to modify the SSH client to call the card. Problem Description
The following steps do not have to be carried out in this order.

Install SSH
Copy /afs/engin.umich.edu/class/w00/eecs598/002/software/src/src/ssh-1.2.27.tar.gz to your directory, configure, compile and install on your operating system (Solaris 2.6, RedHat 6.1, or OpenBSD 2.6).
Generate a public / private key pair, place the public key on your home directory in iceaxe.
Use sample binary /afs/engin.umich.edu/class/w00/eecs598/002/software/bin/(OS name)/ssh to print out your private key with -K option (e.g., ssh -K login.umich.edu).
Caution

Make sure to copy your public key (.ssh/identity.pub) into .ssh/authorized_keys in the host you want to log in.
For example, I generated a key pair on prom.engin, therefore prom has my private key (identity) and my public key (identity.pub) in ~/.ssh. I copied the public key to soso.eecs:~/.ssh/authorized_keys.
prom% ./ssh -K soso.eecs.umich.edu setting printKey flag... ------------printing key p: ... q: ... 1/p mod q: ... dp: ... dq: ... n: ... ----------------------printing key done
Card initialization
Write your private key to the card with jR command in pay.
Caution

Note that jR command writes the private key to a key number 0x10. When you load this key in your applet by setKeyInstance(), you have to specify this number.
Write your n of the public key to the file 3f.00/73.68 (sh) on card by sending create APDU and write binary APDU from pay. It should look like this:
% pay> jR (private key (p, q, 1/p mod q, dp, dq) from ssh -K) % pay> f 3f.00 /* create file "sh" */ % pay> ic f0 E0 00 00 10 01 00 73 68 02 01 00 00 FF 00 00 00 00 00 00 00 /* select */ % pay> f 73.68 /* write to "sh" */ % pay> ic f0 d6 00 00 80 (public key (n) from ssh -K)
ssh modification
- Add -s option to enable smartcard authentication.
- Identify RSA decryption operation in ssh. Replace it with a call to smartcard. Implement the equivalent functionality on the card.
- Identify the part reading n from a private key file. Replace it with a call to smartcard. Implement the equivalent functionality on the card.
Now your ssh client (with -s option) should let you log on to iceaxe (or whatever) without typing the password.
Caution
- Large integers are represented by a data structure called MP_INT on SSH, and its byte order is different from one on Cyberflex Access. Use functions in /afs/engin.umich.edu/u/i/t/itoi/eecs598/software/ssh_sc.c to convert MP_INT on SSH to/from buffer on Cyberflex.

Reference

Schlumberger Cyberflex Access Programming Guide
/afs/engin.umich.edu/class/w00/eecs598/002/software/src/example/Wallet.java
You may reuse it.
Textbook
ISO 7816-4 spec
sc7816 library API (/afs/engin.umich.edu/class/w00/eecs598/002/software/src/sc7816/README)
source files in /afs/engin.umich.edu/class/w00/eecs598/002/software/src/sc7816.
You may reuse them.

Congratulation, assignment 4 is done. As always, send questions to smartcards@umich.edu. If you are interested in doing more, talk to us. Good luck. :)

Assignment 4 : More Applet Programming - SSH/Smartcard Integration

SSH/Smartcard Integration 2/20/2000, Naomaru Itoi (itoi@eecs.umich.edu) Revised 3/9/2000 Revised 11/6/2000

SSH/Smartcard Integration
2/20/2000, Naomaru Itoi (itoi@eecs.umich.edu)
Revised 3/9/2000
Revised 11/6/2000