Assignment 4 : More Applet Programming - SSH/Smartcard Integration
2/20/2000, Naomaru Itoi (itoi@eecs.umich.edu)
Revised 3/9/2000
Revised 11/6/2000
In this assignment, you will learn to integrate card-side and host-side
programming by implementing an SSH client that uses a smartcard. You are
asked to write a Java applet that performs RSA decryption, and to modify
the SSH client to call the card.
Problem Description
The following steps do not have to be carried out in this order.
- Install SSH
Copy
/afs/engin.umich.edu/class/w00/eecs598/002/software/src/src/ssh-1.2.27.tar.gz
to your directory, configure, compile and install on your operating
system (Solaris 2.6, RedHat 6.1, or OpenBSD 2.6).
- Generate a public / private key pair, and place the public key in
your home directory on iceaxe.
- Use the sample binary
/afs/engin.umich.edu/class/w00/eecs598/002/software/bin/(OS name)/ssh
to print out your private key with the -K option (e.g., ssh
-K login.umich.edu).
Caution
Make sure to copy your public key (.ssh/identity.pub) into
.ssh/authorized_keys on the host you want to log in to.
For example, I generated a key pair on prom.engin, so prom has
my private key (identity) and my public key (identity.pub) in ~/.ssh.
I copied the public key to soso.eecs:~/.ssh/authorized_keys.
prom% ./ssh -K soso.eecs.umich.edu
setting printKey flag...
------------printing key
p:
...
q:
...
1/p mod q:
...
dp:
...
dq:
...
n:
...
----------------------printing key done
- Card initialization
Write your private key to the card with the jR command in
pay.
Caution
Note that the jR command writes the private key to key number
0x10. When you load this key in your applet with
setKeyInstance(), you have to specify this number.
Write the modulus n of your public key to the file
3f.00/73.68 (sh) on the card by sending a create APDU and a write
binary APDU from pay. The pay session should look like this:
% pay> jR
(private key (p, q, 1/p mod q, dp, dq) from ssh -K)
% pay> f 3f.00
/* create file "sh" */
% pay> ic f0 E0 00 00 10
01 00 73 68 02 01 00 00 FF 00 00 00 00 00 00 00
/* select */
% pay> f 73.68
/* write to "sh" */
% pay> ic f0 d6 00 00 80
(public key (n) from ssh -K)
- ssh modification
  - Add a -s option to enable smartcard authentication.
  - Identify the RSA decryption operation in ssh.
  Replace it with a call to the smartcard, and implement the equivalent
  functionality on the card.
  - Identify the part that reads n from the private key file.
  Replace it with a call to the smartcard, and implement the equivalent
  functionality on the card.
Now your ssh client (with the -s option) should let you log on to
iceaxe (or whatever host you chose) without typing a password.
Caution
- Large integers are represented in SSH by a data structure called
MP_INT, whose byte order differs from the one used on
Cyberflex Access. Use the functions in
/afs/engin.umich.edu/u/i/t/itoi/eecs598/software/ssh_sc.c to
convert an MP_INT on SSH to/from a buffer on
Cyberflex.
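As an added illustration (not part of this handout, of ssh-1.2.27, or of the sc7816 library), the following Python models the operation you are replacing on the host and re-implementing on the card: RSA decryption by the Chinese Remainder Theorem from exactly the components ssh -K prints (p, q, 1/p mod q, dp, dq), with the ciphertext exchanged as a byte buffer the length of n. The big-endian buffer layout, the toy primes and the function names are assumptions; the real MP_INT conversion is what ssh_sc.c does.

```python
# Added example: host-side model of the RSA decryption the card applet
# must implement. Not code from the assignment, ssh-1.2.27 or sc7816.
# Key components are exactly those printed by `ssh -K`:
#   p, q, u = 1/p mod q, dp = d mod (p-1), dq = d mod (q-1), and n.
# Assumption: the card exchanges big-endian byte buffers of len(n) bytes.
from dataclasses import dataclass


@dataclass(frozen=True)
class CRTPrivateKey:
    p: int
    q: int
    u: int   # 1/p mod q  (the "1/p mod q" line of ssh -K)
    dp: int  # d mod (p-1)
    dq: int  # d mod (q-1)


def make_key(p, q, e=17):
    """Build (n, e, CRT private key) from two primes; for a real identity
    file, ssh -K prints these values instead."""
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                      # private exponent d
    key = CRTPrivateKey(p, q, pow(p, -1, q), d % (p - 1), d % (q - 1))
    return p * q, e, key


def rsa_decrypt_crt(key, c):
    """m = c^d mod n computed without d or n (Garner's recombination)."""
    m1 = pow(c, key.dp, key.p)
    m2 = pow(c, key.dq, key.q)
    h = (key.u * (m2 - m1)) % key.q          # (m2 - m1) * p^-1 mod q
    return m1 + h * key.p


def card_decrypt(key, cipher_buf):
    """The applet's contract: big-endian buffer in, same-length buffer
    out. This is what the ssh client's -s path sends and receives."""
    nbytes = len(cipher_buf)
    c = int.from_bytes(cipher_buf, "big")
    return rsa_decrypt_crt(key, c).to_bytes(nbytes, "big")


def host_encrypt(n, e, m):
    """Public-key operation performed with n, e only (as the server does)."""
    nbytes = (n.bit_length() + 7) // 8
    return pow(m, e, n).to_bytes(nbytes, "big")


if __name__ == "__main__":
    n, e, key = make_key(61, 53)            # constructed toy primes
    assert card_decrypt(key, host_encrypt(n, e, 65)) == (65).to_bytes(2, "big")
    print("CRT decryption matches the public-key operation")
```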
Reference
- Schlumberger
Cyberflex Access Programming Guide
- /afs/engin.umich.edu/class/w00/eecs598/002/software/src/example/Wallet.java
(you may reuse it)
- Textbook
- ISO 7816-4 spec
- sc7816 library API
(/afs/engin.umich.edu/class/w00/eecs598/002/software/src/sc7816/README)
- source files in
/afs/engin.umich.edu/class/w00/eecs598/002/software/src/sc7816
(you may reuse them)
Congratulations, assignment 4 is done. As always, send questions to
smartcards@umich.edu. If you are interested in doing more, talk to
us. Good luck. :)