Comment: Update CCID driver upstream URL
Revision 62 as of 2022-06-30 05:41:02
adding 0bda devices from script's output
Line 176: | Line 176: |
||USB||0BDA:0169||Generic USB2.0-CRW||[[#libccid]]|| ||USB||0BDA:0161||MSI !StarReader SMART||[[#libccid]]|| ||USB||0BDA:0165||Generic Smart Card Reader Interface||[[#libccid]]|| ||USB||0BDA:0169||Generic USB2.0-CRW||[[#libccid]]|| ||USB||0BDA:0161||MSI !StarReader SMART||[[#libccid]]|| ||USB||0BDA:0165||Generic Smart Card Reader Interface||[[#libccid]]|| |
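Review bot: the rows for 0BDA:0169, 0BDA:0161 and 0BDA:0165 each appear twice on Line 176, so the Supported Hardware table ends up carrying three duplicate entries. Keep one copy of each row, and de-duplicate the script's output against the rows already in the table before pasting it in.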
This page provides hints on how to use smartcards (also known as chip cards, or integrated circuit cards (ICC)) under Debian.
Smartcards are used with cryptographic keys to ensure that their private half is never on any hard disk or other general storage device, and therefore that it cannot possibly be stolen (because there's only one possible copy of it). Most physical key "dongles" also implement a chip card interface device (CCID) and so can be used as smartcards, even though you can never remove the smartcard from the "reader".
Overview
- A smartcard architecture is quite complicated and it is not currently possible to mix-and-match any random combination of cards and readers in a plug-and-play manner. Not all cards, readers and software are interchangeable.
- By carefully selecting the right combination of smart cards and card readers, a fully functional system can be implemented with Debian.
There are two main types of solution on Debian, the OpenPGP based cards or the PKCS#11 style cards. This page describes the PKCS#11 style cards.
OpenPGP cards are a special type of card that are designed for use with GnuPG. For the GnuPG use-case (signing email), they are easy to use and therefore quite popular - however, to use a card for general purpose activities such as web authentication, VPN and disk encryption, they may not be satisfactory.
However, GnuPG can also use regular PKCS#11 cards with the help of OpenSC and the GnuPG PKCS#11 project.
Smartcards have their own internal software and operating systems. This software is rarely free software within the principles of the Debian Free Software Guidelines - however, the software on the Debian system is completely free. By definition, a smartcard is a secure device and the software can not be changed at will. Some vendors provide binary (closed source) drivers for Linux, but it is not always necessary to use these drivers. In the best cases, it is possible to build working solutions without using any non-free or binary artifacts from the vendor, except for those in the card itself.
Choosing algorithms and key sizes
- RSA is the traditional algorithm
  - Keys shorter than 2048 bits are considered insecure
  - Most cards support a maximum of 2048 bits
  - Some people feel that is not sufficient
- Elliptic Curve Cryptography (ECC) is a more modern algorithm
  - key sizes are shorter (e.g. 256 bit ECC is similar in strength to 3072 bit RSA)
  - it uses less CPU than RSA
  - however, some old clients (e.g. Windows XP) don't support it
  - even modern applications are struggling to catch up, e.g. it is not in the stable versions of GnuPG or GnuPG v2.0 in Debian.
- Smart card vendors are showing a preference for supporting ECC in future projects:
  - Due to the shorter key length (uses less memory)
  - Lower CPU overhead / faster operation on the chip in the card
  - Considered more secure
  - US NIST endorsing ECC
- Consequently, for those who want RSA 4096 on smart cards, it is recommended to also consider using ECC
For those with an RSA preference, see: Some comments on the debate over using 2048 or 4096 bits.
Some common cards
- Here are some common cards that are available through online shops. Each has some gotchas - see the OpenSC wiki (supported hardware list) for details.
- When looking for smart card vendors in a web search, typical keywords to use are: "7816" "4096" "rsa" "smartcard"
| Vendor | Card | Bits (RSA) | Card operating system | Initializable with OpenSC | Purchasing/Online shop |
|---|---|---|---|---|---|
| ACS | ACOS5-64 | 4096 | | | |
| Aladdin | eToken PRO | 2048 | JavaCard | ? | |
| Aventra | | 2048 | JavaCard | Yes | |
| Crypto Stick | | 4096 | | Yes | |
| Feitian | ePass2003 | 2048 | Feitian proprietary | | |
| Feitian | FTCOS / PK-01C | 2048 | | Yes | http://www.gooze.eu/feitian-pki-free-software-developer-card Free card offer |
| g10 Code | OpenPGP SmartCard V2 | 4096 | | Yes | Floss Shop OpenPGP Card v2.1 |
| Gemalto (formerly Schlumberger/Axalto) | Cryptoflex (and eGate) | | | | |
| Gemalto | PIV card | 2048 | | | |
| Gemalto | IDcore | 2048 | JavaCard | | |
| Yubico | YubiKey NEO | 2048 | JavaCard | | |
| Yubico | | 4096 | JavaCard | | |
| ZeitControl | BasicCard | 4096 | BasicCard | | |
Applications
- Authentication
- Data Encryption
- Signing
See this list of sample applications for Linux.
Supported Hardware
This list is not exhaustive. It's essentially here so people can find it: there are no modules for those devices... just pure userland.
| Interface | ID | Description | Driver |
|---|---|---|---|
| USB | 03F0:0824 | HP USB Smartcard Reader | |
| USB | 03F0:1024 | HP USB Smart Card Keyboard | |
| USB | 0416:3815 | Winbond | |
| USB | 046a:0005 | Cherry XX33 | |
| USB | 046a:0010 | Cherry XX44 | |
| USB | 046a:002D | Cherry ST1044U | |
| USB | 046a:003E | Cherry SmartTerminal ST-2XXX | |
| USB | 046A:005B | Cherry SmartBoard XX1X | |
| USB | 0471:040F | Philips JCOP41V221 | |
| USB | 047B:020B | Silitek SK-3105 | |
| USB | 04B9:1206 | SafeNet IKey4000 | |
| USB | 04B9:1400 | SafeNet IKey4000 | |
| USB | 04E6:5111 | SCM SCR 331-DI | |
| USB | 04E6:5113 | SCM SCR 333 | |
| USB | 04E6:5115 | SCM SCR 335 | |
| USB | 04E6:5116 | SCM SCR 3310 | |
| USB | 04E6:5117 | SCM SCR 3320 | |
| USB | 04E6:5119 | SCM SCR 3340 ExpressCard54 | |
| USB | 04E6:511A | SCM SCR 3310 NTTCom | |
| USB | 04E6:511C | Axalto Reflex USB v3 | |
| USB | 04E6:511D | SCM SCR 3311 | |
| USB | 04E6:5120 | SCM SCR 331-DI NTTCom | |
| USB | 04E6:5121 | SCM SDI 010 | |
| USB | 04E6:5410 | SCM SCR 355 | |
| USB | 04E6:E001 | SCM SCR 331 | |
| USB | 04E6:E003 | SCM SPR 532 | |
| USB | 0529:030b | Aladdin Pro, eToken R1 v3.1.3.x | |
| USB | 0529:050c | Aladdin Pro, eToken Pro v4.1.5.x | |
| USB | 0529:0514 | Aladdin Pro, eToken Pro v4.2.5.4 | |
| USB | 058F:9520 | Alcor Micro AU9520 | |
| USB | 067b:2303 | Towitoko Chipdrive USB | #libtowitoko2 broken in Debian and Ubuntu |
| USB | 072F:9000 | ACS ACR38U or ACR38T | |
| USB | 072f:90cc | ACS ACR 38U-CCID | |
| USB | 073D:0007 | Eutron CryptoIdentity | |
| USB | 073D:0008 | Eutron CryptoIdentity | |
| USB | 073D:0B00 | Eutron Digipass 860 | |
| USB | 073D:0C00 | Eutron SIM Pocket Combo | |
| USB | 073D:0C01 | Eutron Smart Pocket | |
| USB | 076B:1021 | OmniKey CardMan 1021 | |
| USB | 076B:3021 | OmniKey CardMan 3121 | |
| USB | 076B:3621 | OmniKey CardMan 3621 | |
| USB | 076B:3821 | OmniKey CardMan 3821 | |
| USB | 076B:4321 | OmniKey CardMan 4321 | |
| USB | 076B:5121 | OmniKey CardMan 5121 | |
| USB | 076B:5125 | OmniKey CardMan 5125 | |
| USB | 076B:5321 | OmniKey CardMan 5321 | |
| USB | 076B:6622 | OmniKey CardMan 6121 | |
| USB | 076B:A022 | Teo by Xiring | |
| USB | 0783:0003 | C3PO LTC31 | |
| USB | 0783:0006 | C3PO LTC31 | |
| USB | 0783:0007 | C3PO TLTC2USB | |
| USB | 0783:0008 | C3PO LTC32 USBv2 with keyboard support | |
| USB | 0783:0009 | C3PO KBR36 | |
| USB | 0783:0010 | C3PO LTC32 | |
| USB | 0783:9002 | C3PO TLTC2USB | |
| USB | 08E6:0430 | GemPC430 | |
| USB | 08E6:0432 | GemPC432 | |
| USB | 08E6:0435 | GemPC435 | |
| USB | 08E6:1359 | VeriSign Secure Storage Token | |
| USB | 08E6:2202 | Gemplus Gem e-Seal Pro | |
| USB | 08E6:3437 | Gemplus GemPC Twin | |
| USB | 08E6:3438 | Gemplus GemPC Key | |
| USB | 08E6:3478 | Gemplus GemPC Pinpad | |
| USB | 08E6:3479 | Gemplus GemCore POS Pro | |
| USB | 08E6:3480 | Gemplus GemCore SIM Pro | |
| USB | 08E6:34EC | Gemplus GemPC Express | |
| USB | 08E6:4433 | Gemplus GemPC433 SL | |
| USB | 08E6:8000 | Smart Enterprise Guardian | |
| USB | 08E6:ACE0 | Verisign Secure Token | |
| USB | 0973:0003 | SchlumbergerSema Cyberflex Access | |
| USB | 0982:0007 | Covadis Alya | |
| USB | 0982:0008 | Covadis Vega | |
| USB | 09BE:0002 | SmartEpad | |
| USB | 09C3:0008 | ActivCard USB Reader 2.0 | |
| USB | 09C3:0013 | ActivCard USB Reader 3.0 | |
| USB | 09C3:0014 | Activkey Sim | |
| USB | 0B81:0200 | id3 CL1356D | |
| USB | 0B81:0220 | id3 CL1356A HID | |
| USB | 0b97:7762 | O2 Micro Oz776 | |
| USB | 0b97:7772 | O2 Micro Oz776 | |
| USB | 0BDA:0169 | Generic USB2.0-CRW | |
| USB | 0BDA:0161 | MSI StarReader SMART | |
| USB | 0BDA:0165 | Generic Smart Card Reader Interface | |
| USB | 0BDA:0169 | Generic USB2.0-CRW | |
| USB | 0BDA:0161 | MSI StarReader SMART | |
| USB | 0BDA:0165 | Generic Smart Card Reader Interface | |
| USB | 0BF8:1005 | Fujitsu Siemens SmartCard Keyboard USB 2A | |
| USB | 0BF8:1006 | Fujitsu Siemens SmartCard USB 2A | |
| USB | 0C4B:0300 | Reiner-SCT cyberJack pinpad(a) | |
| USB | 0D46:3001 | KOBIL KAAN Base | |
| USB | 0D46:3002 | KOBIL KAAN Advanced | |
| USB | 0d46:3003 | KOBIL KAAN SIM III | |
| USB | 0d46:3010 | KOBIL EMV CAP - SecOVID Reader III | |
| USB | 0d46:4000 | KOBIL mIDentity | |
| USB | 0d46:4001 | KOBIL mIDentity | |
| USB | 0DC3:1004 | Athena ASE IIIe | |
| USB | 0DC3:1102 | Athena ASEDrive IIIe KB | |
| USB | 0DF6:800A | Sitecom USB simcard reader MD-010 | |
| USB | 1059:000C | GnD CardToken 350 | |
| USB | 1059:000D | GnD CardToken 550 | |
| USB | 15E1:2007 | RSA SecurID | |
| USB | 17EF:1003 | Lenovo Integrated Smart Card Reader | |
| USB | 19E7:0002 | Charismathics token | |
| USB | 1A44:0001 | Vasco DP905 | |
| USB | 1A74:6354 | OCS ID-One Cosmo Card | |
| USB | 1B0E:1078 | Blutronics Bludrive II CCID | |
| USB | 1C34:7124 | Pro-Active CSB6 Ultimate | |
| USB | 1CF0:0001 | Validy TokenA sl vt | |
| USB | 413c:2100 | Dell keyboard SK-3106 | |
| USB | 413c:2101 | Dell smart card reader keyboard | |
Drivers
libccid
A generic driver for USB CCID (Chip/Smart Card Interface Devices) and ICCD (Integrated Circuit(s) Card Devices). See the CCID and ICCD specifications from the USB working group.
Package: libccid
gnupg-ccid
GnuPG has its own built-in CCID driver, which communicates directly with the reader through libusb. It only supports readers that are capable of auto configuration.
See GnuPG/CCID_Driver for details.
Note that GnuPG also supports readers through PC/SC-lite.
Advanced Card Systems
Package: libacr38u
ACS USB CCID smart card readers
Package: libacsccid1
Athena SCS (Smartcard Solutions)
Package: libasedrive-usb
AKS - Aladdin Knowledge Systems
Package: libetoken
Gemplus SA
Package: libgempc430
Towitoko GMBH
Package: libtowitoko2
MuscleCard Applet PlugIn
Aladdin eToken PRO
Unsupported devices
Only supported devices are listed above (because the status of such devices can change so quickly).
Exception: some vendors sell multiple different hardware devices under the same product name (!). In such cases, we try to list the unsupported version(s) with the tag #not-supported.