This page provides hints on how to use smartcards (also known as chip cards or integrated circuit cards (ICC)) under Debian.
Overview
- A smartcard architecture is quite complicated, and it is not currently possible to mix and match any random combination of cards and readers in a plug-and-play manner. Not all cards, readers and software are interchangeable.
- By carefully selecting the right combination of smart cards and card readers, a fully functional system can be implemented with Debian.
There are two main types of solution on Debian: OpenPGP-based cards and PKCS#11-style cards. This page describes the PKCS#11-style cards.
OpenPGP cards are a special type of card that are designed for use with GnuPG. For the GnuPG use-case (signing email), they are easy to use and therefore quite popular - however, to use a card for general purpose activities such as web authentication, VPN and disk encryption, they may not be satisfactory.
However, GnuPG can also use regular PKCS#11 cards with the help of OpenSC and the [https://sites.google.com/site/alonbarlev/gnupg-pkcs11|GnuPG PKCS#11 project].
Smartcards have their own internal software and operating systems. This software is rarely free software within the principles of the [http://www.debian.org/social_contract|Debian Free Software Guidelines] - however, the software on the Debian system is completely free. By definition, a smartcard is a secure device and the software can not be changed at will. Some vendors provide binary (closed source) drivers for Linux, but it is not always necessary to use these drivers. In the best cases, it is possible to build working solutions without using any non-free or binary artifacts from the vendor, except for those in the card itself.
Some common cards
- Here are some common cards that are available through online shops
Each has some gotchas - see the OpenSC wiki (supported hardware list) for details
| Vendor | Card | Bits (RSA) | Card operating system | Initializable with OpenSC | Purchasing/online shop |
|---|---|---|---|---|---|
| Aventra | MyEID | 2048 | ?JavaCard | Yes | |
| Feitian | FTCOS / PK-01C | 2048 | | Yes | http://www.gooze.eu/feitian-pki-free-software-developer-card Free card offer |
| Aladdin | eToken PRO | 2048 | ?JavaCard | ? | |
| Athena SCS | IDProtect Laser | 4096 | | | [http://www.cryptoshop.com/athena-idprotect-laser.html?___store=english&___from_store=default] |
| ACS | ACOS5-64 | 4096 | | | [http://www.smartcardfocus.com/shop/ilp/id~630/ACOS5_64/p/index.shtml] |
Applications
- Authentication
- Data Encryption
- Signing
Supported Hardware
This list is not exhaustive. It is essentially here so people can find it: there are no modules for those devices, just pure userland.
| Interface | ID | Description | Driver |
|---|---|---|---|
| USB | 03F0:0824 | HP USB Smartcard Reader | |
| USB | 03F0:1024 | HP USB Smart Card Keyboard | |
| USB | 0416:3815 | Winbond | |
| USB | 046a:0005 | Cherry XX33 | |
| USB | 046A:0010 | Cherry SmartBoard XX44 | |
| USB | 046a:0010 | Cherry XX44 | |
| USB | 046A:002D | Cherry SmartTerminal XX44 | |
| USB | 046a:002D | Cherry ST1044U | |
| USB | 046a:003E | Cherry SmartTerminal ST-2XXX | |
| USB | 046A:005B | Cherry SmartBoard XX1X | |
| USB | 0471:040F | Philips JCOP41V221 | |
| USB | 047B:020B | Silitek SK-3105 | |
| USB | 04B9:1206 | SafeNet IKey4000 | |
| USB | 04B9:1400 | SafeNet IKey4000 | |
| USB | 04E6:5111 | SCM SCR 331-DI | |
| USB | 04E6:5113 | SCM SCR 333 | |
| USB | 04E6:5115 | SCM SCR 335 | |
| USB | 04E6:5116 | SCM SCR 3310 | |
| USB | 04E6:5117 | SCM SCR 3320 | |
| USB | 04E6:5119 | SCM SCR 3340 ExpressCard54 | |
| USB | 04E6:511A | SCM SCR 3310 NTTCom | |
| USB | 04E6:511C | Axalto Reflex USB v3 | |
| USB | 04E6:511D | SCM SCR 3311 | |
| USB | 04E6:5120 | SCM SCR 331-DI NTTCom | |
| USB | 04E6:5121 | SCM SDI 010 | |
| USB | 04E6:5410 | SCM SCR 355 | |
| USB | 04E6:E001 | SCM SCR 331 | |
| USB | 04E6:E003 | SCM SPR 532 | |
| USB | 0529:030b | Aladdin Pro, eToken R1 v3.1.3.x | |
| USB | 0529:050c | Aladdin Pro, eToken Pro v4.1.5.x | |
| USB | 0529:0514 | Aladdin Pro, eToken Pro v4.2.5.4 | |
| USB | 058F:9520 | Alcor Micro AU9520 | |
| USB | 067b:2303 | Towitoko Chipdrive USB | #libtowitoko2 broken in Debian and Ubuntu |
| USB | 072F:9000 | ACS ACR38U | |
| USB | 072f:90cc | ACS ACR 38U-CCID | |
| USB | 073D:0007 | Eutron CryptoIdentity | |
| USB | 073D:0008 | Eutron CryptoIdentity | |
| USB | 073D:0B00 | Eutron Digipass 860 | |
| USB | 073D:0C00 | Eutron SIM Pocket Combo | |
| USB | 073D:0C01 | Eutron Smart Pocket | |
| USB | 076B:1021 | OmniKey CardMan 1021 | |
| USB | 076B:1021 | OMNIKEY CardMan 1021 | |
| USB | 076B:3021 | OmniKey CardMan 3121 | |
| USB | 076B:3021 | OMNIKEY CardMan 3x21 | |
| USB | 076B:3621 | OmniKey CardMan 3621 | |
| USB | 076B:3621 | OMNIKEY CardMan 3621 | |
| USB | 076B:3821 | OmniKey CardMan 3821 | |
| USB | 076B:3821 | OMNIKEY CardMan 3821 | |
| USB | 076B:4321 | OmniKey CardMan 4321 | |
| USB | 076b:4321 | OMNIKEY CardMan 4321 | |
| USB | 076B:5121 | OmniKey CardMan 5121 | |
| USB | 076B:5121 | OMNIKEY CardMan 5x21 | |
| USB | 076B:5125 | OmniKey CardMan 5125 | |
| USB | 076B:5125 | OMNIKEY CardMan 5x25 | |
| USB | 076B:5321 | OmniKey CardMan 5321 | |
| USB | 076B:5321 | OMNIKEY CardMan 5x21 | |
| USB | 076B:6622 | OmniKey CardMan 6121 | |
| USB | 076B:6622 | OMNIKEY CardMan 6121 | |
| USB | 076b:A011 | USB CCID Smart Card Reader Keyboard | |
| USB | 076b:A012 | USB CCID Smart Card Reader Keyboard | |
| USB | 076b:A021 | USB CCID Smart Card Reader | |
| USB | 076B:A022 | Teo by Xiring | |
| USB | 076B:A022 | USB CCID Smart Card Reader | |
| USB | 076B:C101 | OMNIKEY CardMan 5x21 | |
| USB | 0783:0003 | C3PO LTC31 | |
| USB | 0783:0006 | C3PO LTC31 | |
| USB | 0783:0007 | C3PO TLTC2USB | |
| USB | 0783:0008 | C3PO LTC32 USBv2 with keyboard support | |
| USB | 0783:0009 | C3PO KBR36 | |
| USB | 0783:0010 | C3PO LTC32 | |
| USB | 0783:9002 | C3PO TLTC2USB | |
| USB | 08E6:0430 | GemPC430 | |
| USB | 08E6:0432 | GemPC432 | |
| USB | 08E6:0435 | GemPC435 | |
| USB | 08E6:1359 | VeriSign Secure Storage Token | |
| USB | 08E6:2202 | Gemplus Gem e-Seal Pro | |
| USB | 08E6:3437 | Gemplus GemPC Twin | |
| USB | 08E6:3438 | Gemplus GemPC Key | |
| USB | 08E6:3478 | Gemplus GemPC Pinpad | |
| USB | 08E6:3479 | Gemplus GemCore POS Pro | |
| USB | 08E6:3480 | Gemplus GemCore SIM Pro | |
| USB | 08E6:34EC | Gemplus GemPC Express | |
| USB | 08E6:4433 | Gemplus GemPC433 SL | |
| USB | 08E6:8000 | Smart Enterprise Guardian | |
| USB | 08E6:ACE0 | Verisign Secure Token | |
| USB | 0973:0003 | SchlumbergerSema Cyberflex Access | |
| USB | 0982:0007 | Covadis Alya | |
| USB | 0982:0008 | Covadis Vega | |
| USB | 09BE:0002 | SmartEpad | |
| USB | 09C3:0008 | ActivCard USB Reader 2.0 | |
| USB | 09C3:0013 | ActivCard USB Reader 3.0 | |
| USB | 09C3:0014 | Activkey Sim | |
| USB | 0B81:0200 | id3 CL1356D | |
| USB | 0B81:0220 | id3 CL1356A HID | |
| USB | 0b97:7762 | O2 Micro Oz776 | |
| USB | 0b97:7772 | O2 Micro Oz776 | |
| USB | 0BF8:1005 | FSC SCR Keyboard USB 2A | |
| USB | 0BF8:1005 | Fujitsu Siemens SmartCard Keyboard USB 2A | |
| USB | 0BF8:1006 | FSC SCR USB 2A | |
| USB | 0BF8:1006 | Fujitsu Siemens SmartCard USB 2A | |
| USB | 0C4B:0300 | Reiner-SCT cyberJack pinpad(a) | |
| USB | 0D46:3001 | KOBIL KAAN Base | |
| USB | 0D46:3002 | KOBIL KAAN Advanced | |
| USB | 0d46:3003 | KOBIL KAAN SIM III | |
| USB | 0d46:3010 | KOBIL EMV CAP - SecOVID Reader III | |
| USB | 0d46:4000 | KOBIL mIDentity | |
| USB | 0d46:4001 | KOBIL mIDentity | |
| USB | 0DC3:1004 | Athena ASE IIIe | |
| USB | 0DC3:1102 | Athena ASEDrive IIIe KB | |
| USB | 0DF6:800A | Sitecom USB simcard reader MD-010 | |
| USB | 1059:000C | GnD CardToken 350 | |
| USB | 1059:000D | GnD CardToken 550 | |
| USB | 15E1:2007 | RSA SecurID | |
| USB | 17EF:1003 | Lenovo Integrated Smart Card Reader | |
| USB | 19E7:0002 | Charismathics token | |
| USB | 1A44:0001 | Vasco DP905 | |
| USB | 1A74:6354 | OCS ID-One Cosmo Card | |
| USB | 1B0E:1078 | Blutronics Bludrive II CCID | |
| USB | 1C34:7124 | Pro-Active CSB6 Ultimate | |
| USB | 1CF0:0001 | Validy TokenA sl vt | |
| USB | 413c:2100 | Dell keyboard SK-3106 | |
| USB | 413c:2101 | Dell smart card reader keyboard | |
Drivers
libccid
A generic driver for USB CCID (Chip/Smart Card Interface Devices) and ICCD (Integrated Circuit(s) Card Devices) readers. See the CCID and ICCD specifications from the USB working group.
gnupg-ccid
GnuPG has its own built-in CCID driver, which communicates directly with the reader through libusb. It only supports readers that are capable of auto configuration.
See GnuPG/CCID_Driver for details.
Note that GnuPG also supports readers through PC/SC-lite.
Omnikey (pcsc-omnikey)
OMNIKEY CardMan CCID (ifdokrfid)
Package: pcsc-omnikey
OMNIKEY CardMan RFID (ifdokccid)
Package: pcsc-omnikey
Advanced Card Systems
Package: libacr38u
ACS USB CCID smart card readers
Package: libacsccid1
Athena SCS (Smartcard Solutions)
Package: libasedrive-usb
AKS - Aladdin Knowledge Systems
Package: libetoken
Gemplus SA
Package: libgempc430
Towitoko GMBH
Package: libtowitoko2
MuscleCard Applet PlugIn
Aladdin eToken PRO
Unsupported devices
Only supported devices are listed above (because the status of such devices can change so quickly).
Exception: some vendors sell several different hardware devices under the same product name (!). In such cases, we try to list the unsupported version(s) with the tag #not-supported.