Smart Cards on macOS (pt.1)

DISCLAIMER: The topic here is personal research. It does not bear any resemblance to things I have worked on in a professional capacity for any employer.

I’m going to be skipping over a LOT of widely available but hard to read info just so you get an overview for this post. Think of this as your primer to computer smart cards.

What’s a smart card?

You’re probably familiar with smart cards already. Every mobile phone that uses the GSM standard has a SIM (subscriber identity module) that allows you the customer to have paid access. The EMV chips visible on your bank cards are another good example of this. For people who live in London, you probably have an Oyster card for Transport for London.

So to go backwards though the list, Oyster cards are a great example of a single use type of card. You can only use it for one specific task. Mobile phone SIM cards are more of a “computer you don’t control” application where they do a specific job, but can also run apps / store data to a certain extent.

There are more in depth examples of how these cards work. The “Shadytel” project talk video from DEFCON 21 gives a good primer on how this specific example works.

This is just the primer: I’m more concerned with smart cards for PKI based authentication on macOS. This isn’t a prevalent technology and to my certain knowledge it’s confined to areas such as the US Government, UK Government and the financial sector. In short, anywhere that needs enhanced security through the use of two factor authentication based on a password pin tied to a certificate on the card.

Security? PKI? Huh?

Ok I’m going to get technical now. This is a pretty esoteric topic so try and bear with me.

Public Key Infrastructure (PKI) is a system that validates a user’s digital identity over a public or private network. It does so by associating a pair of public and private keys with the individual’s identity credentials. These keys are created with a cryptographic algorithm and shared by a certificate authority (CA) that links them to the user’s unique identity. The CA stores this information in a database and issues digital certificates, which include the public key or information about the public keys, in order to verify the user’s identity.

What kind of smart cards are there for computer use?

This is a major issue. The market is pretty fragmented and this has big implications for implementation on macOS, and possibly also iOS too. There is everything from the US Government’s Common Access Card (CAC), with associated standards such as PIV (personal identity verification), PIV-I (interoperable) and PIV-C (compatible) depending on who you are and what you’re cleared for.

These cards all have one thing in common: they have an OS that runs JavaCard. Yes Java. We’ll come back to that.

The list of card standards includes such cards as:

and the list goes on.

JavaCard was created by Sun Microsystems and allows applets to run on the limited resources provided on the smart card itself. JavaCard is open, secure and by everything I’ve read a holy nightmare to program and use.

So that’s a standard for cards and a standard for writing applications for those cards. Let’s discuss how this connects to computers.

The PC/SC Standard

Personal Computer / Smart Card. This is the standard for how your card connects to your computer and is very Windows centric since Microsoft is one of the major contributors to the standard. Microsoft has also consistently supported this standard, which smart card manufacturers have embraced. And yet mysteriously they are not listed on the PC/SC working group member list …

Anyone getting a sinking feeling on the Apple platform, should be.

The .NET connection

Gemalto is the biggest of the companies out there providing smart cards in various format. They recognised that the JavaCard implementation for existing cards wasn’t really good or flexible enough for computer based applications, so they developed a new system and because Microsoft is a big supporter, they based their new OS on the .NET framework.

This allows extensive tie ins with Active Directory Domain Services, Forefront Identity Manager and Certificate Services. This makes life very flexible in Windows environments and the development of card manager applications a lot easier.

The interesting implication is the possibility of card manager application porting to alternative operating systems by the use of Mono frameworks. So far there doesn’t seem to be any development in that direction.

How Apple have historically broken things

Well it started with a forked port of the pcsc-lite libraries, that had a few interesting additions to it. Mostly things like support for system sleep and other things that Apple users tend to do more than Windows/Linux users. They also implemented the “Common Data Security Architecture” which is how everything was designed to fit in with the OS.

And then 10.7 was released and ripped virtually all of this out. There is now skeleton legacy support remaining in 10.11 for the tokend functionality that developers were using to support their products.

Think of this move as a parallel with Apple’s aborted discoveryd replacement for mDNSresponder, only without the backtracking. They’re not going back on this.

As a result while there is legacy support for certain smart card readers, we are now totally reliant on developers (such as Gemalto) producing their own drivers to hook into the OS on the security side of things. We’re also at the point where we need to keep the card reader drivers up to date too.

Some card readers have support built into the OS. This is one of the few times I would highly recommend sourcing the manufacturer’s own drivers.

The Future (or how the pain factor will change)

Apple at WWDC 2016 for the forthcoming (at time of writing) “macOS Sierra”, have introduced an API called “CryptoTokenKit” which is billed as “System Support for Cryptographic Devices” and tied in with their “SecKey” improvements. It also helps unify the security implementation between iOS and macOS.

It’s highly likely that this will totally break the current status quo. Manufacturers and developers will probably have to move away from their dogged support of legacy and deprecated OS functionality towards this new crypto system. Apple is making a big show of how this new system ties into the existing OS security frameworks.

There’s no telling if this will be a huge mess or a lot easier to support.