SHA-1, Smart Cards and CTK

Finally I get some CTK drivers for the cards I work with. Hurriedly throw them at the two test devices I have, upgrade works, fresh install works … ah disable the old TokenD drivers to make sure, plug the card in. Ok the supplied software shows a card present, that’s a good sign … open up Keychain Access, nothing there … that’s good … fire up Terminal and start accessing sc_auth using the CTK based options …

Nothing.

Ok, start playing with the NoMAD PKI beta I have.

Nothing.

Joel Rennich at Orchard & Grove supplied me with demo copies of nomad-pkinit command line and his other GUI tool that works with CTK based cards. Let’s try those.

Nothing.

*gulp*

Cue frenzied research to figure out what’s going on.

After much Googling I eventually found the developer pages for CryptoTokenKit on Apple's site. The relevant page is here: https://developer.apple.com/documentation/cryptotokenkit/authenticating_users_with_a_cryptographic_token

Apple has decided that CTK only supports what they consider to be secure certificates. In this case that means certificates using the following key and signature algorithms:

  1. Elliptic Curve Signature Digest with a key size of at least 256 bits.
  2. RSA Signature Digest PSS or Signature Digest PKCS1v15 with a 2048-, 3072- or 4096-bit key.

I’m not going to say what I found, but basically it wasn’t that. My recommendation to all of you in high-security environments, given this news and all the browser stuff going on (see my post here), is that you get your certificate authority running SHA-256 or better and deploy out from there. I don’t think it’s ever been more important.
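As an added illustration (this is not from the original post, nor Apple's or NoMAD's code), here is a small POSIX shell check that reads `openssl x509 -noout -text` output and reports whether a certificate's key type, key size and signature hash meet the constraints listed above plus the SHA-256-or-better recommendation. The function names `ctk_check_text` and `ctk_check_cert` and the sample certificate texts are constructed for this example; the line formats it parses are the ones `openssl x509 -text` prints.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a certificate's
# key type, key size and signature hash satisfy the constraints the post lists
# for CTK (EC >= 256-bit, RSA 2048/3072/4096) plus the SHA-256-or-better
# recommendation. Function names and sample texts below are constructed.

# ctk_check_text: reads `openssl x509 -noout -text` output on stdin.
# Prints a verdict; returns 0 if acceptable, 1 otherwise.
ctk_check_text() {
  text=$(cat)
  # The first "Signature Algorithm:" line is the one inside the TBS certificate.
  sig=$(printf '%s\n' "$text" | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
  keyalg=$(printf '%s\n' "$text" | sed -n 's/^[[:space:]]*Public Key Algorithm:[[:space:]]*//p' | head -n 1)
  bits=$(printf '%s\n' "$text" | sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1)
  # RSA-PSS names its digest in a parameter line rather than in the OID name.
  if [ "$sig" = "rsassaPss" ]; then
    hash=$(printf '%s\n' "$text" | sed -n 's/^[[:space:]]*Hash Algorithm:[[:space:]]*//p' | head -n 1)
    sig="rsassaPss/${hash:-unknown}"
  fi
  status=0
  case "$keyalg" in
    rsaEncryption)
      case "$bits" in
        2048|3072|4096) ;;
        *) echo "FAIL: RSA key size ${bits:-unknown} is not 2048, 3072 or 4096"; status=1 ;;
      esac ;;
    id-ecPublicKey)
      if [ -z "$bits" ] || [ "$bits" -lt 256 ]; then
        echo "FAIL: EC key size ${bits:-unknown} is below 256"; status=1
      fi ;;
    *)
      echo "FAIL: unsupported key algorithm '${keyalg:-unknown}'"; status=1 ;;
  esac
  # SHA-1 (and MD5) signatures fall through to the failure branch.
  case "$sig" in
    *[Ss][Hh][Aa]256*|*[Ss][Hh][Aa]384*|*[Ss][Hh][Aa]512*) ;;
    *) echo "FAIL: signature hash in '${sig:-unknown}' is weaker than SHA-256"; status=1 ;;
  esac
  if [ "$status" -eq 0 ]; then
    echo "OK: $keyalg ${bits} bit, signed with $sig"
  fi
  return "$status"
}

# ctk_check_cert FILE: the same check on a PEM/DER certificate file via openssl.
ctk_check_cert() {
  openssl x509 -in "$1" -noout -text | ctk_check_text
}

# Constructed sample output, trimmed to the lines the check reads.
SAMPLE_GOOD='Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)'

SAMPLE_SHA1='Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)'

SAMPLE_EC='Certificate:
    Data:
        Signature Algorithm: ecdsa-with-SHA384
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)'

if [ "$#" -gt 0 ]; then
  ctk_check_cert "$1"
else
  for s in "$SAMPLE_GOOD" "$SAMPLE_SHA1" "$SAMPLE_EC"; do
    printf '%s\n' "$s" | ctk_check_text
    echo "exit status: $?"
  done
fi
```

Run it with a certificate path (`sh ctk_check.sh mycert.pem`) to check a real file, or with no arguments to see the three constructed samples: the SHA-256/RSA-2048 and ECDSA-P384 samples pass, the SHA-1/RSA-1024 sample fails on both key size and hash. Running it over the certificates a CA issues for smart cards is a quick way to spot which ones will never be offered through CTK.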