Hello everyone. First, I would like to choose tomorrow's lightning talks. Now, Daiki will talk about smart cards.

Hello everyone. This talk introduces a new use case for smart cards, and a practical implementation. The talk covers five topics: first an introduction to smart cards, then remote keys, then a demo, then implementation details, and finally the future plans for this project.

[unintelligible in transcription] A smart card is a small device with computing power that performs cryptographic operations: encryption and decryption using symmetric keys and algorithms, and it also generates digital signatures. And when you use cryptographic operations, [unintelligible in transcription: something about the secret key and the objects stored inside the card].

Smart cards, in their ordinary form, are things like banking cards or national identity cards. Smart cards are actually built that way, but they require a special device: a card reader is needed to access the smart card. In another form, smart cards are things like YubiKey or NetKey. [unintelligible in transcription] Smart cards are connected to the computing device. [unintelligible in transcription] This memory is sealed in a special part inside the smart card. Also, all the operations that require private keys can happen in the smart card itself.

So that means users don't need to access the private key directly; basically the application does not need to keep the private key in the running process, in the file system, or in memory.

This is a typical example of how a smart card is used in a computer system: certificate-based authentication through a PAM module that can connect to the smart card. First, the application requests authentication from PAM, the pluggable authentication module on Linux. Then the PAM module requests the certificate from the smart card. It verifies the certificate and requests the smart card to generate a digital signature over the given input data. Then the PAM module verifies the signature, and finally the authentication completes. This all happens in a single computer system, so no network access is involved.

But these days we often want to use smart cards on a remote machine. That is, the application is running in a data center on some virtual machine, but we want to use a smart card attached to the local system, because you don't want to leak private keys into the remote system. So this could be useful.

So I can show you a demo of actually doing this scenario. I'm attaching one token to this laptop. If I type this command, I can list the attached smart card tokens; this one is actually a hardware smart card. You can list the stored objects, like the certificate inside it, but only the public objects; there are some private key objects visible, but they cannot be exported. You can test signature generation with the token using this command; it computes the signature inside the token with the stored private key. So that is the local case.

Now we can export this access to the remote machine. First you need to launch a server that is listening on a Unix domain socket. Now this smart card access is exported to the server running at this address, so you can attach programs to this socket to access the smart card token. OpenSSH has an option to forward a Unix domain socket to a remote machine, called -R, so you can easily forward this socket to a remote machine. I'm running a virtual machine inside this machine, and I'm logging in there. Now I'm on the remote machine; you can see I'm using a different user name here, and a different user ID, this one. Now you can access the forwarded socket with a dedicated module. By default the remote system doesn't have any tokens attached; notice there are two tokens attached, but they are actually certificate stores, so they cannot have any authentication functions. But if I provide the client-side module, you can access this token through the Unix domain socket, so it is remotely accessible now. You can also use this in a sudo session: first clear the cache and run some command; smart card authentication happens there, and yes, you can use the authentication with sudo. It is cached now. So that's it; that is the demonstration. It is a very simple use case, only for authentication, but I think it has some other potential use cases.

Sometimes we want to run a TLS-based server on the remote machine. Yes, on the remote machine. Yes, that's a good point. So there needs to be some treatment, or adding some kind of two-factor authentication that intercepts the PIN input on the client side, so that the PIN input can only happen on the local machine. It is not implemented, but it is on the plan.

So anyway, other use cases are using it in a TLS server. Basically a TLS server needs a private key on the same machine, but sometimes we want to run the TLS server on a remote machine; in that case this forwarding to the remote could be useful. Another use case is signing artifacts on a CI machine. Build machines in CI are typically located in other places, so in that case we need to transfer some keys to the server and then do the signing, but it can be done more securely with this approach.

So let's look into the implementation. Basically it is done in three steps: first, define the protocol that serializes smart card access into network traffic; then expose the protocol at a Unix domain socket; and then, as you saw before, we can forward it with SSH.

For the protocol, we have a common interface called PKCS#11, which is actually a C library API implemented by several smart card drivers; for open source ones there is OpenSC, and smart card vendors have proprietary drivers. Basically they define a set of functions, and the caller of this library can dlopen the library and call the symbols. So the protocol is basically a simple serialization of PKCS#11 function calls. We don't need high performance, so it is a very simple serialization: we assign an index to each function. In this example, C_FindObjectsInit has call id 26, and it is followed by the signature of the function call, which is basically based on the bus, but it has some predefined types, sometimes attributes or mechanisms, which are kinds of structures; they are also serialized in the usual big-endian manner, like this.

The implementation is actually done in software called p11-kit, which is a portable library that provides unified access to smart cards. Usually there are several tokens that can be attached to a machine; in that case the user would have to open each driver module in PKCS#11, but p11-kit offers some aggregation functions for PKCS#11, so we can use smart card tokens without worrying about multithreading or something like that. It also provides a feature to identify the objects on a smart card token, which is URI based.

So basically the implementation looks like this; it is the full picture of the forwarding. Basically we run the p11-kit server, which is now part of p11-kit, that creates the endpoint to access smart cards through p11-kit, and then you can just forward it to the remote machine, and there is a dedicated client module there, called pkcs11 client, so you can access smart cards through it. There is some configuration needed, but yeah, it could be simplified. Basically you need to generate a CA key and certificate, generate the user's key pair on the smart card and a certificate for authentication on the local host, and the same setup is needed on the remote host.

So yeah, this project actually just started, so there is a lot of room for improvement. Basically the command line is not so ideal to use; we need to do a lot of typing, so I would like to automate it through integrating with OpenSSH or systemd. Also it doesn't currently work with Windows clients; there is some support for Windows clients in open source, so we can perhaps integrate it in that project as well. And also, as someone pointed out, there are some security implications, so we would probably like to add some access control to the smart card on the remote host. Sometimes we don't want to export a specific private key to the server; in that case we can provide a mechanism to make it invisible or read-only, so we can disallow certain operations, and protect the PIN input on the remote host. Also I would like to, I'm sure it is possible, but it would be good if the protocol could be standardised; in that case that would help integration with other software. So that's all. Questions?

You know the parameter, it's a void*, but yes, C_FindObjectsInit is not a good example, so like C_Sign, sorry, I don't remember the interface, but do you have code that specifically understands RSA and ECC, or do you try to serialise the parameters for those? Just seeking to mention it.

I think at least all the mechanisms known to p11-kit can be serialised in the current implementation. So it serialises those parameters; it does understand the mechanism and the internal parameters.

You have to serialise the parameters. The SPICE project, the SPICE project was trying to make your local card accessible as a virtual card, so that code was talking to PKCS#11 modules, but there was no exporting of the PKCS#11 API.

Thank you.
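The serialization the talk describes, one call id per PKCS#11 function followed by the arguments in big-endian fields, as an added Python illustration. This is not code from the talk and not p11-kit's actual RPC wire format: the call id 26 for C_FindObjectsInit is the value quoted in the talk, while the ids assumed for C_FindObjects and C_FindObjectsFinal, the field widths, and the size limits are assumptions made for this example. Beyond encoding, it shows the check a server that reads this protocol from a forwarded socket needs: every length and count taken from the wire is bounds-checked, and unknown call ids or trailing bytes are rejected rather than acted on.

```python
import struct


class ProtocolError(ValueError):
    """Raised for any malformed or unsupported message from the socket."""


# Call ids: 26 is the value the talk quotes for C_FindObjectsInit;
# the other two are assumed for this illustration only.
CALL_IDS = {
    "C_FindObjectsInit": 26,
    "C_FindObjects": 27,
    "C_FindObjectsFinal": 28,
}
NAMES_BY_ID = {v: k for k, v in CALL_IDS.items()}

# PKCS#11 constants from the standard (CK_ATTRIBUTE_TYPE / CK_OBJECT_CLASS).
CKA_CLASS = 0x0000
CKA_LABEL = 0x0003
CKO_PRIVATE_KEY = 0x0003

# Assumed limits: a network-facing parser must not trust wire-supplied sizes.
MAX_ATTRS = 64
MAX_VALUE_LEN = 4096


def _u32(v):
    return struct.pack(">I", v)


def _u64(v):
    return struct.pack(">Q", v)


class Reader:
    """Bounds-checked big-endian reader over one received message."""

    def __init__(self, data):
        self.data = data
        self.pos = 0

    def take(self, n):
        if n < 0 or self.pos + n > len(self.data):
            raise ProtocolError("truncated message")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def u64(self):
        return struct.unpack(">Q", self.take(8))[0]

    def done(self):
        if self.pos != len(self.data):
            raise ProtocolError("trailing bytes after message")


def encode_find_objects_init(session, template):
    """Serialize C_FindObjectsInit(hSession, pTemplate, ulCount).

    template is a list of (attribute_type, value_bytes); each CK_ATTRIBUTE
    becomes a u64 type followed by a u32 length-prefixed value.
    """
    out = _u32(CALL_IDS["C_FindObjectsInit"]) + _u64(session) + _u32(len(template))
    for attr_type, value in template:
        out += _u64(attr_type) + _u32(len(value)) + value
    return out


def decode_call(data):
    """Parse one message; returns (function_name, args_dict).

    Rejects unknown call ids, oversized counts or values, and truncated data
    before anything is passed on to a real PKCS#11 module.
    """
    r = Reader(data)
    call_id = r.u32()
    name = NAMES_BY_ID.get(call_id)
    if name is None:
        raise ProtocolError(f"unknown call id {call_id}")
    if name == "C_FindObjectsInit":
        session = r.u64()
        count = r.u32()
        if count > MAX_ATTRS:
            raise ProtocolError("too many attributes in template")
        template = []
        for _ in range(count):
            attr_type = r.u64()
            length = r.u32()
            if length > MAX_VALUE_LEN:
                raise ProtocolError("attribute value too large")
            template.append((attr_type, r.take(length)))
        r.done()
        return name, {"session": session, "template": template}
    raise ProtocolError(f"{name} is not handled in this illustration")


def private_key_template(label):
    """Template selecting private-key objects with the given CKA_LABEL."""
    return [(CKA_CLASS, _u64(CKO_PRIVATE_KEY)), (CKA_LABEL, label.encode())]


if __name__ == "__main__":
    msg = encode_find_objects_init(1, private_key_template("auth key"))
    print(msg.hex())
    print(decode_call(msg))
```

The encoder side is what a client module would send over the forwarded Unix domain socket; the decoder is the server side. The strict length checks matter because, once the socket is forwarded, the server's parser is reading input from whoever can reach that socket on the remote host.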