And this will be non-technical, and okay, I will try to ask the audience one single question. You all know this kind of card, which is a credit card, and in Europe we all have them, every one of us. And here is another type of card, which is this one, that we call a crypto card, but it can do a lot more, like manage your identity, sign and connect to VPS. Okay, how many of you know, well, are using or know people who are using this kind of card? Okay, and how many of you have never used them? Oh, in fact it appears that in a large public very few people are using crypto cards. Maybe you're developers, so I missed my presentation a little bit, but I mean this is in my opinion an issue, and one of the goals here is to try to understand how we could better integrate crypto hardware into various environments and how we could improve usability, because this is important, that people want to buy this kind of card, that you can find them very easily, that you can use them.

So actually, I mean, a short presentation on hardware and standards, to basically show the two kinds of hardware that we have: crypto, and what we call one-time passwords. These are little devices with a button, and you press and you obtain... So first maybe I will give it to the audience so that you can have a look at this during the presentation. Okay, and I will also discuss and try to present very briefly the OpenSC library, okay, but this will be very short. And I will present the state of integration in operating systems and applications, but I will not present everything, I will do something very short. Then again, after my presentation I will go into the audience and will try to give free crypto tools to the others, so if you already have a good crypto tool, maybe try to leave the crypto tools for others. Okay, and also I will stand in the back, and if you want more information and you have a laptop, I can initialize the crypto tool with you and show you how it works. Okay, so let's go.
Hardware and standards. Basically a lot of companies say, okay, we offer USB tokens, but the USB token is basically a small reader, a PC/SC reader, with a crypto chip. Okay, if you already use these crypto tools then you know why you always should use hardware devices: because these devices are kept to preserve a secret. It's not possible to open the chip or try to read inside the chip to have access to the RSA key. It has protection, it's nearly impossible. If you try to open and read using special tools, then the chip will destroy itself. Okay, also the power of this tool is that it is able to compute the secrets and to do the authentication or encryption and decryption work without displaying the RSA secret. Okay, a very important issue is that when you use a crypto stick or a smart card, then you have them with you, and they're like the keys of your car: if you lose them, you know that there's a problem. Okay, that's very important in the definition of these tools, that they're so small, either to be on your keys or to be in your wallet.

Okay, so basically there are two standards. There is a standard for readers, which is PC/SC, and this is the PC/SC Workgroup which is working on it, which defined first the interaction. And then there is the RSA company, which has set up various PKCS interfaces, and the main ones are PKCS #11 and then 15. 15 is the way that information is stored in the card, and 11 is the way that you discuss with the device.

So this is the second type of security tool. It is not exactly a crypto tool, because the definition of a crypto tool by law is that you have access to the chip. For example, if you have a video decoder inside a video machine or a dish machine, then it's not considered a crypto tool, because there's a chip, but this chip cannot be accessed and you cannot interact with the chip. And also vendors that I
discussed with made statistics about users using smart cards, and they discovered that 30% of users were never able to configure their operating system to use smart cards. So they decided to work on slightly degraded security devices that in fact compute a secret: there's a secret inside, and by pressing the button you will generate a series of passwords. But this kind of security device is vulnerable to man-in-the-middle attack. It means that if you have this kind of security device and you generate a password, for example to log on to your bank account, if you receive an email which says "okay, log on because there's a problem", if you press the button and there's a man-in-the-middle attack, your password may be caught. But it's a huge progress over traditional password strategies. Also it's very cheap to buy, and there is no contact with the interface of the computer, so you don't have to configure drivers and you don't have to teach people how to use this device, and it's very similar to the way that people live and remember passwords. Okay, so it's really complementary, and based on the level of security that you need you may implement one of those.

Okay, and there are two main RFCs. The first one is event-based. It means that when you press the button, then your password is always valid, it's valid until you use it. So if you press the button in the morning and you come back in the evening and you connect to your computer, it will work. So they also then worked on an extension of this protocol, which is TOTP, which is time-based. There's a time frame from 30 seconds to 60 seconds and you have to connect during the 60 seconds, and our tokens show a little display and you know that you have 60 seconds to... So also people fear that the tokens may lose the time, because you notice on computers that the time needs to be synchronized, so most servers allow to synchronize the tokens, so it's not a real problem. And
these tokens are designed to work for years, pressing 70 times a day, so they can be pressed 100,000 times without losing synchronization. So it's a pretty interesting tool, but it's not a crypto tool. A lot of companies will say "we provide two-factor OTP", because it's a two-factor device, yes, but it's not a crypto device, because you cannot make any encryption.

Okay, when you use an operating system you must deliver a promise, you promise something to the user. If you go to a cash machine, the promise is that when you put the card inside, it will give you some money. Okay, that's a promise. So when people use this kind of tool to connect to the computers, they have in fact, but it's my opinion, you know, there are two promises. The first promise is to be able to connect to your computer. A lot of people consider that, well, this is really private information, the computer can be stolen, it's important to be able to cut. The second one is to be able to manage your identity. This includes signing emails, accessing encrypted websites, remote authentication, etc.

Okay, so I was wondering, in my own opinion, why so few people in the large public use these crypto cards. No, I'm not going to lie and say, yeah, a lot of people use it. Well, this technology has been around for 30 years, it should be in every computer, but it's not. So I try to compare the state of integration in Windows Vista, macOS and GNU/Linux, but to present something very, very easy.

Windows has support for PKCS. It means that Windows is able to read PKCS #11 and 15 cards. It supports this protocol, but it does that in an abstraction layer. This layer uses a kind of library called WinSCard. They say "we support it"; they support it through their library. So a lot of third-party software, like for example Iceweasel or other software, are not supported by default. So vendors like Feitian, who produce this card, offer proprietary PKCS #11 libraries, and one of the goals of
OpenSC is to offer a free library to use PKCS #11. Also OpenSC is working on a Windows, a full Windows CSP driver, so it's already in SVN, it's working, it's getting better, and soon you will be able to use a full free solution under Windows. That will be kind of a revolution.

Okay, also I told you that there was a promise, it was to be able to log on. The problem with Windows is that to be able to log on you need a Windows Server 2003 server, so you need to invest a lot of money. As a result the market is shrinking, the market is not very well developed. So I made an example of screenshots of a tool called My Smart Logon that tries to fill this gap. That's very nice; you can have a look at the software and try to develop something similar for GNU/Linux. Which is: you have this smart card logon button here, you click, your card is configured or it's not. If you've just bought this card in a shop for a few euros, then you just insert the card and you can configure it. You can either create your own certificates, you can use an existing certificate, you can import one, that's very easy. And then in the end you'll be able to log on, but when you are able to log on you will also be able to change the PIN code. So it's completely integrated for the end user and it makes things very easy. Okay, this is just an example.

Now as for GNU/Linux, we have now a very good framework, well, two frameworks, which are: the PC/SC MUSCLE framework, this is the way that the readers are recognized. Now we're focusing more on the CCID subsystem, because it's like SCSI for disks, or SATA; it's very, very common, so all readers are compatible. And we also provide a PKCS #11 library, and this library will be able to discuss with the smart card. Okay, and the smart card will act as a representative. Now about the promise to connect: of course Linux has PAM, so there are two possibilities, pam_p11 and pam_pkcs11. You can
even connect to LDAP, SSH, Kerberos; those mappers, you can have those mappers, means that you can connect over a network to a shared server and manage identity on a network. It's very, very advanced, but there is no real end-user feature that allows, like My Smart Logon, to log in very easily. Okay, that's not a problem.

As for macOS, it's also very special. They decided to say, okay, we are going to develop our own PC/SC MUSCLE interface. They took it like that, they applied patches and they tried to make it their own. At the same time they developed a framework called Tokend. Okay, but now let's have a look at this connection promise. Like I said, it's terrible to set up. You enter "smart card logon Mac OS X" and you have a technical note, and this, that's this HP is to read correction, this is only for Mac OS X 10.4, which is basically dead. For 10.5 and 6 you can actually do it pretty easily, because our users tried to do it and were not able to do it. But the idea is that, like on the Windows side, they have another abstraction library, so it's also possible to have OpenSC on macOS, so that you have a complete framework on Windows and macOS.

Okay, now let's have a look at applications. As I said in the beginning, but this is my opinion, people using crypto tools are not very common: maybe developers or hackers, but not your brother and your mother and your friends. So most of the time crypto features are kind of hidden. I will show you just three examples and this will be the end of our presentation. Because you feel they have been developed, but in the end they have been added after other features that were based on software crypto, and we know that software crypto is not the same as hardware crypto, it's not as reliable.

This is the example of PuTTY. PuTTY, you know, has millions of users, and if you want to use a smart card, that's quite difficult; it took me maybe one day to understand how to set it up. You have to go here. First you
need to download a special version of PuTTY which is called PuTTY pack. Then in the special version, that has not been updated for maybe two years, you go to this PKCS #11 and you click there, and after you click you'll have to put your library. After you put the library, then you have the token info, and then you can have the label of your card. You click open and I think it will ask you for the PIN code. But you see, it's not the way that end users will ever adopt crypto. I think they will never adopt it. If you compare with a newer version of PC/SC, it's automatically through hotplug; I think you're able to detect that there was an insert, and then you can do an action, and you don't have to configure all this kind of thing. Okay, so that's the case of PuTTY.

Okay, SSH clients. They have had the patch for crypto for maybe four or five years; they never implemented it. Then a guy implemented his own crypto library to use SSH. It's the same problem. Of course it's a command line, so you have to add the library, but when you stop using it you have to put D for delete. It means that when you unplug it you have to say afterwards, before you unplug you have to delete. But SSH should be able, if the library doesn't respond, to run delete itself. And this is the kind of issue that you have on nearly every software, that makes it very difficult. So I hope the SSH developer is not around, is not here. I'm not doing a flame war, you know, I'm just showing you what kind of drawbacks in my opinion stop the market from growing a lot.

Okay, Firefox, Iceweasel: it's the same. We could imagine that Firefox under Windows or Linux could detect the library itself. Well, it's very well hidden. You have to look for security devices, you all know that, then you add the PKCS library, you have to configure it, then you have to maybe log in, or when you go to SSH you're automatically logged in. But it's kind of complicated for any users, especially in companies
or in a large organization where people are not software developers.

Okay, so as a conclusion, my conclusion is that we have a very good framework now, which is called OpenSC. It works under all platforms. It will soon be available even for a CSP driver, we will provide a Windows driver. I don't know if it will be a mini CSP, but it will deliver a large number of features. But the integration lacks, in my opinion, a better usability. Okay, and I hope that this is why we are all here: to organize a discussion and try to understand how we can improve things, and so that you can start contributing to OpenSC. But to help you start contributing, we offer free tokens and also free smart cards to people interested. Usually we do that on the website, but today I will come to you and offer you some hardware if you need some; otherwise I will offer it to other people. So thank you for listening.