@ -10,48 +10,47 @@ Scdrand - Extract random numbers from a smartcard
Scdrand obtains up to 256 bytes of random data from a ISO7816-compliant
smartcard and adds them to the kernel entropy pool.

It uses Scdaemon to send a GET CHALLENGE to the smartcard. As per
It uses Scdaemon to send a `GET CHALLENGE` to the smartcard. As per
ISO 7816-4, the smartcard replies with random bytes, which Scdrand then
sends to the Linux kernel entropy pool through the RNDADDENTROPY ioctl
call on /dev/random.
call on `/dev/random`.

Since that call requires root privileges, scdrand is installed with the
setuid bit set. To mitigate risks associated with running as root, the
program forks itself at startup and only the child retains the root
privileges needed to write to /dev/random. The parent process, in charge
of communicating with the smartcard, then runs with the privileges on
the calling user.
privileges needed to write to `/dev/random`. The parent process, in
charge of communicating with the smartcard, then runs with the
privileges on the calling user.


Scdtotp - Generate time-based OTP from an OpenPGP smartcard
-----------------------------------------------------------
Scdtotp uses an OpenPGP smartcard as a poor man’s one-time password
generator token. It generates time-based one-time password (TOTP)
as per RFC 6238, based on a key it expects to find in the private
data object of the inserted OpenPGP smartcard.
generator token. It generates time-based one-time password (TOTP) as per
[RFC 6238](http://tools.ietf.org/html/rfc6238), based on a key it
expects to find in the private data object of the inserted OpenPGP
smartcard.

Note that contrary to a true password generator token, the key cannot
remain only on the smartcard, it has to be sent to the computer so
that scdtotp can derive the password from it. Thus it cannot provide
the same level of security.

The key must be stored as an otpauth:// URI as specified in
<https://code.google.com/p/google-authenticator/wiki/KeyUriFormat>,
The key must be stored as an `otpauth://` URI as specified in [Google
Authenticator’s wiki](https://code.google.com/p/google-authenticator/wiki/KeyUriFormat),
e.g.:

otpauth://totp/alice@example.org?secret=KIMEFUAW4SRW
otpauth://totp/alice@example.org?secret=KIMEFUAW4SRW

where the “secret” parameter is the Base32-encoded key. This format
where the _secret_ parameter is the Base32-encoded key. This format
allows to specify also the non-secret parameters of the TOTP
algorithm:

– the HMAC algorithm to use: "&algorithm=mac", where “mac” can be
“sha1” (default), “sha256”, or “sha512”;

– the time period: "&period=N", where N is expressed in seconds
(30 seconds by default);

– the number of digits to output: "&digits=N" (defaults to 6).
- the HMAC algorithm to use: `&algorithm=mac`, where _mac_ can be `sha1`
(default), `sha256`, or `sha512`;
- the time period: `&period=N`, where _N_ is expressed in seconds (30
seconds by default);
- the number of digits to output: `&digits=N` (defaults to 6).

All of these parameters may be overridden by command line options.
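Review bot: the wording "then runs with the privileges on the calling user" at the end of the scdrand paragraph is carried unchanged into the reflowed text; it should read "privileges of the calling user", since the point being made is that the parent drops to the caller's own privileges while only the child keeps root. Two more small fixes would fit the same pass: "a ISO7816-compliant" should be "an ISO 7816-compliant" (matching the "ISO 7816-4" spelling used two sentences later), and "It generates time-based one-time password (TOTP) as per" needs the plural "passwords". Now that the file is Markdown, make sure the example line `otpauth://totp/alice@example.org?secret=KIMEFUAW4SRW` is indented by four spaces or fenced so it renders as a code block rather than as a paragraph, and "This format allows to specify also the non-secret parameters of the TOTP algorithm" reads better as "This format also allows the non-secret parameters of the TOTP algorithm to be specified". Finally, "Thus it cannot provide the same level of security" would be more useful to readers if it named the concrete consequence that follows from the previous sentence: the TOTP secret is exposed to the host computer while scdtotp runs, so a compromised host can copy it.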

@ -60,7 +59,7 @@ Copying
-------
Scdtools is distributed under the terms of the GNU General Public
License, version 3 or higher. The full license is included in the
COPYING file of the source distribution.
[COPYING file](COPYING) of the source distribution.


Homepage and contact
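Review bot: `[COPYING file](COPYING)` is a relative link, so it only resolves when the README is rendered next to the COPYING file in the repository root; that is fine for the forge view, but the previous plain wording "COPYING file of the source distribution" was readable anywhere (tarball, man page), so consider keeping the word "file" outside the link text, e.g. `the [COPYING](COPYING) file of the source distribution`, so that the sentence still reads naturally when the link is not rendered. As a style point, GPL notices conventionally say "version 3 or later" rather than "version 3 or higher".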