Nisu - UJI

The clauer project.

Incomplete

May 2006

by Manuel Mollar
mm at nisu.org

Contents.

  1. Objective.
  2. Introduction.
  3. What is it?
  4. Who can use it?
  5. Physical supports.
  6. Windows.
    1. Software.
    2. Creating the device.
      1. Creating a "clauer disk".
    3. Test.
  7. Linux.
    1. Prebuilt software.
    2. Open software.
    3. Creating the device.
    4. Test.
  8. Mac OSX (intel).
  9. Command line tools.
    1. cldel
    2. clexport
    3. climport
    4. clls
    5. clmakefs
    6. clpasswd
    7. clview
    8. clwblock
    9. fclauer
  10. Redistribution.
  11. Misc
    1. Windows update agent behaviour.
  12. Human team.
  13. Contact.

Objective.

The purpose of this project is to provide a way to use, store and transport X.509 certificates at minimum cost.

Introduction.

One of the major drawbacks of digital signatures is that private keys and certificates cannot be easily carried.
There are many specific devices for transporting cryptographic objects, but they are not cheap, and usually they serve only this purpose. The aim of this project is to solve this problem at practically no cost.

On this page we present the project from a practical point of view; you can read some information, or you can test the software right away. Select the appropriate entry in the table of contents.

What is it?

This is software that converts a plain CD-ROM or USB flash disk into an authentication tool, capable of performing authentication at several levels of security, in particular with X.509 certificates.
The result is that you carry all your X.509 certificates on a simple USB "pen drive" and use them transparently.

Who can use it?

Anybody can download the software and use it. Restrictions apply only to redistribution.
Software is available for:
  • Windows:
    • CryptoAPI: IExplorer, Outlook, and any program that uses CryptoAPI,
    • PKCS11: Mozilla Firefox,
  • Linux and MacOsX (intel): Mozilla Firefox

Physical supports.

Any kind of disk is supported. Rather than device types, there are format types:
  • Clauer files. A file named CRYF_XXX.cla left in the root directory of any mounted device (hard disk, CD-ROM, USB disk, etc.) acts as a "clauer device". XXX represents digits, such as 000, 001, etc.
  • Clauer partitions. Any partition with number 4 and type 105 is recognized as a "clauer device".
Obviously the simpler format is the "clauer file", as it can be handled flexibly; but on devices other than CD-ROMs it can be accidentally erased by the user. A "clauer partition" requires a dedicated partition on the disk, but the result is a device resistant to accidental improper user manipulation.

In the next sections we explain how "clauer devices" can be created and used on Windows and Linux.

Windows.

This section is intended as a tutorial rather than a technical reference.

Software.

To start using "clauer devices" you need to install the software.
Click here to download the setup and run it.

You install:

  • The operating system (clos) and the update agent.
  • The CSP and Store for Windows CryptoAPI.
  • The PKCS11 module for Firefox.
  • The managers to create the "clauer devices" and more.

Creating the device.

The device can be created and managed using the command-line tools described here, but there are two device managers for Windows to make it easy, one for disks and another for files; choose whichever is convenient.
Creating a "clauer disk".
  • Insert a USB flash disk into your system. It will be completely erased.
  • Open the "clauer manager" from the Windows start button.
  • Follow the wizard.
  • Import some PKCS12 (PFX) files into the device.
Now you have your private keys and certificates in a "hidden" partition. If you open your USB disk using the Windows interface, you will find an empty disk. If the data partition gets corrupted, you can safely reformat it without affecting the "clauer device".

Test.

Open Internet Explorer and select the Preferences option from the Tools menu. Then select Contents and then Certificates. Your certificates appear in the list if the "clauer device" is inserted.

From the Windows start button, install the Firefox support (make sure the web page is opened with Firefox). Then open the Preferences dialog, Advanced tab, Encryption, View certificates; your certificates should appear labeled as stored in the "clauer device" device.

Linux.

Prebuilt software.

Clauer packages for some Linux distributions are available. Currently they include the base software, the command-line utilities, and the integrated Firefox manager. Future updates may include a QT manager for non-Firefox users.

To install a package, drag and drop it onto your Desktop; your package manager will install the required dependencies. An installation source will be added automatically to your system, so that it is always kept up to date.

If you are using Firefox, restart it; you will find the pkcs11 module already installed and the clauer manager available in the Tools menu. To install the pkcs11 module in Thunderbird, read here.

Available packages (i386 only; contributors are welcome).

Open software.

If your Linux distribution does not match the ones above, download and install the software as follows:
	cd /tmp
	wget "http://dwnl.nisu.org/dwnl/ClauerLinux-3.0.3.tar.gz/si" \
	   -O ClauerLinux-3.0.3.tar.gz
	tar zxf ClauerLinux-3.0.3.tar.gz
	cd ClauerLinux*
	./configure
Some problems may appear; please contact us if they are not trivial.
Note: for 64-bit systems, use:
	./configure --enable-64
Then:
	make
	su
And, as root:
	make install
	/etc/init.d/clos start
	exit
Now, to install the support for Firefox:
	firefox-install-pkcs11.sh
This installs only the pkcs11 support. Compiling and installing the Firefox clauer manager is not a trivial operation; please contact the author for support.

To install the Thunderbird support:

  • Start Thunderbird.
  • From the Tools menu, open the JavaScript console.
  • Type (copy and paste):
    pkcs11.addmodule("Modulo pkcs11 Clauer", "/usr/local/lib/libpkcs11.so", 0x1<<28, 0);
    and press Enter. If the module is located in /usr/lib, type instead:
    pkcs11.addmodule("Modulo pkcs11 Clauer", "/usr/lib/libpkcs11.so", 0x1<<28, 0);

Creating the device.

If you are using Firefox and have the clauer manager installed on it, from the Tools menu you can manage the device and the certificates.

If not, the script called fclauer can do the task of creating a USB "clauer device", acting as a wizard.

Alternatively you can do it entirely by hand:

  • Repartition the device with fdisk, creating partition #1 for data (usually vfat) and another partition, which must be #4, with the special type 105 (decimal; 69 hex).
  • Create a filesystem on partition #1, something like: mkfs.vfat /dev/sda1.
  • Run clmakefs on partition #4, something like: clmakefs /dev/sda4 mypwd.
Then you can import certificates and keys from PKCS12 files using climport.
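As an added example (not part of the clauer project's own software), the following Python script recognizes both device formats described under "Physical supports" and checks the layout that the manual fdisk step above produces: it looks for CRYF_XXX.cla files in the root of a mount point, and parses a raw MBR sector to find primary partition #4 of type 105 (0x69). The MBR sector is constructed inline, and the case-insensitive file-name match is an assumption.

```python
import os
import re
import struct

CLAUER_PART_TYPE = 0x69   # partition type 105 decimal, as the page states
CLAUER_PART_NUM = 4       # the clauer partition must be primary partition #4
# CRYF_XXX.cla in the root of a mounted volume; the case-insensitive match is
# an assumption, since such a file normally lives on a FAT or ISO9660 volume.
CLAUER_FILE_RE = re.compile(r"^CRYF_\d{3}\.cla$", re.IGNORECASE)

def is_clauer_file_name(name):
    return bool(CLAUER_FILE_RE.match(name))

def find_clauer_files(mount_root):
    """Names of clauer files in the root of one mount point ([] if unreadable)."""
    try:
        return sorted(n for n in os.listdir(mount_root) if is_clauer_file_name(n))
    except OSError:
        return []

def parse_mbr_partitions(sector):
    """Return [(number, type, start_lba, sectors)] for the four primary entries."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i          # the partition table starts at byte 446
        start, size = struct.unpack_from("<II", sector, off + 8)
        entries.append((i + 1, sector[off + 4], start, size))
    return entries

def find_clauer_partition(sector):
    """Entry of partition #4 if it carries the clauer type, else None."""
    for entry in parse_mbr_partitions(sector):
        num, ptype, _start, size = entry
        if num == CLAUER_PART_NUM and ptype == CLAUER_PART_TYPE and size > 0:
            return entry
    return None

def build_sample_mbr():
    """Constructed MBR: #1 = FAT32 data (0x0c), #4 = clauer (0x69), #2 and #3 empty."""
    sector = bytearray(512)
    for idx, ptype, start, size in ((0, 0x0C, 63, 200000), (3, 0x69, 200063, 4096)):
        sector[446 + 16 * idx + 4] = ptype
        struct.pack_into("<II", sector, 446 + 16 * idx + 8, start, size)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    print(find_clauer_partition(build_sample_mbr()))   # (4, 105, 200063, 4096)
```

On a real system, read the first 512 bytes of the whole-disk device (not a partition) into parse_mbr_partitions, and pass each mount point to find_clauer_files.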

Test.

Open Mozilla / Firefox and use the certificates.

Mac OSX (intel).

Prebuilt software, including the pkcs11 module working on Firefox, can be obtained here (Catalonia version). Currently there is no manager to create or handle the devices, but prebuilt devices work on Mac.

Command line tools.

Every command has an option (-h) to display help. We describe the commands briefly.

cldel

Deletes objects from the device specified by -d. The -l option shows the available devices. These options are present in almost all of the commands.
Deleting individual blocks is a dangerous option (-b num) that must be used carefully, as it can leave the device in an incoherent state.
To delete certificates and their private keys, use -c num, where num is the number returned by clls or clexport.

clexport

Extracts a certificate and its private key in PKCS12 format.
First, use -l to list the certificates, then run it with the certificate number as parameter (e.g. clexport 4 >my.p12).
Also, the -c parameter dumps the entire device (not in PKCS12). This is useful for Windows users (who cannot do a simple Unix "cat").

climport

clls

Lists the objects contained in the clauer filesystem. Available options are the usual -l and -d, and you can select the object type using -t.

clmakefs

Creates a clauer filesystem.
The first parameter is the device name or file name, and the second parameter is the password.
If the file does not exist, it can be created using -s size.
If the file already carries a clauer filesystem, -i tries to get its identifier.

clpasswd

Used to change the device password; the usual -l and -d options are available.

clview

Intuitive device view: shows information about the clauer filesystem and the presumed device owner, extracted from the first certificate.

clwblock

Writes a block read from a file.

fclauer

Linux only; acts as a wizard for device creation, repartitioning the disk and creating the filesystem.

Redistribution.

This software is free. It can be used for commercial or non-commercial purposes, but the following basic restrictions apply:
  • The software cannot be redistributed without permission. This is for statistical purposes: to redistribute it, simply contact us.
  • If the software is modified, the copyright cannot be removed, and the logos must be maintained, although other logos can be added.

Misc

Windows update agent behaviour.

The update agent runs in the background, maintaining an icon in the toolbar. It retrieves four types of events from the Internet (from our web server):
  1. Critical Update. In this case, the user is forced to update within the next 15 days.
  2. Major release. The user is prompted to update (with a typical Windows XP yellow bubble).
  3. Night build. A new version with minor changes is ready.
  4. Up to date.
The update agent connects automatically every 30 minutes. If it receives events 1 or 2, it informs the user. If it receives events 3 or 4, nothing is displayed.
If the user connects manually (via the menu option), the behaviour is the same, except that event 3 is treated as event 2, so the user can download a night build.

The update agent has two modes of operation:

  • Silent mode (default). The user is informed with a yellow bubble; if he clicks on the bubble, the update agent downloads and installs the software, and the user is informed again on completion.
  • Verbose mode. Here, after clicking on the yellow bubble, an information window appears. If the user presses Escape, he can change the notification period and the process is interrupted. If the user continues, the update agent downloads the software and informs about completion, showing another window inviting him to install. The installation process is again verbose, so the user can select additional modules to be installed.

Human team.

The project development has been carried out by several programmers coordinated by the author of this page:
  • Paco Aragó (Sep 2008 - ): Firefox components and extensions.
  • Mauro Esteve (Jan 2005 - ): USB manager, CD manager, token manager, ClaBlock.
  • Rafa Forcada (Dec 2003 - Sep 2005): Old O.S. and low-level libraries for Windows.
  • Paul Santapau (Oct 2005 - ): O.S. Linux v2, USB formatter for Windows & Linux, PKCS11 for Mozilla.
  • Juan Segarra (Dec 2003 - ): O.S. Linux v2, LibRT, CSP & Store, and autoupdater for Windows.
The author of this page created the clauer device, defined its architecture, and coordinated the development tasks.

Contact.

For any improvement, contact the technical project coordinator.
To be involved in the software redistribution, please contact the Vicerectorat d'Assumptes Econòmics i Serveis en Xarxa.
