Objective.
The purpose of this project is to provide a way to use, store and transport X.509 certificates at minimum cost.
Introduction.
One of the major drawbacks of digital signatures is that private keys and certificates cannot be easily carried around.
There are many specific devices for transporting cryptographic objects, but they are not cheap, and usually
they serve only that purpose. The aim of this project is to solve this problem at practically zero cost.
On this page we present the project from a practical point of view; you can read some information, or
you can test the software now. Select the appropriate entry in the table of contents.
What is it?
This is software that converts a simple CD-ROM or USB flash disk into an authentication tool, capable of
performing authentication at several levels of security, in particular with X.509 certificates.
The result is that you carry, on a simple USB "pen drive", all your X.509 certificates and use them in a
transparent way.
Who can use it?
Anybody can download the software and use it. Restrictions apply only to redistribution.
Software is available for:
- Windows:
- CryptoAPI: Internet Explorer, Outlook, and any program that uses CryptoAPI,
- PKCS11: Mozilla Firefox,
- Linux and Mac OS X (Intel): Mozilla Firefox
Physical supports.
Really, any kind of disk is supported. Rather than device types, there are two
format types:
- Clauer files. A file named CRYF_XXX.cla left in the root
directory of any mounted device (hard disk, CD-ROM, USB disk, etc.) acts as a "clauer
device". XXX represents digits, such as 000, 001, etc.
- Clauer partitions. Any partition with number 4 and type 105 is recognized as a "clauer
device".
Obviously the simpler format is the "clauer file", as it can be handled in a flexible way. But
if used on devices other than CD-ROMs, it can be accidentally erased by the user. A "clauer partition"
requires a dedicated disk partition, but the result is a device resistant to accidental improper user manipulation.
In the next sections we explain how "clauer devices" can be created and used on Windows and Linux.
Windows.
We intend this section as a tutorial more than a technical reference.
Software.
To start using "clauer devices" you need to install the software.
Click here to download the setup and run it.
You install:
- The operating system (clos) and the update agent.
- The CSP and Store for Windows CryptoAPI.
- The PKCS11 module for Firefox.
- The managers to create the "clauer devices" and more.
Creating the device.
The device can be created and managed using the command-line tools described
here, but there are two
device managers for Windows to make it easy, one for disks and another for files; choose whichever is convenient.
Creating a "clauer disk".
- Insert a USB flash disk into your system. It will be completely erased.
- Open the "clauer manager" from the Windows Start button.
- Follow the wizard.
- Import some PKCS12 (PFX) files to the device.
Now you have your private keys and certificates in a "hidden" partition. If you open your USB disk
using the Windows interface, you will find an empty disk. If the data partition gets corrupted, you
can safely reformat it without affecting the "clauer device".
Test.
Open Internet Explorer and select, from the Tools menu, the Preferences option. Then select
Contents and then Certificates. Your certificates appear in the list if the "clauer device" is inserted.
From the Windows Start button, install the Firefox support (you should ensure that the web page is opened with Firefox).
Then open the Preferences dialog, Advanced tab, Encryption, View certificates; your certificates
should appear labeled as stored in the "clauer device" device.
Linux.
Prebuilt software.
Clauer packages for some Linux distributions are available.
Currently they include the base software, the command-line utilities, and the integrated Firefox manager.
Future updates may include a Qt manager for non-Firefox users.
To install a package, drag and drop it on your desktop; your package manager will install the required dependencies. An installation source will automatically be
added to your system so that it is always kept up to date.
If you are using Firefox, restart it; you will find the PKCS11 module already installed and the clauer
manager installed in the Tools menu. To install the PKCS11 module in Thunderbird, read here.
Available packages (only i386; contributors are welcome).
Open software.
If your Linux distribution does not match the above ones, download and install the software as follows:
cd /tmp
wget "http://dwnl.nisu.org/dwnl/ClauerLinux-3.0.3.tar.gz/si" \
-O ClauerLinux-3.0.3.tar.gz
tar zxf ClauerLinux-3.0.3.tar.gz
cd ClauerLinux*
./configure
Some problems may appear; please contact us if they are not trivial.
Note: for 64 bits, use:
./configure --enable-64
Then:
make
su
And, as root:
make install
/etc/init.d/clos start
exit
Now, to install the support for Firefox:
firefox-install-pkcs11.sh
You have installed only the PKCS11 support. Compiling and installing the Firefox
clauer manager is not a trivial operation. Please contact the author for support.
To install the Thunderbird support:
- Start Thunderbird.
- From the Tools menu, open the JavaScript console.
- Type (copy+paste):
pkcs11.addmodule("Modulo pkcs11 Clauer", "/usr/local/lib/libpkcs11.so", 0x1<<28, 0);
and press Enter.
If the module is located in /usr/lib, of course type:
pkcs11.addmodule("Modulo pkcs11 Clauer", "/usr/lib/libpkcs11.so", 0x1<<28, 0);
Creating the device.
If you are using Firefox and have the clauer manager installed on it, from
the Tools menu you can manage the device and the certificates.
If not, the script called fclauer can do the task of creating a USB "clauer device",
acting as a wizard.
Alternatively you can do it entirely by hand:
- Repartition the device with fdisk, creating partition #1 for data (usually vfat) and
another partition, which must be #4, with the special type 105 (decimal; 69 hex).
- Create a filesystem on partition #1, something like: mkfs.vfat /dev/sda1.
- Run clmakefs on partition #4, something like: clmakefs /dev/sda4 mypwd.
Then you can import certificates and keys from PKCS12 files using
climport.
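As an added example (not part of the Clauer project's own code), this Python helper recognizes both device formats described under "Physical supports" (CRYF_XXX.cla files and partition #4 of type 105) and checks the hand-made partition layout above before clmakefs is run. The Partition type is a constructed stand-in for an fdisk table entry, and plan_commands only builds the command lines, it never executes them.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# File format: CRYF_XXX.cla in the root directory of any mounted device, XXX = 3 digits.
CLAUER_FILE_RE = re.compile(r"^CRYF_(\d{3})\.cla$")
# Partition format: partition number 4 with MBR type 105 decimal (0x69).
CLAUER_PART_NUMBER, CLAUER_PART_TYPE = 4, 0x69


@dataclass(frozen=True)
class Partition:          # constructed stand-in for an fdisk table entry (assumption)
    number: int           # 1-based partition index on the disk
    type_id: int          # MBR partition type byte


def clauer_file_ids(root_entries: Iterable[str]) -> List[int]:
    """Return the XXX numbers of clauer files among the names in a device root."""
    ids = []
    for name in root_entries:
        m = CLAUER_FILE_RE.match(name)   # case-sensitive, exactly three digits
        if m:
            ids.append(int(m.group(1)))
    return sorted(ids)


def has_clauer_partition(parts: Iterable[Partition]) -> bool:
    """True if the disk carries a clauer partition (#4, type 0x69)."""
    return any(p.number == CLAUER_PART_NUMBER and p.type_id == CLAUER_PART_TYPE
               for p in parts)


def check_layout(parts: Iterable[Partition]) -> List[str]:
    """Problems with the manual layout: #1 for data (vfat) and #4 of type 0x69."""
    by_num = {p.number: p for p in parts}
    problems = []
    if 1 not in by_num:
        problems.append("missing data partition #1")
    p4 = by_num.get(CLAUER_PART_NUMBER)
    if p4 is None:
        problems.append("missing partition #4")
    elif p4.type_id != CLAUER_PART_TYPE:
        problems.append(f"partition #4 has type 0x{p4.type_id:02x}, expected 0x69")
    return problems


def plan_commands(disk: str, parts: Iterable[Partition], password: str) -> List[str]:
    """Commands from the manual procedure, or [] if the layout is wrong. Note that a
    password passed to clmakefs on the command line is visible in the process list."""
    if check_layout(parts):
        return []
    return [f"mkfs.vfat {disk}1", f"clmakefs {disk}{CLAUER_PART_NUMBER} {password}"]
```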
Test.
Open Mozilla / Firefox and use the certificates.
Mac OS X (Intel).
Prebuilt software including the PKCS11 module working on Firefox can be obtained
here (Catalonia version).
Currently there is no manager to create/handle the devices, but prebuilt devices work on Mac.
Command line tools.
Every command has an option (-h) to display help. We describe the commands briefly.
cldel
Deletes objects from the device specified by -d. The -l option shows the available devices.
These options are present in almost all of the commands.
Deleting individual blocks is a dangerous option (-b num) that must be used carefully, as it can
leave the device in an inconsistent state.
To delete certificates and their private keys, use -c num, where num is the number returned
by clls or clexport.
clexport
Extracts a certificate + private key in PKCS12 format.
First, use -l to list the certificates, then run it with the certificate number as parameter
(e.g. clexport 4 >my.p12).
Also, the -c parameter dumps the entire device (not in PKCS12). This is useful for Windows users (who cannot do
a simple Unix "cat").
clls
Lists the objects contained in the clauer filesystem.
Available options are the usual -l and -d, and you can select
the object type using -t.
clmakefs
Creates a clauer filesystem.
The first parameter is the device name or file name, and the second parameter the password.
If the file does not exist, it can be created using -s size.
If the file already carries a clauer filesystem, -i tries to get the identifier.
clpasswd
Used to change the device password; available options are the usual -l and -d.
clview
Intuitive device view; shows information about the clauer filesystem
and the presumed device owner, extracted from the first certificate.
clwblock
Writes a block, read from a file.
fclauer
Only for Linux; acts as a wizard for device creation, used to repartition the disk and create the filesystem.
Redistribution.
This software is free. It can be used for commercial or non-commercial purposes, but the following basic restrictions apply:
- The software cannot be redistributed without permission. This is for statistical purposes: to redistribute it, simply contact us.
- If the software is modified, the copyright cannot be removed, and logos must be maintained, although other logos can be added.
Misc
Windows update agent behaviour.
The update agent runs in the background, maintaining an icon in the toolbar. It
retrieves from the internet (from our web server) four types of events:
- Critical update. In this case, the user is forced to update within the next 15 days.
- Major release. The user is prompted to update (with a typical Windows XP yellow balloon).
- Night build. A new version with minor changes is ready.
- Up to date.
The update agent connects automatically every 30 minutes. If it receives events 1 or 2, it informs the user.
If it receives events 3 or 4, nothing is displayed.
If the user connects manually (with the menu option), the behaviour is the same except that event 3 is treated
as event 2, so the user can download a night build.
The update agent has two modes of operation:
- Silent mode (default). The user is informed with a yellow balloon, and if he clicks on the balloon, the update agent
downloads and installs the software; then the user is again informed about completion.
- Verbose mode. Here, after clicking on the yellow balloon, an information window appears. If the user presses Escape,
he can change the notification period and the process is interrupted. If the user continues, the update agent downloads
the software and informs about completion, showing another window inviting him to install. The installation process is again verbose, so the user can select
additional modules to be installed.
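The event handling described above, as an added Python example (not the update agent's own code): the four event types, the 30-minute interval, the 15-day grace period and the manual-check rule for night builds come from the text; the assumption that a repeated critical notice does not reset the deadline is mine.

```python
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Event(Enum):
    CRITICAL_UPDATE = 1   # user must update within the next 15 days
    MAJOR_RELEASE = 2     # user is prompted with a yellow balloon
    NIGHT_BUILD = 3       # minor changes; only offered on a manual check
    UP_TO_DATE = 4


CHECK_INTERVAL = timedelta(minutes=30)
CRITICAL_GRACE = timedelta(days=15)


class UpdateAgent:
    def __init__(self) -> None:
        self.critical_deadline: Optional[datetime] = None

    def handle(self, event: Event, now: datetime, manual: bool = False) -> str:
        """Return the agent's reaction: 'prompt' (yellow balloon) or 'silent'.
        Automatic checks react to events 1 and 2 only; a manual check treats a
        night build (3) as a major release (2), so it can be downloaded."""
        if event is Event.CRITICAL_UPDATE:
            # Assumption: the deadline is fixed by the first critical notice.
            if self.critical_deadline is None:
                self.critical_deadline = now + CRITICAL_GRACE
            return "prompt"
        if event is Event.MAJOR_RELEASE:
            return "prompt"
        if event is Event.NIGHT_BUILD and manual:
            return "prompt"
        return "silent"

    def update_forced(self, now: datetime) -> bool:
        """True once the 15-day window after a critical update has run out."""
        return self.critical_deadline is not None and now >= self.critical_deadline

    def next_check(self, now: datetime) -> datetime:
        """Time of the next automatic connection to the update server."""
        return now + CHECK_INTERVAL
```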
Human team.
The project development has been achieved by several programmers coordinated by the author of this page:
- Paco Aragó (Sept 2008 - ): Firefox components and extensions.
- Mauro Esteve (Jan 2005 - ): USB manager, CD manager, token manager, ClaBlock.
- Rafa Forcada (Dec 2003 - Sep 2005): Old O.S. and low-level libraries for Windows.
- Paul Santapau (Oct 2005 - ): O.S. Linux v2, USB formatter for Windows & Linux, PKCS11 for Mozilla.
- Juan Segarra (Dec 2003 - ): O.S. Linux v2, LibRT, CSP & Store, and autoupdater for Windows.
The author of this page has created the clauer device, defined its architecture, and coordinated
the development tasks.