Certificate Authentication

The smartcards discussed here can hold digital certificates (x.509) and corresponding private keys. The private key cannot be read from the card, but it can be used by the card itself for signing and decryption of data.

This enables what is known as two-factor authentication: the user not only possesses the smartcard, but can also prove knowledge of the smartcard PIN by signing data with the private key stored on the card.
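The challenge-response flow this describes, as an added example that is not part of the original IGEL page: a simulated card holds the private key and only signs after the correct PIN, while the verifier issues a fresh random challenge and checks the signature against the public key in the card's X.509 certificate. The `SimulatedCard`, `Verifier`, PIN retry limit and self-signed certificate are constructed assumptions; on a real card the signing happens in hardware behind the CSP or PKCS#11 middleware, and the verifier would also validate the certificate chain against a trusted CA.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SimulatedCard stands in for the smartcard (constructed for this example).
// The private key never leaves the struct; the only exposed operation is
// signing, and that requires the PIN. A real card enforces this in hardware.
type SimulatedCard struct {
	priv     *rsa.PrivateKey
	pin      string
	Cert     *x509.Certificate // public certificate, readable by anyone
	failures int
}

const maxPinFailures = 3 // assumed retry counter; real cards block after a vendor-defined count

func NewSimulatedCard(pin string) (*SimulatedCard, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "user@example.invalid"}, // placeholder subject
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	// Self-signed for the example; in practice the CA issues this certificate.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &SimulatedCard{priv: priv, pin: pin, Cert: cert}, nil
}

// Sign returns a PKCS#1 v1.5 signature over SHA-256(challenge), but only after a
// correct PIN. Possession (the key) plus knowledge (the PIN) are both required.
func (c *SimulatedCard) Sign(pin string, challenge []byte) ([]byte, error) {
	if c.failures >= maxPinFailures {
		return nil, errors.New("card blocked: too many wrong PINs")
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		c.failures++
		return nil, errors.New("wrong PIN")
	}
	c.failures = 0
	digest := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, c.priv, crypto.SHA256, digest[:])
}

// Verifier is the relying party: it issues single-use random challenges and
// checks the returned signature against the presented certificate's public key.
type Verifier struct {
	issued map[string]bool // outstanding challenges
}

func NewVerifier() *Verifier { return &Verifier{issued: map[string]bool{}} }

func (v *Verifier) NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	v.issued[string(ch)] = true
	return ch, nil
}

func (v *Verifier) Verify(cert *x509.Certificate, challenge, sig []byte) error {
	if !v.issued[string(challenge)] {
		return errors.New("unknown or replayed challenge")
	}
	delete(v.issued, string(challenge)) // each challenge is accepted once
	now := time.Now()
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate not valid at this time")
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an RSA key")
	}
	digest := sha256.Sum256(challenge)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	card, _ := NewSimulatedCard("1234")
	v := NewVerifier()
	ch, _ := v.NewChallenge()
	if _, err := card.Sign("0000", ch); err != nil {
		fmt.Println("wrong PIN:", err)
	}
	sig, _ := card.Sign("1234", ch)
	fmt.Println("valid login:", v.Verify(card.Cert, ch, sig))   // nil
	fmt.Println("replayed:", v.Verify(card.Cert, ch, sig))      // error
}
```

The single-use challenge matters as much as the signature check: without it a captured signature could be presented again, and the card's PIN retry counter is what stops the PIN from being brute-forced against the card itself.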

Smartcard Readers

Smartcards are accessed via smartcard readers, using either a contact or contactless interface. The IGEL Third Party Database lists the readers that are supported by the Linux firmware.

PC/SC Resource Manager

The PC/SC Resource Manager is a common Application Programming Interface (API) that is available on Windows and Linux operating systems. It provides a standardized way for applications to handle smartcards and readers.

The PC/SC Resource Manager is active by default in the Linux-based firmware and can be controlled via the Activate PC/SC Daemon parameter on IGEL Setup > Devices > Smartcard > PC/SC or IGEL Setup > Security > Smartcard > PC/SC or IGEL Setup > Security > Smartcard > Services (depending on the firmware version).

Smartcard Middleware

In order to provide a generalized interface to different types of smartcard hardware there is an additional software layer called smartcard middleware.

There are different types of middleware, depending on the operating system:

  • Windows: CSP, Cryptographic Service Provider
  • Linux: PKCS#11, Public-Key Cryptography Standards

Some of the smartcard authentication methods require smartcard middleware to be installed on the thin client. The following modules are available as of IGEL Linux 10.04.100:


  • Gemalto SafeNet
  • cryptovision sc/interface
  • Gemalto IDPrime
  • Athena IDProtect
  • A.E.T.SafeSign
  • Secmaker Net ID
  • Coolkey
  • OpenSC
  • TCOS3 (IGEL Linux v5 only)

For information on how to use the Coolkey cryptographic library with a firmware older than IGEL Linux 10.04.100, please refer to the FAQ Using a Custom PKCS#11 Library.