Česká spořitelna is one of the largest banks in the Czech Republic. I have been a client of this bank for a long time and am satisfied with their services. One of the services I use is internet banking (Servis24).
It is web-based and works from Firefox without problems. The only issue for me was SMS confirmation for every transaction; I found that SMS delivery in roaming is not always reliable. I also dislike password-based authentication. So I decided to order a card for a certificate.
How to get the card?
I got my card in the local branch. When you get the card it already contains PIN and PUK codes, but no certificate is installed. It is possible to buy the card with a card reader or separately (my choice). You will also get a special code to obtain the certificate.
How does it work?
To start working with the card you need to log in to Servis24 using login/password and use the certificate manager menu. It will format the card, generate a private key and create a CSR. After this you will be able to request a certificate. In my case the certificate was ready in about 10 minutes. It is also possible to change the PIN in the certificate manager menu.
What is on the card?
I found that it is possible to explore the card because there is a PKCS #11 module, “\Documents and Settings\Owner\Application Data\CSAS\lib\x86\csep11.dll”. It can be used with the OpenSC project.
For example, to list supported mechanisms (ciphers):
pkcs11-tool.exe --module "C:\Documents and Settings\Owner\Application Data\CSAS\lib\x86\csep11.dll" --list-mechanism
RSA-PKCS, sign, verify, wrap, decrypt, other flags=0x20000
RSA-X-509, sign, verify, wrap, decrypt, other flags=0x20000
DES-ECB, wrap, unwrap, encrypt, decrypt, other flags=0x20000
DES-CBC, encrypt, decrypt
DES3-ECB, wrap, unwrap, encrypt, decrypt, other flags=0x20000
DES3-CBC, encrypt, decrypt
It is possible to list objects on the card using the --list-objects command:
Object 1, type 5
Certificate Object, type = X.509 cert
label: I.CA Root Certificate 09-2009
Public Key Object; RSA 2048 bits
Data object 4
Certificate Object, type = X.509 cert
Some interesting findings:
- The card contains a standard SSL certificate issued by I.CA (První certifikační autorita, a.s., a local Czech certification authority) and the I.CA root certificate. The certificate is valid for 1 year from the issue date.
- The label (replaced with XXX) contains the card number (printed on the card).
- The solution is based on the CryptoPlus product from Monet+ a.s.
- The certificate itself is extractable and contains my name, address and email. Key usage is specified as “TLS Web Client Authentication, E-mail Protection”.
- The public key is 2048 bits long. If used with the --login option, pkcs11-tool will ask for a PIN and will add the private key to the list of objects. The key is not extractable (and probably locally generated).
- It should be possible to use this card for SSH authentication or email signing/encryption in Windows, because the PKCS #11 API seems to be implemented correctly.
- It should be possible to reverse engineer the card protocol and re-implement the plugin in Linux. Unfortunately it is a dead end, because the internet banking relies on the npPKIComponentNPAPI plugin, which is also closed source and implements an undocumented API.
- The card ATR is VERY similar to OpenCard, the Czech card for local public transport. The reason is very simple: the implementation was done by the same company, Monet+ a.s.
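The mechanism and object listings above are what pkcs11-tool prints; as an added example (not from the original post or from the bank's software), the script below parses that output and turns it into the checks behind the findings: obsolete DES mechanisms offered, a private key that is only visible after --login, and whether that key is marked non-extractable. The sample input is constructed from the listings in the post; the "Private Key Object" block with its "Access:" line is an assumed rendering of what pkcs11-tool shows after the PIN is entered.

```python
# Constructed sample: the --list-mechanisms output quoted in the post.
MECHANISMS = """\
RSA-PKCS, sign, verify, wrap, decrypt, other flags=0x20000
RSA-X-509, sign, verify, wrap, decrypt, other flags=0x20000
DES-ECB, wrap, unwrap, encrypt, decrypt, other flags=0x20000
DES-CBC, encrypt, decrypt
DES3-ECB, wrap, unwrap, encrypt, decrypt, other flags=0x20000
DES3-CBC, encrypt, decrypt
"""
# Constructed sample of --login --list-objects output in pkcs11-tool's layout;
# the "Private Key Object" block is an assumed rendering of the key seen after --login.
OBJECTS = """\
Certificate Object, type = X.509 cert
  label:      I.CA Root Certificate 09-2009
Public Key Object; RSA 2048 bits
Certificate Object, type = X.509 cert
  label:      XXX
Private Key Object; RSA
  label:      XXX
  Access:     sensitive, always sensitive, never extractable
"""
# Single DES is obsolete and ECB mode leaks plaintext structure; flag both.
WEAK_MECHANISMS = {"DES-ECB", "DES-CBC", "DES3-ECB"}

def parse_mechanisms(text):
    """Return the set of mechanism names (first field of each output line)."""
    return {line.split(",")[0].strip() for line in text.splitlines() if line.strip()}

def parse_objects(text):
    """Return card objects as dicts: 'kind' plus the indented attributes."""
    objs = []
    for line in filter(str.strip, text.splitlines()):
        if not line.startswith(" "):
            objs.append({"kind": line.strip()})
        elif ":" in line:
            key, value = line.strip().split(":", 1)
            objs[-1][key.lower()] = value.strip()
    return objs

def audit(mech_text, obj_text):
    """Findings a defender checks before trusting the card for authentication."""
    weak = WEAK_MECHANISMS & parse_mechanisms(mech_text)
    findings = [f"weak mechanism offered: {m}" for m in sorted(weak)]
    priv = [o for o in parse_objects(obj_text) if o["kind"].startswith("Private Key")]
    if not priv:
        findings.append("no private key visible (run pkcs11-tool with --login)")
    for o in priv:
        if "never extractable" not in o.get("access", ""):
            findings.append(f"private key '{o.get('label')}' may be extractable")
    return findings
```

Feed it the real output of pkcs11-tool --module ... --list-mechanisms and --login --list-objects instead of the constructed strings to check your own card.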
For me it is not a big problem to use VirtualBox with this card, but I am very unsatisfied with the chosen method and technology. Instead of relying on standard technologies like PKCS#11 for website authentication and a Java applet with PKCS#11 for signing, the developers reinvented the wheel. The card itself also contains modified firmware, so I was not able to read it using pkcs15-tool. All middleware components are closed source, without any kind of documentation. I do not trust “security by obscurity” solutions, so I recommend not leaving the card in the slot when not in use, especially if your reader has no PIN pad.