<!DOCTYPE LINUXDOC SYSTEM>
<linuxdoc>
<article>
	<titlepag><title>GNU POC</title>
	<author>
	<name>Henning Koester, <tt>henning@crackinghacking.de</tt></name>
      	</author>
      	<date>V1.2, Wed May 16 16:06:46 CEST 2001</date>
      	<abstract>
	This document describes how to use GNU POC (Passwords On Card). 
      	</abstract></titlepag>

	<toc>

	<sect>Introduction

        <p>With GNU POC you can manage passwords on smartcards (only I2C memory 
        cards at the moment). Every entry on the card consists of a password 
        and a description, which gives information about the password. All 
        data is stored encrypted on the card. Thus it's impossible for someone
        to get the passwords when he/she finds/steals the card. 
 
	poc makes use of the CT-API library 
	<it>(http://www.linuxnet.com/smartcard/ctapi/ctapi.html)</it>
	to access cards.
	So you'll need a CT-API library to use poc. I use the CT-API library
	by Carlos Prados <it>(http://www.geocities.com/cprados)</it> 
	for TOWITOKO readers.

	poc was developed under Debian GNU/Linux. It might work on other
	*IX systems as well.

	This program is distributed in the hope that it will be useful,
	but WITHOUT ANY WARRANTY; without even the implied warranty of
	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	General Public License for more details.

	POC is free software and distributed under the terms of the
	GNU General Public License.


	<sect>Installation
			   
	<p>Installing poc is easy. Unpack the archive, change to
	the correct directory and type:
	<tscreen>
		<verb>./configure
make
		</verb>
	</tscreen>

	If everything works fine, you can execute
	<tscreen>
		<verb>make install
make install-docs (optional)
		</verb>
	</tscreen>

	to install the binary and poc's manpage.

	Note: Normally only root can access the serial (com) ports. So you have to
	explicitly allow people to read and write to the ports, by adding them to
	the appropriate group.

	<sect>Invocation
	
	<p>COMMANDS

	<descrip>
	<tag><tt>[-s | --save-password]</tt></tag>
	
	<it>Save a password:</it>
	First you will be asked for a password and a description of the 
	password. After that you have to enter the card's key. You'll
	see "<tt>Password saved.</tt>", if everything worked. Otherwise
	an error message will be printed.

	<tag><tt>[-r DESCRIPTION | --remove-password=DESCRIPTION]</tt></tag>
	
	<it>Remove a password:</it>	
	You'll be asked to enter the card's key. If everything worked and
	poc removed a password you'll see "<tt>Password removed.</tt>"

	<tag><tt>[-l DESCRIPTION | --list-password=DESCRIPTION]</tt></tag>

	<it>List a password:</it>
	You'll be asked to enter the card's key. If a description is found,
	which matches the given one, poc will print the password and the
	corresponding description.

	<tag><tt>[-f | --format-card]</tt></tag>
	
	<it>Format a card:</it>
	You have to enter the size of the card and confirm the card's
	formatting.

	<tag><tt>[-c | --change-cardkey]</tt></tag>

	<it>Change the card's key:</it>
	You'll be asked for the current key and then for the new key.

	<tag><tt>[--backup=FILE]</tt></tag>

	<it>Backup a card:</it>
	A backup of the card's memory will be made to "FILE".

	<tag><tt>[--restore=FILE]</tt></tag>
	
	<it>Restore a backed-up card:</it>
	"FILE" is an image of a backed-up card. It will be written to the
	card. You are responsible for using a card large enough to hold the
	backed-up image. poc does not check whether the card has sufficient
	size or not. 
	
	</descrip>

        <p>OPTIONS

        <descrip>
        <tag><tt>[--cipher=CIPHER]</tt></tag>

	<it>Selecting a cipher:</it>
	This option allows you to change the cipher which will be used for
	encryption. You can choose between "AES" and "BLOWFISH". By default
	poc will use AES for encryption. If you want to use BLOWFISH
	instead of AES, but don't want to specify it every time you invoke
	poc, you can set the environment variable "POC_CIPHER" instead.
	(If you are using bash: "export POC_CIPHER=BLOWFISH")

	<tag><tt>[--security=LEVEL]</tt></tag>

	<it>Selecting the security level:</it>
	You can choose which security level to use. There are two available:
	"1" and "2". If you select "1" a 192 bit key will be used for
	encryption, and if you select "2" a 256 bit key will be used.
	As for the cipher selection, you can set an environment 
	variable for the security level selection. The variable is "POC_SL"
	and must be set to "1" or "2".

	<tag><tt>[-p NUM | --port=NUM]</tt></tag>
	
	<it>Set the serial port where the card reader is installed:</it>
	This lets you specify where to find the card reader. NUM can
	be 1...4.

	</descrip>

	<sect>Upgrade from 1.0 to 1.1

	<p><em>*** You cannot use cards which have been made with <bf>1.0</bf> with
	<bf>1.1</bf> ***</em> 

	List all passwords:	
	<tscreen>
		<verb>poc -l all > FILE</verb>
	</tscreen>
	
	NOTE: FILE should be not readable by other users!

	Format the card:
	<tscreen>
		<verb>poc -f</verb>
	</tscreen>

	And then add all passwords again.

	<sect>How does POC work?

	<p>
	<descrip>
	<tag>Format of the card's memory</tag>
	The first 2 bytes of the card contain the card's size. Bytes 3 and 4
	contain the data size (the data size is the number of bytes of the
	data area which are used). The data area starts at the 5th byte;
	it is the area of the card where the passwords+descriptions are
	stored. The data area is encrypted.

	<tag>Encryption</tag>
	The encryption key entered by the user is hashed using Tiger
	(192 bit key) or SHA-2 (256 bit key). In the next step
	this hashed key is passed to the cipher's key-scheduling function.
	Finally the data area is encrypted using one of the ciphers
	in OFB mode.

	(Take a look at 
	<em>http://home.ecn.ab.ca/~jsavard/crypto/co0409.htm</em> for a
	description of different block cipher modes.)	

	</descrip>
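	The card memory layout described above, worked through as an added example
	(this is not poc's own code): it parses an image such as one written by
	<tt>--backup</tt>, validates the two header fields against the image length, and
	adds the size check that <tt>--restore</tt> is documented not to perform. Big-endian
	byte order and zero padding of the unused data area are assumptions; the
	document does not specify them.

```python
import struct

# Layout reconstructed from the description in this document (big-endian
# byte order and a zero-padded unused area are assumptions, not documented):
#   bytes 0-1  card size in bytes
#   bytes 2-3  data size (bytes of the data area in use)
#   bytes 4..  data area (stored encrypted on a real card)
HEADER_LEN = 4


def parse_image(image: bytes) -> dict:
    """Validate an image taken with --backup and return its header fields."""
    if len(image) < HEADER_LEN:
        raise ValueError("image shorter than the 4-byte header")
    card_size, data_size = struct.unpack(">HH", image[:HEADER_LEN])
    if len(image) != card_size:
        raise ValueError(f"image is {len(image)} bytes, header claims {card_size}")
    if data_size > card_size - HEADER_LEN:
        raise ValueError(f"data size {data_size} exceeds the data area")
    return {"card_size": card_size, "data_size": data_size,
            "data": image[HEADER_LEN:HEADER_LEN + data_size],
            "free": card_size - HEADER_LEN - data_size}


def fits_on_card(image: bytes, target_card_size: int) -> bool:
    """The check --restore does not perform: the whole image is written
    verbatim, so it must not be longer than the target card's memory."""
    return parse_image(image)["card_size"] <= target_card_size


def build_image(card_size: int, data: bytes) -> bytes:
    """Construct an image with the given used data (unused area zero-padded)."""
    if len(data) > card_size - HEADER_LEN:
        raise ValueError("data does not fit on a card of this size")
    padding = b"\x00" * (card_size - HEADER_LEN - len(data))
    return struct.pack(">HH", card_size, len(data)) + data + padding


def resize_image(image: bytes, new_card_size: int) -> bytes:
    """Rewrite an image for a card of a different size, keeping only the
    used part of the data area; fails if that part would not fit."""
    hdr = parse_image(image)
    if hdr["data_size"] > new_card_size - HEADER_LEN:
        raise ValueError("used data area does not fit on the new card")
    return build_image(new_card_size, hdr["data"])


# Constructed sample: a 256-byte card with 37 bytes of (dummy) data in use
SAMPLE_IMAGE = build_image(256, bytes(range(37)))
```

	The data area is left as opaque bytes on purpose: on a real card it is the
	OFB-encrypted blob described above, and nothing in the header depends on its contents.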

	<sect>Contact
	
	<p>If you have suggestions or want to report bugs mail to 
	<tt>bug-poc@gnu.org</tt> .
	
	If you want to contact me, you can mail to 
	<tt>henning@crackinghacking.de</tt> .
	

</article>
</linuxdoc>

