GNU POC
Henning Koester, henning@crackinghacking.de
V1.2, Wed May 16 16:06:46 CEST 2001

This document describes how to use GNU POC (Passwords On Card).
______________________________________________________________________

Table of Contents

1. Introduction
2. Installation
3. Invocation
4. Upgrade from 1.0 to 1.1
5. How does POC work?
6. Contact
______________________________________________________________________

1. Introduction

With GNU POC you can manage passwords on smartcards (only I2C memory
cards at the moment). Every entry on the card consists of a password
and a description, which gives information about the password. All
data is stored encrypted on the card, so someone who finds or steals
the card cannot read the passwords without the card's key.

poc makes use of the CT-API library
(http://www.linuxnet.com/smartcard/ctapi/ctapi.html) to access cards.
So you'll need a CT-API library to use poc. I use the CT-API library by
Carlos Prados (http://www.geocities.com/cprados) for TOWITOKO readers.

poc was developed under Debian GNU/Linux. It might work on other *IX
systems as well.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.

POC is free software and distributed under the terms of the GNU General
Public License.

2. Installation

Installing poc is easy. Unpack the archive, change to the correct
directory and type:

    ./configure
    make

If everything works fine, you can execute

    make install
    make install-docs   (optional)

to install the binary and poc's manpage.

Note: Normally only root can access the serial (COM) ports. So you have
to explicitly allow people to read and write to the ports by adding
them to the appropriate group (the group that owns the /dev/ttyS*
devices).

3. Invocation

COMMANDS

  [-s | --save-password]
      Save a password: First you will be asked for a password and a
      description of the password. After that you have to enter the
      card's key. You'll see "Password saved." if everything worked.
      Otherwise an error message will be printed.

  [-r DESCRIPTION | --remove-password=DESCRIPTION]
      Remove a password: You'll be asked to enter the card's key. If
      everything worked and poc removed a password you'll see
      "Password removed."

  [-l DESCRIPTION | --list-password=DESCRIPTION]
      List a password: You'll be asked to enter the card's key. If a
      description is found which matches the given one, poc will print
      the password and the corresponding description.

  [-f | --format-card]
      Format a card: You have to enter the size of the card and confirm
      the card's formatting.

  [-c | --change-cardkey]
      Change the card's key: You'll be asked for the current key and
      then for the new key.

  [--backup=FILE]
      Back up a card: A backup of the card's memory will be written to
      "FILE". Note that the file is a raw image of the card, so protect
      it like the card itself (see the permission note in section 4).

  [--restore=FILE]
      Restore a backed-up card: "FILE" is an image of a backed-up card.
      It will be written to the card. You are responsible for using a
      card with enough size to hold the backed-up image; poc does not
      check whether the card has sufficient size or not.

OPTIONS

  [--cipher=CIPHER]
      Select a cipher: This option allows you to change the cipher
      which will be used for encryption. You can choose between "AES"
      and "BLOWFISH". By default poc will use AES for encryption. If
      you want to use BLOWFISH instead of AES, but don't want to
      specify it every time you invoke poc, you can set the environment
      variable "POC_CIPHER" instead (if you are using bash:
      "export POC_CIPHER=BLOWFISH").

  [--security=LEVEL]
      Select the security level: You can choose which security level
      to use. There are two available, "1" and "2". If you select "1"
      a 192 bit key will be used for encryption, and if you select "2"
      a 256 bit key will be used. As with the cipher selection you can
      set an environment variable for the security level. The variable
      is "POC_SL" and must be set to "1" or "2".

  [-p NUM | --port=NUM]
      Set the COM port where the card reader is installed: This lets
      you specify where to find the card reader. NUM can be 1...4.

4. Upgrade from 1.0 to 1.1

*** You cannot use cards which have been made with 1.0 with 1.1 ***

List all passwords:

    poc -l all > FILE

NOTE: FILE contains all passwords in clear text and should not be
readable by other users! Delete it once the card has been refilled.

Format the card:

    poc -f

And then add all passwords again.

5. How does POC work?

Format of the card's memory

The first 2 bytes of the card contain the card's size. Bytes 3 and 4
contain the data size (the data size is the number of bytes of the data
area which are used). The data area starts at the 5th byte; it is the
area of the card where the passwords and descriptions are stored. The
data area is encrypted.

Encryption

The encryption key entered by the user is hashed using Tiger (192 bit
key) or SHA-2 (256 bit key). In the next step this hashed key is passed
to the cipher's key-scheduling function. Finally the data area is
encrypted using one of the ciphers in OFB mode. (Take a look at
http://home.ecn.ab.ca/~jsavard/crypto/co0409.htm for a description of
different block cipher modes.)

6. Contact

If you have suggestions or want to report bugs mail to bug-poc@gnu.org.
If you want to contact me, you can mail to henning@crackinghacking.de.
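The following Python model is an added example, not code from poc itself. It ties together section 5 (the 4 byte header, the encrypted data area, hashing the card key, OFB mode) and the size check that section 3 says "--restore" does not perform. Everything the manual leaves unspecified is an assumption and marked as such in the code: the header fields are taken as big-endian, entries are framed as NUL-terminated description/password pairs, description matching for "-l" is exact (with "all" listing everything), and an explicit IV is threaded through OFB. The Python standard library ships no AES or Blowfish, so a keyed SHA-256 stands in for the block function E_K; the OFB structure itself (O_i = E_K(O_{i-1}), C_i = P_i XOR O_i) is exact, and swapping in a real cipher means replacing block_fn only. Only security level 2 (SHA-256) is implemented, because hashlib does not provide Tiger.

```python
"""Model of the POC card image and its OFB-encrypted data area (added example)."""
import hashlib
import struct

HEADER_LEN = 4   # 2 bytes card size + 2 bytes data size; data area starts at byte 5
BLOCK = 16       # block size of the stand-in block function below


def derive_key(card_key: str, level: int = 2) -> bytes:
    """Hash the user's card key as poc does: SHA-2 at level 2 (256 bit).
    Level 1 uses Tiger (192 bit), which hashlib does not ship, so it is
    refused rather than silently replaced by another hash."""
    if level == 2:
        return hashlib.sha256(card_key.encode()).digest()
    if level == 1:
        raise NotImplementedError("Tiger/192 is not available in hashlib")
    raise ValueError("security level must be 1 or 2")


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES/Blowfish block encryption E_K(x) (assumption:
    a keyed hash is used here only because the stdlib has no block cipher)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB mode: O_i = E_K(O_{i-1}), C_i = P_i XOR O_i.
    The same call encrypts and decrypts; the final block may be partial."""
    out = bytearray()
    feedback = iv
    for i in range(0, len(data), BLOCK):
        feedback = block_fn(key, feedback)
        chunk = data[i:i + BLOCK]
        out.extend(p ^ o for p, o in zip(chunk, feedback))
    return bytes(out)


def pack_entries(entries):
    """Serialise (description, password) pairs. NUL framing is an assumption;
    the manual does not specify the entry encoding."""
    for desc, pw in entries:
        if "\0" in desc or "\0" in pw:
            raise ValueError("NUL is the field separator and cannot appear in a field")
    return b"".join(d.encode() + b"\0" + p.encode() + b"\0" for d, p in entries)


def unpack_entries(blob: bytes):
    fields = blob.split(b"\0")[:-1]
    if len(fields) % 2:
        raise ValueError("truncated entry")
    return [(fields[i].decode(), fields[i + 1].decode()) for i in range(0, len(fields), 2)]


def make_image(card_size: int, entries, key: bytes, iv: bytes) -> bytes:
    """Build a full card image: header, encrypted data area, zero padding.
    Big-endian header fields are an assumption."""
    data = ofb(key, iv, pack_entries(entries))
    if HEADER_LEN + len(data) > card_size:
        raise ValueError("entries do not fit on a card of %d bytes" % card_size)
    header = struct.pack(">HH", card_size, len(data))
    return header + data + b"\0" * (card_size - HEADER_LEN - len(data))


def read_image(image: bytes, key: bytes, iv: bytes):
    """Parse the header, decrypt only the used part of the data area."""
    card_size, data_size = struct.unpack(">HH", image[:HEADER_LEN])
    data = image[HEADER_LEN:HEADER_LEN + data_size]
    return card_size, unpack_entries(ofb(key, iv, data))


def restore_fits(image: bytes, target_card_size: int) -> bool:
    """The check 'poc --restore' leaves to the user: does the used part of
    the backed-up image fit on the target card?"""
    _, data_size = struct.unpack(">HH", image[:HEADER_LEN])
    return HEADER_LEN + data_size <= target_card_size


def list_passwords(entries, description: str):
    """Mirror 'poc -l DESCRIPTION': exact match (assumption), 'all' lists every entry."""
    if description == "all":
        return list(entries)
    return [e for e in entries if e[0] == description]


if __name__ == "__main__":
    # Constructed sample data, not taken from any real card.
    key = derive_key("correct horse", level=2)
    iv = bytes(BLOCK)
    img = make_image(256, [("mail", "hunter2"), ("vpn", "p@ss")], key, iv)
    print(len(img), read_image(img, key, iv), restore_fits(img, 64))
```

Two properties of the scheme are visible in the code and worth keeping in mind when handling card images or backups. OFB is a stream mode: it gives no integrity, so a modified backup decrypts to garbage (here unpack_entries or decode() fails) rather than being rejected, and re-encrypting a changed data area under the same key and starting value reuses the keystream, which leaks the XOR of old and new contents to anyone holding both images. The manual does not say how poc chooses its starting value, so the iv parameter above is an assumption. Second, the card key goes through a single unsalted hash, so an attacker with an image can test guesses offline at hash speed; a long card key matters more here than the 192/256 bit choice.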