

Ask HN: Why aren't there cheap, available smartcards? - superuser2

Smartcards have a huge security advantage - namely, that the key can never be stolen, only used. Additionally, there is a widely interoperable PKCS#11 standard supported by everything from Firefox to OpenSSH to perform encryption, digital signatures, and identity verification on smart cards.

Knowing all of this, I thought, why not try to set up smart card infrastructure on my Linux VPSes? There are hundreds of cheap readers on the market with tons of positive Amazon reviews, after all.

But no. They're all for the military CAC/PIV infrastructure, and while you can just buy blank PIV-compatible cards, _you can't provision them with keys_ unless you buy proprietary vendor-specific Windows software. There's an abandonware open-source project called OpenSC which tries to hack together provisioning support for some cards, but many on its list of Supported Devices are no longer sold. Those that are are from strange European websites with prices in Euro including VAT.

There's Yubikey, but the ones with smart card functionality are $50. And Yubikey appears to be the only game in town.

What gives? Why won't someone sell me a cheap smart card I can provision for myself or a small organization?
======
superuser2
So it turns out the story is less grim: you can buy a blank JavaCard [0] and
use GlobalPlatformPro [1] to load arbitrary applets. You can load gpgapplet,
isoApplet, MuscleApplet, or any other JavaCard crypto software you like. This
will then be compatible with client-side software like OpenSC [2], at which
point you get generic PKCS#11 or GPG functionality from it.

You can get FIPS 140-2 Level 3 cards for, like, $11.

Apparently there is some difficulty in correctly unlocking the card for applet
loading,

[0] https://github.com/martinpaljak/GlobalPlatformPro/tree/master/docs/JavaCardBuyersGuide
[1] https://github.com/martinpaljak/GlobalPlatformPro

I'll let you know how it goes :).
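
As an added example (not code from this thread, nor from the GlobalPlatformPro or OpenSC projects), here is the end-to-end procedure the comment above sketches, written as a POSIX shell script: load IsoApplet onto a blank JavaCard with GlobalPlatformPro, initialise a PKCS#15 structure and generate an RSA key on the card with OpenSC's pkcs15-init, then sign through the OpenSC PKCS#11 module and verify the signature with OpenSSL. The tool names, the PKCS#11 module path, the applet file name, the PINs and the key ID are all assumptions, overridable through environment variables; the card is assumed to still carry its default GlobalPlatform keys and to be recognised by OpenSC's IsoApplet driver once the applet is installed.

```shell
#!/bin/sh
# Added example: provision a blank JavaCard for PKCS#11 use.
# Every path, PIN and ID below is an assumption; override via environment.
set -eu

GP=${GP:-gp}                              # GlobalPlatformPro wrapper (or: java -jar gp.jar)
PKCS15_INIT=${PKCS15_INIT:-pkcs15-init}   # OpenSC
PKCS15_TOOL=${PKCS15_TOOL:-pkcs15-tool}   # OpenSC
PKCS11_TOOL=${PKCS11_TOOL:-pkcs11-tool}   # OpenSC
OPENSSL=${OPENSSL:-openssl}
OPENSC_MODULE=${OPENSC_MODULE:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}  # Debian path, assumed
APPLET_CAP=${APPLET_CAP:-IsoApplet.cap}   # CAP file built from the IsoApplet source, assumed name
USER_PIN=${USER_PIN:-123456}              # throwaway PIN for the example; change it
PUK=${PUK:-0123456789abcdef}              # throwaway PUK for the example; change it
KEY_ID=${KEY_ID:-01}                      # PKCS#15 object ID of the key we generate

# Step 1: load the applet over a GlobalPlatform secure channel.
# gp authenticates with the well-known default test keys unless told otherwise
# (add --key <hex> if the vendor shipped the card with different keys).
load_applet() {
    "$GP" --list                          # confirm the SCP session works before writing
    "$GP" --install "$APPLET_CAP"
    "$GP" --list                          # the applet's AID should now appear
}

# Step 2: wipe the applet's file system and lay down a PKCS#15 structure
# with a single user PIN (profile pkcs15+onepin) so OpenSC can manage objects.
init_pkcs15() {
    "$PKCS15_INIT" --erase-card
    "$PKCS15_INIT" --create-pkcs15 --profile pkcs15+onepin \
        --use-default-transport-key \
        --pin "$USER_PIN" --puk "$PUK" --label "homelab card"
}

# Step 3: generate the key pair on the chip. Only the public half is readable;
# the private key is created and stays inside the card, which is the whole
# point of using a smartcard instead of a file on disk.
# $1 = path to write the PEM public key to.
generate_key() {
    "$PKCS15_INIT" --generate-key rsa/2048 --id "$KEY_ID" --auth-id 01 \
        --key-usage sign,decrypt --pin "$USER_PIN" --label "ssh/tls key"
    "$PKCS15_TOOL" --read-public-key "$KEY_ID" > "$1"
}

# Step 4: use the key through the generic PKCS#11 interface (the same module
# Firefox and OpenSSH load) and check the result with the exported public key.
# $1 = file to sign, $2 = PEM public key from step 3, $3 = signature output.
sign_and_verify() {
    msg=$1
    pub=$2
    sig=${3:-$1.sig}
    "$PKCS11_TOOL" --module "$OPENSC_MODULE" --login --pin "$USER_PIN" \
        --sign --mechanism SHA256-RSA-PKCS --id "$KEY_ID" \
        --input-file "$msg" --output-file "$sig"
    "$OPENSSL" dgst -sha256 -verify "$pub" -signature "$sig" "$msg"
}

# Run the whole sequence only when invoked as `sh provision.sh run`,
# so the functions can be sourced or reused individually.
if [ "${1:-}" = "run" ]; then
    load_applet
    init_pkcs15
    generate_key card-pub.pem
    printf 'hello from the card\n' > msg.txt
    sign_and_verify msg.txt card-pub.pem msg.sig
fi
```

The order matters: GlobalPlatformPro talks to the card manager with the issuer keys, while everything after `load_applet` talks only to the applet with the user PIN, so step 1 is the only one that needs the card's GlobalPlatform keys. Once step 3 has run, `ssh-keygen -D "$OPENSC_MODULE"` lists the public key in authorized_keys form and `ssh -I "$OPENSC_MODULE" user@host` authenticates with it, without the private key ever existing outside the chip.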

------
jlgaddis
There are. I have a few sitting here on my desk (and one in my wallet) that I
bought for my personal use a few years ago. Honestly, it was a pain in the ass
to figure out how to get all the pieces to work together, but I finally
managed to load an applet and get it working.

I bought a few cards from each of several vendors and _one_ vendor had cards
that I was able to make work (the others were mostly proprietary). I can try
to dig up where I got them from if you're interested -- shoot me an e-mail if
so.

------
wmf
You kind of answered yourself: there's no usable infrastructure, thus no
volume, thus high prices, thus infrastructure doesn't get created. Except...
U2F now exists and you can buy the dongle for $18 at Amazon.

