Saturday, July 26, 2014

New PyKCS11 1.3.0 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.

See PyKCS11 introduction for more details about PyKCS11.

The changelog is short:
1.3.0 - July 2014, Ludovic Rousseau
  • add Python3 support
After some efforts I also uploaded the package python3-pykcs11 to Debian. It is my first Python3 package.

Wednesday, July 23, 2014

OS X Yosemite BETA and smart cards status


As I did with the previous major versions of Mac OS X Mavericks, Mountain Lion (and Lion) I will list changes in Yosemite BETA regarding the smart card world.


For now only a "public" beta version is available. According to the beta program FAQ:
Is the pre-release software I am installing confidential?
Yes, the pre-release software is Apple confidential information. For example, don’t install the pre-release Apple software on any systems you don't directly control or that you share with others, don’t blog, post screen shots, tweet or publicly post information about the pre-release Apple software, and don't discuss the pre-release Apple software with or demonstrate it to others who are not in the OS X Beta Program. For clarity, if Apple has publicly disclosed technical information about the pre-release software then it is no longer considered confidential.

So I can't tell you much. I will only refer to public documentation from Apple.

New frameworks

From What's New in OS X: OS X Yosemite v10.10

New Frameworks

The following frameworks are new in OS X v10.10:
  • Crypto Token Kit (CryptoTokenKit.framework). The Crypto Token Kit framework provides native support for smart cards, including:
    • Enumerating connected smart card readers and monitoring them for card insertion and removal
    • Transmitting commands and responses to and from smart cards in the reader
    • Supporting new smart card reader hardware

API Differences

From OS X v10.9 to OS X v10.10 API Differences

CryptoTokenKit (Added)

CryptoTokenKit.h (Added)
TKError.h (Added)
Added TKErrorAuthenticationFailed
Added TKErrorCode
Added TKErrorCodeCanceledByUser
Added TKErrorCodeCommunicationError
Added TKErrorCodeCorruptedData
Added TKErrorCodeNotImplemented
Added TKErrorDomain
Added TKErrorObjectNotFound
Added TKErrorTokenNotFound
TKSmartCard.h (Added)
Added TKSmartCard
Added TKSmartCard.allowedProtocols
Added -[TKSmartCard beginSessionWithReply:]
Added TKSmartCard.cla
Added TKSmartCard.context
Added TKSmartCard.currentProtocol
Added -[TKSmartCard endSession]
Added -[TKSmartCard sendIns:p1:p2:data:le:reply:]
Added TKSmartCard.sensitive
Added TKSmartCard.slot
Added -[TKSmartCard transmitRequest:reply:]
Added TKSmartCard.useExtendedLength
Added TKSmartCard.valid
Added TKSmartCardSlot
Added TKSmartCardSlot.ATR
Added -[TKSmartCardSlot makeSmartCard]
Added TKSmartCardSlot.maxInputLength
Added TKSmartCardSlot.maxOutputLength
Added TKSmartCardSlot.name
Added TKSmartCardSlot.state
Added TKSmartCardSlotManager
Added +[TKSmartCardSlotManager defaultManager]
Added -[TKSmartCardSlotManager getSlotWithName:reply:]
Added TKSmartCardSlotManager.slotNames
Added TKSmartCard(APDULevelTransmit)
Added TKSmartCardNoSlot
Added TKSmartCardSlotEmpty
Added TKSmartCardSlotMuteCard
Added TKSmartCardSlotProbing
Added TKSmartCardSlotState
Added TKSmartCardSlotStateEmpty
Added TKSmartCardSlotStateMissing
Added TKSmartCardSlotStateMuteCard
Added TKSmartCardSlotStateProbing
Added TKSmartCardSlotStateValidCard
Added TKSmartCardSlotValidCard
TKSmartCardATR.h (Added)
Added TKSmartCardATR
Added TKSmartCardATR.bytes
Added TKSmartCardATR.historicalBytes
Added -[TKSmartCardATR initWithBytes:]
Added -[TKSmartCardATR initWithSource:]
Added -[TKSmartCardATR interfaceGroupAtIndex:]
Added -[TKSmartCardATR interfaceGroupForProtocol:]
Added TKSmartCardATR.protocols
Added TKSmartCardATRInterfaceGroup
Added TKSmartCardATRInterfaceGroup.TA
Added TKSmartCardATRInterfaceGroup.TB
Added TKSmartCardATRInterfaceGroup.TC
Added TKSmartCardATRInterfaceGroup.protocol
Added TKSmartCardProtocol
Added TKSmartCardProtocolAny
Added TKSmartCardProtocolNone
Added TKSmartCardProtocolT0
Added TKSmartCardProtocolT1
Added TKSmartCardProtocolT15

PCSC

No changes

Crypto Token

So it looks like Apple changed the way to use a smart card (or Crypto Token). I would not be surprised if the CDSA and tokend infrastructures are now removed. CDSA is deprecated since Lion (3 major releases and 3 years ago), see Mac OS X Lion and tokend.

The removal of CDSA and tokend may be effective in Yosemite (or not).

PC/SC

The PC/SC API is still present and had not been modified.

Conclusion

Apple will surprise the smart card world with its new OS Yosemite.

I would say more but I can't because of the NDA. I will post a complete smart card status when Yosemite is released this autumn.

Wednesday, July 2, 2014

CCID descriptor statistics: dwMaxIFSD

Article from the serie "CCID descriptor statistics"

The dwMaxIFSD field is a number value from the USB CCID descriptor: Indicates the maximum IFSD supported by CCID for protocol T=1.

dwMaxIFSD#%
25417669.29 %
2523413.39 %
247166.30 %
0124.72 %
102441.57 %
25631.18 %
140020.79 %
104110.39 %
12310.39 %
204810.39 %
24010.39 %
24810.39 %
4910.39 %
6410.39 %


Some values may look strange or bogus:
  • 0 is used by 5% of readers. It is not a bug for a ICCD device with a T=0 card inside because dwMaxIFSD is only used with a T=1 card.
    Readers with dwMaxIFSD = 0 are:
    • ATMEL AT91SC192192CT-USB ICCD reader
    • ATMEL AT98SC032CT-USB
    • ATMEL VaultIC420 Smart Object
    • ATMEL VaultIC440
    • ATMEL VaultIC460
    • Gemalto Hybrid Smartcard Reader
    • IID AT90S064 CCID READER
    • INSIDE Secure VaultIC 405 Smart Object
    • INSIDE Secure VaultIC 441 Smart Object
    • Inside Secure VaultIC 420 Smart Object
    • Inside Secure VaultIC 440 Smart Object
    • Inside Secure VaultIC 460 Smart Object
    • MYSMART MySMART PAD V2.0
    • SchlumbergerSema SchlumbergerSema Cyberflex Access
    • SecuTech SecuTech Token
    • TianYu CCID Key TianYu CCID SmartKey
    Among them only the MYSMART MySMART PAD V2.0 is bogus with dwMaxIFSD = 0 and dwProtocols = 0x0000 0x0300 (should be 0x0000 0x0003 for T=0 and T=1).
  • The maximum value for dwMaxIFSD is dwMaxCCIDMessageLength - 10.
    Readers with  dwMaxIFSD > dwMaxCCIDMessageLength - 10, so bogus readers, are:
    • Aktiv Co., ProgramPark Rutoken Magistra
    • CCB eSafeLD
    • Feitian bR301
    • Free Software Initiative of Japan Gnuk
    • Gemalto PDT
    • Giesecke & Devrient GmbH Star Sign Card Token 550 (ICCD)
    • OCS ID-One Cosmo Card USB Smart Chip Device
    • Philips Semiconductors JCOP41V221
    • Philips Semiconductors SmartMX Sample
    • Planeta RC700-NFC CCID
    • Yubico Yubikey NEO CCID
    • Yubico Yubikey NEO OTP+CCID

CCID descriptor statistics: dwMaxDataRate

Article from the serie "CCID descriptor statistics"

The dwMaxDataRate field is a number value from the USB CCID descriptor:
Maximum supported ICC I/O data rate in bps
Example: 115.2Kbps is encoded as the integer value 115200. (0001C200h)

dwMaxDataRate#%
412903 bps3814.96 %
9600 bps3312.99 %
344086 bps3011.81 %
344105 bps176.69 %
250000 bps135.12 %
115200 bps114.33 %
500000 bps114.33 %
318280 bps103.94 %
230400 bps83.15 %
344100 bps83.15 %
12643980 bps72.76 %
129032 bps72.76 %
307200 bps72.76 %
10752 bps51.97 %
397024 bps51.97 %
200080 bps31.18 %
312500 bps31.18 %
344068 bps31.18 %
46875 bps31.18 %
847000 bps31.18 %
241936 bps20.79 %
2688 bps20.79 %
333333 bps20.79 %
344064 bps20.79 %
600000 bps20.79 %
825807 bps20.79 %
116129 bps10.39 %
119096 bps10.39 %
125000 bps10.39 %
21504 bps10.39 %
223200 bps10.39 %
23437 bps10.39 %
317591 bps10.39 %
32258 bps10.39 %
412896 bps10.39 %
421052 bps10.39 %
430107 bps10.39 %
589250 bps10.39 %
825806 bps10.39 %
847500 bps10.39 %
848000 bps10.39 %
96774 bps10.39 %
9910 bps10.39 %




We find again the "magic" value of 9600 bps (used by 13% of readers) as with dwDataRate, dwDefaultClock and dwMaximumClock.

The highest value 12643980 is used by 7 readers (3%) and is not a bogus value. This speed of 12.6 Mbps is used by contactless readers, all manufactured by SpringCard. I guess not so may smart cards can communicate with a speed as high as 12.6 Mbps.

CCID descriptor statistics: dwMaximumClock

Article from the serie "CCID descriptor statistics"

The dwMaximumClock field is a number value from the USB CCID descriptor:
Maximum supported ICC clock frequency in KHz. This is an integer value.
Example: 14.32 MHz is encoded as the integer value 14320. (000037F0h)

dwMaximumClock#%
4.000 MHz9437.01 %
8.000 MHz4316.93 %
3.580 MHz3312.99 %
12.000 MHz176.69 %
3.700 MHz103.94 %
4.800 MHz103.94 %
13.560 MHz83.15 %
7.500 MHz62.36 %
4.615 MHz51.97 %
1.500 MHz41.57 %
20.000 MHz31.18 %
3.570 MHz31.18 %
3.600 MHz31.18 %
1.000 MHz20.79 %
3.571 MHz20.79 %
3.692 MHz20.79 %
1024.000 MHz10.39 %
16.000 MHz10.39 %
2.000 MHz10.39 %
3.000 MHz10.39 %
3.685 MHz10.39 %
3.686 MHz10.39 %
3.850 MHz10.39 %
4.714 MHz10.39 %
5.000 MHz10.39 %

We find nearly the same values as for dwDefaultClock (See CCID descriptor statistics: dwDefaultClock):
  • 4.0 Mhz: (37% of readers), 48% of readers have a default clock of 4.0 Mhz
  • 8.0 Mhz: (17%) this is just the double of a default clock of 4.0 Mhz
  • 3.58 Mhz: (13%) same as default clock for 34 readers
  • 12 Mhz: (7%) 3 times the default clock of 4.0 Mhz

The maximum clock speeds are more diverse than the default clock speeds.

If we draw the number of reader per clock frequency we have:

The value 1024 Mhz (1.024 GHz) is, here again, clearly from a bogus reader.

CCID descriptor statistics: dwDefaultClock

Article from the serie "CCID descriptor statistics"

The dwDefaultClock field is a number value from the USB CCID descriptor:
Default ICC clock frequency in KHz. This is an integer value.
Example: 3.58 MHz is encoded as the integer value 3580. (00000DFCh)
This is used in ETU and waiting time calculations. It is the clock frequency used when reading the ATR data.

dwDefaultClock#%
4.000 MHz12348.43 %
4.800 MHz4316.93 %
3.580 MHz3413.39 %
3.700 MHz103.94 %
3.686 MHz83.15 %
4.615 MHz51.97 %
1.500 MHz41.57 %
3.600 MHz41.57 %
2.000 MHz31.18 %
3.570 MHz31.18 %
3.750 MHz31.18 %
1.000 MHz20.79 %
3.000 MHz20.79 %
3.571 MHz20.79 %
3.685 MHz20.79 %
3.692 MHz20.79 %
1024.000 MHz10.39 %
3.850 MHz10.39 %
4.714 MHz10.39 %
5.000 MHz10.39 %


The most common default clock frequencies are:
  • 4.0 Mhz (48% of readers)
  • 4.8 Mhz (17%)
  • 3.58 Mhz (13%)

Note that 3.57 Mhz (used by 3 readers) was the default speed when the reader-host communication was at 9600 bauds using a serial communication port (9600 * 372 = 3,571,200).

Now that the readers are using the USB protocol the 4 Mhz clock speed may be easier to use at the hardware level and not too far from the classic 3.57 Mhz supported by old smart cards.

If we draw the number of reader per clock frequency we have:

The value 1024 Mhz (1.024 GHz) is clearly from a bogus reader.

Friday, June 20, 2014

MUSCLE website migration

After the migration of the MUSCLE mailing list (see MUSCLE list migration) I had to move the MUSCLE web site.

The MUSCLE (Movement for the Use of Smart Card in a Linux Environment) web site used to be at http://www.musclecard.com. Because of issues with the hosting service the web site has been moved to another place at http://pcsclite.alioth.debian.org/musclecard.com/.

The web site at http://pcsclite.alioth.debian.org/musclecard.com/ is just a copy of the old web for the history. I do not plan to update this web site.

History

David Corcoran sent me a backup of the web site. But the backup was incomplete and all the source code archives were missing. That was a problem because, for example, the driver skeleton was missing. In the mean time the hosting service had shutdown the web site. So it was not possible to fetch the archives files anymore.

Thanks to the wayback machine I could find a not so old version (May 2014) of the MUSCLE web site. The source code archive files are available on the wayback machine. So I could copy them to the new http://pcsclite.alioth.debian.org/musclecard.com/ web site.