Friday, February 5, 2016

PySCard 1.9.2 released

I just released a new official version 1.9.2 of pyscard. PySCard is a python module adding smart cards support (PC/SC) to Python.

The PySCard project is available at:


1.9.2 (February 2016)
  • Fix toBytes regression
  • Fix installation using pip
  • improve pydoc documentation
  • user-guide.rst: use real sample codes
  • minor improvements

I forgot to announce the previous version 1.9.1 on the blog.

1.9.1 (September 2015)
  • Create a new version so that the upload to Pypi does _not_ contain the swig generated files.

Remaining problem

The versions 1.9.1 and 1.9.2 were supposed to fix  a problem when the software is installed using pip. But the problem is still present ☹.

The best way, for now, to install the software from source code is to use:
$ cd pyscard-1.9.2
$ python install

Wednesday, February 3, 2016

ATR statistics: TS, initial character

Article from the series "ATR statistics"

TS: initial character

The ISO 7917-3 specification is not public. So I can't copy/paste part of the text. I will use Wikipedia instead.

From Wikipedia

Initial character TS

The initial character TS encodes the convention used for encoding of the ATR, and further communications until the next reset. In direct [resp. inverse] convention, bits with logic value ‘1’ are transferred as a High voltage (H) [resp. a Low voltage (L)]; bits with logic value ‘0’ are transferred as L [resp. H]; and least-significant bit of each data byte is first (resp. last) in the physical transmission by the card.
For  direct   convention, TS is (H) L H H L H H H L L H (H) and encodes the byte ‘3B’.
For inverse convention, TS is (H) L H H L L L L L L H (H) and encodes the byte ‘3F’.
[ (H) represents the idle (High, Mark) state of the I/O line. The 8 data bits are shown in italic. ]
Bits in bytes following TS in the ATR, and further communications until the next reset, are numbered 1st to 8th from low-order to high-order, and their value noted 0 or 1, regardless of the chronological order and electrical representation, defined by TS. The bit following the 8 data bits in these bytes is an even parity bit, that is such that there's an even number of ‘1’ bits (H or L according to the direct or inverse convention defined by TS) among the 8 data bits and the parity bit.
TS also allows the card reader to confirm or determine the ETU, as one third of the delay between the first and second H-to-L transition in TS. This is optional, and the principal definition of ETU in the ATR of standard-compliant asynchronous Smart Cards is 372 periods of the clock received by the card

This first byte is used to indicate how bits and bytes are encoded at the electrical level: direct or inverse convention.

This choice has no impact on performances. As you can see, the vast majority of cards (94%) are using the direct convention (0x3B).

0x3B194593.87 %
0x3F1276.13 %

Wednesday, January 27, 2016

New PyKCS11 1.3.2 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.

See PyKCS11 introduction for more details about PyKCS11.

1.3.2 - January 2016, Ludovic Rousseau
  • Add wrappers for C_Verify, C_WrapKey, C_UnwrapKey
  • PKCS#11 definitions: sync with Cryptoki version 2.30
  • Generate CKM[CKM_VENDOR_DEFINED+x] values on the fly
  • Fix use of a pinpad reader CKF_PROTECTED_AUTHENTICATION_PATH
  • lots of small fixes
  • Setup call make to build pykcs11_wrap.cpp using SWIG
  • Fix build on Windows
  • Small bugs fixed

I also noticed that I forgot to blog about the previous version: 1.3.1

1.3.1 - October 2015, Ludovic Rousseau
  • PKCS#11 definitions: sync with Cryptoki version 2.30
  • Add user type CK_CONTEXT_SPECIFIC
  • Fixes #9, incorrect assignment of pParameter for CK_MECHANISMs.
  • CKA_DERIVE is a CK_BBOOL and not byte array
  • Add digest() and encrypt method to Session class
  • Add samples:
    • key-pair generation
    • key-pair generation + certificate import
    • printing public key modulus
    • computing signature
  • small bugs fixed

Saturday, January 23, 2016

ATR statistics: ATR list growth

Article from the series "ATR statistics"

Evolution of the number of ATRs

Since 2002 I add new ATRs in the ATR list, ATRs submitted by users of my tools: ATR_analysis and Smart card ATR parsing. I wanted to know how regularly I did that over the lifetime of the project (more than 14 years now).

I now have 2098 ATR entries in my list.


I am really surprised by the linearity of the curve.

The curve does not start at 0 ATR because the first versions of the list were stored in CVS Version Control System (I then used Subversion and now GIT). It looks like I lost the CVS history when I moved to Subversion in 2009.

The linear correlation equation is (according to Numbers): y = 6.308e-6 x - 940.4
That is a progression of 6.308x10-6 ATR per second, or 0.54 ATR per day, or 3.8 ATR per week, or 199 ATR per year.

The coefficient of determination R2 is equal to 0.996 (very close to 1) so the linear approximation is quiet good.


The progression may stay constant as new smart cards, with new ATRs, are continuously delivered to users by smart card providers.

Maybe this data is a good indication of the health of the smart card industry? What do you think?

ATR list study

Since 2002 I maintain a list of ATR (Answer-to-Reset). The idea is to identify a smart card given its ATR.

The project started as a Perl script (ATR_analysis from the pcsc-tools project), then moved into a Python script ( from parseATR sub-project of pyscard-contrib) and is now a online web application: Smart card ATR parsing.

I now have 2098 ATRs in my list and I think it is time to make some statistics.


This article is a meta article (as I did with "CCID descriptor statistics") and contains only pointers to other articles:
  • ATR list growth
  • TS - Initial character
  • T0 - Format byte
  • TA1 - Global, encodes Fi and Di
  • TB1 - Global, deprecated
  • TC1 - Global, encodes N
  • TD1 - Structural, encodes Y2 and T
  • TA2 - Global, specific mode byte
  • TB2 - Global, deprecated
  • TC2 - Specific to T=0
  • TD2 - Structural, encodes Y3 and T
  • TA3
  • TB3
  • TC3
  • TD3
  • TA4
  • TB4
  • TC4
  • TD4
  • Historical bytes - Historical bytes (optional)
  • TCK - Check byte TCK (conditional)


You can read the Wikipedia pages about Answer-to-Reset and ISO 7816.

Or you can pay 178 CHF (162 €) to buy and read the ISO 7816-3 document (the price is the same for a PDF version or a printed version on dead trees).

Yes, I find it stupid to have to pay to read standards. Luckily the Internet is build upon free (as in free beer) Request for Comments (RFC) from The Internet Engineering Task Force (IETF®) and not ISO protocols. But that is not the subject of this article.

Tuesday, January 19, 2016

PyKCS11 repository has moved

PyKCS11 is the Python wrapper above a PKCS#11 library. I presented it in "PyKCS11 introduction"

New location

I moved the PyKCS11 Mercurial repository in a team repository.
The new repository is now at:


  1. Create a new local repository using the new URL.
    $ hg clone
  2. Apply your local changes, if any.

Sunday, January 10, 2016

New version of libccid: 1.4.22

I just released a version 1.4.22 of libccid the Free Software CCID class smart card reader driver.

1.4.22 - 10 January 2016, Ludovic Rousseau
  • Add support of
    • Aktiv Rutoken PINPad 2
    • Aladdin R.D. JC-WebPass (JC600)
    • Aladdin R.D. JCR-770
    • Aladdin R.D. JaCarta
    • Aladdin R.D. JaCarta Flash
    • Aladdin R.D. JaCarta LT
    • Aladdin R.D. JaCarta U2F (JC602)
    • Athena ASEDrive IIIe Combo Bio PIV
    • Athena ASEDrive IIIe KB Bio PIV
    • GEMALTO CT1100
    • GEMALTO K1100
    • Hitachi, Ltd. Hitachi Biometric Reader
    • Hitachi, Ltd. Hitachi Portable Biometric Reader
    • Nitrokey Nitrokey Storage
    • Thursby Software Systems, Inc. TSS-PK7
    • Thursby Software Systems, Inc. TSS-PK8
  • Patch for Microchip SEC1110 reader on Mac OS X (card events notification)
  • Patch for Cherry KC 1000 SC (problem was with a T=1 card and case 2 APDU)
  • Fix support of FEATURE_MCT_READER_DIRECT for the Kobil mIDentity visual reader
  • Set timeout to 90 sec for PPDU (Pseudo APDU) commands. This change allows the use of a Secure Verify command sent as a PPDU through SCardTransmit().
  • Fix a crash when reader reader initialization failed
  • Fix initialization bug with Gemalto Pinpad reader on Mac OS X
  • Some minor bugs fixed