Monday, August 12, 2019

ISO 7816-4 spy using Wireshark

In a previous blog article "CCID USB spy using Wireshark" I documented how to use Wireshark to analyse USB CCID packets.

It is also possible to continue the packet decoding to show ISO 7816-4 format commands.

Raw USB packets

By default you will get USB packets.



CCID packets

Enable the USBCCID decoder in the Wireshark menu Analyze -> Decode as...
You will then see CCID packets.
But APDUs sent to the reader may be hard to read if you do not decode ISO 7816-4 directly in your head.
All we get here is Data: 00 a4 04 00 0b a0 00 00 03 97 43 49 44 5f 01 00

ISO 7816 commands

Now enable the ISO 7816 decoder.
And you will see ISO 7816-4 command names.
Here you see that the APDU 00 a4 04 00 0b a0 00 00 03 97 43 49 44 5f 01 00 is a "Select file" (the second byte, the INS byte, is 0xA4).
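To show what the ISO 7816 decoder does with those bytes, here is an added example (not Wireshark's code and not part of the original article): a short-form command APDU parser run on the APDU above. The function names and the small INS table are assumptions made for the illustration; extended-length APDUs are rejected rather than decoded.

```python
# Added example: decode a short-form ISO 7816-4 command APDU.
INS_NAMES = {  # small subset of ISO 7816-4 instruction bytes
    0x20: "VERIFY", 0x84: "GET CHALLENGE", 0xA4: "SELECT",
    0xB0: "READ BINARY", 0xB2: "READ RECORD",
    0xC0: "GET RESPONSE", 0xCA: "GET DATA",
}

def parse_apdu(hex_string):
    """Split a command APDU into CLA/INS/P1/P2, Lc, data and Le."""
    raw = bytes.fromhex(hex_string)
    if len(raw) < 4:
        raise ValueError("a command APDU has at least CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    lc, data, le = None, b"", None
    if not body:
        case = 1                      # header only
    elif len(body) == 1:
        case, le = 2, body[0] or 256  # Le = 0x00 means 256 bytes expected
    else:
        lc = body[0]
        if lc == 0:
            raise ValueError("extended-length APDU, not handled here")
        if len(body) == 1 + lc:
            case = 3                  # Lc + data, no Le
        elif len(body) == 2 + lc:
            case, le = 4, body[-1] or 256
        else:
            raise ValueError(f"Lc={lc} but {len(body) - 1} byte(s) follow it")
        data = body[1:1 + lc]
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "case": case,
            "name": INS_NAMES.get(ins, f"unknown INS 0x{ins:02X}"),
            "lc": lc, "data": data, "le": le}

def describe(hex_string):
    """One-line summary, similar in spirit to a dissector's info column."""
    a = parse_apdu(hex_string)
    text = f"{a['name']} CLA={a['cla']:02X} P1={a['p1']:02X} P2={a['p2']:02X}"
    if a["lc"] is not None:
        text += f" Lc={a['lc']} data={a['data'].hex()}"
    if a["le"] is not None:
        text += f" Le={a['le']}"
    return text

if __name__ == "__main__":
    # The APDU shown in the article's CCID capture.
    print(describe("00 a4 04 00 0b a0 00 00 03 97 43 49 44 5f 01 00"))
```

On the article's APDU this reports a case 3 SELECT with P1=04 (selection by DF name) and an 11-byte data field.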

Limitations

Not all the CCID packets are decoded.

For example the Secure command (0x69) is not (yet) decoded.
Only the first CCID byte is decoded as "Message Type: PC_to_RDR_Secure (0x69)". The remainder of the CCID frame is not decoded. And this command is not easy to decode by hand without the CCID specification.

This CCID Secure command is used with a pinpad reader to make the user enter their PIN code on the pinpad and not on the computer keyboard. See here for a list of pinpad readers working with my CCID driver.
The Secure command uses parameters to set the PIN padding, the messages displayed to the user, the min and max PIN lengths, the validation conditions and some other parameters. Not all pinpad readers support the same set of parameters so the situation is complex.

Windows support

In my previous article "CCID USB spy using Wireshark" I made the USB trace acquisition on a GNU/Linux system.

This time I made the capture on Windows, saved the file on disk (.pcapng format) and used Wireshark on macOS to study the file. Yes, I prefer to NOT use Windows as much as possible.

So whatever the system you are using (GNU/Linux, macOS or Windows, and maybe others) Wireshark can help you.

Conclusion

Wireshark is a very nice tool. I should use it more often to debug issues and understand why a program is working on Windows and not on GNU/Linux. It can be used to do some reverse engineering, especially with complex CCID commands like the Secure command.

Saturday, August 10, 2019

New version of libccid: 1.4.31

I just released version 1.4.31 of libccid, the Free Software CCID class smart card reader driver.

Changes:

1.4.31 - 10 August 2019, Ludovic Rousseau
  • Add support of
    • ACS ACR1252 Reader
    • Aladdin R.D. JaCartaReader
    • Alcor Link AK9563
    • AvestUA AvestKey
    • Avtor SecureToken (idProduct: 0x0020)
    • Bit4id TokenME EVO v2
    • Bit4id miniLector AIR EVO
    • Bit4id miniLector Blue
    • Broadcom Corp 58200 (idProduct: 0x5843)
    • Broadcom Corp 58200 (idProduct: 0x5844)
    • Broadcom Corp 58200 (idProduct: 0x5845)
    • Certgate GmbH ONEKEY ID 2 USB
    • HID Global Crescendo Key 0x0028
    • HID Global Crescendo Key 0x0029
    • HID Global Crescendo Key 0x002B
    • HID Global Crescendo Key 0x002D
    • Identiv SCR3500 C Contact Reader
    • InfoCert WirelessKey
    • NXP PN7462AU CCID
    • Route1 MobiKEY Fusion3
    • SPECINFOSYSTEMS DIAMOND token
  • MacOSX/configure: fix checking error for dynamic library libusb
  • Some minor improvements for debug

Friday, August 9, 2019

PySCard 1.9.9 released

I just released a new version 1.9.9 of pyscard. PySCard is a Python module adding smart card support (PC/SC) to Python.

The PySCard project is available at:


Changes

1.9.9 (August 2019)
  • Makefile: use twine to upload to pypi.python.org
  • test: fix Exception test on 32-bits CPU
  • test: correctly handle macOS versions older than 10.10

Wednesday, June 26, 2019

GnuPG and PC/SC conflicts

GnuPG

"GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications."

GnuPG supports smart cards using the OpenPGP application in the card or token. See "How to use the Fellowship Smartcard" for more details.

PC/SC

PC/SC (defined by the PC/SC workgroup) is the "standard" way to access smart cards and smart card readers.

pcsc-lite is a Free Software implementation of the PC/SC standard often used in Unix systems.
pcscd is a daemon, part of pcsc-lite, accessing the smart card readers.

The problem

By default GnuPG has its own way to access smart cards with the help of the scdaemon helper process.

If you use GnuPG and also PC/SC on the same system you may have problems.

scdaemon gets access

If scdaemon is started before pcscd then the smart card reader will not be available at the PC/SC level.
In pcscd logs you get the error:
ccid_usb.c:653:OpenUSBByName() Can't claim interface 1/12: LIBUSB_ERROR_BUSY

pcscd gets access

If pcscd is started before scdaemon then the smart card will not be available at the GnuPG level.
You get the error:
$ gpg --card-status 
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device

It is becoming a FAQ (Debian bug #925312, github issue) so I decided to document possible solutions.

The solutions

Remove pcscd from your system

The obvious solution to avoid the conflict is to remove one of the two participants.
If you use your smart card only with GnuPG then you can remove pcscd entirely.

But if you have pcscd installed it may be for a good reason. You may want/need to use PC/SC for other applications.

Tell GnuPG to use PC/SC

Another solution is to make GnuPG and pcscd work together.
Luckily it is possible to do that using the scdaemon option --disable-ccid.

From the documentation:
--disable-ccid
Disable the integrated support for CCID compliant readers. This allows falling back to one of the other drivers even if the internal CCID driver can handle the reader. Note, that CCID support is only available if libusb was available at build time.

With this option scdaemon will use PC/SC to talk to the smart card and the conflict is solved.

It is possible to tell scdaemon to always use this option by editing the scdaemon configuration file. By default it is ~/.gnupg/scdaemon.conf and it should contain the line:
disable-ccid

If you try to make it work be sure to kill any running scdaemon process so that it is restarted with the new option.
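The diagnosis and the configuration change described above, as an added example (not code from GnuPG, pcsc-lite or the original article). The function names are assumptions, and the file is treated as a GnuPG option file where lines starting with # are comments.

```python
# Added example: recognise the scdaemon/pcscd conflict and enable disable-ccid.
from pathlib import Path

def diagnose(text):
    """Map the two error messages quoted in the article to the likely cause."""
    if "Can't claim interface" in text and "LIBUSB_ERROR_BUSY" in text:
        return "scdaemon holds the reader: pcscd cannot claim the USB interface"
    if "selecting openpgp failed: No such device" in text:
        return "pcscd holds the reader: consistent with scdaemon failing to open it"
    return "no known conflict signature"

def has_disable_ccid(conf_text):
    """True if an active (not commented out) disable-ccid line is present."""
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if stripped.split() == ["disable-ccid"]:
            return True
    return False

def ensure_disable_ccid(conf_path):
    """Append disable-ccid if it is missing; return True if the file changed."""
    path = Path(conf_path)
    text = path.read_text() if path.exists() else ""
    if has_disable_ccid(text):
        return False
    if text and not text.endswith("\n"):
        text += "\n"                  # do not glue the option to the last line
    path.write_text(text + "disable-ccid\n")
    return True

if __name__ == "__main__":
    # The two messages are the ones quoted in the article.
    print(diagnose("ccid_usb.c:653:OpenUSBByName() Can't claim interface 1/12: LIBUSB_ERROR_BUSY"))
    print(diagnose("gpg: selecting openpgp failed: No such device"))
    # Default location named in the article; the ~/.gnupg directory must exist.
    if ensure_disable_ccid(Path.home() / ".gnupg" / "scdaemon.conf"):
        print("disable-ccid added: kill scdaemon so it restarts with the option")
```

After the file changes, `gpgconf --kill scdaemon` is one way to stop the running scdaemon so that the next gpg call restarts it with the new option.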

Conclusion

I don't know if the problem comes from pcscd or from GnuPG.

The good news is that there is a solution.

Saturday, June 15, 2019

https://www.pcscworkgroup.com/ is back

After a few days the PC/SC work group web site is available again.
https://www.pcscworkgroup.com/

One week ago in "http://www.pcscworkgroup.com is gone" I announced that the website was dead. It has now been resurrected.

PC/SC specifications copies

I will keep my PC/SC specifications copies at https://muscle.apdu.fr/www.pcscworkgroup.com/ just in case the official web site disappears again.

WHQL test cards

It is now also possible to order the "PC/SC Test Card Set V2.0" from https://www.pcscworkgroup.com/product/pcsc-test-card-set-v2-0/.
The price is $1000 for 5 cards.

I am not sure I will buy some sets just to speculate on the death again of the PC/SC website. 😏

Monday, June 10, 2019

PC/SC workgroup and WHQL test cards

PC/SC work group

The PC/SC work group was not only used for updating and distributing the PC/SC specification. It was also the reseller of a set of smart cards used by the WHQL process.

WHQL

WHQL is Windows Hardware Quality Labs. I am not a Windows user (and even less an expert) so I may be wrong here.

It looks like smart card reader drivers need to go through the WHQL process to be signed by Microsoft and accepted by Windows systems.
The WHQL process for smart card reader drivers required the use of a specific set of cards. This set of cards was sold by the PC/SC work group.

Test cards set

Since the PC/SC work group is now dead (see "http://www.pcscworkgroup.com is gone") it is no longer possible to buy such a card set.

The Internet Archive service does not have a copy of the "Test Cards" or "Test Cards Ordering" pages. I never used such test cards for my own use. I don't know what the procedure was to order such a Test Cards set.

Solution

I can't help here.
The best I can think of is to contact Microsoft so they provide the Test Cards set themselves or change the WHQL process to use something else.

Maybe some company that has one (or more) complete Test Cards set can rent the set for a good amount of money. If the set is rare it should be expensive (supply and demand). Why don't I have such a set myself? 😀

Friday, June 7, 2019

http://www.pcscworkgroup.com is gone

For a few days/weeks the web site http://www.pcscworkgroup.com has no longer been available (HTTP Error 404).
This web site hosted the PC/SC specification. This specification is implemented as WinSCard API for Windows and pcsc-lite on Unix.

PC/SC is the standard way to access smart card readers and smart cards from a Windows or Unix system.
See "PC/SC sample in different languages" for some examples.

Last days

The death of the web site was not announced on any PC/SC mailing list I know.

The latest meeting of the PC/SC members was in December 2016.
The latest email I received from the pcscmembers mailing list was in January 2018.
 
I guess the group ran out of money (not enough paying members) and the company managing the website and meetings (at a very high price) just stopped providing services.

The PC/SC specifications are mature enough, or PC/SC members just moved to something else?
It is important to note that Windows never implemented the latest version of PC/SC v2 part 10 (to support pinpad readers in the Windows CCID driver for example). So working on a specification that is not implemented by the major provider is somewhat useless.

Web site copies

The web site was still available on the 9th of January 2019 and it has been archived by the Internet Archive (Wayback Machine) at https://web.archive.org/web/20190109211601/https://www.pcscworkgroup.com/

The specification files are also available from the Internet Archive at https://web.archive.org/web/20170904222045/https://www.pcscworkgroup.com/specifications/download/

PC/SC specifications copies

I decided to host a copy of the PC/SC specification documents on https://muscle.apdu.fr/www.pcscworkgroup.com/.
I used the copies I made for my own use. But now that the official web site is down I am making them public.

Conclusion

It is sad to see a website disappear silently with no warning.
If you have other PC/SC public documents you want to share just tell me.