Misc PC/SC proposals
IntroductionIn October 2011 I asked on the MUSCLE mailing list (http://musclecard.com/list.html) what changes where expected by the PC/SC workgroup.
Here is a list of the items.
Changes in PC/SC workgroup documentsThe PC/SC workgroup specifications contain a "Revision History" section with a brief description of the changes. It would be even better to have all the changes directly visible within the document.
This can be done using different processes:
PDF with revision marksWhen a new document is provided by the PC/SC workgroup a second document with the changes (compared to the previous version of the document) can be provided. This second document is easy to generate using the "compare" feature of MS Word.
Provide the document in ODF formatIf providing the second document with the changes is too much work for the process another solution is to provide the document in ODF (Open Document Format) format (in addition to the PDF format). With this format it is easy to use, for example, Libre Office and compare two versions of the same specification document.
Provide the document in .DOC formatIf providing the documents in ODF format is too much work for the process another solution is to provide the document in MS .DOC format. I guess the original format of the specification is already .DOC so the only added step is to store the .DOC documents on the PC/SC workgroup web site.
Firewalled pinpadSome pinpad readers implement a firewall. If a PIN Verify command (INS byte 0x20) is sent using
SCardTransmit() the reader will reject it. With a firewalled pinpad the only way to verify a PIN is by using the secure verify PIN feature. The problem is that 2 different readers will return 2 different status word in case of firewall rejection. In the field we already have noted two different Status Word in this case: 0x6985 and 0x6D00.
According to ISO 7816-4 we have:
- Instruction code not supported or invalid
- Command not allowed (further qualification in SW2)
- Conditions of use not satisfied
These values are not really correct. Another problem is that it is hard (or impossible) to know if the error is really a invalid INS code or a rejection by the firewall. Another option it to use an not already used value like 0x6404
- State of non-volatile memory is unchanged (further qualification in SW2)
|Canceled by user
|Too short or too long PIN
The PC/SC workgroup should define the status word (SW1 and SW2) to be reported by the reader in such a case. We propose to use 0x6404.
FEATURE_WRITE_DISPLAYPC/SC v2 part 10 defines
FEATURE_WRITE_DISPLAY. But I could not find how to implement it in the driver at the CCID level. I guess some reader manufacturers have implemented it using CCID proprietary extensions.
- Document how
FEATURE_WRITE_DISPLAYshould or could be implemented at the CCID level
FEATURE_GET_KEYPC/SC v2 part 10 defines
FEATURE_GET_KEY. But I could not find how to implement it in the driver at the CCID level. I guess some reader manufacturers have implemented using CCID proprietary extensions.
- Document how
FEATURE_GET_KEYshould or could be implemented at the CCID level
FEATURE_VERIFY_PIN_STARTPC/SC v2 part 10 defines
FEATURE_VERIFY_PIN_FINISH. But I could not find how to implement it in the driver at the CCID level. I guess some reader manufacturers have implemented using CCID proprietary extensions.
- Document how
FEATURE_VERIFY_PIN_FINISHshould or could be implemented at the CCID level
Unblock PIN featureAdd the possibility to unblock a PIN code using a pinpad. The unblock INS code is 0x2C and defined by TS 51.011 EN (http://www.3gpp.org/ftp/Specs/html-info/51011.htm). Some pinpad reader do not accept INS=0x2C for a VERIFY PIN command.
I propose to accept at least:
|VERIFY command (ISO 7816-4)
|UNBLOCK (3GPP TS 51.011 EN)
- Document the minimum set of INS bytes that a pinpad reader shall accept for a secure verify PIN command.
PIN merge featureAdd a 'pin merge' feature in which: part of the PIN is provided by the application and the other part is entered on the pinpad reader. Some readers already allow this: you just put part of the PIN in the APDU -- but some readers seem to overwrite the APDU's PIN buffer with padding bytes.
For eID cards, it happens that a PUK is split between the citizen and the governement. The examples below come from an eID card with ASCII encoded PINs:
E.g. of a 'PIN unblock without PIN change', in this case you can do an
SCardControl(ctrl-for-FEATURE_VERIFY_PIN_DIRECT , data) with:
data = 1E 1E 02 00 00 00 00 08 04 00 02 01 16 08 00 00 00 00 00 00 0D 00 00 00
00 2C 01 81 08 FF FF FF FF 31 32 33 34 (37 bytes)
So the application provides the last part of the PUK (= "1234" in this case) and the pinpad reader should ask the first part of the PUK to the user and fill it in at the location of the
FF FF FF FF.
So for ASCII and BCD encoded PINs, this trick works on readers that don't write padding bytes to the PIN buffer (i.e. they should not change the
31 32 33 34 into
FF FF FF FF in the above example).
Another example, of a 'PIN unblock with PIN change', in this case you can do an SCardControl(ctrl-for-FEATURE_CHANGE_PIN_DIRECT , data) with
data = 1E 1E 02 00 00 00 08 08 04 03 02 03 16 08 00 00 00 00 00 00 15 00 00 00
00 2C 00 81 10 FF FF FF FF 31 32 33 34 FF FF FF FF FF FF FF FF (45 bytes)
Here again, the first
FF FF FF FF are for the user's part of the PUK, and the last 8 FF bytes are for the new PIN. Same remarks as above apply.
ConclusionPC/SC defines some services at the PC/SC layer. This is fine. But the CCID specification does not provide any documentation or specification for these services.
A documentation is needed so that these services can be implemented in a "class" CCID driver.
Updating the CCID specification may be a difficult task. So I propose to host the documentation in the PC/SC workgroup. I do not ask to add the documentation in an existing document, just to host the documentation in a central place.
One easy solution is to host the CCID level programing manual of readers implementing the solutions we described above.