Important!

Blog moved to https://blog.apdu.fr/


Thursday, August 22, 2019

Improved security of {muscle,pcsclite,ccid}.apdu.fr websites

I recently discovered the Mozilla Observatory service:
The Mozilla HTTP Observatory is a set of tools to analyze your website and inform you if you are utilizing the many available methods to secure it.

Before

Initially, the 3 websites I manage (https://muscle.apdu.fr/, https://ccid.apdu.fr/ and https://pcsclite.apdu.fr/) had a very bad score of F or 20/100.

F is the worst score. So I needed to do something to improve the situation and the security a bit.

After

After some configuration of the web server and some minor updates to the web pages, I now get a score of A+ or 110/100.

If you find something broken on the web sites please tell me. I may have missed something.

Conclusion

I think I could still improve the security. If you have ideas of what to do just tell me.

Monday, August 12, 2019

ISO 7816-4 spy using Wireshark

In a previous blog article "CCID USB spy using Wireshark" I documented how to use Wireshark to analyse USB CCID packets.

It is also possible to continue the packet decoding to show ISO 7816-4 format commands.

Raw USB packets

By default you will get USB packets.



CCID packets

Enable the USBCCID decoder in the Wireshark menu Analyze -> Decode as...
You will then see CCID packets.
But APDUs sent to the reader may be hard to read if you do not decode ISO 7816-4 directly in your head.
All we get here is Data: 00 a4 04 00 0b a0 00 00 03 97 43 49 44 5f 01 00

ISO 7816 commands

Now enable the ISO 7816 decoder.
And you will see ISO 7816-4 command names.
Here you see that the APDU 00 a4 04 00 0b a0 00 00 03 97 43 49 44 5f 01 00 is a "Select file" (the second byte, INS byte, is 0xA4).
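
As an added example (not code from the original post or from Wireshark), here is a minimal Python decoder for short-form ISO 7816-4 command APDUs, applied to the APDU above. The names `parse_apdu` and `describe` and the small INS table are this example's own; extended-length APDUs are rejected rather than decoded.

```python
# Added example: decode a short-form ISO 7816-4 command APDU.
# The INS table is a small subset; names follow the "Select file" label above.
INS_NAMES = {
    0x20: "Verify", 0xA4: "Select file", 0xB0: "Read binary",
    0xB2: "Read record(s)", 0xC0: "Get response", 0xCA: "Get data",
}


def parse_apdu(hex_str):
    """Split a command APDU (hex string) into header, data field and Le."""
    raw = bytes.fromhex(hex_str)
    if len(raw) < 4:
        raise ValueError("need at least CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    body, data, le = raw[4:], b"", None
    if len(body) == 1:                    # case 2: only Le follows the header
        le = body[0] or 256               # Le = 00 asks for 256 bytes
    elif len(body) > 1:
        lc, rest = body[0], body[1:]
        if lc == 0:
            raise ValueError("extended-length APDU not handled here")
        if len(rest) == lc:               # case 3: Lc + data
            data = rest
        elif len(rest) == lc + 1:         # case 4: Lc + data + Le
            data, le = rest[:lc], rest[lc] or 256
        else:
            raise ValueError(f"Lc={lc} but {len(rest)} byte(s) follow")
    # len(body) == 0 is case 1: header only, nothing else to decode
    return {
        "cla": cla, "ins": ins, "p1": p1, "p2": p2,
        "ins_name": INS_NAMES.get(ins, "unknown"),
        "data": data, "le": le,
    }


def describe(hex_str):
    """One-line summary similar to what a protocol decoder would show."""
    a = parse_apdu(hex_str)
    text = f"{a['ins_name']} (INS=0x{a['ins']:02X}) P1=0x{a['p1']:02X} P2=0x{a['p2']:02X}"
    if a["data"]:
        text += f" Lc={len(a['data'])} data={a['data'].hex()}"
    if a["le"] is not None:
        text += f" Le={a['le']}"
    return text


if __name__ == "__main__":
    # APDU taken from the CCID "Data:" field shown above
    print(describe("00 a4 04 00 0b a0 00 00 03 97 43 49 44 5f 01 00"))
```

For the APDU in this article the Lc byte is 0x0b, so the 11 bytes that follow are the data field and there is no Le byte.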

Limitations

Not all the CCID packets are decoded.

For example the Secure command (0x69) is not (yet) decoded.
Only the first CCID byte is decoded as "Message Type: PC_to_RDR_Secure (0x69)". The remainder of the CCID frame is not decoded. And this command is not easy to decode by hand without the CCID specification.

This CCID Secure command is used with a pinpad reader to make the user enter their PIN code on the pinpad and not on the computer keyboard. See here for a list of pinpad readers working with my CCID driver.
The Secure command uses parameters to set the PIN padding, the messages displayed to the user, the min and max PIN lengths, the validation conditions and some other parameters. Not all pinpad readers support the same set of parameters so the situation is complex.

Windows support

In my previous article "CCID USB spy using Wireshark" I made the USB trace acquisition on a GNU/Linux system.

This time I made the capture on Windows, saved the file on disk (.pcapng format) and used Wireshark on macOS to study the file. Yes, I prefer to NOT use Windows as much as possible.

So whatever the system you are using (GNU/Linux, macOS or Windows, and maybe others) Wireshark can help you.

Conclusion

Wireshark is a very nice tool. I should use it more often to debug issues and understand why a program is working on Windows and not on GNU/Linux. It can be used to do some reverse engineering, especially with complex CCID commands like the Secure command.

Saturday, August 10, 2019

New version of libccid: 1.4.31

I just released version 1.4.31 of libccid, the Free Software CCID class smart card reader driver.

Changes:

1.4.31 - 10 August 2019, Ludovic Rousseau
  • Add support of
    • ACS ACR1252 Reader
    • Aladdin R.D. JaCartaReader
    • Alcor Link AK9563
    • AvestUA AvestKey
    • Avtor SecureToken (idProduct: 0x0020)
    • Bit4id TokenME EVO v2
    • Bit4id miniLector AIR EVO
    • Bit4id miniLector Blue
    • Broadcom Corp 58200 (idProduct: 0x5843)
    • Broadcom Corp 58200 (idProduct: 0x5844)
    • Broadcom Corp 58200 (idProduct: 0x5845)
    • Certgate GmbH ONEKEY ID 2 USB
    • HID Global Crescendo Key 0x0028
    • HID Global Crescendo Key 0x0029
    • HID Global Crescendo Key 0x002B
    • HID Global Crescendo Key 0x002D
    • Identiv SCR3500 C Contact Reader
    • InfoCert WirelessKey
    • NXP PN7462AU CCID
    • Route1 MobiKEY Fusion3
    • SPECINFOSYSTEMS DIAMOND token
  • MacOSX/configure: fix checking error for dynamic library libusb
  • Some minor improvements for debug

Friday, August 9, 2019

PySCard 1.9.9 released

I just released a new version 1.9.9 of pyscard. PySCard is a Python module adding smart card support (PC/SC) to Python.

The PySCard project is available at:


Changes

1.9.9 (August 2019)
  • Makefile: use twine to upload to pypi.python.org
  • test: fix Exception test on 32-bits CPU
  • test: correctly handle macOS versions older than 10.10