Wednesday, March 17, 2021

Accessing a lot of smart cards?

In "A lot of readers connected to a computer..." I presented a problem you can have when accessing many USB smart card readers.

It is possible to access a lot of smart cards with a limited number of readers.


Multislots readers

As I explained in the previous article:

One possible solution is to use a CCID reader that can handle many smart cards. The CCID specification defines a feature called "slot". A CCID smart card reader can support up to 256 slots or 256 smart cards.

The number of slots of a CCID reader is available in the bMaxSlotIndex field. See "CCID descriptor statistics: bMaxSlotIndex". Many readers, 92.91% (in 2013 when I wrote the article), only have one slot.

Readers may have 2 or more slots but not all the slots can be used at the same time. The maximum number of slots that are usable at the same time is available in the bMaxCCIDBusySlots field. See "CCID descriptor statistics: bMaxCCIDBusySlots". And 98.82% of the readers (again in 2013) are able to handle only 1 slot at a time.

As of today, only 9 readers (1.53%) have bMaxCCIDBusySlots≥2 and so can use 2 or more slots at the same time. But the situation has changed since 2013.


8 slots

A smart card reader with 8 slots already exists. It is the sysmoOCTSIM I presented in "sysmoOCTSIM: 8 slots reader". This reader has 8 slots. So you can access 8 smart cards with the same USB device (using only 3 USB endpoints). And more importantly, you can access all the 8 slots at the same time.

192 slots?

Sysmocom also plans to build the sysmoSIMBANK-96 and sysmoSIMBANK-192 units with 96 and 192 slots, respectively.

One limitation is that you have to use Mini-SIM (2FF) format smart cards. But if you plan to use as many as 192 smart cards maybe you can use the adequate form factor for the smart card.


Multi access performances

Since I have a sysmoOCTSIM reader I wanted to make some performance tests using my usim_read.py Python program I presented in "Reading a SIM card phone book in Python". One benefit of using Python is that the PC/SC Python wrapper is available for GNU/Linux, macOS and Windows. So no need to port or recompile a program.

I wanted to make tests on the reference platform for PC/SC and CCID i.e. Windows. I connect the sysmoOCTSIM reader and... nothing. The Windows CCID driver does not recognize the reader, not even the first slot. I am (again) very disappointed by Windows.

So I will use a Debian GNU/Linux system.

3 independent readers

First I start with 3 independent "normal" USB readers:

With the Cherry reader I get:

$ time ./usim_read.py 1
Available readers:
- Gemalto PC Twin Reader 00 00
- Cherry GmbH CHERRY SECURE BOARD 1.0 [CHERRY SECURE BOARD 1.0] (00000002JS0405948M3DOGKTHA) 01 00
- Gemalto PC Twin Reader 02 00
Using: Cherry GmbH CHERRY SECURE BOARD 1.0 [CHERRY SECURE BOARD 1.0] (00000002JS0405948M3DOGKTHA) 01 00
Select MF
Select DF Telecom
Select EF ADN
Get Response
1: Name: Gilles Georges Aime, phone: 1216240521
2: Name: Lucienne Aimee Bert, phone: 6613167868
[...]
249: Name: Loup Regis Laurent., phone: 6056648470

real	0m6,068s
user	0m0,103s
sys	0m0,038s

A total time of 6.068 seconds.

With the Gemalto reader I get:

$ time ./usim_read.py 0
Available readers:
- Gemalto PC Twin Reader 00 00
- Cherry GmbH CHERRY SECURE BOARD 1.0 [CHERRY SECURE BOARD 1.0] (00000002JS0405948M3DOGKTHA) 01 00
- Gemalto PC Twin Reader 02 00
Using: Gemalto PC Twin Reader 00 00
Select MF
Select DF Telecom
Select EF ADN
Get Response
1: Name: Juliette Claire Fra, phone: 0574007144
2: Name: Luc Nicolas Regis.., phone: 3864760137
[...]
249: Name: Solange Marguerite , phone: 0569846150

real	0m5,564s
user	0m0,093s
sys	0m0,046s

A total time of 5.564 seconds.

The Cherry reader is a bit slower (0.5 s) than the Gemalto reader. This can be explained by the different clock frequencies.
The Gemalto default clock is: dwDefaultClock: 4.000 MHz
The Cherry default clock is: dwDefaultClock: 3.685 MHz

From the CCID driver logs you can see the different communication speeds used.

For the Gemalto reader we have:

00000012 [140389477558016] ifdhandler.c:847:IFDHSetProtocolParameters() Set speed to 250000 bauds

For the Cherry reader we have:

00000012 [140389477558016] ifdhandler.c:847:IFDHSetProtocolParameters() Set speed to 230312 bauds

A difference of 8.5% in clock speed generates a difference of 8.5% in communication baud rate, and a difference of ~9% in execution time.

The Cherry reader has a maximum clock speed of: dwMaximumClock: 14.320 MHz
The Gemalto reader has a maximum clock speed of: dwMaximumClock: 4.000 MHz

So the Cherry reader could be much faster. But the CCID driver does not yet support changing the clock speed. If you are interested in this change please contact me.
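The slot fields discussed at the top of this article and the clock fields above all live in the same 54-byte CCID class descriptor. The following is an added example, not code from this blog or from the CCID driver: it parses those fields and derives the baud rate from the clock. The descriptors are constructed samples, and F=512 with D=32 is an assumption chosen because it reproduces both logged speeds.

```python
import struct

CCID_DESC_LEN = 0x36   # bLength of the CCID class descriptor (54 bytes)
CCID_DESC_TYPE = 0x21  # bDescriptorType of the CCID class descriptor

def parse_ccid_descriptor(desc):
    """Return the slot and clock fields of a CCID class descriptor."""
    if len(desc) < CCID_DESC_LEN or desc[0] != CCID_DESC_LEN or desc[1] != CCID_DESC_TYPE:
        raise ValueError("not a CCID class descriptor")
    default_khz, maximum_khz = struct.unpack_from("<II", desc, 10)
    return {
        "slots": desc[4] + 1,        # bMaxSlotIndex is the highest slot index
        "busy_slots": desc[53],      # bMaxCCIDBusySlots
        "default_clock_hz": default_khz * 1000,  # dwDefaultClock is in kHz
        "maximum_clock_hz": maximum_khz * 1000,  # dwMaximumClock is in kHz
    }

def baud_rate(clock_hz, F=512, D=32):
    """ISO 7816-3: one bit lasts F/D clock cycles, so baud = f * D / F.
    F=512 and D=32 are assumed; they reproduce the logged speeds."""
    return clock_hz * D // F

def make_descriptor(max_slot_index, busy_slots, default_khz, maximum_khz):
    """Constructed test descriptor; every other field is left at zero."""
    d = bytearray(CCID_DESC_LEN)
    d[0], d[1], d[4], d[53] = CCID_DESC_LEN, CCID_DESC_TYPE, max_slot_index, busy_slots
    struct.pack_into("<II", d, 10, default_khz, maximum_khz)
    return bytes(d)

# Constructed samples: the clocks of the first two come from the article;
# their slot counts and the clock of the 8-slot entry are assumptions.
SAMPLES = {
    "Gemalto PC Twin Reader": make_descriptor(0, 1, 4000, 4000),
    "CHERRY SECURE BOARD 1.0": make_descriptor(0, 1, 3685, 14320),
    "8-slot reader": make_descriptor(7, 8, 4000, 4000),
}

def summarize(samples=SAMPLES):
    """Slots, simultaneously usable slots and baud rates per reader."""
    rows = {}
    for name, raw in samples.items():
        d = parse_ccid_descriptor(raw)
        rows[name] = {
            "slots": d["slots"],
            "parallel_slots": d["busy_slots"],
            "baud_default": baud_rate(d["default_clock_hz"]),
            "baud_maximum": baud_rate(d["maximum_clock_hz"]),
        }
    return rows

if __name__ == "__main__":
    for name, row in summarize().items():
        print(name, row)
```

On a real system the descriptor bytes would come from the reader's USB configuration descriptor instead of make_descriptor().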


Mixing accesses

We now need to be able to run the usim_read.py program in parallel on the 3 readers. One very easy way to do that is to use the make command with this Makefile file:

CMD=./usim_read.py

all: 0.test 1.test 2.test

%.test:
	${CMD} $(@:.test=)

Calling make 0.test will run ./usim_read.py 0. Calling make will run the 3 targets 0.test, 1.test and 2.test.

By default make will run the 3 targets sequentially. But if you use make -j the 3 executions will be started in parallel.

 

Results

number of readers   sequential exe   parallel exe
1                   5.564s           5.564s
2                   11.099s          5.533s
3                   17.083s          6.049s

 

As expected the time grows linearly in the sequential execution, but stays constant in the parallel execution.


sysmoOCTSIM

My CCID driver for Unix does support multi-slot readers. But only one slot can be used at the same time. It is a limitation of the driver.

Supporting accesses to 2 or more slots in parallel would imply a change from synchronous USB communication to asynchronous USB communication. That is a possible change but not an easy one.


Results

number of slots   sequential exe   parallel exe
1                 5.126s           5.126s
2                 10.273s          10.030s
3                 15.321s          14.944s

The performance is a bit better on the sysmoOCTSIM reader (5.126s) than on the Gemalto reader (5.564s). I guess the reader is using a slightly higher clock frequency.

You may note that in the case of parallel execution we have a linear growth. As I explained before only one slot can be used at the same time. So pcsc-lite (the PC/SC resource manager) has to serialize the accesses to the different slots from the different executions.

The parallel execution is a bit more efficient than the sequential execution because part of the execution can be executed in parallel. But not so much.

 

Improving the CCID driver

It is possible to access all the slots at the same time for the sysmoOCTSIM reader. But the CCID driver needs to be updated.

If you need to access lots of SIM format smart cards at the same time please contact me.


Conclusion

Connecting many smart cards to a single computer is possible.

You can connect many readers but the USB architecture may limit you. Or you can use one or more multi-slot readers to limit the requirements on the USB bus.

Friday, March 12, 2021

A lot of readers connected to a computer...

I had planned to write about possible issues when connecting many readers, and a new request "Connect 54 tokens in a usb hub" gives me the occasion to write this article.

pcsc-lite limitation

By default pcsc-lite is limited to 16 PC/SC readers. It is a known limitation, see "use a list instead of a fixed size array for 16 reader states".

It is easy to change the value of PCSCLITE_MAX_READERS_CONTEXTS from 16 to whatever you want and rebuild pcsc-lite.


libccid limitation

By default my CCID driver is also limited to 16 slots. It is a known limitation, see "use a list instead of a fixed size array for 16 reader states".

It is easy to change the value of CCID_DRIVER_MAX_READERS from 16 to whatever you want and rebuild libccid.


USB hardware limitation

The software limitations are easy to fix. Both pcsc-lite and libccid projects are Free Software for a good reason. You can adapt the software to your needs, as long as you respect the software licence.

The problem now is that the hardware is also limited. Thanks to Harald Welte for mentioning this limitation to me. I am not a PC compatible hardware specialist but I found some interesting information.

From https://community.intel.com/t5/Embedded-Intel-Core-Processors/Hardware-limitations-on-USB-endpoints-XHCI/td-p/264556 "Hardware limitations on USB endpoints (XHCI)":

I have spoken to the Linux kernel developers and they state that "Intel Ivy Bridge system xhci host, the 64 endpoint is a hardware limitation."

From https://acroname.com/blog/how-many-usbs-can-i-connect-acroname "Why Can't I Connect More Usb 3.0 Devices To My System?":

The XHCI specification allows for a massive 7,906 endpoints! However, common implementations of the XHCI controllers impose their own limit on the total number of endpoints to 96. The most notorious of these are Intel's series 8 architectures. This means that the maximum number of common devices which use 3 endpoints able to be attached to an Intel series 8 XHCI host controller is actually 96 endpoints / 3 endpoints per device = 32 devices. This is a known limitation of Intel-based XHCI controllers.

To make matters worse, USB 3.0 buses live in a strange dual existence with USB 2.0 devices. That is, they live in the similar yet separate tree architecture in parallel with USB 2.0 devices, but they share the same endpoints on XHCI controllers. USB 3.0 devices may implement endpoints on both the USB 3.0 and 2.0 buses. This will even further reduce the number of devices which can be attached to a single XHCI host controller.

So the real problem is with the USB controller you use.

A CCID device uses 3 endpoints: Bulk IN, Bulk OUT and interrupt. If your xHCI controller can only handle 96 endpoints in total you can use a maximum of 96 / 3 = 32 readers. But I guess your computer does not have 32 USB ports available. So you will use one or more USB hubs. A USB hub consumes 4 or 5 endpoints for itself, so you can use even fewer than 32 readers.

In fact, the limitation to 16 readers in pcsc-lite and libccid is reasonable compared to the hardware limitation of USB controllers.
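To put numbers on this budget, here is an added example (not code from pcsc-lite or libccid) that counts endpoints for a given number of readers behind hubs. The 3 endpoints per reader, 5 per hub and the 64 and 96 limits come from the text above; 4 root ports and 7-port hubs are hypothetical values, and hub tree depth is not modelled.

```python
def hubs_needed(devices, root_ports, hub_ports):
    """Hubs required to attach `devices`: each hub takes one port, adds hub_ports."""
    if devices <= root_ports:
        return 0
    return -(-(devices - root_ports) // (hub_ports - 1))  # ceiling division

def endpoints_used(readers, root_ports=4, hub_ports=7, ep_per_reader=3, ep_per_hub=5):
    """Endpoints consumed on one xHCI controller, using the article's counts."""
    hubs = hubs_needed(readers, root_ports, hub_ports)
    return readers * ep_per_reader + hubs * ep_per_hub

def max_readers(ep_limit, **topology):
    """Largest reader count whose endpoints still fit under ep_limit."""
    n = 0
    while endpoints_used(n + 1, **topology) <= ep_limit:
        n += 1
    return n

def max_cards(ep_limit, slots_per_reader=1, **topology):
    """Cards reachable when every reader exposes slots_per_reader slots."""
    return max_readers(ep_limit, **topology) * slots_per_reader

if __name__ == "__main__":
    # Hypothetical machine: 4 root ports, 7-port hubs (assumptions).
    print("96-endpoint controller, no hubs needed:", max_readers(96, root_ports=32))
    print("96-endpoint controller, with hubs:     ", max_readers(96))
    print("64-endpoint controller, with hubs:     ", max_readers(64))
    print("endpoints for 54 single-slot readers:  ", endpoints_used(54))
    print("cards with 8-slot readers, 96 limit:   ", max_cards(96, slots_per_reader=8))
```

With these assumed hub sizes, a 64-endpoint controller tops out at 16 single-slot readers, the same figure as the default software limit.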


Possible solutions

Special CCID reader

One possible solution is to use a CCID reader that can handle many smartcards. The CCID specification defines a feature called "slot". A CCID smartcard reader can support up to 256 slots or 256 smartcards.

A CCID reader with support for a high number of slots exists. I plan to write about it in another blog article.

 

Enlarge your number of USB ports

Another solution to the hardware limitation may be to add PCI cards with 4 (or more) USB ports.

The description of such a PCI card does not indicate the number of additional endpoints supported. So maybe you will find the controller supports even fewer than 96 endpoints.

 

Conclusion

I regularly get requests to support a "huge" number of smartcard readers. This article will serve as an answer now.

If you have other solutions please share them.

Friday, March 5, 2021

Reader Selection: new field "section", new operator "≠"

In 2015 I presented the service Reader selection in the article "Reader Selection: find the smart card reader you search".

This service allows you to select specific readers from my list of 589 CCID readers.


Field "section"

It is now possible to select readers according to the field "section". This field can have 4 values: supported, shouldwork, unsupported, disabled. It will restrict the search to readers in the selected section.

For example if you want to list all the readers that can do PIN verification (pinpad readers) and that are in the supported list you use https://ccid.apdu.fr/select_readers/?section=supported&features=PIN%20Verification and you will get the 18 (as of now) readers that match these 2 criteria.


Operator "≠"

Previously, the possible operators were:

  • = strict equality (for number or string)
  • ~ match the head of a string
  • ≤ lesser or equal
  • ≥ greater or equal

I added a new operator "≠" meaning "different from".

For example if you want to list all the readers that can do PIN verification (pinpad readers) and that are NOT in the supported list you use https://ccid.apdu.fr/select_readers/?section%E2%89%A0supported&features=PIN%20Verification and you will get the 65 (as of now) readers that match these 2 criteria.

 

Combination

As before you can use the same selection field more than once. If you want to list the pinpad readers that are NOT in the supported list and that are also NOT in the disabled list you use https://ccid.apdu.fr/select_readers/?section%E2%89%A0supported&features=PIN%20Verification&section%E2%89%A0disabled and you get the pinpad readers that are in the shouldwork list OR in the unsupported list.

This "≠" operator is a way to get an OR combination that is otherwise not possible. If you have 4 values A, B, C or D and you want to use (A or B) then you can use (NOT C AND NOT D).
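The query syntax and the (NOT C AND NOT D) trick can be checked locally. This is an added example, not the code of the selection service: it builds and parses the query strings shown above and applies them to a constructed list of readers. Matching a list-valued field such as "features" by membership is an assumption, and the numeric operators are left out.

```python
from urllib.parse import quote, unquote

OPS = {
    "=": lambda have, want: have == want,
    "~": lambda have, want: have.startswith(want),
    "≠": lambda have, want: have != want,
}

def build_query(criteria):
    """criteria: list of (field, op, value); "≠" is percent-encoded as UTF-8."""
    return "&".join(quote(f) + (op if op == "=" else quote(op)) + quote(v)
                    for f, op, v in criteria)

def parse_query(query):
    """Split a query string back into (field, op, value) triples."""
    triples = []
    for term in query.split("&"):
        term = unquote(term)
        pos = min(i for i, ch in enumerate(term) if ch in OPS)
        triples.append((term[:pos], term[pos], term[pos + 1:]))
    return triples

def select(readers, criteria):
    """AND of all criteria; list-valued fields match by membership (assumption)."""
    def ok(reader, field, op, want):
        have = reader[field]
        items = have if isinstance(have, list) else [have]
        if op == "≠":
            return all(OPS[op](h, want) for h in items)
        return any(OPS[op](h, want) for h in items)
    return [r["name"] for r in readers if all(ok(r, *c) for c in criteria)]

# Constructed sample records, not entries from the real reader list.
READERS = [
    {"name": "reader A", "section": "supported", "features": ["PIN Verification"]},
    {"name": "reader B", "section": "shouldwork", "features": ["PIN Verification"]},
    {"name": "reader C", "section": "unsupported", "features": ["PIN Verification"]},
    {"name": "reader D", "section": "disabled", "features": ["PIN Verification"]},
    {"name": "reader E", "section": "shouldwork", "features": []},
]

PINPAD = ("features", "=", "PIN Verification")
NOT_C_AND_NOT_D = [("section", "≠", "supported"), PINPAD, ("section", "≠", "disabled")]

if __name__ == "__main__":
    query = build_query(NOT_C_AND_NOT_D)
    print(query)
    print(select(READERS, parse_query(query)))
```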


Conclusion

This service is very useful to select readers with a particular characteristic. Of course you need to know what you are looking for.

If you want to know more about each of the USB CCID fields I suggest you have a look at my articles from "CCID descriptor statistics". You will learn what each CCID field is used for.