From: Douglas E E. <dee...@gm...> - 2015-12-14 15:03:15
<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <a class="moz-txt-link-freetext" href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa379469%28v=vs.85%29.aspx">https://msdn.microsoft.com/en-us/library/windows/desktop/aa379469%28v=vs.85%29.aspx</a><br> says: "If a transaction is held on the card for more than five seconds with no operations happening on that card,"<br> <br> The key phrase is: "with no operations happening on the card"<br> <br> I would say a pin pad reader prompt is part of the verify command sent to the reader, and thus would be considered an active operation and not timed.<br> (I believe the pinpad reader command has its own timeout too.) <br> Generating a key on the card should also be considered an active operation on the card. <br> The card and the reader should be doing the keep-alive protocol for this.<br> <br> I think the point is a transaction SCardBeginTransaction - SCardEndTransaction should not hold the card indefinitely. <br> The 5 seconds by the middleware should be long enough to get the next command to the card.<br> <br> Any software prompt for a PIN should be done before starting the transaction to send the verify and crypto operations. <br> <br> This may be a problem if OpenSC tries to hold the transaction from verify to logoff.<br> <a class="moz-txt-link-freetext" href="https://github.com/frankmorgner">https://github.com/frankmorgner</a> Is this what the "atomic" changes are doing? 
<br> <br> The Microsoft doc also says: "Calling any of the <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa380141%28v=vs.85%29.aspx">Smart Card and Reader Access Functions</a> or <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa375369%28v=vs.85%29.aspx">Direct Card Access Functions</a> on the card<br> that is transacted results in the timer being reset to continue allowing the transaction to be used".<br> <br> With Firefox, it calls C_GetSessionInfo every few seconds. If C_GetSessionInfo would force a command to the card<br> that could keep the session alive. <a class="moz-txt-link-freetext" href="https://github.com/OpenSC/OpenSC/pull/624">https://github.com/OpenSC/OpenSC/pull/624</a><br> is a step in that direction. <br> <br> <br> This should be easy to test on W7, if the 30-second timer is set to 5 seconds. <br> <br> <br> <div class="moz-cite-prefix">On 12/14/2015 3:08 AM, Vincent Le Toux wrote:<br> </div> <blockquote cite="mid:CAO...@ma..." type="cite">Long APDUs are still being performed but that will be a problem with pin pad sessions. 
<div>The workaround for minidrivers is called session PIN.</div> <div>You get one with a pin pad then use this session PIN for further authentication. </div> <div><br> </div> <div>I do not know a card / minidriver which supports it (Gemalto IDPrime included)</div> <div><br> </div> <div>Vincent <br> <br> On Monday, 14 December 2015, Martin Paljak <<a moz-do-not-send="true" href="mailto:ma...@ma..."><a class="moz-txt-link-abbreviated" href="mailto:ma...@ma...">ma...@ma...</a></a>> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 14/12/15 10:37, Ludovic Rousseau wrote:<br> > It looks like Microsoft added an undocumented registry key to change the 5<br> > seconds delay.<br> ><br> > Key CardDisconnectPowerDownDelay in<br> > HK_local_machine\software\microsoft\cryptography\calais<br> > The value defines the delay in seconds.<br> ><br> > It looks like this feature is also present in Windows 7 but with a 30<br> > seconds delay.<br> <br> <br> Wow, this is funny (not encountered yet) but basically this means that<br> generating longer keys (sometimes takes minute(s)) is not possible<br> without hacks on Windows, inside a card transaction?<br> <br> <br> <br> ------------------------------------------------------------------------------<br> _______________________________________________<br> Opensc-devel mailing list<br> <a moz-do-not-send="true" href="mailto:Ope...@li...">Ope...@li...</a><br> <a moz-do-not-send="true" href="https://lists.sourceforge.net/lists/listinfo/opensc-devel" target="_blank">https://lists.sourceforge.net/lists/listinfo/opensc-devel</a><br> </blockquote> </div> <br> <br> -- <br> --<br> Vincent Le Toux<br> <br> My Smart Logon<br> <a moz-do-not-send="true" href="http://www.mysmartlogon.com/" target="_blank">www.mysmartlogon.com</a><br> <br> </blockquote> <br> <pre class="moz-signature" cols="200">-- Douglas E. Engert <a class="moz-txt-link-rfc2396E" href="mailto:DEE...@gm..."><DEE...@gm...></a> </pre> </body> </html>
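A harness for the test Douglas proposes (hold a transaction idle, then touch the card and see what the next call returns), added here as an example; it is not code from the thread or from OpenSC. The reader name and the idle lengths are assumptions; it reads the CardDisconnectPowerDownDelay key Ludovic mentions first so the observed gap can be compared with the configured one.

```powershell
# Added example (not from the thread). Assumes a reader with a card inserted;
# replace $reader with the name your reader reports. Run on Windows 7 or later.
$calais = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais'
$delay = (Get-ItemProperty -Path $calais -ErrorAction SilentlyContinue).CardDisconnectPowerDownDelay
if ($null -eq $delay) { $delay = 'not set (OS default: 5 s on Win8+, 30 s on Win7 per the thread)' }
"CardDisconnectPowerDownDelay = $delay"
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class SCard {
  [DllImport("winscard.dll")] public static extern int SCardEstablishContext(uint scope, IntPtr r1, IntPtr r2, out IntPtr ctx);
  [DllImport("winscard.dll", CharSet = CharSet.Ansi, EntryPoint = "SCardConnectA")]
  public static extern int SCardConnect(IntPtr ctx, string reader, uint share, uint protos, out IntPtr card, out uint proto);
  [DllImport("winscard.dll")] public static extern int SCardBeginTransaction(IntPtr card);
  [DllImport("winscard.dll")] public static extern int SCardEndTransaction(IntPtr card, uint disposition);
  [DllImport("winscard.dll", EntryPoint = "SCardStatusA")]
  public static extern int SCardStatus(IntPtr card, byte[] names, ref uint namesLen, out uint state, out uint proto, byte[] atr, ref uint atrLen);
  [DllImport("winscard.dll")] public static extern int SCardDisconnect(IntPtr card, uint disposition);
  [DllImport("winscard.dll")] public static extern int SCardReleaseContext(IntPtr ctx);
}
'@
function Test-HeldTransaction {
  param([string]$Reader, [int]$IdleSeconds)
  $ctx = [IntPtr]::Zero; $card = [IntPtr]::Zero; [uint32]$proto = 0
  $rc = [SCard]::SCardEstablishContext(0, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$ctx)  # SCARD_SCOPE_USER
  if ($rc -ne 0) { throw ('SCardEstablishContext failed: 0x{0:X8}' -f $rc) }
  $rc = [SCard]::SCardConnect($ctx, $Reader, 2, 3, [ref]$card, [ref]$proto)  # SCARD_SHARE_SHARED, T0|T1
  if ($rc -ne 0) { [SCard]::SCardReleaseContext($ctx) | Out-Null; throw ('SCardConnect failed: 0x{0:X8}' -f $rc) }
  try {
    $rc = [SCard]::SCardBeginTransaction($card)
    if ($rc -ne 0) { throw ('SCardBeginTransaction failed: 0x{0:X8}' -f $rc) }
    Start-Sleep -Seconds $IdleSeconds          # transaction held, no operation sent to the card
    $names = New-Object byte[] 256; [uint32]$nLen = 256
    $atr = New-Object byte[] 36; [uint32]$aLen = 36; [uint32]$state = 0; [uint32]$p = 0
    # SCardStatus is one of the "Smart Card and Reader Access Functions", so it counts as
    # an operation. The doc quoted in the mail says the card is reset once the idle window
    # passes, so expect a non-zero code (SCARD_W_RESET_CARD is 0x80100068) after a long gap
    # and 0 after a short one.
    $rc = [SCard]::SCardStatus($card, $names, [ref]$nLen, [ref]$state, [ref]$p, $atr, [ref]$aLen)
    'idle {0,2}s -> SCardStatus returned 0x{1:X8}' -f $IdleSeconds, $rc
    [SCard]::SCardEndTransaction($card, 0) | Out-Null   # SCARD_LEAVE_CARD
  } finally {
    [SCard]::SCardDisconnect($card, 0) | Out-Null
    [SCard]::SCardReleaseContext($ctx) | Out-Null
  }
}
$reader = 'REPLACE WITH YOUR READER NAME'   # assumption: fill in from your reader list
Test-HeldTransaction -Reader $reader -IdleSeconds 2   # inside the 5 s window
Test-HeldTransaction -Reader $reader -IdleSeconds 8   # beyond it (use more than 30 on Win7 defaults)
```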