From: Vincent Le T. <vin...@my...> - 2015-12-14 15:45:51
My comment about the PIN pad is not about the authentication itself but about the fact that you can't cache the PIN, and that a long transaction was a workaround.

Vincent

On Monday 14 December 2015, Douglas E Engert <dee...@gm...> wrote:

> https://msdn.microsoft.com/en-us/library/windows/desktop/aa379469%28v=vs.85%29.aspx
> says: "If a transaction is held on the card for more than five seconds
> with no operations happening on that card,"
>
> The key phrase is: "with no operations happening on the card"
>
> I would say a PIN pad reader prompt is part of the verify command sent to
> the reader, and thus would be considered an active operation and not timed.
> (I believe the PIN pad reader command has its own timeout too.)
> Generating a key on the card should also be considered an active operation
> on the card.
> The card and the reader should be doing the keep-alive protocol for this.
>
> I think the point is a transaction SCardBeginTransaction -
> SCardEndTransaction should not hold the card indefinitely.
> The 5 seconds by the middleware should be long enough to get the next
> command to the card.
>
> Any software prompt for a PIN should be done before starting the
> transaction to send the verify and crypto operations.
>
> This may be a problem if OpenSC tries to hold the transaction from verify
> to logoff.
> https://github.com/frankmorgner Is this what the "atomic" changes are
> doing?
>
> The Microsoft doc also says: "Calling any of the Smart Card and Reader
> Access Functions
> <https://msdn.microsoft.com/en-us/library/windows/desktop/aa380141%28v=vs.85%29.aspx>
> or Direct Card Access Functions
> <https://msdn.microsoft.com/en-us/library/windows/desktop/aa375369%28v=vs.85%29.aspx>
> on the card
> that is transacted results in the timer being reset to continue allowing
> the transaction to be used".
>
> With Firefox, it calls C_GetSessionInfo every few seconds. If
> C_GetSessionInfo forced a command to the card,
> that could keep the session alive.
> https://github.com/OpenSC/OpenSC/pull/624
> is a step in that direction.
>
> This should be easy to test on W7, if the 30-second timer is set to 5
> seconds.
>
>
> On 12/14/2015 3:08 AM, Vincent Le Toux wrote:
>
>> Long APDUs are still being performed, but that will be a problem with PIN pad
>> sessions.
>> The workaround for minidrivers is called a session PIN.
>> You get one with a PIN pad, then use this session PIN for further
>> authentication.
>>
>> I do not know a card / minidriver which supports it (Gemalto IDPrime
>> included).
>>
>> Vincent
>>
>> On Monday 14 December 2015, Martin Paljak <ma...@ma...> wrote:
>>
>>> On 14/12/15 10:37, Ludovic Rousseau wrote:
>>>
>>>> It looks like Microsoft added an undocumented registry key to change the
>>>> 5-second delay.
>>>>
>>>> Key CardDisconnectPowerDownDelay in
>>>> HK_local_machine\software\microsoft\cryptography\calais
>>>> The value defines the delay in seconds.
>>>>
>>>> It also looks like this feature is also present in Windows 7 but with a
>>>> 30-second delay.
>>>
>>> Wow, this is funny (not encountered yet), but basically this means that
>>> generating longer keys (sometimes takes minute(s)) is not possible
>>> without hacks on Windows, inside a card transaction?
>>>
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> Opensc-devel mailing list
>>> Ope...@li...
>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>
>> --
>> Vincent Le Toux
>>
>> My Smart Logon
>> www.mysmartlogon.com
>
> --
> Douglas E. Engert <DEE...@gm...>

--
Vincent Le Toux

My Smart Logon
www.mysmartlogon.com
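The registry value Ludovic Rousseau describes above is the only knob the thread identifies for the transaction idle timer, so here is an added example (not from the thread, and not OpenSC or Microsoft code) that inspects and, on request, changes it. The thread calls the key undocumented, so two things are assumptions of mine rather than facts from the page: that the value is stored as a REG_DWORD, and that the Smart Card service (SCardSvr) only re-reads it when it restarts. The script name `Set-CardTransactionTimeout.ps1` is hypothetical. It must run in an elevated PowerShell session, since the key is under HKLM.

```powershell
# Set-CardTransactionTimeout.ps1  (hypothetical name; added example)
# Shows and optionally changes the CardDisconnectPowerDownDelay value that,
# per the opensc-devel thread above, controls how long a smart card
# transaction may sit idle before the service tears it down
# (reported defaults: 30 s on Windows 7, 5 s on later versions).
# Assumptions, not stated by the thread: the value is a REG_DWORD in
# seconds, and SCardSvr picks a new value up only after a restart.

[CmdletBinding(SupportsShouldProcess)]
param(
    # New idle timeout in seconds. Omit it to only display the current setting.
    [ValidateRange(1, 3600)]
    [int]$DelaySeconds,

    # Also restart SCardSvr so the new value applies without a reboot.
    [switch]$RestartService
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais'
$ValueName = 'CardDisconnectPowerDownDelay'

function Get-CardDisconnectDelay {
    # Returns the configured delay in seconds, or $null when the value is
    # absent, in which case the built-in default applies.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-CardDisconnectDelay {
    param([Parameter(Mandatory)][int]$Seconds)

    if (-not (Test-Path $KeyPath)) {
        throw "Registry key $KeyPath not found; is the Smart Card service installed?"
    }
    # DWord is an assumption; the thread only says the value is in seconds.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Seconds -Force | Out-Null
}

$current = Get-CardDisconnectDelay
if ($null -eq $current) {
    Write-Host "$ValueName is not set; the built-in default applies."
} else {
    Write-Host "$ValueName is currently $current second(s)."
}

if ($PSBoundParameters.ContainsKey('DelaySeconds')) {
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set to $DelaySeconds second(s)")) {
        Set-CardDisconnectDelay -Seconds $DelaySeconds
        Write-Host "$ValueName set to $(Get-CardDisconnectDelay) second(s)."

        if ($RestartService) {
            # Assumption: the service reads the value at start-up.
            Restart-Service -Name SCardSvr -Force
            Write-Host 'SCardSvr restarted.'
        }
    }
}
```

Run it with no parameters to see the current setting, or `.\Set-CardTransactionTimeout.ps1 -DelaySeconds 120 -RestartService -WhatIf` to preview a change before making it. Raising this value is a machine-wide trade-off, not a fix: the timer exists so that a client which begins a transaction and then stalls (for example, waiting in a PIN dialog) cannot hold the card exclusively forever and block every other application. Douglas Engert's approach above, collecting the PIN before SCardBeginTransaction and keeping only the verify and crypto APDUs inside the transaction, removes the need to touch the timer at all.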