From: Vincent Le T. <vin...@my...> - 2015-12-13 18:09:22
|
Hi,

I just want to share something on which I've lost my day before finding this:
Since Windows 10 (8?) the card is reset if a smart card transaction is inactive for 5 seconds.

Quote: "If a transaction is held on the card for more than five seconds with no operations happening on that card, then the card is reset. Calling any of the Smart Card and Reader Access Functions or Direct Card Access Functions on the card that is transacted results in the timer being reset to continue allowing the transaction to be used."
source: https://msdn.microsoft.com/en-us/library/windows/desktop/aa379469%28v=vs.85%29.aspx

This timeout was not active on Windows 7.
Not easy to attach a debugger to debug OpenSC with that ...

regards,
--
Vincent Le Toux

My Smart Logon
www.mysmartlogon.com |
From: Jaroslav I. <jar...@gm...> - 2015-12-13 18:42:47
|
As a result there are also commercial middleware solutions available out there which display their own PIN dialog during the signing operation, and you need to enter your PIN in less than 5 seconds, otherwise the signing operation fails :)

Regards, Jaroslav

On Sun, Dec 13, 2015 at 7:09 PM, Vincent Le Toux <vin...@my...> wrote:
> [...]
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel |
From: Douglas E E. <dee...@gm...> - 2015-12-13 21:26:21
|
Sounds like a call to SCardStatus resets the 5 second timer. Could a thread be added with a 2 second timer to keep the transaction alive? May not help with debugging.

On 12/13/2015 12:42 PM, Jaroslav Imrich wrote:
> [...]

--
Douglas E. Engert <DEE...@gm...> |
From: Ludovic R. <lud...@gm...> - 2015-12-14 08:38:18
|
Hello,

It looks like Microsoft added an undocumented registry key to change the 5 second delay.

Key CardDisconnectPowerDownDelay in HK_local_machine\software\microsoft\cryptography\calais
The value defines the delay in seconds.

It looks like this feature is also present in Windows 7 but with a 30 second delay.

This is all untested by me. I am not a Windows user.
I think we have Windows experts here that can confirm the use of this registry key.

I don't know why Microsoft decided to do that. Maybe that is a good idea after all.

Regards,

2015-12-13 22:18 GMT+01:00 Douglas E Engert <dee...@gm...>:
> [...]

--
Dr. Ludovic Rousseau |
From: Martin P. <ma...@ma...> - 2015-12-14 08:42:50
|
On 14/12/15 10:37, Ludovic Rousseau wrote:
> It looks like Microsoft added an undocumented registry key to change the 5 second delay.
>
> Key CardDisconnectPowerDownDelay in HK_local_machine\software\microsoft\cryptography\calais
> The value defines the delay in seconds.
>
> It looks like this feature is also present in Windows 7 but with a 30 second delay.

Wow, this is funny (not encountered yet) but basically this means that generating longer keys (sometimes takes minute(s)) is not possible without hacks on Windows, inside a card transaction? |
From: Vincent Le T. <vin...@my...> - 2015-12-14 09:09:09
|
Long APDUs are still being performed, but that will be a problem with PIN pad sessions.
The workaround for minidrivers is called a session PIN.
You get one with a PIN pad, then use this session PIN for further authentication.

I do not know a card / minidriver which supports it (Gemalto IDPrime included).

Vincent

On Monday 14 December 2015, Martin Paljak <ma...@ma...> wrote:
> [...]
> Wow, this is funny (not encountered yet) but basically this means that generating longer keys (sometimes takes minute(s)) is not possible without hacks on Windows, inside a card transaction?

--
Vincent Le Toux

My Smart Logon
www.mysmartlogon.com |
From: Douglas E E. <dee...@gm...> - 2015-12-14 15:03:15
|
https://msdn.microsoft.com/en-us/library/windows/desktop/aa379469%28v=vs.85%29.aspx
says: "If a transaction is held on the card for more than five seconds with no operations happening on that card,"

The key phrase is: "with no operations happening on the card"

I would say a PIN pad reader prompt is part of the verify command sent to the reader, and thus would be considered an active operation and not timed.
(I believe the PIN pad reader command has its own timeout too.)
Generating a key on the card should also be considered an active operation on the card.
The card and the reader should be doing the keep-alive protocol for this.

I think the point is a transaction SCardBeginTransaction - SCardEndTransaction should not hold the card indefinitely.
The 5 seconds by the middleware should be long enough to get the next command to the card.

Any software prompt for a PIN should be done before starting the transaction to send the verify and crypto operations.

This may be a problem if OpenSC tries to hold the transaction from verify to logoff.
https://github.com/frankmorgner Is this what the "atomic" changes are doing?

The Microsoft doc also says: "Calling any of the Smart Card and Reader Access Functions (https://msdn.microsoft.com/en-us/library/windows/desktop/aa380141%28v=vs.85%29.aspx) or Direct Card Access Functions (https://msdn.microsoft.com/en-us/library/windows/desktop/aa375369%28v=vs.85%29.aspx) on the card that is transacted results in the timer being reset to continue allowing the transaction to be used".

With Firefox, it calls C_GetSessionInfo every few seconds. If C_GetSessionInfo would force a command to the card, that could keep the session alive. https://github.com/OpenSC/OpenSC/pull/624 is a step in that direction.

This should be easy to test on W7, if the 30 seconds timer is set to 5 seconds.

On 12/14/2015 3:08 AM, Vincent Le Toux wrote:
> Long APDUs are still being performed, but that will be a problem with PIN pad sessions.
> The workaround for minidrivers is called a session PIN.
> You get one with a PIN pad, then use this session PIN for further authentication.
> [...]

--
Douglas E. Engert <DEE...@gm...> |
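The three things the thread so far suggests checking (what the current CardDisconnectPowerDownDelay is, whether a transaction left idle really gets reset, and whether polling a reader-access function such as SCardStatus every 2 seconds keeps it alive) can be exercised with one script. The script below is an added example written for this page; it is not code from the thread, from OpenSC or from Microsoft. It assumes P/Invoke declarations for winscard.dll that I wrote for this example, the registry value name and location exactly as reported (untested) by Ludovic above, that the first reader returned by SCardListReaders is the one holding the card under test, and that restarting the Smart Card service (SCardSvr) is enough for a changed registry value to take effect; that last point is an assumption, not something the thread confirms.

```powershell
# Added example (not from the thread, OpenSC or Microsoft): hold a smart card
# transaction idle for -HoldSeconds and see whether the card is reset underneath
# us. With -KeepAlive the script calls SCardStatus every 2 s inside the
# transaction, which per the MSDN text quoted in the thread should restart the
# inactivity timer. -SetDelay writes the (undocumented, reported-untested)
# CardDisconnectPowerDownDelay value and exits; run that from an elevated prompt.
# Assumptions: P/Invoke signatures below are mine; first listed reader holds the
# card; restarting SCardSvr applies the registry change (assumed, not verified).
param(
    [int]$HoldSeconds = 8,   # idle time to spend inside the transaction
    [switch]$KeepAlive,      # poll SCardStatus every 2 s while holding it
    [int]$SetDelay           # if given: write the registry value (seconds) and exit
)

$calais = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais'
if ($PSBoundParameters.ContainsKey('SetDelay')) {
    New-ItemProperty -Path $calais -Name CardDisconnectPowerDownDelay `
        -PropertyType DWord -Value $SetDelay -Force | Out-Null
    Restart-Service SCardSvr    # assumption: service re-reads the key on start
    return
}
$cur = (Get-ItemProperty -Path $calais -Name CardDisconnectPowerDownDelay `
        -ErrorAction SilentlyContinue).CardDisconnectPowerDownDelay
Write-Host ("CardDisconnectPowerDownDelay: {0}" -f $(if ($null -eq $cur) { 'not set (OS default)' } else { "$cur s" }))

Add-Type -Namespace Sc -Name Api -MemberDefinition @'
[DllImport("winscard.dll")] public static extern int SCardEstablishContext(uint scope, IntPtr r1, IntPtr r2, out IntPtr ctx);
[DllImport("winscard.dll")] public static extern int SCardReleaseContext(IntPtr ctx);
[DllImport("winscard.dll", EntryPoint="SCardListReadersA", CharSet=CharSet.Ansi)]
public static extern int SCardListReaders(IntPtr ctx, byte[] groups, byte[] readers, ref uint len);
[DllImport("winscard.dll", EntryPoint="SCardConnectA", CharSet=CharSet.Ansi)]
public static extern int SCardConnect(IntPtr ctx, string reader, uint share, uint prot, out IntPtr card, out uint activeProt);
[DllImport("winscard.dll")] public static extern int SCardBeginTransaction(IntPtr card);
[DllImport("winscard.dll")] public static extern int SCardEndTransaction(IntPtr card, uint disp);
[DllImport("winscard.dll", EntryPoint="SCardStatusA", CharSet=CharSet.Ansi)]
public static extern int SCardStatus(IntPtr card, byte[] name, ref uint nameLen, out uint state, out uint prot, byte[] atr, ref uint atrLen);
[DllImport("winscard.dll")] public static extern int SCardDisconnect(IntPtr card, uint disp);
'@

# 0x00000000 = SCARD_S_SUCCESS, 0x80100068 = SCARD_W_RESET_CARD, 0x80100069 = SCARD_W_REMOVED_CARD
function Get-ScError([int]$rc) { '0x{0:X8}' -f $rc }

# SCardStatus is one of the "Smart Card and Reader Access Functions" named in the MSDN text.
function Test-CardStatus([IntPtr]$card) {
    $name = New-Object byte[] 256; $nameLen = [uint32]$name.Length
    $atr  = New-Object byte[] 36;  $atrLen  = [uint32]$atr.Length
    $state = [uint32]0; $prot = [uint32]0
    return [Sc.Api]::SCardStatus($card, $name, [ref]$nameLen, [ref]$state, [ref]$prot, $atr, [ref]$atrLen)
}

$ctx = [IntPtr]::Zero
if ([Sc.Api]::SCardEstablishContext(0, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$ctx) -ne 0) { throw 'SCardEstablishContext failed' }
try {
    $buf = New-Object byte[] 1024; $len = [uint32]$buf.Length
    if ([Sc.Api]::SCardListReaders($ctx, $null, $buf, [ref]$len) -ne 0) { throw 'no reader found' }
    $reader = [Text.Encoding]::ASCII.GetString($buf, 0, [Array]::IndexOf($buf, [byte]0))   # first entry of the multi-string
    Write-Host "Using reader: $reader"

    $card = [IntPtr]::Zero; $prot = [uint32]0
    $rc = [Sc.Api]::SCardConnect($ctx, $reader, 2, 3, [ref]$card, [ref]$prot)   # SCARD_SHARE_SHARED, T=0|T=1
    if ($rc -ne 0) { throw "SCardConnect failed: $(Get-ScError $rc)" }
    try {
        $rc = [Sc.Api]::SCardBeginTransaction($card)
        if ($rc -ne 0) { throw "SCardBeginTransaction failed: $(Get-ScError $rc)" }
        $sw = [Diagnostics.Stopwatch]::StartNew()
        while ($sw.Elapsed.TotalSeconds -lt $HoldSeconds) {
            Start-Sleep -Seconds 2
            if ($KeepAlive) {
                $rc = Test-CardStatus $card
                Write-Host ("t={0,5:N1}s keep-alive SCardStatus -> {1}" -f $sw.Elapsed.TotalSeconds, (Get-ScError $rc))
            }
        }
        # First call after the idle period tells the story: success means the card
        # survived, SCARD_W_RESET_CARD means the service reset it while we held the transaction.
        $rc = Test-CardStatus $card
        Write-Host ("after {0:N1}s inside the transaction: SCardStatus -> {1}" -f $sw.Elapsed.TotalSeconds, (Get-ScError $rc))
        [Sc.Api]::SCardEndTransaction($card, 0) | Out-Null   # SCARD_LEAVE_CARD
    } finally {
        [Sc.Api]::SCardDisconnect($card, 0) | Out-Null
    }
} finally {
    [Sc.Api]::SCardReleaseContext($ctx) | Out-Null
}
```

Run it once as `.\sc-txn-timeout.ps1 -HoldSeconds 8` and once with `-KeepAlive`; on a machine with the 5 second behaviour the first run should report SCARD_W_RESET_CARD after the idle period and the second should not. To try Douglas's suggestion of reproducing on Windows 7 with the delay shortened, `.\sc-txn-timeout.ps1 -SetDelay 5` from an elevated prompt writes the value Ludovic named; since he reports it as untested, treat a run that still shows the old behaviour as evidence about the key rather than about the script.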
From: Vincent Le T. <vin...@my...> - 2015-12-14 15:45:51
|
My comment about the PIN pad is not about the authentication itself but about the fact that you can't cache the PIN, and that a long transaction was a workaround.

Vincent

On Monday 14 December 2015, Douglas E Engert <dee...@gm...> wrote:
> [...]
> I would say a PIN pad reader prompt is part of the verify command sent to the reader, and thus would be considered an active operation and not timed.
> [...]

--
Vincent Le Toux

My Smart Logon
www.mysmartlogon.com |