Sunday, May 13, 2018

ATR statistics: TB3 - Global after T=15 in TDi–1

Article from the series "ATR statistics".

TB3 - Global after T=15 in TDi–1


For T=1 protocol the first TBi encodes Block Waiting Integer and Character Waiting Integer. The high nibble encodes BWI. The low nibble encodes CWI.

For T=15 protocol TBi the coding is defined in the document ETSI TS 102 221 V10.0.0 (2011-12) chapter "6.3.3 Global Interface byte"

TB3#%
156575.53 %
0x4528813.90 %
0x55381.83 %
0x47231.11 %
0x5D211.01 %
0x43180.87 %
0x40170.82 %
0x75140.68 %
0x65110.53 %
0x4290.43 %
0x5890.43 %
0x7D80.39 %
0x4D70.34 %
0x9F70.34 %
0xA050.24 %
0x3540.19 %
0x1530.14 %
0x3430.14 %
0x5730.14 %
0x3720.10 %
0x4420.10 %
0x4920.10 %
0x5220.10 %
0x6720.10 %
0x2410.05 %
0x4110.05 %
0x5310.05 %
0x5910.05 %
0x6310.05 %
0x6910.05 %
0x6D10.05 %
0x7310.05 %
0x9E10.05 %

T=1 protocol

The list above is not really informative since both BWI and CWI are coded in the same byte.

BWI


BWI#%
434973,01 %
57315,27 %
7224,60 %
6163,35 %
391,88 %
961,26 %
120,42 %
210,21 %


CWI


CWI#%
5 343 72 %
1336 8 %
7 30 6 %
3 18 4 %
0 15 3 %
2 10 2 %
8 9 2 %
4 6 1 %
155 1 %
9 4 1 %
1 1 0 %
141 0 %


T=15 protocol

I my list I have only 5 cards with a TB3 for T=15. They all have the value TB3 = 0xA0 for "UICC-CLF interface supported as defined in TS 102 613".

Sunday, April 15, 2018

New version of pcsc-tools: 1.5.3

I just released a new version of pcsc-tools, a suite of tools for PC/SC.

The main changes are for the pcsc_scan command.

Changes:
1.5.3 - 15 April 2018, Ludovic ROUSSEAU
  • 253 new ATRs
  • pcsc_scan (thanks to Pascal J. Bourguignon):
    • add -v argument (default) for verbose
    • add -q argument for quiet
    • add -r argument to display the reader list
    • allow to use Control-C to break execution

Thursday, April 12, 2018

New PyKCS11 1.5.2 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.
See "PyKCS11 introduction".

Changes:

1.5.2 - April 2018, Ludovic Rousseau
  • Fix initPin()
  • add tests for initPin(), setPin(), initToken()

Friday, March 30, 2018

New PyKCS11 1.5.1 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.
See "PyKCS11 introduction".

Changes:

1.5.1 - March 2018, Ludovic Rousseau
  • Fix "pip install"

Monday, March 26, 2018

New PyKCS11 1.5.0 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.
See "PyKCS11 introduction".

Changes:

1.5.0 - March 2018, Ludovic Rousseau
  • Python 3: use strings instead of binary buffers for CK_UTF8CHAR PKCS#11 types. The behaviour is now the same as with Python 2
  • allow non string PIN values (binary PIN) for login(), initToken(), initPin(), setPin()
  • fix support of RSA PKCS PSS mechanism
    The mechanism object now uses a parameter "mechanism" instead of hard coding the mechanism value to CKM_RSA_PKCS_PSS.
  • add support of Python 2.7 on Windows
  • add AppVeyor configuration (automatic Windows builds)
  • ckbytelist: remove possibility to give a initial size
  • samples/getinfo: do not list the mechanisms by default
  • samples/events:
    • do not list the mechanisms by default
    • add support of pinpad readers
  • some minor improvements

Windows

If you are a Windows user and you want binary packages then please work on the AppVeyor configuration:

Sunday, March 18, 2018

MUSCLE web sites moved to .apdu.fr

With the decommissioning of alioth.debian.org I had to move the web site to a new place.


Update your bookmarks.

I also upgraded the HTML pages to Boostrap 4.0.

Please report any issue you may find.

Thursday, March 1, 2018

Level 1.5 smart card support on macOS

In a previous article "Level 1 smart card support on Mac OS X" I described some simple commands to check if the smart card stack is working correctly on a macOS system.

By re-reading the presentation "Working with Smart Cards: macOS and Security" by Richard Purves I discovered a new command.

I already knew "system_profiler SPUSBDataType" to list the USB devices. I mentioned it in "Level 1 smart card support on Mac OS X" to check the USB reader is seen by the system. But system_profiler provides a better command for smart cards.

SPSmartCardsDataType

system_profiler has another very interesting command: system_profiler SPSmartCardsDataType

Clean macOS installation

Example 1:
$ system_profiler SPSmartCardsDataType
SmartCards:

    Readers:

      #01: Cherry KC 1000 SC (ATR:<3b7f9600 00803180 65b08441 3df612ff fe829000>)

    Reader Drivers:

      #01: org.debian.alioth.pcsclite.smartcardccid:1.4.27 (/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle)

    Tokend Drivers:

    SmartCard Drivers:

      #01: com.apple.CryptoTokenKit.pivtoken:1.0 (/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/pivtoken.appex)

    Available SmartCards (keychain):

    Available SmartCards (token):


You get a lot of useful information:
  1. list of smart card readers
  2. list of installed reader drivers
  3. list of tokend drivers
  4. list of smart card drivers
  5. available smart cards (keychain)
  6. available smart cards (token)

What you can see in my example:
  • I use a Cherry KC 1000 SC reader. A card is inserted in the reader and you see the ATR.
  • by default Apple provides a CCID driver
  • by default Apple provides a PIV CryptoTokenKit token to support Personal Identity Verification cards

Using SafeNet Authentication Client

Example 2:
$ system_profiler SPSmartCardsDataType 
SmartCards:

    Readers:

      #01: Gemalto PC Twin Reader (ATR:<3b7f9600 00803180 65b08503 00ef120f fe829000>)

    Reader Drivers:

      #01: org.debian.alioth.pcsclite.smartcardccid:1.4.27 (/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle)
      #02: com.SafeNet.eTokenIfdh:9.0.0.0 (/Library/Frameworks/eToken.framework/Versions/A/aks-ifdh.bundle)
      #03: com.gemalto.ifd-bccid:1.0 (/usr/local/libexec/SmartCardServices/drivers/ifd-bccid.bundle)
      #04: org.debian.alioth.pcsclite.smartcardccid:1.4.27 (/usr/local/libexec/SmartCardServices/drivers/ifd-ccid-SafeNet-eToken5300.bundle)
      #05: (null):(null) (/Library/Frameworks/eToken.framework/Versions/A/ikey-ifdh.bundle)

    Tokend Drivers:

      #01: com.Safenet.eTokend:9.0 (/Library/Frameworks/eToken.framework/Versions/A/eTokend.tokend)

    SmartCard Drivers:

      #01: com.apple.CryptoTokenKit.pivtoken:1.0 (/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/pivtoken.appex)
      #02: com.gemalto.Gemalto-Smart-Card-Token.PKCS11-Token:1.0 (/Library/Frameworks/eToken.framework/Versions/A/SafeNet Authentication Client.app/Contents/PlugIns/PKCS11 Token.appex)

    Available SmartCards (keychain):

        com.gemalto.Gemalto-Smart-Card-Token.PKCS11-Token:9A522A4489DFA3DE:

          #01: Kind: private RSA 2048-bit, Certificate: <1cc4a99c 25e2b4eb 381850d2 e8e7a9a8 8d258b31>, Usage: Sign Decrypt Unwrap 
          #02: Kind: private RSA 2048-bit, Certificate: <425fa8c1 27ad75a1 aec73183 2b053b41 38befe7f>, Usage: Sign Decrypt Unwrap 
          #03: Kind: private RSA 4096-bit, Certificate: <16b5321b d4c7f3e0 e68ef3bd d2b03aee b23918d1>, Usage: Sign Decrypt Unwrap 
          #04: Kind: private RSA 4096-bit, Certificate: <16b5321b d4c7f3e0 e68ef3bd d2b03aee b23918d1>, Usage: Sign Decrypt Unwrap 
          #05: Kind: private RSA 2048-bit, Certificate: <31fde547 b4ca58d4 7b6231c2 62730efd 8c7538a1>, Usage: Sign Derive Decrypt Unwrap 

    Available SmartCards (token):

        com.gemalto.Gemalto-Smart-Card-Token.PKCS11-Token:9A522A4489DFA3DE:

          #01: Kind: private RSA 2048-bit, Certificate: <1cc4a99c 25e2b4eb 381850d2 e8e7a9a8 8d258b31>, Usage: Sign Decrypt Unwrap 
          #02: Kind: private RSA 2048-bit, Certificate: <425fa8c1 27ad75a1 aec73183 2b053b41 38befe7f>, Usage: Sign Decrypt Unwrap 
          #03: Kind: private RSA 4096-bit, Certificate: <16b5321b d4c7f3e0 e68ef3bd d2b03aee b23918d1>, Usage: Sign Decrypt Unwrap 
          #04: Kind: private RSA 2048-bit, Certificate: <31fde547 b4ca58d4 7b6231c2 62730efd 8c7538a1>, Usage: Sign Derive Decrypt Unwrap 
          #05: Certificate <1a222d8f 7458d082 d413fbdb 40c85f56 f48def63>


In this second example I installed SAC (SafeNet Authentication Client) from Gemalto. You can see some differences:
  • more reader drivers are installed
  • a tokend driver is installed
  • another SmartCard (Crypto Token Kit or CTK) driver is installed 
  • the card inserted in the reader is available in the keychain

Conclusion

This command provides information of a higher level that pcsctest.
You know what drivers (for readers and for cards) are installed.