EldoS | Feel safer!

Token ATR
#6491
Posted: 06/04/2008 06:16:20
by Simone Ferrari (Basic support level)
Joined: 12/03/2007
Posts: 22

Hello,
I am using PKIBlackbox to support various cards/usb tokens.
At the moment the user specifies which PKCS11 library to use each time,
but I would like to load the appropriate PKCS11 library automatically.

I know that all cards have an ATR which I could use to determine which library
to use but PKIBlackBox doesn't support obtaining this as it communicates with the hardware only via the PKCS11 interface.

I wanted to know if anyone has done this before, perhaps using CryptoAPIs, or if this kind of utility could be added to the PKIBlackBox package.

Thanks
Simone
#6542
Posted: 06/10/2008 03:35:57
by Simone Ferrari (Basic support level)
Joined: 12/03/2007
Posts: 22

I found the answer myself. For those of you who are interested, look at this article:

http://cgeers.wordpress.com/2008/02/03/monitoring-a-smartcard-reader

The stuff is in C# but can be adapted to VB.NET or other languages capable of using the Win32 API.

#6543
Posted: 06/10/2008 03:54:41
by Eugene Mayevski (EldoS Corp.)

Thank you for the link. But how will 4-byte-long ATR help you?


Sincerely yours
Eugene Mayevski
#6544
Posted: 06/10/2008 05:06:34
by Simone Ferrari (Basic support level)
Joined: 12/03/2007
Posts: 22

Why 4 bytes?
Check out SCARD_READERSTATE in the MSDN.
The ATR is contained in SCARD_READERSTATE.rgbAtr[36] which, if the array is 0-based and I assume it is, can be up to 37 bytes.
SCARD_READERSTATE.cbAtr indicates how long it actually is so that you can extract only the required bytes.
#6545
Posted: 06/10/2008 05:26:45
by Eugene Mayevski (EldoS Corp.)

Yes, I have misread the comments in the article source code block.
However, the question remains - what information does ATR contain that will help you locate the right PKCS#11 module?
We don't have a smartcard reader at the moment to check, that's why I am asking.


Sincerely yours
Eugene Mayevski
#6546
Posted: 06/10/2008 05:41:59
by Simone Ferrari (Basic support level)
Joined: 12/03/2007
Posts: 22

Well, according to my knowledge each manufacturer assigns a different ATR to their various models of cards, so using the ATR you know which PKCS#11 module to use.
The ATR is somewhat difficult to obtain, so I guess you should try all the cards you are willing to support.

The OpenSC PKCS#11 module, for example, uses the ATR to configure itself for the specific card being used; however, I prefer to use the PKCS#11 module created specifically for each card, and I load it using PKIBlackBox after having analyzed the ATR.
#6548
Posted: 06/10/2008 07:38:40
by Eugene Mayevski (EldoS Corp.)

Quote
Simone Ferrari wrote:
so using the ATR you know which PKCS#11 module to use.


The question remains: how do you do this matching?


Sincerely yours
Eugene Mayevski
#6549
Posted: 06/10/2008 10:19:43
by Simone Ferrari (Basic support level)
Joined: 12/03/2007
Posts: 22

Well if you know that the Siemens card model XXXX has ATR YYYY and Siemens made the SIXXXX.dll as the PKCS#11 library for that card then for ATR YYYY the PKCS#11 library to use is SIXXXX.dll...
#6550
Posted: 06/10/2008 11:17:29
by Eugene Mayevski (EldoS Corp.)

Thank you. Such an approach makes it nearly impossible to have any kind of generalization. I.e., you must check all devices that you can get access to, and then keep the tree of mappings (a list won't be enough because PKCS#11 DLL names can be changed in time).


Sincerely yours
Eugene Mayevski
#6566
Posted: 06/11/2008 01:58:51
by Simone Ferrari (Basic support level)
Joined: 12/03/2007
Posts: 22

Well, yes, generalization is basically impossible, but if you are developing an application to support a specific set of cards then it's the only way to automatically load the appropriate PKCS#11 module for the inserted card.

By the way, OpenSC does the same, and even Windows itself does the same to load the appropriate CSP. With Windows, in fact, when a card is installed certain registry entries have to be written (in the tree of mappings, as you called it, located at HKLM\Software\Microsoft\Cryptography\Calais\SmartCards) so that Windows knows which CSP to load according to the detected card's ATR.

If the PKCS#11 module name changes over time then I guess your users would need to update your application.

Of course, such functionality would be pointless to add to PKIBlackBox since it's a generic component, but the article I pointed to could be useful to people developing applications on top of PKIBlackBox.
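The procedure the thread arrives at, taking the cbAtr valid bytes out of SCARD_READERSTATE.rgbAtr (post #6544) and then looking the ATR up in a mapping table with per-byte masks, the way the ATR/ATRMask pairs under the Calais registry key work (post #6566), as an added example in Python. This is not code from the thread, from the linked article or from PKIBlackbox. The SCARD_READERSTATE layout follows the declaration in winscard.h; the card names, ATR values, module file names and the masked-comparison rule in the table are constructed for illustration and do not describe any real card.

```python
"""Select a PKCS#11 module from a smart card ATR.

Added example, not code from the thread, the linked article or PKIBlackbox.
SCARD_READERSTATE mirrors winscard.h; the ATR values, card names, module
file names and mask table below are constructed for illustration.
"""
import ctypes
from dataclasses import dataclass
from typing import Optional, Tuple


class SCARD_READERSTATE(ctypes.Structure):
    """ANSI SCARD_READERSTATE as declared in winscard.h. On Windows,
    SCardGetStatusChange fills cbAtr and rgbAtr; here they are filled by hand."""
    _fields_ = [
        ("szReader", ctypes.c_char_p),
        ("pvUserData", ctypes.c_void_p),
        ("dwCurrentState", ctypes.c_uint32),
        ("dwEventState", ctypes.c_uint32),
        ("cbAtr", ctypes.c_uint32),
        ("rgbAtr", ctypes.c_ubyte * 36),
    ]


def atr_from_readerstate(state: SCARD_READERSTATE) -> bytes:
    """Return only the cbAtr valid bytes of rgbAtr; the rest is padding."""
    n = state.cbAtr
    if not 2 <= n <= 36:  # shortest legal ATR is TS + T0
        raise ValueError(f"cbAtr={n} out of range")
    return bytes(state.rgbAtr[:n])


def parse_atr(atr: bytes) -> dict:
    """Walk TS, T0, interface bytes and historical bytes (ISO/IEC 7816-3) and
    verify TCK, which must be present unless T=0 is the only protocol offered.
    Raises ValueError on malformed input: the ATR comes from the card and is
    untrusted."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte")
    t0 = atr[1]
    k = t0 & 0x0F             # number of historical bytes
    y = t0 >> 4               # presence bits for TA1/TB1/TC1/TD1
    i = 2
    interface = []
    protocols = set()
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if i >= len(atr):
                    raise ValueError("truncated interface bytes")
                interface.append((name, atr[i]))
                i += 1
        if not y & 8:         # no TDi, so no further interface bytes
            break
        td = interface[-1][1]
        protocols.add(td & 0x0F)
        y = td >> 4
    if not protocols:
        protocols.add(0)      # no TD1 at all means T=0 only
    hist = atr[i:i + k]
    if len(hist) != k:
        raise ValueError("truncated historical bytes")
    i += k
    if protocols == {0}:
        if i != len(atr):
            raise ValueError("trailing data after historical bytes")
    else:
        if i != len(atr) - 1:
            raise ValueError("TCK missing or trailing data")
        xor = 0
        for b in atr[1:]:     # T0 through TCK inclusive must XOR to zero
            xor ^= b
        if xor:
            raise ValueError("TCK check failed")
    return {"protocols": protocols, "interface": interface, "historical": hist}


@dataclass(frozen=True)
class CardEntry:
    name: str
    atr: bytes
    mask: bytes   # 0xFF = byte must match, 0x00 = don't care (like Calais ATRMask)
    module: str   # PKCS#11 library to hand to PKIBlackbox


# Constructed table: card names, ATRs and module names are invented.
CARD_TABLE: Tuple[CardEntry, ...] = (
    CardEntry("Vendor A model 1", bytes.fromhex("3b931101414243c3"),
              bytes.fromhex("ffffffffffffffff"), "vendor_a_pkcs11.dll"),
    CardEntry("Vendor B family", bytes.fromhex("3b600000"),
              bytes.fromhex("ffff0000"), "vendor_b_pkcs11.dll"),
)


def select_module(atr: bytes, table=CARD_TABLE) -> Optional[str]:
    """Masked comparison over entries of the same length (assumed rule,
    modelled on ATR/ATRMask pairs). Malformed ATRs are rejected first."""
    parse_atr(atr)
    for e in table:
        if len(e.atr) != len(atr) or len(e.mask) != len(atr):
            continue
        if all((a & m) == (t & m) for a, t, m in zip(atr, e.atr, e.mask)):
            return e.module
    return None


def demo(raw_atr: bytes) -> Optional[str]:
    """Simulate a reader state holding raw_atr and run the full lookup."""
    state = SCARD_READERSTATE()
    for j, b in enumerate(raw_atr):
        state.rgbAtr[j] = b
    state.cbAtr = len(raw_atr)
    return select_module(atr_from_readerstate(state))


if __name__ == "__main__":
    for hexatr in ("3b931101414243c3", "3b601234", "3b931101414243c4"):
        try:
            print(hexatr, "->", demo(bytes.fromhex(hexatr)))
        except ValueError as err:
            print(hexatr, "-> rejected:", err)
```

On Windows the structure is filled by SCardGetStatusChange from winscard.dll (callable through ctypes, or through the C# wrapper in the linked article); the same ATR bytes are available on other platforms through PC/SC bindings such as pyscard. Two points a practitioner should keep in mind: the ATR is data supplied by whatever is in the reader, so it is only ever a lookup key into a fixed table of absolute module paths, never something a file name is built from; and the mask column exists so that an entry can ignore bytes a vendor varies between revisions while still matching the bytes that distinguish one card platform from another, which is also why the table has to be maintained as the "tree of mappings" discussed above rather than derived at run time.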


