Windows minidriver and Secure PIN Entry

Windows minidriver and Secure PIN Entry

ttaylor
Hello,

I've been a long time user of the opensc project on linux.  Now I'm
trying to use OpenSC on Windows 7.

The reader I'm using is an OmniKey 3821 USB CCID device with an LCD
display and a PIN pad.  Using the opensc PKCS#11 module in applications
such as firefox or thunderbird works great, requiring the card PIN to be
entered on the PIN pad of the reader as desired.

Now I'm looking at using the opensc minidriver to provide access for
applications that use the Windows crypto API.  After some fiddling
around, I managed to change the driver for my smart card (Gemalto
TOPDLGX4 144k) to the opensc minidriver.  However, when I use an
application that tries to access the card, I'm prompted to enter the PIN
in a Windows dialog rather than the reader PIN pad.

Is there a way to have the external PIN pad be used to enter card PINs
when using the opensc minidriver?

- Tim

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: Windows minidriver and Secure PIN Entry

Frank Morgner
The default Windows USB CCID driver does not support secure PIN entry.
You need to get a better driver for your reader. Presumably OmniKey
provides such a driver.

Cheers, Frank.


On Friday, August 24 at 03:03PM, Taylor, Tim wrote:

>
> Hello,
>
> I've been a long time user of the opensc project on linux.  Now I'm
> trying to use OpenSC on Windows 7.
>
> The reader I'm using is an OmniKey 3821 USB CCID device with an LCD
> display and a PIN pad.  Using the opensc PKCS#11 module in applications
> such as firefox or thunderbird works great, requiring the card PIN to be
> entered on the PIN pad of the reader as desired.
>
> Now I'm looking at using the opensc minidriver to provide access for
> applications that use the Windows crypto API.  After some fiddling
> around, I managed to change the driver for my smart card (Gemalto
> TOPDLGX4 144k) to the opensc minidriver.  However, when I use an
> application that tries to access the card, I'm prompted to enter the PIN
> in a Windows dialog rather than the reader PIN pad.
>
> Is there a way to have the external PIN pad be used to enter card PINs
> when using the opensc minidriver?
>
> - Tim
>
--
Frank Morgner

Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE                        http://openpace.sourceforge.net
IFD Handler for libnfc Devices  http://sourceforge.net/projects/ifdnfc


Re: Windows minidriver and Secure PIN Entry

ttaylor
I have installed the drivers from HID Global for this reader.

The same reader device driver will be used regardless of whether the
PKCS#11 module, or the minidriver is used to interact with the Smart
Card, right?

And as I mentioned when I use the PKCS#11 driver, I'm prompted to enter
my pin on the pinpad.  When I use the opensc minidriver, I'm prompted to
enter my pin in a windows dialog box using the PC keyboard.

Is the opensc minidriver not able to detect and use the pinpad?

- Tim

On Sat, 2012-08-25 at 01:10 +0200, Frank Morgner wrote:

> The default Windows USB CCID driver does not support secure PIN entry.
> You need to get a better driver for your reader. Presumably OmniKey
> provides such a driver.
>
> Cheers, Frank.

Re: Windows minidriver and Secure PIN Entry

Douglas E. Engert


On 9/5/2012 4:32 PM, Taylor, Tim wrote:

> I have installed the drivers from HID Global for this reader.
>
> The same reader device driver will be used regardless of whether the
> PKCS#11 module, or the minidriver is used to interact with the Smart
> Card, right?
>
> And as I mentioned when I use the PKCS#11 driver, I'm prompted to enter
> my pin on the pinpad.  When I use the opensc minidriver, I'm prompted to
> enter my pin in a windows dialog box using the PC keyboard.
>
> Is the opensc minidriver not able to detect and use the pinpad?


With the PKCS#11 OpenSC calls pcsc_detect_readers and this calls
the detect_reader_features.

With the minidriver, the Microsoft code passes in the handles of
open connections to PC/SC, and pcsc_detect_readers is not called,
so no special features get detected.

It might be possible to call the pcsc_reader_features from the minidriver
but it would require some code changes and testing.




--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
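
The reader feature detection discussed in the message above, as an added example that is not OpenSC code or part of the original post: it parses the PC/SC part 10 reply to CM_IOCTL_GET_FEATURE_REQUEST and reports whether the reader offers FEATURE_VERIFY_PIN_DIRECT. The function and struct names are hypothetical, and the sample replies and their control code values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Feature tags as numbered in PC/SC part 10 (and pcsc-lite's reader.h). */
#define FEATURE_VERIFY_PIN_DIRECT  0x06
#define FEATURE_MODIFY_PIN_DIRECT  0x07
#define FEATURE_IFD_PIN_PROPERTIES 0x0A

/* Hypothetical result type: a control code of 0 means "not offered". */
struct pinpad_features {
    uint32_t verify_direct;
    uint32_t modify_direct;
    uint32_t pin_properties;
};

/* Constructed replies; the control code values are placeholders. */
static const uint8_t SAMPLE_PINPAD[] = {
    0x06, 0x04, 0x42, 0x33, 0x00, 0x06,
    0x07, 0x04, 0x42, 0x33, 0x00, 0x07,
    0x0A, 0x04, 0x42, 0x33, 0x00, 0x0A,
};
static const uint8_t SAMPLE_NO_PINPAD[] = { 0x12, 0x04, 0x42, 0x33, 0x00, 0x12 };

/*
 * Parse a feature reply: records of {tag, length = 4, big-endian control
 * code}. Returns 0 on success; on a malformed reply returns -1 and reports
 * no features, so a bad reply can never enable PIN pad use.
 */
int parse_feature_tlv(const uint8_t *buf, size_t len, struct pinpad_features *out)
{
    struct pinpad_features f = {0, 0, 0};
    size_t i = 0;

    out->verify_direct = out->modify_direct = out->pin_properties = 0;
    while (i < len) {
        if (len - i < 6 || buf[i + 1] != 4)
            return -1;
        uint32_t code = ((uint32_t)buf[i + 2] << 24) | ((uint32_t)buf[i + 3] << 16)
                      | ((uint32_t)buf[i + 4] << 8) | (uint32_t)buf[i + 5];
        switch (buf[i]) {
        case FEATURE_VERIFY_PIN_DIRECT:  f.verify_direct = code;  break;
        case FEATURE_MODIFY_PIN_DIRECT:  f.modify_direct = code;  break;
        case FEATURE_IFD_PIN_PROPERTIES: f.pin_properties = code; break;
        default: break; /* other features are irrelevant here */
        }
        i += 6;
    }
    *out = f;
    return 0;
}

/* Control code for secure PIN verification, or 0 if absent or malformed. */
uint32_t verify_pin_control_code(const uint8_t *buf, size_t len)
{
    struct pinpad_features f;
    return parse_feature_tlv(buf, len, &f) == 0 ? f.verify_direct : 0;
}

int main(void)
{
    printf("pinpad reader: 0x%08x\n",
           (unsigned)verify_pin_control_code(SAMPLE_PINPAD, sizeof SAMPLE_PINPAD));
    printf("plain reader:  0x%08x\n",
           (unsigned)verify_pin_control_code(SAMPLE_NO_PINPAD, sizeof SAMPLE_NO_PINPAD));
    printf("truncated:     0x%08x\n",
           (unsigned)verify_pin_control_code(SAMPLE_PINPAD, 5));
    return 0;
}
```

A result of 0 is the case where the caller has to fall back to PIN entry on the host.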



Re: Windows minidriver and Secure PIN Entry

Martin Paljak-4
In reply to this post by ttaylor
On Thu, Sep 6, 2012 at 12:32 AM, Taylor, Tim <[hidden email]> wrote:
> Is the opensc minidriver not able to detect and use the pinpad?
At the moment, no.

Re: Windows minidriver and Secure PIN Entry

Douglas E. Engert
In reply to this post by Douglas E. Engert
On 9/5/2012 5:17 PM, Douglas E. Engert wrote:

> With the PKCS#11 OpenSC calls pcsc_detect_readers and this calls
> the detect_reader_features.
>
> With the minidriver, the Microsoft code passes in the handles of
> open connections to PC/SC, and pcsc_detect_readers is not called,
> so no special features get detected.
>
> It might be possible to call the pcsc_reader_features from the minidriver
> but it would require some code changes and testing.

What version of OpenSC are you using?

On what Windows OS?

Looking closer the reader-pcsc.c in github has two sets of code, one
for normal pcsc used by PKCS#11 and one for cardmod i.e. minidriver,
that check for reader features for the pin pad.

http://msdn.microsoft.com/en-us/windows/hardware/gg487500.aspx

Version 6 says External PINs for PIN PAD are new.
Vista and later.

Version 7 talks about External PINs.
Windows 7 and later.

So the code may be there. A trace might be helpful.


--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



Re: Windows minidriver and Secure PIN Entry

ttaylor
On Thu, 2012-09-06 at 15:06 -0500, Douglas E. Engert wrote:

> What version of OpenSC are you using?
>
> On what Windows OS?
>
> Looking closer the reader-pcsc.c in github has two sets of code, one
> for normal pcsc used by PKCS#11 and one for cardmod i.e. minidriver,
> that check for reader features for the pin pad.
>
> http://msdn.microsoft.com/en-us/windows/hardware/gg487500.aspx
>
> Version 6 says External PINs for PIN PAD are new.
> Vista and later.
>
> Version 7 talks about External PINs.
> Windows 7 and later.
>
> So the code may be there. A trace might be helpful.

I'm on Windows 7, fully patched.

"opensc-tool -i" returns:
opensc 0.12.2 [Microsoft 1600]
Enabled features:pcsc openssl zlib

- Tim

Re: Windows minidriver and Secure PIN Entry

Douglas E. Engert
To the list:
The minidriver has code to test for reader features to be able to use
a PIN PAD reader. Someone added that code.  Could they please respond
to this thread?

I would suspect that the calling applications also need to be updated,
and this may be the problem.

Is there a minidriver application that can be used with a PIN PAD reader?
If so what is it and what reader was used?

On 9/7/2012 9:33 AM, Taylor, Tim wrote:

> I'm on Windows 7, fully patched.
>
> "opensc-tool -i" returns:
> opensc 0.12.2 [Microsoft 1600]
> Enabled features:pcsc openssl zlib
>
> - Tim

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



Re: Windows minidriver and Secure PIN Entry

ttaylor
I was the OP of this thread.  I've tried the following applications:
- certutil (specifically "certutil -SCInfo" to examine card contents)
- Outlook 2010 (sending signed emails)

With both of these, I'm prompted to enter my card PIN in a Windows
dialog box, rather than on the reader's pin pad.

I'm using an OmniKey 3821 reader which has a pin pad.

- Tim

On Mon, 2012-09-10 at 09:56 -0500, Douglas E. Engert wrote:

> To the list:
> The minidriver has code to test for reader features to be able to use
> a PIN PAD reader. Someone added that code.  Could they please respond
> to this thread?
>
> I would suspect that the calling applications also need to be updated,
> and this may be the problem.
>
> Is there a minidriver application that can be used with a PIN PAD reader?
> If so what is it and what reader was used?

Re: Windows minidriver and Secure PIN Entry

Douglas E. Engert


On 9/10/2012 4:09 PM, Taylor, Tim wrote:
> I was the OP of this thread.  I've tried the following applications:
> - certutil (specifically "certutil -SCInfo" to examine card contents)
> - Outlook 2010 (sending signed emails)

I was requesting the author of the minidriver mods that added the PIN PAD
support to respond, to how they tested the mod (if at all) and what
PINPAD reader(s) were tested with (if at all.)

I don't think it was me :)

>
> With both of these, I'm prompted to enter my card PIN in a Windows
> dialog box, rather than on the reader's pin pad.
>
> I'm using an OmniKey 3821 reader which has a pin pad.
>
> - Tim
>

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

