smart card reset after 5 seconds on Windows

Vincent Le Toux
Hi,

I just want to share something on which I've lost my day before finding this:
Since Windows 10 (8?) the card is reset if a smart card transaction is inactive for 5 seconds.

Quote: "If a transaction is held on the card for more than five seconds with no operations happening on that card, then the card is reset. Calling any of the Smart Card and Reader Access Functions or Direct Card Access Functions on the card that is transacted results in the timer being reset to continue allowing the transaction to be used."
This timeout was not active on Windows 7.
Not easy to attach a debugger to debug OpenSC with that ...

regards,
--
Vincent Le Toux

My Smart Logon
www.mysmartlogon.com

------------------------------------------------------------------------------

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: smart card reset after 5 seconds on Windows

Jaroslav Imrich
As a result there are also commercial middleware solutions available out there which display their own PIN dialog during the signing operation and you need to enter your PIN in less than 5 seconds otherwise signing operation fails :)

Regards, Jaroslav



Re: smart card reset after 5 seconds on Windows

Douglas E Engert
Sounds like a call to SCardStatus resets the 5 second timer. Could a thread be added with a 2 second timer to keep the transaction alive? May not help with debugging.
 


-- 

 Douglas E. Engert  [hidden email]
 


Re: smart card reset after 5 seconds on Windows

Ludovic Rousseau
Hello,

It looks like Microsoft added an undocumented registry key to change the 5 seconds delay.

Key CardDisconnectPowerDownDelay in HK_local_machine\software\microsoft\cryptography\calais
The value defines the delay in seconds.

It also looks like this feature is also present in Windows 7 but with a 30 seconds delay.

This is all untested by me. I am not a Windows user.
I think we have Windows experts here that can confirm the use of this registry key.

I don't know why Microsoft decided to do that. Maybe that is a good idea after all.

Regards,

--
 Dr. Ludovic Rousseau


Re: smart card reset after 5 seconds on Windows

Martin Paljak-4
On 14/12/15 10:37, Ludovic Rousseau wrote:
> It looks like Microsoft added an undocumented registry key to change the 5
> seconds delay.
>
> Key CardDisconnectPowerDownDelay in
> HK_local_machine\software\microsoft\cryptography\calais
> The value defines the delay in seconds.
>
> It also looks like this feature is also present in Windows 7 but with a 30
> seconds delay.


Wow, this is funny (not encountered yet) but basically this means that
generating longer keys (sometimes takes minute(s)) is not possible
without hacks on Windows, inside a card transaction?




Re: smart card reset after 5 seconds on Windows

Vincent Le Toux
Long APDUs are still being performed, but that will be a problem with PIN pad sessions.
The workaround for minidrivers is called session PIN.
You get one with a PIN pad, then use this session PIN for further authentication.

I do not know a card / minidriver which supports it (gemalto Id prime included)

Vincent 


Re: smart card reset after 5 seconds on Windows

Douglas E Engert
https://msdn.microsoft.com/en-us/library/windows/desktop/aa379469%28v=vs.85%29.aspx
says: "If a transaction is held on the card for more than five seconds with no operations happening on that card,"

The key phrase is: "with no operations happening on the card"

I would say a pin pad reader prompt is part of the verify command sent to the reader, and thus would be considered an active operation and not timed.
(I believe the pinpad reader command has its own timeout too.)
Generating a key on the card should also be considered an active operation on the card.
The card and the reader should be doing the keep alive protocol for this.

I think the point is a transaction SCardBeginTransaction - SCardEndTransaction should not hold the card indefinitely.
The 5 seconds by the middleware should be long enough to get the next command to the card.

Any software prompt for a PIN should be done before starting the transaction to send the verify and crypto operations.

This may be a problem if OpenSC tries to hold the transaction from verify to logoff.
https://github.com/frankmorgner Is this what the "atomic" changes are doing?

The Microsoft doc also says: "Calling any of the Smart Card and Reader Access Functions or Direct Card Access Functions on the card that is transacted results in the timer being reset to continue allowing the transaction to be used".

With FireFox, it calls C_GetSessionInfo every few seconds. If C_GetSessionInfo would force a command to the card, that could keep the session alive. https://github.com/OpenSC/OpenSC/pull/624 is a step in that direction.


This should be easy to test on W7, if the 30 seconds timer is set to 5 seconds.
 

-- 

 Douglas E. Engert  [hidden email]
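
An added example, not part of any post in this thread and not OpenSC code: a small C checker that replays a constructed PC/SC call trace against the quoted five-second rule, covering the PIN-dialog, keep-alive and long-APDU cases raised above. The trace format, the function name and the treatment of a still-running call as activity are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* One entry of a PC/SC call trace; times are seconds since trace start. */
enum kind { TXN_BEGIN, CARD_CALL, TXN_END };
struct call { double start, dur; enum kind kind; };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/*
 * Replay a trace against the rule quoted in the thread: while a transaction
 * is held, more than `limit` idle seconds resets the card.
 * Assumption (the thread's reading of the rule): a call that is still
 * executing, such as a long APDU, counts as an operation, so idle time is
 * measured from the end of the previous call.
 * Returns the index of the first call issued after the reset, or -1.
 */
int first_call_after_reset(const struct call *tr, size_t n, double limit)
{
    int held = 0;
    double busy_until = 0.0;
    for (size_t i = 0; i < n; i++) {
        if (held && tr[i].start - busy_until > limit)
            return (int)i;
        if (tr[i].kind == TXN_BEGIN) held = 1;
        if (tr[i].kind == TXN_END)   held = 0;
        busy_until = tr[i].start + tr[i].dur;
    }
    return -1;
}

/* Constructed traces, not captured from real middleware. */
static const struct call pin_inside[] = {  /* PIN dialog inside the transaction */
    {0.0, 0.0, TXN_BEGIN}, {0.1, 0.1, CARD_CALL},
    {8.2, 0.1, CARD_CALL},                 /* VERIFY, 8 s later */
    {8.4, 0.5, CARD_CALL}, {9.0, 0.0, TXN_END},
};
static const struct call pin_before[] = {  /* PIN collected before the transaction */
    {8.0, 0.0, TXN_BEGIN}, {8.1, 0.1, CARD_CALL}, {8.3, 0.1, CARD_CALL},
    {8.5, 0.5, CARD_CALL}, {9.1, 0.0, TXN_END},
};
static const struct call keepalive[] = {   /* dialog inside, status call every 2 s */
    {0.0, 0.0, TXN_BEGIN}, {0.1, 0.1, CARD_CALL},
    {2.0, 0.0, CARD_CALL}, {4.0, 0.0, CARD_CALL},
    {6.0, 0.0, CARD_CALL}, {8.0, 0.0, CARD_CALL},
    {8.2, 0.1, CARD_CALL}, {8.4, 0.5, CARD_CALL}, {9.0, 0.0, TXN_END},
};
static const struct call long_apdu[] = {   /* one 60 s on-card key generation */
    {0.0, 0.0, TXN_BEGIN}, {0.1, 60.0, CARD_CALL},
    {60.2, 0.1, CARD_CALL}, {60.4, 0.0, TXN_END},
};

int main(void)
{
    printf("pin_inside: %d\n", first_call_after_reset(pin_inside, COUNT(pin_inside), 5.0));
    printf("pin_before: %d\n", first_call_after_reset(pin_before, COUNT(pin_before), 5.0));
    printf("keepalive:  %d\n", first_call_after_reset(keepalive, COUNT(keepalive), 5.0));
    printf("long_apdu:  %d\n", first_call_after_reset(long_apdu, COUNT(long_apdu), 5.0));
    return 0;
}
```

Passing 30.0 as the limit replays the same traces against the Windows 7 delay mentioned earlier in the thread.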
 


Re: smart card reset after 5 seconds on Windows

Vincent Le Toux
My comment about the pin pad is not about the authentication itself but about the fact that you can't cache the pin and that long transaction was a workaround.

Vincent 
