Thread: Issue with Cryptoflex / e-gate USB token




Issue with Cryptoflex / e-gate USB token
user name
2006-08-29 16:17:50
Hello,

Here's what I tried with a Cryptoflex 32k / e-gate USB
token on my Ubuntu, with OpenSC/OpenCT installed and
configured correctly :

rootgrenouille:~# pkcs15-init -ET
rootgrenouille:~# pkcs15-init -CT -p pkcs15+onepin
New User PIN.
Please enter User PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
User PIN required.
Please enter User PIN:
iso7816.c:98:iso7816_check_sw: Authentication method blocked
sec.c:204:sc_pin_cmd: returning with: Authentication method blocked
pkcs15-lib.c:2833:do_get_and_verify_secret: Failed to verify PIN (ref=0x1)
Failed to create PKCS #15 meta structure: Authentication method blocked
rootgrenouille:~#

=> full debug log <http://pastebin.com/774051>

While at the same time, enabling
"/sys/module/usbcore/parameters/usbfs_snoop" didn't
reveal any USB errors during data transfers (mainly
CONTROL USB packets).

I have got the same issue on Windows 2000, on another
computer, so I'm kind of worried that I somewhat f*ked
up my cards :/ No idea how though!

Any help would be appreciated 

Cheers,

-- 
Damiano ALBANI



	
_______________________________________________
opensc-user mailing list
opensc-userlists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-user
Issue with Cryptoflex / e-gate USB token
user name
2006-08-29 19:54:19
the big question is: what is blocked?

if your transport key is blocked, then your card is dead.
with -T you specify to use the default transport key, and
I never saw anyone using a different one, so that should
be fine.

> Here's what I tried with a Cryptoflex 32k / e-gate USB
> token on my Ubuntu, with OpenSC/OpenCT installed and
> configured correctly :

which versions exactly? (dapper default packages?)

> iso7816.c:98:iso7816_check_sw: Authentication method
> blocked
> sec.c:204:sc_pin_cmd: returning with: Authentication
> method blocked
> pkcs15-lib.c:2833:do_get_and_verify_secret: Failed to
> verify PIN (ref=0x1)

the transport key is SC_AUT, "PIN" means CHV is meant.
so why would you have a CHV (i.e. user pin) on your card
after erasing it?

pkcs15-init -E will (on cryptoflex) only remove structures
opensc created (in the reverse order), it can't remove other
structures (or in this case a PIN). did you use any other
software with it, and maybe that software created a PIN and
changed permissions on the root folder so that PIN is required?

if you have a PUK for that PIN and still have the software, you
should be able to reverse that.

worst case you could play with opensc-explorer and see if you can
do something like unblock that pin, verify the pin, change permissions
on MF.

but this is pure theory, and I'm more or less novice in my knowledge on
cryptoflex cards, so I might be totally wrong as well.

last I can say I have a number of users with cryptoflex/egate and
haven't gotten another report like this (or it must be that long ago so
I don't remember). so in general the cards work very well - and the
token worked well, axalto no longer sells them :(
(ok, and the token were a bit fragile...)

Regards, Andreas
Issue with Cryptoflex / e-gate USB token
user name
2006-09-27 10:18:36
--- Andreas Jellinghaus <ajdungeon.inka.de> wrote :

> if you have a PUK for that PIN and still have the software, you
> should be able to reverse that.
> 
> worst case you could play with opensc-explorer and see if you can
> do something like unblock that pin, verify the pin, change permissions
> on MF.

Ok, I tried with opensc-explorer, verify'ed AUT1 with the transport
key. And now, I can see these files -- *after* running a pkcs15-init
-ET :

OpenSC [3F00]> ls
FileID  Type  Size
 0011    wEF    38
 0002    wEF     8
 0000    wEF    23
[3F11]    DF     0
OpenSC [3F00]> cd 3F11
OpenSC [3F00/3F11]> ls
FileID  Type  Size
 0020    wEF   156
 0030    wEF  3980
 0031    wEF  2948
[3F03]    DF     0
[3F04]    DF     0
OpenSC [3F00/3F11]> cd 3F03
OpenSC [3F00/3F11/3F03]> ls
FileID  Type  Size
 0012    wEF   688
 1012    wEF   664
OpenSC [3F00/3F11/3F03]> cd ..
OpenSC [3F00/3F11]> cd 3F04
OpenSC [3F00/3F11/3F04]> ls
FileID  Type  Size
 0012    wEF  1372
 1012    wEF  1324
 
I haven't found documentation on the wiki about which files OpenSC
stores on card. So could you explain me what are those files and, more
importantly, if/how I can delete them safely.

Oh, by the way, I've just remembered that I had installed ID Ally [1]
on this token I think. That may be the reason why my card is filled
with data...

Thanks,

[1] http://www.identityalliance.com/identity_ally.php

-- 
Damiano ALBANI


	

	
		
Issue with Cryptoflex / e-gate USB token
user name
2006-09-27 21:29:12
David, does ID Ally also initialize cryptoflex cards?
using some pkcs#11 lib or with its own code? what kind of
profile could that be?

Damiano wants to use his card with opensc, but I never saw structures
like this before, so no idea how we can make any use of them. see below.

Damiano ALBANI wrote:
> Ok, I tried with opensc-explorer, verify'ed AUT1 with the transport
> key. And now, I can see these files -- *after* running a pkcs15-init
> -ET :
> 
> OpenSC [3F00]> ls
> FileID  Type  Size
>  0011    wEF    38
>  0002    wEF     8
>  0000    wEF    23
> [3F11]    DF     0
> OpenSC [3F00]> cd 3F11
> OpenSC [3F00/3F11]> ls
> FileID  Type  Size
>  0020    wEF   156
>  0030    wEF  3980
>  0031    wEF  2948
> [3F03]    DF     0
> [3F04]    DF     0
...
> Oh, by the way, I've just remembered that I had installed ID Ally [1]
> on this token I think. That may be the reason why my card is filled
> with data...

it is not a pkcs#15 profile, that is all I know (pkcs#15 has a file
"2f00" and a directory "5015"). no idea what "3f11" is ...

> I haven't found documentation on the wiki about which files OpenSC
> stores on card. So could you explain me what are those files and, more
> importantly, if/how I can delete them safely.

sorry, I don't have much clue about cryptoflex cards, maybe someone else
can help. but as far as I know we delete the files and directories in
the reverse order we create them. guess any other software needs to do
that too, so you would need to find out what you used for initializing
this card and use it for erasing it again.

maybe you can create an opensc / pkcs#15 structure on the card side by
side with your current structure, but then you won't be able to use
those existing keys and certificates etc. and of course there might not
be enough free space on the card.

Regards, Andreas
Issue with Cryptoflex / e-gate USB token
user name
2006-09-27 21:30:29
Hi,

ID Ally shouldn't do anything with a Cryptoflex card (Cyberflex,
yes).  libmusclecard once supported Cryptoflex and it's possible there
is a structure from Axalto / Schlumberger from their middleware on
there ....

It should work with the opensc-pkcs11 module assuming the Cryptoflex
was personalized using OpenSC.

Can you delete the files in 3F11 using opensc tools ?

Thanks,
Dave




Issue with Cryptoflex / e-gate USB token
user name
2006-09-27 21:47:39
David Corcoran wrote:
> ID Ally shouldn't do anything with a Cryptoflex card (Cyberflex, yes).
> libmusclecard once supported Cryptoflex and it's possible there is a
> structure from Axalto / Schlumberger from their middleware on there ....

ok, thought so, thanks.

> Can you delete the files in 3F11 using opensc tools ?

I don't think so - opensc doesn't create such a structure, and
can only delete the structures it created itself.

Damiano:
you could try manually walking the whole tree and delete
each file and directory in opensc-explorer. but that might
be a lot of work, and I have no clue if it will work out at
all.

sorry.

Good luck.

Regards, Andreas
Issue with Cryptoflex / e-gate USB token
user name
2006-09-28 00:54:37
I'll check tomorrow when I get in the office but I don't think ID
Ally (currently) will initialize a Cryptoflex.  I guess it is
possible though.  He should in reverse order be able to delete the
items on the card once validation of the AUT0 then reinitialize with
OpenSC.

Thanks,
Dave



------------------------------------------------------------------------
David Corcoran        corcoran at identityalliance dot com
   Identity Alliance        http://www.identityalliance.com
   phone: 260-488-3099   fax: 260-488-2455

   Smart Cards, Biometrics, Training, Identity Management
------------------------------------------------------------------------

Issue with Cryptoflex / e-gate USB token
user name
2006-09-28 09:05:45
On Wed, Sep 27 at 12:18, Damiano ALBANI wrote:
> Ok, I tried with opensc-explorer, verify'ed AUT1 with the transport
> key. And now, I can see these files -- *after* running a pkcs15-init
> -ET :
> 
> OpenSC [3F00]> ls
> FileID  Type  Size
>  0011    wEF    38
>  0002    wEF     8
>  0000    wEF    23
> [3F11]    DF     0
> OpenSC [3F00]> cd 3F11
> OpenSC [3F00/3F11]> ls
> FileID  Type  Size
>  0020    wEF   156
>  0030    wEF  3980
>  0031    wEF  2948
> [3F03]    DF     0
> [3F04]    DF     0
> OpenSC [3F00/3F11]> cd 3F03
> OpenSC [3F00/3F11/3F03]> ls
> FileID  Type  Size
>  0012    wEF   688
>  1012    wEF   664
> OpenSC [3F00/3F11/3F03]> cd ..
> OpenSC [3F00/3F11]> cd 3F04
> OpenSC [3F00/3F11/3F04]> ls
> FileID  Type  Size
>  0012    wEF  1372
>  1012    wEF  1324
>  

Let's see if this helps.  The structure looks very similar to the
Cryptoflex 32K for Windows cards that I've been playing with.  At
least when they arrive they have the 3F00/3F11 DF on them.

I can erase and init the card with pkcs15-init but when I go to set the
PINs I get a failure like:

$ pkcs15-init --store-pin --auth-id 01
...
iso7816.c:99:iso7816_check_sw: Incorrect parameters in the data field
card-flex.c:945:flex_create_file: Card returned error: Incorrect parameters in APDU
card.c:376:sc_create_file: returning with: Incorrect parameters in APDU
Failed to store PIN: Incorrect parameters in APDU


The solution I've found is to delete the 3F00/3F11 DF and some other
files using opensc-explorer.  I've copied out the session below.

Note my card is different.  There is a file 2F01 the contents of which
must be preserved as they set the card's ATR.  It was fun fixing it the
first time I deleted it.  The delete in reverse order requirement means
you have to delete the file, delete the directory and then recreate the
file.  Ignore these steps if you don't have a 2F01.


$ opensc-explorer
OpenSC Explorer version 0.11.0
OpenSC [3F00]> verify AUT1 2c:15:e5:26:e9:3e:8a:19
Code correct.
OpenSC [3F00]> ls
FileID  Type  Size
 0011    wEF    38
 0002    wEF     8
 0000    wEF    23
 0005    wEF    40
 0015    wEF  1744
[3F11]    DF     0
 2F01    wEF    10
[5015]    DF  5268
 2F00    wEF   128
OpenSC [3F00]> rm 2F00
OpenSC [3F00]> rm 5015
OpenSC [3F00]> get 2F01 atr.bin
Total of 10 bytes read from 2F01 and saved to atr.bin.
OpenSC [3F00]> rm 2f01
OpenSC [3F00]> rm 3f11
OpenSC [3F00]> rm 0015
OpenSC [3F00]> rm 0005
OpenSC [3F00]> rm 0000
OpenSC [3F00]> create 2F01 10
OpenSC [3F00]> put 2F01 atr.bin
Total of 10 bytes written.
OpenSC [3F00]> ^D

Then you can proceed with the usual opensc card setup which for me
normally goes:

$ pkcs15-init --erase-card
$ pkcs15-init --create-pkcs15
$ pkcs15-init --store-pin --auth-id 01
$ pkcs15-init --store-private-key newkey.pem --auth-id 01 \
        --key-usage sign,decrypt
$ pkcs15-init --store-certificate newcert.pem
-- 
        Bob Dunlop
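
The cleanup order from the session above, as an added example that is not part of the original thread: a Python planner that parses an opensc-explorer `ls` listing and emits the get/rm/create/put sequence for stripping a directory down to the files you want to keep. It assumes listing order is creation order (the session suggests this, the thread does not state it); `parse_ls`, `plan_cleanup` and the `<id>.bin` file names are hypothetical.

```python
import re

# Constructed sample: the MF listing from the opensc-explorer session above.
MF_LISTING = """\
FileID  Type  Size
 0011    wEF    38
 0002    wEF     8
 0000    wEF    23
 0005    wEF    40
 0015    wEF  1744
[3F11]    DF     0
 2F01    wEF    10
[5015]    DF  5268
 2F00    wEF   128
"""

ROW = re.compile(r"^\s*\[?([0-9A-Fa-f]{4})\]?\s+(\w+)\s+(\d+)\s*$")

def parse_ls(text):
    """Return [(file_id, type, size)] in the order `ls` printed them."""
    rows = (ROW.match(line) for line in text.splitlines())
    return [(m[1].upper(), m[2], int(m[3])) for m in rows if m]

def plan_cleanup(rows, keep, preserve):
    """Plan opensc-explorer commands that strip one directory down to `keep`.

    Assumption (hypothetical helper): `ls` order is creation order, so
    removing from the bottom of the listing upwards satisfies the card's
    delete-in-reverse-order rule. Files in `preserve` that are in the way
    are saved with `get`, removed, and recreated once the cleanup is done.
    """
    ids = [fid for fid, _, _ in rows]
    # Everything from the first unwanted entry downwards has to be removed.
    cut = next((i for i, f in enumerate(ids) if f not in keep | preserve), len(ids))
    remove, restore = [], []
    for fid, ftype, size in reversed(rows[cut:]):
        if fid in keep or (fid in preserve and ftype == "DF"):
            raise ValueError(f"{fid} is listed after a file to delete; "
                             "only an EF named in `preserve` can survive")
        if fid in preserve:
            remove.append(f"get {fid} {fid}.bin")
            # Prepend so preserved files are recreated in their original order.
            restore[:0] = [f"create {fid} {size}", f"put {fid} {fid}.bin"]
        remove.append(f"rm {fid}")
    return remove + restore

if __name__ == "__main__":
    print("\n".join(plan_cleanup(parse_ls(MF_LISTING), {"0011", "0002"}, {"2F01"})))
```

The plan covers a single directory listing; a DF that still holds files would need the same plan applied to its own listing first.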
Issue with Cryptoflex / e-gate USB token
user name
2006-09-28 20:42:02
--- Bob Dunlop <bob.dunlopxyzzy.org.uk> wrote :

> 
> The solution I've found is to delete the 3F00/3F11 DF and some other
> files using opensc-explorer.  I've copied out the session below.

Thank you all for your advice.
I made some cleaning up on my card and only left 0002 (serial number)
and 0011 (auth) files in 3F00. And now, pkcs15 initialization works
correctly !

Don't know where those additional files came from but it was the reason
of the failure for sure.

Cheers,

-- 
Damiano ALBANI


	

	
		