[eid-applet] unexpected behavior with a secure pin pad reader


bgillis

Mar 5, 2012, 3:34:16 AM
to eID Applet
Hi Frank,

I've just received a brand new Vasco Digipass 920 card reader for
testing purposes.
http://www.vasco.com/products/digipass/digipass_readers/digipass_850_range/digipass_920.aspx

This model offers a secure pin pad.
It is also the recommended connected card reader model for eID
applications.

Special Features:

* What You See is What You Sign Up to 4-line display,
* Convenient installation leveraging CCID class drivers, PC/SC
compliant,
* Secure Pin entry PC/SC 2.0 supported,
* Compliant with all ISO 7816 smart cards,
* PKI card supported,
* EMV Level 1.

When I try to use this reader with eID applet (1.0.5.Beta2), I do not
get the expected behavior.
As far as I know if the reader offers a pin pad, the applet should not
propose to encode the pin code.
On the contrary, the applet should propose to encode the pin code
through the reader pin pad, shouldn't it?

Hereby the log messages from the applet...

response message: AuthenticationRequestMessage
current protocol state: INIT
protocol state transition: AUTHENTICATE
include hostname: false
include inet address: false
remove card after authn: true
logoff: true
pre-logoff: false
TLS session Id channel binding: false
server certificate channel binding: false
include identity: true
include certificates: true
include address: true
include photo: true
include integrity data: true
require secure smart card reader: false
no PKCS11: false
Detecting eID card...
Detecting eID card...
Scanning card terminal: VASCO DIGIPASS 920 0
eID card detected in card terminal : VASCO DIGIPASS 920 0
Authenticating...
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
selecting key...
computing digital signature...
PIN verification required...
verifying PIN...

As you can see, there are issues with CCID feature recognition.

Should I install anything on my workstation in order to solve these
issues?
My reader is in fact recognized correctly by my OS (Windows XP SP3
32bit).

Thanks for your assistance,

Bertrand

bgillis

Mar 5, 2012, 4:06:57 AM
to eID Applet
When using https://www.e-contract.be/eid-applet-test/authenticate-secure-reader.jsp

I have slightly different log messages...

eID Applet - Copyright (C) 2008-2011 FedICT.
Released under GNU LGPL version 3.0 license.
More info: http://code.google.com/p/eid-applet/
checking applet privileges...
security manager permission check for java 1.6...
checking web application trust...
running privileged code...
eID browser applet version: 1.0.5.Beta2
Java version: 1.6.0_31
Java vendor: Sun Microsystems Inc.
OS: Windows XP
OS version: 5.1
OS arch: x86
Web application URL: https://www.e-contract.be/eid-applet-test/authenticate-secure-reader.jsp
Current time: Mon Mar 05 10:05:12 CET 2012
session cookie detected
sending message: HelloMessage
current protocol state: null
protocol state transition: INIT
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
SSL session Id mismatch
response message: AuthenticationRequestMessage
current protocol state: INIT
protocol state transition: AUTHENTICATE
include hostname: false
include inet address: false
remove card after authn: false
logoff: false
pre-logoff: false
TLS session Id channel binding: false
server certificate channel binding: false
include identity: false
include certificates: false
include address: false
include photo: false
include integrity data: false
require secure smart card reader: true
transaction message: null
Detecting eID card...
Detecting eID card...
Scanning card terminal: VASCO DIGIPASS 920 0
eID card detected in card terminal : VASCO DIGIPASS 920 0
Authenticating...
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
Security Error.
error: not a secure reader

Frank Cornelis

Mar 5, 2012, 6:38:05 AM
to eid-a...@googlegroups.com
Hi Bertrand,


Could FedICT also receive such card reader so we can test it out?


Kind Regards,
Frank.

Bertrand GILLIS

Mar 5, 2012, 6:59:13 AM
to eID Applet
Well... you should directly ask Vasco.

They sent me a free reader for development/test purposes only.
I have a good contact with them.
So maybe they will accept to send you a free reader as well.
Could you send me your contact details privately?

I have also submitted this issue to my contact @Vasco.

On Mar 5, 12:38 pm, Frank Cornelis <frank.corne...@fedict.be> wrote:
> Hi Bertrand,
>
> Could FedICT also receive such card reader so we can test it out?
>
> Kind Regards,
> Frank.
>
> On 03/05/2012 09:34 AM, bgillis wrote:
>
> > Hi Frank,
>
> > I've just received a brand new Vasco Digipass 920 card reader for
> > testing purposes.
> >http://www.vasco.com/products/digipass/digipass_readers/digipass_850_...

Frank Cornelis

Mar 5, 2012, 10:06:31 AM
to eid-a...@googlegroups.com
Hi Bertrand,


Thanks.


Kind Regards,
Frank.

bgillis

Mar 7, 2012, 2:38:55 AM
to eID Applet
Hi Frank,

In Windows event viewer, I see this kind of message:
"Smart Card Reader 'VASCO DIGIPASS 920 0' rejected IOCTL 0x313520:
Incorrect function."

Vasco also recommended that I install the Digipass plugin for eID.
http://www.retail.vasco.com/du/install/downloads/software_downloads_for_digipass_for_eid.aspx

Unfortunately, this installation doesn't solve anything.

Moreover I have the same kind of error with eID Viewer (eID Middleware
4.0.0 b7094 or b7163).

Regards,

Bertrand

Frank Cornelis

Mar 7, 2012, 6:23:29 AM
to eid-a...@googlegroups.com
Hi Bertrand,


That's weird. That IOCTL is a standard CCID command to get the feature
list of the card reader. Once I have such reader myself I'll certainly
dig deeper into this issue.

The eID Viewer that ships with the new eID Middleware 4.0 is using the
eID Applet code underneath. So indeed that same trouble will arise over
there.


Kind Regards,
Frank.
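
Added example, not part of the original thread: a Python sketch that decodes the IOCTL value from the Windows event log above into its PC/SC function number and parses a GET_FEATURE_REQUEST reply (tag, length, big-endian control code, per PC/SC v2 part 10). The sample reply bytes are constructed, and has_pin_pad_verify() is an assumed criterion, not the eID Applet's own check.

```python
# Added example; constants follow PC/SC v2 part 10 and the Windows CTL_CODE layout.
FILE_DEVICE_SMARTCARD = 0x31          # device type used by SCARD_CTL_CODE on Windows
CM_IOCTL_GET_FEATURE_REQUEST = 3400   # function number of the feature-list request

FEATURE_TAGS = {                      # PIN-related feature tags (PC/SC v2 part 10)
    0x01: "VERIFY_PIN_START", 0x02: "VERIFY_PIN_FINISH",
    0x03: "MODIFY_PIN_START", 0x04: "MODIFY_PIN_FINISH",
    0x05: "GET_KEY_PRESSED",
    0x06: "VERIFY_PIN_DIRECT", 0x07: "MODIFY_PIN_DIRECT",
}

# Constructed sample reply (not captured from a DIGIPASS 920): two TLV entries
# advertising VERIFY_PIN_DIRECT and MODIFY_PIN_DIRECT.
SAMPLE_REPLY = bytes.fromhex("0604003136B0" "0704003136B4")


def scard_ctl_code_windows(function):
    """CTL_CODE(FILE_DEVICE_SMARTCARD, function, METHOD_BUFFERED, FILE_ANY_ACCESS)."""
    return (FILE_DEVICE_SMARTCARD << 16) | (function << 2)


def decode_windows_ioctl(code):
    """Split a Windows IOCTL value into (device_type, function_number)."""
    return (code >> 16) & 0xFFFF, (code >> 2) & 0xFFF


def parse_features(reply):
    """Parse a GET_FEATURE_REQUEST reply: tag, length (4), big-endian control code."""
    features, i = {}, 0
    while i < len(reply):
        if i + 2 > len(reply):
            raise ValueError("truncated TLV header at offset %d" % i)
        tag, length = reply[i], reply[i + 1]
        value = reply[i + 2:i + 2 + length]
        if length != 4 or len(value) != 4:
            raise ValueError("bad TLV length for tag 0x%02X" % tag)
        features[tag] = int.from_bytes(value, "big")
        i += 2 + length
    return features


def has_pin_pad_verify(features):
    """Assumed criterion: direct PIN verify, or the start/finish pair, is advertised."""
    return 0x06 in features or (0x01 in features and 0x02 in features)


if __name__ == "__main__":
    print(hex(scard_ctl_code_windows(CM_IOCTL_GET_FEATURE_REQUEST)))
    for tag, code in parse_features(SAMPLE_REPLY).items():
        print(FEATURE_TAGS.get(tag, "tag 0x%02X" % tag), hex(code))
    print("secure PIN entry advertised:", has_pin_pad_verify(parse_features(SAMPLE_REPLY)))
```

An empty reply parses to no features at all, so any check built on the feature list reports no pin pad when the driver rejects the request.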

Bavo Van den Heuvel CRANIUM BVBA

Mar 7, 2012, 6:28:20 AM
to eid-a...@googlegroups.com
I am testing with this Vasco DP 920 too and get the same behaviour.
I did send a support question to my Vasco contact.

--
Kind regards,

Bavo Van den Heuvel - CRANIUM BVBA
Wijngaardweg 10A - 3150 Haacht
GSM: +32 476 36 47 80 - SKYPE: beejvoo3150
www.linkedin.com/in/bavovandenheuvel
 
come and see on 28 March, 12h30: applied privacy => http://goo.gl/XpNaa
VAT: BE 0830.218.050 - BANK: BE 38 0016 2161 4472
www.cranium.be - www.privacywet.be - www.dataprotectionofficer.be

bgillis

Mar 9, 2012, 9:06:39 AM
to eid-a...@googlegroups.com
Hi Frank,

It is weird indeed ;-)

Have you already contacted Vasco to ask for a DP920 reader?
It might take about two weeks to receive it (sigh!).

I have already sent all the information about this issue to my contact at Vasco.
In order to follow the conversation between you and Vasco, can you add me in CC in all your emails?
As a matter of fact, I'm very interested in the cause of this issue and how to address it.

Thanks,

Bertrand