Re: Problems accessing ActivIdentity USB SIM under Gentoo Linux 64 bit on Intel

Ok, whilst I delve into understanding the protocols and stuff, I have attached a couple more files, which may, or may not, be helpful to others who are more familiar with the protocol.
I plan on trying to understand what is going on, but it may take me a while...

These are outputs from my Intel 64 bit Gentoo, as described in earlier posts.

The files are as follows :-

Inspect_pcscd_output.txt.gz : this file contains the debug output of pcscd, run as follows

    strace -tt -x -s128  "${pcscd_root}"/pcscd -fad

Unfortunately, strace does not seem to follow threads - I tried using ltrace but that seems to be even worse.

Inspect_pkcs11_output.txt.gz : this file contains the debug output of pkcs11_inspect, run as follows :-

    pkcs11_inspect debug

USB_Capture.txt.gz : this is a capture of the RAW USB traffic to and from the ActivIdentity USB SIM. This was achieved by enabling usbmon and debugfs in the Linux kernel and following the documentation as described in /usr/src/linux/Documentation/usb/usbmon.txt

I have included in the USB_Capture.txt.gz a description of the columns of the capture.

I plugged the USB key into a bus that has no other devices to keep things nice and simple.

USB_Capture_Against_WinXP.txt.gz : This is a capture of the exact same ActivIdentity key, in the same USB hub, being connected to a VirtualBox VM containing Windows XP Pro. The capture shows a connect/disconnect/reconnect and finally, a successful authentication. This may provide some capability to compare a working stream against a non-working stream.


I hope this proves useful.


...Lyall


On Fri, Feb 4, 2011 at 1:41 AM, Jennings, Jared L CTR USAF AFMC 46 SK/CCI <jared.jennings.ctr@xxxxxxxxxxxx> wrote:
> What do I need to do to assist/diagnose this problem?
>
> I know C but don't know the protocols.

If you can contrive to connect to an XP box directly from a Linux box
using rdesktop -r scard, you can watch what ActivIdentity is saying to
the card by running pcscd with the -adf switches. Comparing the traffic
with traffic captured while CoolKey is trying to talk to the card can be
instructive.

You can replay sessions you've captured, and say your own things to the
card, using scriptor, a Perl script by Ludovic Rousseau.

I don't have wide experience with smartcard protocols, but ISO 7816-4
has been useful to me in deciphering most of my smartcard traffic:
<http://www.cardwerk.com/smartcards/smartcard_standard_ISO7816-4.aspx>

For U.S. federal government issued smartcards, the Government Smartcard
Interoperability Standard (GSC-IS, NIST Interagency Report 6887,
<http://csrc.nist.gov/publications/nistir/nistir-6887.pdf>) is helpful.


> and the USB SIM sits there being accessed constantly, as though it's
> retrying frequently, whereas, when used locally (on the remote VM),
> it's a couple of accesses and it's done.

My experience is that XP and ActivIdentity just talk to the smartcard
all the time. Blah, blah, blah. Who knows if the traffic actually
relates to what you're personally trying to do.

> Bottom line, I am not entirely convinced that the Software provided by
> ActivIdentity works reliably given the USB data is transported across a
> network, introducing timing delays.

In my forays with scriptor, my smartcard didn't care how fast I issued
commands. It was kind of like a telnet session, but typing individual
bytes in hex instead of letters. I'd be surprised to see something
timing-critical.


_______________________________________________
Coolkey-devel mailing list
Coolkey-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/coolkey-devel



--
...Lyall

Attachment: Inspect_pcscd_output.txt.gz
Description: GNU Zip compressed data

Attachment: Inspect_pkcs11_output.txt.gz
Description: GNU Zip compressed data

Attachment: USB_Capture.txt.gz
Description: GNU Zip compressed data

Attachment: USB_Capture_Against_WinXP.txt.gz
Description: GNU Zip compressed data
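
An added example, not part of the original message or its attachments: one way to carry out the comparison the thread suggests, by pulling ISO 7816-4 command headers and status words out of two usbmon text captures and reporting the first exchange where they differ. It assumes the token speaks CCID over bulk endpoints; the sample lines, and the names `exchanges` and `first_divergence`, are constructed for illustration.

```python
import struct

# Constructed usbmon text lines (not taken from the attached captures):
# SELECT of file 3F00 sent in a CCID PC_to_RDR_XfrBlock, answered with 90 00.
GOOD = """\
ffff8800a1b2c300 1000000001 S Bo:2:003:2 -115 17 = 6f070000 00000100 000000a4 0000023f 00
ffff8800a1b2c300 1000000450 C Bo:2:003:2 0 17 >
ffff8800a1b2c400 1000000500 S Bi:2:003:1 -115 271 <
ffff8800a1b2c400 1000002100 C Bi:2:003:1 0 12 = 80020000 00000100 00009000
"""
# Same command, but the card answers 6A 82 (file not found).
BAD = GOOD.replace("00009000", "00006a82")

XFR_BLOCK, DATA_BLOCK = 0x6F, 0x80   # CCID bMessageType values
CCID_HEADER = 10                     # bytes before abData (assumes CCID framing)


def exchanges(capture):
    """Return [(command header hex, status word hex)] in capture order."""
    result, pending = [], None
    for line in capture.splitlines():
        f = line.split()
        # Keep bulk transfers that carry data; '<' and '>' lines have none.
        if len(f) < 8 or f[6] != "=" or f[3][:2] not in ("Bo", "Bi"):
            continue
        raw = bytes.fromhex("".join(f[7:]))
        if len(raw) < CCID_HEADER:
            continue
        (length,) = struct.unpack_from("<I", raw, 1)   # dwLength, little-endian
        data = raw[CCID_HEADER:CCID_HEADER + length]
        if raw[0] == XFR_BLOCK and len(data) >= 4:
            pending = data[:4].hex()                   # CLA INS P1 P2
        elif raw[0] == DATA_BLOCK and pending is not None:
            # usbmon text shows only the first 32 bytes, so SW may be cut off
            whole = len(data) == length and length >= 2
            result.append((pending, data[-2:].hex() if whole else "truncated"))
            pending = None
    return result


def first_divergence(a, b):
    """First exchange that differs between two captures, or None if identical."""
    xa, xb = exchanges(a), exchanges(b)
    for i, (ea, eb) in enumerate(zip(xa, xb)):
        if ea != eb:
            return i, ea, eb
    return None if len(xa) == len(xb) else (min(len(xa), len(xb)), None, None)


if __name__ == "__main__":
    print(exchanges(GOOD), first_divergence(GOOD, BAD))
```

Because the usbmon text interface records only the first 32 bytes of each transfer, long responses are reported as `truncated` rather than given a guessed status word.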
