On 09/08/2014 10:03 AM, Ludovic Rousseau wrote:
2014-09-08 9:30 GMT+02:00 Umberto Rustichelli <[email protected]>:
Dear all, I do not know if this is the right place to ask but I think it is
the only place where the best experience with smart cards is shared.
Hello,
Maybe the best would be to contact the smart card manufacturer or reseller.
Much easier said than done... we tried!!!
I'll try harder, sigh!
I'm recently struggling with some issues when using smart cards for massive
signatures production where massive means a few millions consecutive
signatures for each card (what you wouldn't do to meet the absurd customers'
demand!)...
I think it is irrelevant but let me point out that this applies to cards
from two different vendors and with 2 different (USB) card readers; the
environment can handle up to 98 smart cards (yes, I changed a few parameters
in header files) but just 14 are connected. In production, only one card
type (InCard 34v2 common used in Italy) and only one reader type are used.
To make it short, does anybody know of any predictable limit that can cause
failures (after "many" signatures the *cards disconnect*, one by one) among
the following:
- cards cannot reliably work for more than N signatures
...I know that RAM in cards should work well for N * 10^5
write operations, considering that some writing operations
may be involved when signing, that can be an issue and
would point to chip wearing?
- some counters in the PCSC / CCID code that may be
troublesome after a number of operations (honestly,
I found none but I'm not an expert here)?
- any known issue with smart card drivers, in the specific case
the proprietary InCard driver? The SW involved is
pcsc-lite, cccid, (OpenSC) pkcs11_engine for OpenSSL
and, of course, the driver itself
Did anybody try such massive use of cards?
Please help if you have any experience to share on this or point me to some
documents or forum that can be more appropriate.
I guess the problem is more with EEPROM [1] and not RAM of the smart card.
Accordiong to Wikipedia a typical EEPROM supports 1 million of
read/write/erase cycles. So I am not surprised that you get errors
after a few millions signatures.
Is still EEPROM in use? Shouldn't it be Flash now?
I'm not familiar with the industry.
Anyway, that is the direction I was pointing to.
But is EEPROM or flash used during signature operations (or the involved
communitaction operations)?
pcsc-lite and the libccid driver do not have counters that could
produce an error.
The smart card may have a signature counter and certainly have a
ratification counter for the PIN code. If the PIN needs to be
presented before each signature then the PIN counter will be updated
twice for each signature.
The session stays open and the PIN is erased from my SW memory as soon
as it is opened, for security reasons, so I suppose there is no PIN
transfer involved.
Do you get an error message from the smart card?
Do the smart card just become mute?
At least in a couple of cases, the PKCS11 driver error is just
error:8000A006:Vendor defined:PKCS11_rsa_sign:Function failed:p11_ops.c:131
which doesn't help much.
In my experience, PKCS11 errors are rarely useful when operations are
fine but all of a sudden they fail.
Anyway, the smart cards becomes mute and usually (but not always) the
log fills with
c:333:EHStatusHandlerThread() Error communicating to: Gemplus GemPC Key
(147D0FB0) 06 00
so the communication is definitely lost.
--
dott. ing. Umberto Rustichelli
www.GT50.org - Roma
Mobile +39 335 129 65 80
_______________________________________________
Pcsclite-muscle mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pcsclite-muscle
