[Pcsclite-muscle] HELP! Any experience on smart card chip wearing?
Umberto Rustichelli
umberto.rustichelli
Mon Sep 8 01:46:44 PDT 2014
On 09/08/2014 10:03 AM, Ludovic Rousseau wrote:
> 2014-09-08 9:30 GMT+02:00 Umberto Rustichelli <umberto.rustichelli at gt50.org>:
>> Dear all, I do not know if this is the right place to ask but I think it is
>> the only place where the best experience with smart cards is shared.
> Hello,
> Maybe the best would be to contact the smart card manufacturer or reseller.
Much easier said than done... we tried!!!
I'll try harder, sigh!
>> I'm recently struggling with some issues when using smart cards for massive
>> signatures production where massive means a few millions consecutive
>> signatures for each card (what you wouldn't do to meet the absurd customers'
>> demand!)...
>>
>> I think it is irrelevant but let me point out that this applies to cards
>> from two different vendors and with 2 different (USB) card readers; the
>> environment can handle up to 98 smart cards (yes, I changed a few parameters
>> in header files) but just 14 are connected. In production, only one card
>> type (InCard 34v2 common used in Italy) and only one reader type are used.
>>
>> To make it short, does anybody know of any predictable limit that can cause
>> failures (after "many" signatures the *cards disconnect*, one by one) among
>> the following:
>>
>> - cards cannot reliably work for more than N signatures
>> ...I know that RAM in cards should work well for N * 10^5
>> write operations, considering that some writing operations
>> may be involved when signing, that can be an issue and
>> would point to chip wearing?
>>
>> - some counters in the PCSC / CCID code that may be
>> troublesome after a number of operations (honestly,
>> I found none but I'm not an expert here)?
>>
>> - any known issue with smart card drivers, in the specific case
>> the proprietary InCard driver? The SW involved is
>> pcsc-lite, cccid, (OpenSC) pkcs11_engine for OpenSSL
>> and, of course, the driver itself
>>
>> Did anybody try such massive use of cards?
>> Please help if you have any experience to share on this or point me to some
>> documents or forum that can be more appropriate.
> I guess the problem is more with EEPROM [1] and not RAM of the smart card.
>
> Accordiong to Wikipedia a typical EEPROM supports 1 million of
> read/write/erase cycles. So I am not surprised that you get errors
> after a few millions signatures.
Is still EEPROM in use? Shouldn't it be Flash now?
I'm not familiar with the industry.
Anyway, that is the direction I was pointing to.
But is EEPROM or flash used during signature operations (or the involved
communitaction operations)?
> pcsc-lite and the libccid driver do not have counters that could
> produce an error.
> The smart card may have a signature counter and certainly have a
> ratification counter for the PIN code. If the PIN needs to be
> presented before each signature then the PIN counter will be updated
> twice for each signature.
The session stays open and the PIN is erased from my SW memory as soon
as it is opened, for security reasons, so I suppose there is no PIN
transfer involved.
> Do you get an error message from the smart card?
> Do the smart card just become mute?
At least in a couple of cases, the PKCS11 driver error is just
error:8000A006:Vendor defined:PKCS11_rsa_sign:Function failed:p11_ops.c:131
which doesn't help much.
In my experience, PKCS11 errors are rarely useful when operations are
fine but all of a sudden they fail.
Anyway, the smart cards becomes mute and usually (but not always) the
log fills with
c:333:EHStatusHandlerThread() Error communicating to: Gemplus GemPC Key
(147D0FB0) 06 00
so the communication is definitely lost.
--
dott. ing. Umberto Rustichelli
www.GT50.org - Roma
Mobile +39 335 129 65 80
More information about the pcsclite-muscle
mailing list