2010/6/10 Emanuele Pucciarelli <e...@acm.org>:
> Hello Jean-Michel,
>
>> Do you have any information on the work involved to add some HID
>> protocol to OpenSC. Is HID protocol standard or would any solution be
>> proprietary?
>
> Just trying to add my 2 cents: I am aware of tokens that expose a USB
> hub with more than one device connected to it. Specifically, one or
> more mass storage units and one or more HID devices. The mass storage
> units are seen by the system as standard units, while the HID device
> gives access to a card reader through a proprietary protocol.
>
> The advantage of this solution should be that, on many operating
> systems, you can access the card reader without elevated privileges
> and without having to install any drivers – just use the userland
> software provided on the storage unit. Of course, security-wise I tend
> to see that more as a disadvantage; the first thing that comes to my
> mind is a drive-by download that can sniff your card transactions and
> use your token without the need for any special privilege.

The advantage of using a HID interface instead of CCID is that, on
Windows, any user application can talk to a HID device without
installing a driver. With a CCID interface and an old Windows (before
Vista I think) you have to install a CCID driver and then you need to
have administrative access rights for that.

Vendors are dreaming of a world of zero-install (no admin rights needed)
and zero-footprint (no files copied on the hard disk). You just plug
your device and you can use it (using autorun).

On GNU/Linux it is different. The kernel HID driver will use the device
and you need to be root to disconnect the device from the HID driver
and use it the way you want.

> What seems unlikely to me is mass storage encryption directly on the
> device: I would guess that you need expensive hardware (at least,
> expensive compared to ordinary smart cards) to perform decent
> encryption at reasonable bitrates for a mass storage device, but I'm
> not knowledgeable on this front and I certainly stand ready to be
> corrected!

Doing AES in hardware is not expensive and is fast.

> It would still be possible to add a HID reader module to OpenSC, but
> you would need an OS-specific lower layer and a reader-specific upper
> layer, and either get precise specs from the vendor or go through
> quite a bit of reverse engineering.

I can't tell about this device in particular. The other HID device I am
aware of is using the CCID protocol over HID.

The problem is not with OpenSC but with OpenCT or a pcsc-lite driver to
talk to a HID interface (using whatever protocol is used over the HID
channel).

Bye

-- 
Dr. Ludovic Rousseau
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
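The GNU/Linux situation described above (usbhid claims the interface, root is needed to detach it) has two usual workarounds, and they differ in how much they widen the attack surface Emanuele worries about. The script below is an added example, not code from this thread or from OpenSC/OpenCT/pcsc-lite; the vendor/product IDs, the bus path and the group name are placeholders. It emits a udev rule that opens only the matching /dev/hidraw node to one group (rather than MODE="0666" on every hidraw node, which is the zero-install shortcut that would let any drive-by payload talk to the token), lists which hidraw nodes the current user can already read, and wraps the root-only unbind from usbhid with the checks a practitioner would want.

```sh
#!/bin/sh
# Added example (not from the opensc-devel thread). Placeholders: VID/PID
# 1234:5678, group "plugdev", USB interface path "1-1.2:1.0".

# Emit a udev rule that grants one group access to the hidraw node of one
# VID:PID only. ATTRS{} walks up the parents, so the USB device's idVendor and
# idProduct match even though the rule is keyed on the hidraw subsystem.
hid_udev_rule() {
    vid="$1"; pid="$2"; group="${3:-plugdev}"
    printf 'SUBSYSTEM=="hidraw", ATTRS{idVendor}=="%s", ATTRS{idProduct}=="%s", MODE="0660", GROUP="%s"\n' \
        "$vid" "$pid" "$group"
}

# Check: which hidraw nodes can the current (unprivileged) user already read?
# If a vendor rule made them world-readable, any user process can sniff the
# token, which is the drive-by scenario raised earlier in the thread.
hid_readable_nodes() {
    for n in /dev/hidraw*; do
        [ -e "$n" ] || continue
        [ -r "$n" ] && printf '%s\n' "$n"
    done
    return 0
}

# Detach one USB interface from the kernel HID driver so a userland driver
# (e.g. a libusb-based CCID-over-HID reader driver) can claim it. This is the
# step that needs root on Linux; refuse politely rather than fail on the write.
hid_unbind_iface() {
    iface="$1"
    if [ "$(id -u)" -ne 0 ]; then
        echo "hid_unbind_iface: writing /sys/bus/usb/drivers/usbhid/unbind requires root" >&2
        return 1
    fi
    if [ ! -e "/sys/bus/usb/drivers/usbhid/$iface" ]; then
        echo "hid_unbind_iface: $iface is not bound to usbhid" >&2
        return 2
    fi
    printf '%s\n' "$iface" > /sys/bus/usb/drivers/usbhid/unbind
}

# Usage: print the rule for the placeholder token, then the nodes we can read.
hid_udev_rule 1234 5678 plugdev
hid_readable_nodes
```

Install the emitted line as e.g. /etc/udev/rules.d/70-hid-token.rules and reload with `udevadm control --reload` (and replug the token); the unbind is only needed when the userland driver wants the raw USB interface instead of the hidraw node.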