OsEID smart card & OsEID token

OsEID tries to support all features which are available in commercial card [MyEID]. Thanks to that, no special software/drivers is needed for commonly used operating systems. For Windows, Linux and Mac OS opensource project [OpenSC] can be used as driver for OsEID card.

OsEID disadvantages to MyEID card (mechanical)

OsEID disadvantages to MyEID card applet version 4.X:

(These functionalities are not supported by MyEID driver in OpenSC up to 0.18, perhaps OsEID will support these functions in future)

experimental = feature is supported by OsEID card, but original MyEID card function can work differently. There is no enough information in MyEID applet reference manual 2.1.4/2/2.3.0 and no OpenSC implementation to test all functions.

OsEID disadvantages to MyEID card, applet version below 3.5:

(MyEID in version below 3.5 does not support EC cryptography)

For a comparison, here is table showing the execution time of RSA decrypt operation (time in seconds) for MyEID cards, and OsEID card/token (with exponent blinding turned on):

Times in this table are higher then times given in Features section, because here the time is summary of all operations that OpenSC runs on card, e.g. card identification, reading PKCS#15 files, reading public key.

MyEID (3.3.3) card seems to be slower in filesystem operations, listing all card objects by pkcs15-tool -D command run in 2.8 second for 5 RSA keys on card. OsEID card runs the same command, the same set of keys in 1.9 second. If only one key is installed in MyEID card, pkcs15-tool -D command need 2.5 seconds, but OsEID card/token need only 0.7/0.6 sec.

Time depends on card reader, USB utilization etc.

MyEID with two keys installed, OsEID with four keys installed. Both cards allow the same communication speed - 312500 bits/s for 5MHz readers, for tests 4.8 MHz reader was used (opensc 0.21.0)

As You can see, raw time is significant better for MyEID card, but whole ECC operation time is comparable for MyEID and OsEID card.

There is no support for secp384r1 and secp521r1 in MyEID 4.0.1 card. OsEID card/token results:

OsEID benefits to MyEID card:

Whole project is published in good faith and is to be used for educational purposes only, however, amateur/hobby usage is also possible. When you decide to use this project in other way, keep in mind all drawbacks. Particularly take care that the card may be damaged and you may lose access to devices, that need authentication with card. Please, consider creating backup card/backup access for this situation. AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGE OF CARD READERS, COMPUTER EQUIPMENTS OR DATA LOSS/DATA LEAKAGE! USE AT YOUR OWN RISK ONLY! Please read information about RSA and ECC security in this manual.

Code is licensed by GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007. Please read Licence.txt in code root directory. [GPL]

128,192 and 256 bit multiplication source files were originally public domain (Authors: Michael Hutter and Peter Schwabe, Version: 2014-07-25, downloaded from http://mhutter.org/research/avr/ ), but have been modified for OsEID project (to allow run this code in interrupt enabled environment, and to improve speed). I decided to release this modified version under the GPL.

Before using the card, microcontroller must be programmed with card operation system. You need hex file card.hex that is available in download section. To load hex file into AVR128DA32 microcontroller, you need programmer tool with programmer software. AVR128DA uses UPDI interface, description of UPDI can be found in AVR128DA documentation but lot information can be found on internet, for example https://microchipdeveloper.com/atmelice:updi

Another open source software inclusive hardware description can be found at https://github.com/mraardvark/pyupdi or https://github.com/popovec/upditool

If you decide to use ATmega128 microcontroller, you can found information about programming at http://www.nongnu.org/avrdude/. Programmer hardware overview can be found at http://www.ladyada.net/learn/avr/programmers.html. You can learn more about programming AVR microcontrollers on internet, a good website to start is https://learn.adafruit.com/introducing-trinket/programming-with-avrdude.

At this point the familiarity with programming AVR microcontrollers through UPDI/ISP is assumed.

Your card already includes UPDI/ISP connector but in different format as normal Microchip/Atmel ISP6 or ISP10 connectors. Mapping microcontroller pins to card contact pads and to standard Microchip ISP6 can be found in the tables below.

It is recommended to make simple adapter from AVR ISP6 connector to CARD contact pads. You need a smart card connector and a ribbon cable with IDC connector with 6 pins. Alternatively, if your programmer already contains ribbon cable with 6 pin female IDC connector, you need 6 pin male IDC connector. Make sure to create adapter with correct pinout as described in tables above.

Of course, you can use two 6 pins IDC connectors - one for ATmega ISP and one for AVR128DA UPDI programmer. You can use TTL to USB convertor as UPDI programmer, then 3 pins connector is enough.

You can buy it from here:

http://www.tme.eu/en/details/116b-dboa-r/card-connectors/attend/116b-dbo0-r02/
http://www.tme.eu/en/details/fc06150-s/ribbon-cables-with-idc-connectors/amphenol/
http://www.tme.eu/en/details/09185066324/idc-connectors/harting/

Carefully connect the cable to the relevant contact pads of smart card connector. Connect this adapter to AVR programmer, insert new card into smart card connector and you can upload firmware into your card.

Programming AVR128DA microcontroller:

fuse 1/BODCFG: 0x00
fuse 2/OSCCFG: 0x00
fuse 5/SYSCFG0: 0xC0
fuse 6/SYSCFG1: 0x00
fuse 7/CODESIZE: 0x80
fuse 8/BOOTSIZE: 0x80

Then upload card.hex file into microcontroller FLASH.

Lock the device by programming LOCK to value 0

Example for upditool:

Example for pyupdi

Programming ATmega128 microcontroller:

It is recommended to program microcontroller fuses first:

Extended fuses: 0xFF
High fuses: 0xD9
Low fuses: 0x04

Then upload card.hex and at last step is programming lock bits:

Lock bits: 0xFC

Example for avrdude and avrispmkII programmer:

Your card is ready for use now.

You can use source files to build card.hex. Development is tested on DEBIAN 10. You need gcc-avr, binutils-avr, avr-libc, make, srecord and avrdude package. For programming AVR128DA32 device, pyupdi or upditool is needed to (from github). You need to unpack OsEID tarball. Makefiles located in src subdirectory are used to compile and program the card. Card serial number is derived from AVR128DA serial number or for ATmega128 serial number is is automatically generated from actual time/date.

for AVR128DA based card (upditool programmer):

for Atmega128 based card:

In year 2006, the standard ISO 7816 changed the definition of Vpp pad. This pad is no longer used for programming voltage. If you use newer reader (produced after 2006), card may work, or fail in this reader. If your OsEID card does not working in your card reader, Vpp pad on card must be isolated from reader. This can be done by stick self-adhesive tape on Vpp pad.

Known issue: Alcor Micro AU9560 USB reader - OsEID card (AVR128DA or Atmega128 based) is not working in this reader without Vpp pad isolation.

Only partial information here, schematics, PCB and list of components is in Appendix D. It is assumed that only a skilled technician will try to build this device.

The fastest way to test the functionality of the card is by launching program pcsc_scan :

Insert card into reader. If the card is recognized, similar message is displayed:

Press CTRL-C break pcsc_scan and you can go to configure OpenSC package.

If your OpenSC version is 0.20.0 or above, OsEID card is automatically recognized. For older versions you need do some changes in configuration.

Configure OpenSC package: edit /etc/opensc/opensc.conf

or if you use windows C:\Program Files\OpenSC Project\OpenSC\opensc.conf

add new [ATR] for OsEID card and OsEID token in app default section:

If your OpenSC version is 0.20 or newer, and your using OsEID card with firmware 20190102 or older, you need one more configuration directive in /etc/opensc/opensc.conf in app default section:

It is recommended that you install oseid profile files into OpenSC profile directory (usually /usr/share/opensc/). Profile files for different versions of OpenSC can be found in download directory.

After this configuration step, you can use opensc-explorer, pkcs15-init, pkcs15-tool, pkcs11-tool and other software to personalize your OsEID card.

If you plan to use OsEID card in Win 10 (for example in EDGE browser etc.) you need install OpenSC package

OpenSC version 0.22.0-rc1 functionality with OsEID card has been tested in WIN 10, certutil command is fully functional and TLS client auth in EDGE browser is working.

To use OsEID card, with minidriver, you need to update your registry file. Please use OsEID.reg file from download section. Here example used for opensc 0.22.0-rc1:

For 32 bit OpenSC version on 64 bit system there is small change in minidriver path:

After personalizing your card, you need to use certutil -scinfo command in windows command prompt to import certificates from card into windows certificate store. After successful import of certificates, you can browse personal certificates by certmgr and/or certlm command.

On linux/windows with installed OpenSC package You can use opensc-explorer to browse files on Your new card:

There exists only one file on card. This is file with ID 3F00 - master file (MF). Card security system (PIN/PUK codes) are inactive for now.

or better way, determine OpenSC version by running

Then use oseid profile with the same version as OpenSC (for example 0.20):

(Warning, this operation is really slow, may run about 3 minutes but in some cases over 30 minutes for 1024 bit key, generating 2048 bit key take about 45 minutes but in some cases several hours.)

First read possible keys, select proper key id for sign (in example 121212)

Another example for sign with EC key:

You can use OsEID-tool software (available in tools section, only linux version). This software is designed to simplify some tasks on OsEID card (can be used with MyEID card too). Implemented functions:

OsEID is smart card with cryptography support, realized in amateur conditions. It consist of one integrated circuit (microcontroller Microchip/Atmel ATmega 128) and PCB (printed circuit board). No more components are needed.

OsEID smart card supports both RSA cryptography and Elliptic curve cryptography. DES and AES ciphers are supported too. It is (partially *) compatible with ISO 7816 specifications. Card support PKCS15 structure, RSA up to 2048 bits and NIST elliptic curves (192,256,384 and 521 bits).

It is designed to emulate Aventra MyEID card in universal microcontroller. No special driver is needed for use in Linux/Windows.

OsEID is hobby/amateur smart card, MyEID is professional card. OsEID come with open source firmware in well known, easily accessible and inexpensive microcontroller.

The card can not be bought, You have to make it. (Read documentation chapter Making OsEID card)

New versions are published on https://sourceforge.net/projects/oseid This is a primary site, code is available in tarball (all sources, firmware files compiled from sources in HEX format, and PDF version of doc).

Same site can be reached at https://oseid.sourceforge.io

OsEID is also available on github - https://github.com/popovec/oseid

OsEID development track all changes in OpenSC MyEID driver. All changes in OpenSC thats affect correct functions of OsEID card are examined and a update is uploaded into https://github.com/popovec/oseid. You usually need these updates only if you use development versions of OpenSC.

HTTP online doc is available on https://popovec.github.io/OsEID

AVR128DA32 is 8 bit CPU and runs at low frequency (about 27MHz). The chip has only 8x8 bit multiplier, no special acceleration units for RSA and ECC, as it is in the world of commercial cards.

You can contact me (author) by email <popovec.peter@gmail.com>

Card is always waiting for 5 bytes (header):

CLA, INS, P1,P2 and P3 bytes are transmitted to card. P3 byte is used to inform card about optional command body or requested size of returned data. What exactly P3 represent (command body or response length) is determined from INS byte.

Header is transmitted, then reader is waiting for procedure byte from card. If this procedure byte is not received until some time, card reader reject card as unresponsive.

How procedure byte is processing is described in ISO7816-3/10.3.3 table 11. If procedure byte is 0x60 (NULL), card reader only extend working time and is waiting for new procedure byte. This is used by card to inform card reader that more time is needed for processing message. This prevent rejecting card as unresponsive.

If 0x6X or 0x9X is received as procedure byte, this is handled as SW1 (status word), then whole status word (and next byte SW2) is returned to application.

If card reader receives INS (or INS negated, but this in not used in OsEID), card reader send rest of APDU to card (or receives data from card). Another values in procedure byte are not allowed.

From ISO7816-3/10.3.1: It is assumed that the card and the interface device know a priori the direction of transfer… How this can be fulfilled ?

T1 protocol uses packet oriented transport to and from card. For details about this, please read ISO7816-3/11. APDU is splitted into I frames and then reassembled in card back to original APDU. State machine for this can be found in opensource project [CCIDusb], in directory src/towitoko/ and src/openct/proto-t1.c. Reverse joining of I frames can be found in OsEID sources, in file targets/xmega128a4u/ccid.c. Of course, response APDU is splitted in card and reassembled in reader/host.

If command APDU uses short case 4 (described above), reader must support at minimal transport for 4+1+255+1 = 261 bytes.

If command APDU uses extended case 4, then minimal transport size is 4+3+256+2 = 265 bytes, and for maximal Lc 4+3+65535+2 = 65544 bytes.

Transport of responses must support 65536+2 bytes.

OsEID token integrated CCID reader allow transport of 271 bytes in one transport (dwMaxCCIDMsgLen = 271). CCID header need 10 bytes overhead, then maximal message length is 261 bytes. Because I frames are chained, there is no limitation in transport of extended APDU over T1 protocol, T0 is limited - max 255 bytes in DATA field.

In this documentation APDU - TPDU mapping is described for all commands (T0 protocol). Bytes CLA, INS, P1, P2 from APDU is mapped to TPDU without change, byte P3 in TPDU is mapped to Lc or Le field of APDU.

APDUs CASE 3S/E and 4S/E can be chained. CLA must be set 0x10 for any chained APDU and last APDU in chain must have CLA = 0. For any APDU in chain with CLA 0x10 Le field is ignored. Only Le field from last APDU in chain (CLA=0) is used. OsEID allows to chain CLASS 3S with CASE 3E or 4S/4E APDUs. Detail about APDU chaining can be found in ISO7816-4/5.1.1.1

Warning, OsEID for now does not have support for signalizing card capabilities (ISO7816-4/8.1.1.2.7) and because this, APDU chaining is not signalized.

Selection mechanism manages current DF and current EF. If EF is selected, parent DF is set as current DF.

(CASE 1S, CASE 2S, CASE 3S, CASE 4S)

TPDU: - P3 - in range 0..0xff, corresponding to DATA field length

APDU: - Lc corresponding to DATA field length - Data length corresponding to Lc - Le maximal size of response

Select file is controlled by P1, P2 parameters. There are several P1, P2 valid combinations. For some of combinations Lc != 0 and data field must contain specific data

For rest of commands P2 is 0 or 0x0c:

If select command failed, last correctly selected file remains selected.

MyEID difference: MyEID (according MyEID reference manual 2.1.4) does not support values 1,2,3 for P1. MyEID does not support P2 = 0x0c. MyEID uses T1 protocol, FCI is always returned even Le is not present in APDU (tested on MyEID 3.3.3/4.0.1).

(CASE 3S)

TPDU: - P3 - in range 18..255, corresponding to DATA field length

APDU: - Lc corresponding to DATA field length 18..255 - DATA length corresponding to Lc - Le empty

Data must contain File Control Parameters (FCP) information.

First byte (0x62) represents FCP tag, second byte represents sum of length of all tags in structure. The rest of structure is formed by TLV items. TLV items order doesn’t matter. TLV item with the same TAG value overwrites previous item with the same tag except TAG 0x80 and 0x81, these tags are mutually exclusive and can not be repeated.

only the first byte is used, rest is ignored.

allowed values:

Any value can be orred with value 0x40, this mark file as shareable.

BEWARE! filetype 0x23 is not used by original MyEID card. In future, MyEID card may use the 0x23 filetype to different purposes. OsEID project will then change secp256k1 key marking to another filetype or move marking into Proprietary Information field.

You can found more information about key file in PUT DATA and GENERATE PUBLIC KEY PAIR command.

Example apdu

Create working EF with transparent structure, ID 2233, size 511, security attributes set to 01 1F FF:

Responses

(CASE 1, in future CASE 3S)

TPDU: - P3 - 0

APDU: - Lc - 0 - DATA not present - Le - empty

The DELETE FILE command does removing of file. File must be selected by SELECT command before calling DELETE FILE command. If DF is selected, whole subtree of DF is deleted too. Before deletion of file, access condition is checked. After file delete operation a parent DF of deleted file is selected.

If subtree operation is requested, there is no check if some DF in subtree is marked by proprietary flag as undeletable. Only current DF proprietary flag is checked.

For completeness, ETSI TS 102 222 V7.0.0 (2006-08): Data field can be used to specify file ID for delete operation, in this case length of data field (Lc) is set to 2, and field ID is in data field. This is not supported by OsEID card for now.

Responses

(CASE 1, in future CASE 3S)

TPDU: - P3 - 0

APDU: - Lc 0 - DATA empty - Le empty

The ERASE BINARY command fills selected transparent EF with 0xff value. Start of fill is selectable by P1, P2 parameters. P1 represent bits 14..8, P2 represent bit 7..0 of offset. End of fill area is not selectable, file is filled up to end.

Responses

ISO7816-4/7.2.7 allow Lc=2, and in data field end of fill area in file can be specified. OsEID does not allow Lc=2 for now.

(CASE 3S)

APDU:

The UPDATE BINARY command updates data in selected transparent EF. Start of update is selectable by P1, P2 parameters. P1 represents bits 14..8, P2 represents bit 7..0 of offset. Lc represents number of updated bytes.

Responses

(CASE 2S)

APDU:

The READ BINARY command reads data from selected transparent EF (file type 0x01). Start of read is selectable by P1, P2 parameters. P1 represents bits 14..8, P2 represents bits 7..0 of offset. For Le=0, 256 bytes are to be read;

Warning: if Le > 256 (extended APDU) Le is clamped by card to 256

If Le is 0 (Ne = 256), up to 256 bytes is to be read from offset in P1,P2 to end of file. For Le != 0, 0x6282 response is generated if offset + Le is over file end.

Responses

(CASE 2S)

P2 for global functions:

All get file list operations are limited to list maximum 128 files.

(CASE 3S)

This command generates RSA/ECC keys. This command operates on current selected file. Key type and size is determined from selected file. If file type/size does not match allowed key length for cipher, operation fails.

RSA key generation APDU:

(CASE 4S)

P1,P2=0, this indicate proprietary format of data field (ISO7816-8).

RSA key for now uses fixed public exponent 65537. For RSA key, user can set Lc to 0 or set Lc and data field with this public exponent:

All three formats are identical. First format does not define public exponent, the card then uses default public exponent. If Lc is not 0, data field contain ASN1 formatted data for public exponent. Only value 65537 is accepted.

Data field is ASN1 formatted, 0x30 is SEQUENCE indicator, and value 0x02 or 0x81 is used as "public exponent" tag. (ASN.1 uses 0x02 as tag for INTEGER, MyEID 2.1.4 manual defines here tag 0x02 too. OpenSC 0.17 send 0x81 here, OsEID for now allows both values).

If key is successfully generated, key file is filled with key data and card returns public modulus.

ECC key generation APDU:

(CASE 4S)

This APDU is same as specified in MyEID reference manual 2.1.4. As you can see, there is no information about key size or OID of cipher. Only one way to detect number of key bits exists - key file size. If you need to generate ECC key on card, key file size in bytes must match key length in bits.

APDU returns public key in format: 0x86 - TAG 0xXX - LEN (or 0x81, LEN for 521 bit key) 0x04 - uncompressed indicator 0xXX .. 0xXX - X coordinate of public key 0xXX .. 0xXX - Y coordinate of public key

It is surprising that MyEID does not use for example OID of curve in the DATA section to specify the key absolutely precisely. OsEID may in future use proprietary APDU thats allows to specify OID of curve in data field, but if OpenSC does not support this information, this feature is for now not interesting.

Files and directories on card are protected by access flags. If file operation is protected by access flag, access flag can deny or allow operation on file.

PIN create is allowed only before using ACTIVATE APPLET command.

(CASE 3S)

This command activates card security mechanism of card, all access conditions become active.

Difference to MyEID: MyEID needs applet [AID] in Data field, P1 must be set to 4 and P2 to 0. Applet AID must be set to A000000063504B43532D3135. MyEID card allow activation only if PIN corresponding to MF recreation access condition is already initialized, otherwise card return SW1,2 = 0x6985 (Conditions not satisfied). OsEID always allow activation. If PIN that allow recreation of MF is not initialized, there is no possibility to erase the activated card (only way for reuse activated card is reprogramming card CPU).

(CASE 3S)

P1 structure: X1h - set security environment X2h - store security environment X3h - restore security environment X4h - erase security environment

Any other value RFU (ISO7816-4, Table 78)

P2 value is used to determine Control Reference Template in data field.

Any other value RFU (ISO7816-4, Table 79)

OsEID allow only limited set of P1/P2 values:

If P2 != 0 there is Lc != 0, LE = 0 and corresponding template must be filled in data field.

Data field represents concatenated Tag Len Value objects.

OsEID supports only small set of algorithm reference

For LEN = 10, OID of cryptographics mechanism in data field (not supported in OsEID)

ID is used to select the file which contains the key for the next security operation. This file is selected by same way as SELECT operation with P1 = 2 (DF can not be selected here). If file is not selectable, operation return Conditions not satisfied return code (0x6985). This operation does not affect current selected file selected by previous SELECT command.

Any other length is not supported by OsEID (More about referencing in ISO7816-4, 5.3.1.2)

Tag 83h is for key file with symmetric key, 84h for file with asymmetric key. Not used, must not be present. Reference for key in keyfile. If present, only value 0 is correct.

TAG 83h or 84, LEN 2 Tag 83h is used here for ID of target file for UNWRAP operation. File is searched in same way as for tag 0x81.

From ISO 7816-4 terminology for 0x83/0x84 tag: 0x83: reference for a secret key (direct use), or reference of a public key or qualifier of reference data 0x84: reference for computing a session key or reference of a private key

Set initialization vector. Must not be present. If not present, then initialization vector is undefined. Length from 1 to 16 bytes.

In future, for length = 0, previous IV +1 is to be used. Beware, OsEID functions with symmetric keys is still experimental.

Minimal template must have tag 0x80 and tag 0x81.

(CASE 2S WRAP operation) (CASE 3S UNWRAP operation) (CASE 4S/E encipher, decipher, sign)

Before security operation correct security environment must be set. Access condition must allow use of selected key file.

Command uses key file defined by SET SECURITY ENVIRONMENT command. Actually selected file by SELECT command is not affected by this operation.

More types of security operations exists:

MyEID as described in reference manual 2.1.4 does not support RSA 2048 raw sign operation, but this operation is identical to raw decipher operation. Please use OpenSC version from git, there is already fix that allows raw 2048 bit signature. https://github.com/OpenSC/OpenSC/commit/deab9cce73377f973d2020ab5ab7adc302018bf6 OpenSC 0.18.0 already contain this patch.

APDU chaining is available in OsEID card, for 2048 raw signature this transport is preferred. (MyEID from version 4.5.X allow use of APDU chaining too).

+ Alternatives not supported by OsEID:

+ Alternatives not supported by OsEID:

APDU chaining is available in OsEID card, for 2048 decipher operation this transport is preferred. (MyEID from version 4.5.X allow use of APDU chaining too).

+ Alternatives not supported by OsEID:

Rest of commands are not supported by OsEID:

(CASE 4S)

This command is used to provide ECDH operation. Before calling this command, correct security environment must be set and key file must be selected.

Lc - correspond to length of data field Data - peer public key in format: 0x7c, Lc-2 0x85 Lc-4 0x04 point_data Here: 0x7c is Dynamic Authentication Template tag 0x85 public key in data field 0x04 uncompressed key indicator

In addition to tag 0x85 tag 0x80 (Witness tag) is allowed with an arbitrary length. This tag is ignored for now.

Card returns shared secret derived from private key in selected file and public key provided in APDU. Technically, this operation does a point multiplication and X coordinate of calculated point is returned.

For more info, please read OsEID-tool - ECDH operation.

(CASE 2S)

Le - number of requested random data (1..255)

Card return 1..255 bytes of random data.

Please read appendix Random generator implementation about random number generator.

Return values: - 0x9000 - All OK - 0x6f00 - if number of requested bytes is zero.

Note: In future here comes more P1/P2 values, thats allow us to authenticate by challenge/response. There is consideration about requested number of random data bytes, for Le=0, 256 bytes of random data may be returned.

*PUT DATA/INITIALIZE PIV EMULATION - 00 DA 01 50 14 [data] not supported by OsEID /planed in future release

(RSA speed tested on decrypt operation, time is difference between transmit ciphertext and receive decrypted data. The time may vary depending on the USB host.)

Drawback are similar to OsEID card. But one significant drawback should be pointed up:

1x ATMEL ATXMEGA128A4U-AU - microcontroller https://www.tme.eu/en/details/atxmega128a4u-au/8-bit-avr-family/microchip-atmel/

1x NXP PRTR5V0U2X.215 - ESD protection https://www.tme.eu/en/details/prtr5v0u2x.215/transil-diodes-arrays/nexperia/

1x MCP1700T3302E/TT LTO 3.3V - LDO stabilizer (quiescent current 1.6uA package SOT23) https://www.tme.eu/en/details/mcp1700t3302ett/ldo-unregulated-voltage-regulators/microchip-technology/mcp1700t-3302ett/

1x DL1206-4.7 4.7H - inductor package 1206 0.9ohm 50mA https://www.tme.eu/en/details/dl1206-4.7/smd-1206-inductors/ferrocore/dl1206-4r7/

1x DS1097-BN0 - USB connector https://www.tme.eu/en/details/usba-lp/usb-ieee1394-connectors/connfly/ds1097-bn0/

4x SMD capacitors in 1206 package (values from schematics) 4x SMD resistors in 1206 package (values from schematics) 2x SMD LED in 1206 package (red/green or red/blue)

1x Optional button OMRON B3U-3100PM https://www.tme.eu/en/details/b3u-3100pm/microswitches-tact/omron/

P2 connector is realized only by pads on PCB. Connector is used to program xmega by PDI programmer. Needle spring probe is used to connect programmer to P2 connector.

You need programmer that support PDI programming. One open source/open hardware can be found at:

https://www.olimex.com/Products/AVR/Programmers/AVR-ISP-MK2/open-source-hardware

To connect programmer to token, you need connector with spring needles (contacts pitch 2mm). Create a reduction from this connector to your PDI programmer. Use schematics of token and pin description of your programmer, to get correct connection. (P2 connector: 1st PIN to CPU is PDI, then RESET, + and GND). Make sure that programmer is set up to power device with 3.3V!

Example for avrdude and avrispmkII programmer:

Compiling is similar to ATmega128 version:

Overclocking is not recommended, but if someone need this, there is a simple way to do this. CPU clock is defined in file targets/xmega128a4u/avr_os.c

Overwrite multiplication factor (32 / 2) to requested value (for example (48 / 2)). Recompile and program your token.

There is lot of information about XMEGA overclocking on internet. Some people run XMEGA over 50MHz and more without any problems. Some other people report problems with EEPROM on overclocked XMEGAs. If your XMEGA burns, this is your problem. Please, read again disclaimer section in this manual.

There exists two version of PCB, one for classical photographic method and etching in ferric chloride and second version for CNC routing. You can found OsEID_token.ngc file in download section. This file is designed for linuxcnc http://linuxcnc.org. Please read this file, adjust feed rate, check safe Z position, tune spindle commands, tool number etc. Dimensions in file are given in mm, make sure your machine uses metric, not imperial units. Use 0.3 up to 0.5mm milling tool. PCB is positioned at Z=-1, Z=1 is used for traverse. Run your machine without tool first!

AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGE OF YOUR MACHINE, TOOL OR ANY ANOTHER EQUIPMENTS. USE AT YOUR OWN RISK ONLY!

There is a plan for dual side PCB, with SD card reader. Development of this model is frozen for now.

These operations are relatively simple, but to achieve desired speed, operations are partially unrolled. In one unrolled step 32 or 64 bit of operands are processed.

AVR multiplication is based on karatsuba multiplication. It uses modified open source (public domain) implementation from Michael Hutter and Peter Schwabe [AVR_KARATSUBA]. 256 bit multiplication code is fully revised to enable run in interrupt safe way (stack pointer change is protected by CLI instruction.) Code is faster, original code took 4797 clock cycles (in branched version), new code is about 6% faster and about 7% smaller. Similar changes are made in 192 bit multiplication.

The 128 bit multiplication is used only for 512 bit RSA. Because 512 bit key is not safe today, it makes no sense to waste lot of flash for this multiplication. Here simple looped code is used and this code is able to calculate truncated multiplication (low part of result) too. Another 128 bit multiplication (karatsuba based) is integrated inside truncated 256 bit multiplication.

X - inclusive function call overhead (respect standard AVR ABI)

192 and 256 bit squaring was written from scratch, it uses similar method as described in [AVR_SQUARING]. Code is designed as non branched. Squaring code is interrupt safe too.

X - inclusive function call overhead (respect standard AVR ABI)

[AVR_SQUARING] is running in 1966/3253 clock cycles for 192/256 bit squaring.

Modular multiplicative inversion is based on left shift, similar to [Lorencz] or more similar to [Hars] shifting Euclidean algorithm. AVR microcontroller shift/rotate instruction allow us to rotate 8 bit value only by one bit in one instruction cycle. Original Hars algorithm is not usable without modifications (very slow repetitive rotations of V/S by f). The goal is to minimize the number of rotations.

In each step of algorithm U and V is aligned (by left rotations) on highest non zero bit, then this bit is eliminated by subtraction. R and S are kept updated similar to U and V. This step is repeating, but align is done by right rotation, until bit size of U is bigger that bit size of V. If this is not true, U and V (R and S) are swapped, and all rotations are returned back (right). This procedure is repeating until bit size of U is zero or one (no inversion exists or inversion found).

The U and V are represented as unsigned number, but there are helper variables sU and sV for storing the signs of U and V. R and S variables are signed (in range +- 1/2 of modulus). Final sign is determived from R sign and U sign.

C and AVR ASM version is available, but ASM version is not faster. Implementation allows us to calculate inversion for even modulus too (this is needed for calculation of CRT components). Code is designed to be small, the speed of the algorithm is not significant. (In versions before 20171231, right shift binary Euclidean algorithm was used, but this doesn’t allows us to calculate CRT components because modulus is always even number. This code is smaller as new code but is slower too.)

EC calculation uses projective coordinates. Lot of code is inspired by NIST [NIST_ECC] and [OPENCRYPTOTOKEN] EC point doubling is optimized for NIST curves and for secp256k1 curve. EC point multiplication is designed as constant time, with multiplication window of 4 bits. Point multiplication is blinded. For each supported curve, a separate fast reduction algorithm is used. The secp521r1 curve is supported only on devices with 8KB RAM and more (AVR128DA, xmega128A4U). Firmware for atmega128 microcontroller can be recompiled with two bits multiplication window, then secp521r1 is running on this device.

In the next table, there is RSA calculation timing in clock cycles (normal RSA / precalculated constants for modulo and P^-1 mod R and Q^-1 mod R in key file), interrupt always enabled. Exponentiation window is not optimal to any key size - optimal window for key size 512/768 is 4 bits, not 5, but code uses fixed size defined at compilation time (based on RAM size of device) for all key sizes. Because 512/768 bit key is not safe today, it makes no sense to optimize 512/768 bit calculation for window size 5 bits.

To reach this, lot of assembler routines are used, especially Montgomery algo and function like mul256 mod 2²⁵⁶ (truncated multiplication). To get best possible performance, the 384, 512, 768 and 1024 bit squaring and multiplication are unrolled as possible, with respect to flash memory size in AVR.

Code size: about 20 000 lines in AVR assembler, about 10000 lines in C. AVR flash in ATmega128 is occupied by ~ 63kB code, 64Kb is used as data space for card filesystem. RAM is almost full, there is approximately 80 bytes free in atmnega128 (4kB RAM space).

OsEID implements several protections to generally known attacks to RSA cryptosystem. There exists several types of side channel attacks:

Briefly, all implemented curves are not secure enough, more info at [SAFECURVES]. Apart from this information, implemented elliptic curves are widely used on the Internet. If you have any doubts about the safety of NIST curves, please search internet about rigidity of NIST curves. Some information can be found here: [NIST_RIGGED]

To prevent SPA, EC calculation is running in constant time (but not perfect constant time, for example, modular multiplicative inversion run time depends on input numbers). OsEID implementation also uses blinding in point multiplication. Random 32 bit value is used to blind private key in point multiplication. SPA attack is not very effective. Still DPA/IPA can be used to extract some of sensitive information from other functions. It is, however, much more problematic as the attack on not blinded point multiplication.

Card firmware implementation may also have some security bugs. You have been warned.

(Do you know about these shortcomings in the world of commercial cards?)

Card is automatically detected. No patch is needed. If you need support for secp256k1, please read about experimental support for secp256k1 below.

OpenSC 0.17, 0.18 and 0.19 can detect all features of OsEID except of support for secp256k1. To use myeid driver for OsEID card you need to configure OpenSC package only. Please insert OsEID ATR into opensc.conf file.

Speed measurement is only approximate, speed depend on card reader, 3.8MHz reader was used. USB utilization also have an impact on speed tests.

Note: OsEID card uses T0 protocol, MyEID and OsEID token use T1 protocol.

Code is modified, does not use standard permutations as described by DES original (NIST) description.

Message expansion (E), Permuted choice 1 (PC-1) and Permuted choice 2 (PC-2) are merged into one 56 bit long message expansion. This expanded message is directly XORed by plain key. S-box addresses are selected from result of XOR operation by table. S-boxes are merged to one table (256 bytes).

Initial and inverse initial permutation is done by procedures. Key expansion is in procedure too. Only the permutation (P) is unchanged.

Code is really small, 800 bytes for DES or 828 bytes if 3DES is needed. Speed about 50 000 clock cycles for DES decipher or encipher.

More informations can be found in C and ASM sources.

AES supports key sizes 128/192/256 bits. AES code is extra small, below 600 bytes. S-BOX is calculated into RAM. About 800 bytes of RAM is needed (for S-box, inverse S-box and expanded key). Code is compact, does not use context and therefore the S-box must be calculated repeatedly for every run of AES. Speed is sufficient, about 40 000 clock cycles for one AES encipher or decipher with 256 bit key.

Insert path to pkcs11 library into .ssh/config file:

PKCS11Provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

Insert path to pkcs11 library into openvpn config file:

pkcs11-providers /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

Determine serialized ID of your card/token:

openvpn --show-pkcs11-ids /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so

Copy Serialized id from previous command output, and insert this into your openvpn config file:

pkcs11-id ' --- here serialized id — '

If you use RSA key, you can hit a error:

2020-10-12 16:41:13 us=348869 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib 2020-10-12 16:41:13 us=348892 TLS_ERROR: BIO read tls_read_plaintext error 2020-10-12 16:41:13 us=348907 TLS Error: TLS object → incoming plaintext read error 2020-10-12 16:41:13 us=348921 TLS Error: TLS handshake failed 2020-10-12 16:41:13 us=349019 Fatal TLS error (check_tls_errors_co), restarting

In this case please upgrade: openvpn to version 2.5-rc2 libpkcs11-helper1 to version 1.26

secured directory /var/www/html/SSL_AUTH_TEST/

insert into /etc/apache2/sites-available/default-ssl.conf

Do not use TLSv1.3 here, firefox/chromium fails here with message: "Cannot perform Post-Handshake Authentication."

This appendix is only partial, please read on internet for example:

http://cedric.dufour.name/blah/IT/SmartCardsHowto.html