exclusive vs. shared smart card access

Jacob Appelbaum jacob at appelbaum.net
Mon Aug 31 18:20:14 CEST 2015

Dear Jan,

On 8/31/15, Jan Suhr <jan at nitrokey.com> wrote:
> Dear Jacob,
> Am 29.08.2015 15:12, schrieb Jacob Appelbaum:
>> Dear Jan,
>> On 8/28/15, Jan Suhr <jan at nitrokey.com> wrote:
>>> Hi Niibe and who it may concern!
>>> This issue has been discussed previously but since Werner seems to be
>>> positive about it now, I will give it another try:
>>> GnuPG uses an exclusive mode when accessing OpenPGP Cards. This
>>> prevents, or at least makes it complicated, to use OpenPGP Cards with
>>> GPG and other applications on the same system. In fact it is a
>>> repeating
>>> problem Nitrokey users are reporting. To my knowledge most other
>>> software (e.g. OpenSC, PKCS#11 drivers) use shared access rather than
>>> exclusive access. It seems to be best practice.
>>> We tested GPG in shared mode for several weeks and couldn't find any
>>> issue. Also the performance seems to be identical. Hence I would like
>>> to
>>> request changing smart card access to shared mode.
>>> The necessary modification is simple: Change the third parameter of
>>> pcsc_connect() from PCSC_SHARE_EXCLUSIVE to PCSC_SHARE_SHARED at:
>>>     GPG 1.4: Once in g10/apdu.c
>>>     GPG 2.0: Once in scd/apdu.c and twice in scd/pcsc-wrapper.c
>>>     GPG 2.1: Once in scd/apdu.c
>> What are the security considerations of this change? Would this allow
>> one application to auth to the card and another application to perform
>> operations, for example? If not, has anyone confirmed that?
> This would probably be possible. However, a malicious application would
> be able to phish the PIN by presenting a fake PIN entry dialog and do
> all sorts of bad things with the smart card, nomatter if shared or
> exclusive mode. Such applications shouldn't get access to the smart card
> in the first place. I think we will end up with better security for the
> user by reducing usability obstacles and making smart card usage a
> pleasant user experience.

It sounds like there is a problem with the authentication protocol for
the card, doesn't it?

If it is indeed possible to have one application authenticate while
another application uses the card as an oracle, I'd be worried about
enabling such a mode. It is true that people can present a false
dialog box but it is another thing entirely if they simply need to
wait and will win every time.

> Again, shared access is best practice for all other smart card
> frameworks I'm aware of.

I feel like I must not understand something or something is very wrong
with the best practices. Sorry if I'm not understanding correctly...

All the best,

More information about the Gnupg-devel mailing list