OpenPGP card v2.1 and Cherry ST-2000U - Only 1024-bit keys are possible

NIIBE Yutaka gniibe at fsij.org
Fri Sep 11 03:11:54 CEST 2015


Hello,

On 09/10/2015 11:23 PM, Guan Xin wrote:
> I'm new to gpg. Just got a Cherry ST-2000U and OpenPGP card v2.1.
> I can generate 1024-bit keys with the "generate" command of gpg2.
> However, generation of 2048 or 4096-bit keys never succeed. The errors are:
[...]
> scdaemon[10116]: please wait while key is being generated ...
> scdaemon[10116]: ccid_transceive failed: (0x1000a)
> scdaemon[10116]: apdu_send_simple(0) failed: card I/O error
> scdaemon[10116]: generating key failed
> gpg: key generation failed: Card error
> Key generation failed: Card error
> 
> Software versions:
> gpg (GnuPG) 2.0.29
> libgcrypt 1.5.3
> 
> Any help/hint is appreciated. Thanks in advance!

I think that you are using some Unix Operating System.  Could you try
to use PC/SC service, by installing pcscd (and libccid)?  If it works,
I think that it's the issue of timeout management of internal CCID of
GnuPG.


I'm afraid there is some firmware issue with the card reader.  Or, it's
because of bad interaction between scdaemon and the card reader.

While most commands and their responses are finished in a second or
so, key generation takes much time (like several minutes, if key size
is larger).

There is a protocol defined in CCID (host <-> reader) and card <-> reader
to extend the timeout.  The interaction is like the following.

Usually, it's just like:

    Host           Reader         Card

        command ->
                         command->
                                   [some processing done by card]
                         <-response
        <-response

If it takes much time, it goes like:

    Host           Reader         Card

        command ->
                         command->
                                   [some processing done by card]
                         <-"please wait"
        <-"please wait"
        [...]
                         <-"please wait"
        <-"please wait"
                         <-response
        <-response

Host or Reader should not give up while it sees "please wait" message.
Here, there is a possibility that Host or Reader gives up earlier than
the receipt of "please wait" message.  If it's Host side, we can
change the timeout value of internal CCID of GnuPG.


Your testing with pcscd will be much appreciated.  Thanks in advance.
-- 

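The host <-> reader leg of the exchange above, as an added example that is not part of the mail, of GnuPG's internal CCID driver, or of any reader firmware. On the bulk-in pipe the "please wait" message is a CCID RDR_to_PC_DataBlock whose bStatus has bmCommandStatus = 2 (time extension requested) and whose bError carries the multiplier of the block waiting time; the card <-> reader leg uses a T=1 WTX S-block or a T=0 NULL procedure byte for the same purpose and is not modelled here. The frames, the wait times (in BWT units), the sequence number 7 and the "honor_timext" switch are constructed for the illustration; the switch contrasts a host that extends its deadline on every "please wait" with one that keeps a fixed budget and therefore gives up early, which surfaces as a card I/O error.

```c
/* Simulated CCID host loop for the "please wait" (time extension) case.
 * Added illustration, not GnuPG's or any reader's code.  Frame layout
 * follows the CCID rev 1.1 RDR_to_PC_DataBlock header; the frames and
 * wait times below are constructed for the example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CCID_HDR_LEN        10     /* bMessageType, dwLength, bSlot, bSeq, bStatus, bError, bChainParameter */
#define RDR_TO_PC_DATABLOCK 0x80
#define CMD_STATUS_MASK     0xC0   /* bStatus bits 7..6: bmCommandStatus */
#define CMD_STATUS_OK       (0 << 6)
#define CMD_STATUS_FAILED   (1 << 6)
#define CMD_STATUS_TIMEXT   (2 << 6) /* time extension requested; bError = BWT multiplier */

/* One bulk-in message from the (simulated) reader and how long, in
 * block waiting time (BWT) units, the host waited before it arrived. */
struct reader_msg {
    unsigned wait;
    size_t   len;
    uint8_t  bytes[CCID_HDR_LEN + 8];
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Validate a bulk-in frame against the expected sequence number.
 * Returns the bmCommandStatus bits, or -1 for a malformed or stale frame. */
int ccid_classify(const uint8_t *msg, size_t len, uint8_t seq,
                  const uint8_t **data, size_t *dlen, unsigned *mult)
{
    if (len < CCID_HDR_LEN || msg[0] != RDR_TO_PC_DATABLOCK) return -1;
    if (rd_le32(msg + 1) != len - CCID_HDR_LEN) return -1;   /* dwLength must match */
    if (msg[6] != seq) return -1;            /* answer to an earlier command: ignore */
    int st = msg[7] & CMD_STATUS_MASK;
    *mult = (st == CMD_STATUS_TIMEXT && msg[8]) ? msg[8] : 1;
    *data = msg + CCID_HDR_LEN;
    *dlen = len - CCID_HDR_LEN;
    return st;
}

/* Host side of one command.  bwt is the initial wait budget; each honoured
 * time-extension frame grants another mult * bwt from the moment it arrived.
 * honor_timext == 0 models a host whose budget is fixed, i.e. the host that
 * "gives up early".  Returns 0 with the card's response, -1 when the host
 * gives up (what scdaemon reports as a card I/O error), -2 on reader failure. */
int host_transceive(const struct reader_msg *in, size_t n, uint8_t seq,
                    unsigned bwt, int honor_timext, uint8_t *resp, size_t *resplen)
{
    unsigned elapsed = 0, deadline = bwt;
    for (size_t i = 0; i < n; i++) {
        elapsed += in[i].wait;
        if (elapsed > deadline) return -1;
        const uint8_t *d; size_t dl; unsigned mult;
        int st = ccid_classify(in[i].bytes, in[i].len, seq, &d, &dl, &mult);
        if (st < 0) continue;
        if (st == CMD_STATUS_TIMEXT) {
            if (honor_timext) deadline = elapsed + mult * bwt;  /* keep waiting */
            continue;
        }
        if (st == CMD_STATUS_FAILED) return -2;
        memcpy(resp, d, dl);
        *resplen = dl;
        return 0;
    }
    return -1;                               /* reader went silent */
}

/* Build one constructed RDR_to_PC_DataBlock frame (payload < 256 bytes). */
static void build_frame(struct reader_msg *m, unsigned wait, uint8_t seq,
                        uint8_t status, uint8_t berr, const uint8_t *payload, size_t plen)
{
    memset(m, 0, sizeof *m);
    m->wait = wait;
    m->len = CCID_HDR_LEN + plen;
    m->bytes[0] = RDR_TO_PC_DATABLOCK;
    m->bytes[1] = (uint8_t)plen;             /* dwLength, little endian */
    m->bytes[6] = seq;                       /* bSeq echoes the host's XfrBlock */
    m->bytes[7] = status;                    /* bStatus */
    m->bytes[8] = berr;                      /* bError, or multiplier for TIMEXT */
    if (plen) memcpy(m->bytes + CCID_HDR_LEN, payload, plen);
}

/* Constructed slow command (think GENERATE ASYMMETRIC KEY PAIR): two
 * "please wait" frames, then the answer with status word 90 00.
 * Returns the host_transceive result; *sw receives the status word on success. */
int run_keygen_exchange(int honor_timext, uint16_t *sw)
{
    static const uint8_t sw_ok[2] = { 0x90, 0x00 };
    struct reader_msg frames[3];
    build_frame(&frames[0], 8,  7, CMD_STATUS_TIMEXT, 1, NULL, 0);  /* wait, 1 x BWT more */
    build_frame(&frames[1], 8,  7, CMD_STATUS_TIMEXT, 2, NULL, 0);  /* wait, 2 x BWT more */
    build_frame(&frames[2], 15, 7, CMD_STATUS_OK, 0, sw_ok, 2);     /* key generated */
    uint8_t resp[8]; size_t rlen = 0;
    int rc = host_transceive(frames, 3, 7, 10, honor_timext, resp, &rlen);
    if (rc == 0 && rlen == 2) *sw = (uint16_t)(resp[0] << 8 | resp[1]);
    return rc;
}

int main(void)
{
    uint16_t sw = 0;
    printf("honouring time extension: rc=%d sw=%04X\n", run_keygen_exchange(1, &sw), sw);
    printf("fixed timeout:            rc=%d\n", run_keygen_exchange(0, &sw));
    return 0;
}
```

With the same three frames, the host that honours the extension gets 90 00 back; the host with a fixed budget returns -1 on the second frame, which is the shape of the "ccid_transceive failed ... card I/O error" sequence above. Whether the reader itself forwards the card's WTX requests as time-extension frames is a firmware question this simulation cannot answer; that is what the pcscd test is for.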


More information about the Gnupg-users mailing list