Aw: Re: Re: SmartCard v2.1 : factory reset fails

NIIBE Yutaka gniibe at fsij.org
Fri Feb 17 01:00:00 CET 2017


Hello,

Thanks a lot for your detailed report, in a style which I can replicate.

I'm afraid you are facing the same issue that I encountered in 2011.

CHANGE REFERENCE DATA (OpenPGP card specification 2.0):
https://www.gniibe.org/log/bugreport/gnupg/openpgp-card-spec-2.0-chenge-reference-data.html

IIUC, this protocol is due to smartcard practice and standard.  I had
asked Achim (the author of the OpenPGP card specification) if this could be
changed.  No positive answer, but I think that the problem is clear
enough.

Fib Moro <fibmoro at gmx.de> wrote:
> It then asks me to "Please enter the Admin PIN".
> Now, in the belief that *123456789* was the correct default Admin PIN value,
> I would enter this *wrong* value.
> I am then prompted to enter "New Admin PIN" value and confirm that. 
> Let's say I use the value *smartcardrocks*.
> My change is then confirmed with;
>
> >>>>>>>>>>>>>
> PIN changed.
> <<<<<<<<<<<<<

Yes.  Now, the new Admin PIN is *9smartcardrocks*.

> I would now be in the belief that *smartcardrocks* is the new correct Admin
> PIN.

I understand your expectation.  It was exactly the same as mine.  But the new
Admin PIN is *9smartcardrocks*, which is totally confusing.

> However, any subsequent command that would require the Admin PIN would fail
> (e.g. moving keys to card, setting reset code, changing admin pin).

Naturally.

> For example, when I try to set a new reset code I am asked to enter the Admin
> PIN. 
> I enter *smartcardrocks* I get "Error setting the Reset Code: Bad PIN".
> I enter *12345678* I also get "Error setting the Reset Code: Bad PIN".
>
> It seems the Admin PIN is then broken and set to an "unknown" value.
>
> Can you replicate the above described behavior?

Yes.  The bug (from my point of view) is still there.


No, I don't have any intention of keeping this problem forever.  I am currently
considering a KDF generation scheme on the host side.  I'm going to send my
proposal to Achim.  In this new scheme, the length of the string for the PIN is
fixed.  Then this problem will no longer be valid.  That's my
development now.
-- 
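The behaviour discussed in this message, replayed as an added example (not code from the post, Gnuk or GnuPG): a toy card-side model of CHANGE REFERENCE DATA, where the data field is the old PIN followed directly by the new PIN, next to a fixed-length variant. The class names, the PBKDF2 stand-in for the host-side KDF, the salt and the 8-character minimum are assumptions made for illustration.

```python
import hashlib
import hmac

class ConcatPinSlot:
    """Toy card-side PIN slot (hypothetical, not Gnuk or GnuPG code)."""
    def __init__(self, pin: bytes, min_len: int = 8):
        self.pin, self.min_len = pin, min_len

    def change_reference_data(self, data: bytes) -> bool:
        # Data field is old PIN || new PIN with no delimiter or length field,
        # so the only split point the card knows is len(stored PIN).
        n = len(self.pin)
        old, new = data[:n], data[n:]
        if not hmac.compare_digest(old, self.pin) or len(new) < self.min_len:
            return False
        self.pin = new
        return True

SALT = b"constructed-salt"  # constructed value for this example

def host_kdf(pin: str) -> bytes:
    # Stand-in KDF (assumption): any host-side KDF with fixed-size output.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 10_000)

class FixedLenPinSlot:
    """Same slot, but every PIN string the card sees is exactly LEN bytes."""
    LEN = 32

    def __init__(self, derived: bytes):
        self.ref = derived

    def change_reference_data(self, data: bytes) -> bool:
        if len(data) != 2 * self.LEN:
            return False
        old, new = data[:self.LEN], data[self.LEN:]
        if not hmac.compare_digest(old, self.ref):
            return False  # a wrong old PIN can no longer bleed into the new one
        self.ref = new
        return True

def replay_report():
    card = ConcatPinSlot(b"12345678")  # factory default Admin PIN
    ok = card.change_reference_data(b"123456789" + b"smartcardrocks")
    return ok, card.pin

def replay_with_kdf():
    card = FixedLenPinSlot(host_kdf("12345678"))
    ok = card.change_reference_data(host_kdf("123456789") + host_kdf("smartcardrocks"))
    return ok, card.ref == host_kdf("12345678")
```

In the first replay the card accepts the change because the first eight bytes match the stored PIN, and the stray `9` becomes part of the new PIN; in the second the mistyped old PIN is rejected and the stored value is unchanged.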


