
My hardware security token stopped working

2020-06-06

I bought a cheap security token some time ago. Since then, I've been using it and even did some project specifically for it.

A few days ago, my token stopped working on my home Windows installation. It was still working fine on my work PC.

Screenshot of the error message: "The smart card cannot perform the requested operation or the operation requires a different smart card."

Coincidentally, I had switched to a Windows Insider build in the same period. The new FIDO2-compliant successor of my token (Feitian ePass FIDO NFC) had also been released, so all in all, I first thought a driver update might be responsible.

I tried to block Windows Update from auto-installing drivers and reset a lot of things, but to no avail.

I was actually trying to see if I could switch my KeePass plugin to PKCS11 to use the token (spoiler: no. The OpenSC PKCS11 driver—the only one I found for this token—does not support encryption ☹) when I found the cause of the malfunction, and managed to fix it.

The cause

The driver for GIDS smart cards is integrated in Windows. My understanding is that Windows uses a minidriver system in this case, where each vendor only implements a few functions that plug into the main driver.

All these minidrivers are registered in the Windows registry under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards key.

I still haven't figured out what exactly, but something related to my token got messed up in there, and I suspect Windows wasn't using the correct minidriver anymore (or it got misconfigured).

Fixing it

It turns out, the fix is relatively simple: delete the key related to the token!

I strongly advise you to make a backup before doing that, in case it breaks things even more, but in my case, it worked like a charm! 🙂

For completeness, and in case it can help someone figure out what was wrong with it, here is the key I exported before deleting it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\ePass FIDO NFC]
@=""
"ATR"=hex:3b,f9,13,00,00,81,31,fe,45,4a,43,4f,50,32,34,32,52,33,a2
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
"80000001"="eps_piv_csp11.dll"
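
As an added example (not from the original post), the PowerShell below lists every entry under that key whose ATR and ATRMask match the token, shows which minidriver DLL each one points to, backs up the key, and previews the deletion. The variable and function names and the backup path are assumptions, and the matching rule is the one given in Microsoft's SCardIntroduceCardType documentation.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell.
# Constructed input: the ATR below is the one in the export above; use your own card's.
$CardAtr = '3b,f9,13,00,00,81,31,fe,45,4a,43,4f,50,32,34,32,52,33,a2'
$Root    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'
$Backup  = Join-Path $env:USERPROFILE 'Calais-SmartCards-backup.reg'  # assumed location

[byte[]]$card = $CardAtr -split ',' | ForEach-Object { [Convert]::ToByte($_, 16) }

function Test-AtrMatch([byte[]]$Card, [byte[]]$Atr, [byte[]]$Mask) {
    # Documented rule: (card ATR AND mask) must equal the registered ATR, byte by byte.
    if ($null -eq $Atr -or $Atr.Length -ne $Card.Length) { return $false }
    # No mask registered: treat it as all ones, i.e. an exact match is required.
    if ($null -eq $Mask -or $Mask.Length -eq 0) { $Mask = [byte[]](@(0xFF) * $Atr.Length) }
    if ($Mask.Length -ne $Atr.Length) { return $false }
    for ($i = 0; $i -lt $Atr.Length; $i++) {
        if (($Card[$i] -band $Mask[$i]) -ne $Atr[$i]) { return $false }
    }
    return $true
}

# Collect every registration that would claim this card, with the DLL it loads.
$hits = @(Get-ChildItem -LiteralPath $Root | Where-Object {
    Test-AtrMatch $card ($_.GetValue('ATR') -as [byte[]]) ($_.GetValue('ATRMask') -as [byte[]])
} | ForEach-Object {
    [pscustomobject]@{
        Entry      = $_.PSChildName
        Minidriver = $_.GetValue('80000001')
        KSP        = $_.GetValue('Smart Card Key Storage Provider')
        PSPath     = $_.PSPath
    }
})

$hits | Format-Table Entry, Minidriver, KSP -AutoSize
if ($hits.Count -gt 1) { Write-Warning 'More than one registration matches this ATR.' }

# Back up the whole SmartCards key before changing anything, as the post advises.
& reg.exe export ($Root -replace '^HKLM:', 'HKLM') $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Backup failed; nothing was deleted.' }

# Preview the deletion; remove -WhatIf only after checking the backup file.
$hits | ForEach-Object { Remove-Item -LiteralPath $_.PSPath -Recurse -WhatIf }
```

The backup file can be re-imported with `reg.exe import` if removing the entry makes things worse.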
