CCID (PC/SC) over TCP

Overview

SpringCard USB-enabled devices running in PC/SC Mode implement the USB CCID specification. For convenience and efficiency, most SpringCard non-USB couplers also implement the CCID protocol on top of whatever communication interface they feature. This is known as “PC/SC-like” operation.

This chapter details the implementation of CCID over the network interface of a SpringCore device, using a TCP channel.

CCID protocol over TCP

Every message starts with the Endpoint number (copied from the USB endpoint addresses), followed by the CCID header and the payload. Since TCP is a byte stream with no message boundaries, the receiver must use the length field of the header to delimit one message from the next.

Warning: Because of fragmentation and reassembly introduced by the underlying communication layers, a single TCP segment may carry multiple messages, just as a single message may be split across multiple TCP segments. A client implementation must take this into account in order to correctly reconstruct and process the CCID messages.

Byte   Name           Description
0      Endpoint       See the table of Endpoint values below
1-10   CCID header    Always present
11-N   CCID payload   Absent if no payload (length = 0)

Values for the Endpoint byte

Value  Endpoint     Purpose                                               Protocol
00     ControlOut   Control endpoint, PC to RDR                           See Non-USB Control
80     ControlIn    Control endpoint, RDR to PC                           See Non-USB Control
02     BulkOut      PC to RDR commands                                    CCID_PC_To_RDR, see CCID protocol
81     BulkIn       RDR to PC responses                                   CCID_RDR_To_PC, see CCID protocol
83     InterruptIn  RDR to PC notification of card(s) insertion/removal   CCID_Interrupts, see CCID protocol

Format of the CCID header

For the BulkOut and BulkIn endpoints, the header format conforms to the CCID specification. The other endpoints reuse exactly the same structure, even though the CCID specification does not define them (so, strictly speaking, those messages are not CCID-conformant).

Byte   Name               Description
1      Message type       Command or response opcode; see the tables in the CCID protocol chapter.
2-5    Length of payload  DWORD, LSB-first
6-10   Parameters         BulkOut/BulkIn endpoints: slot number and sequence number, followed by 3 bytes of context-specific parameters or error/status.
                          Other endpoints: free

Supported length

  • The shortest messages are 11 bytes long (length = 0, no payload),
  • BulkOut/BulkIn endpoints support 64kB of payload, i.e. messages up to 65547 bytes (max length is 00010000 in hex),
  • Other endpoints are limited to 256B of payload, i.e. messages up to 267 bytes (max length is 00000100 in hex).
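The following Python reassembler, added here as an illustration and not part of SpringCard's own SDK, puts the framing rules above (endpoint byte, 10-byte CCID header, LSB-first length) and the per-endpoint length limits together. It buffers incoming TCP data so that a segment carrying one and a half messages, or a message spread over several segments, is handled correctly, and it rejects a header whose announced length exceeds the limit for its endpoint before allocating anything, so a faulty or hostile peer cannot make the client buffer gigabytes. The message type opcodes used in the demo (0x6F, 0x80, 0x50) are the standard USB CCID values for PC_to_RDR_XfrBlock, RDR_to_PC_DataBlock and RDR_to_PC_NotifySlotChange; they are not listed on this page. All sample messages are constructed.

```python
"""Stream reassembler for SpringCard CCID-over-TCP framing (added example).

Frame layout (offsets within one message, from the tables on this page):
  0      endpoint byte (00, 80, 02, 81, 83)
  1      CCID message type
  2-5    payload length, DWORD LSB-first
  6-10   parameters (slot, seq, 3 context bytes on Bulk endpoints)
  11-N   payload, absent when length == 0
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

HEADER_LEN = 11  # endpoint byte + 10-byte CCID header

EP_CONTROL_OUT, EP_CONTROL_IN = 0x00, 0x80
EP_BULK_OUT, EP_BULK_IN, EP_INTERRUPT_IN = 0x02, 0x81, 0x83
KNOWN_ENDPOINTS = {EP_CONTROL_OUT, EP_CONTROL_IN, EP_BULK_OUT, EP_BULK_IN, EP_INTERRUPT_IN}

MAX_PAYLOAD_BULK = 0x10000  # 64 kB on BulkOut/BulkIn
MAX_PAYLOAD_OTHER = 0x100   # 256 B on the other endpoints


def max_payload_for(endpoint: int) -> int:
    """Payload limit that applies to a given endpoint byte."""
    return MAX_PAYLOAD_BULK if endpoint in (EP_BULK_OUT, EP_BULK_IN) else MAX_PAYLOAD_OTHER


class FramingError(ValueError):
    """Raised when the stream violates the framing rules; the connection should be dropped."""


@dataclass
class CcidMessage:
    endpoint: int
    message_type: int
    params: bytes   # the 5 parameter bytes (message offsets 6..10)
    payload: bytes

    @property
    def slot(self) -> int:  # meaningful on Bulk endpoints only
        return self.params[0]

    @property
    def seq(self) -> int:   # meaningful on Bulk endpoints only
        return self.params[1]


def encode_message(endpoint: int, message_type: int, params: bytes, payload: bytes = b"") -> bytes:
    """Build one wire message; used here to construct sample traffic."""
    if len(params) != 5:
        raise ValueError("CCID header carries exactly 5 parameter bytes")
    if len(payload) > max_payload_for(endpoint):
        raise FramingError("payload too large for endpoint 0x%02x" % endpoint)
    return bytes([endpoint, message_type]) + struct.pack("<I", len(payload)) + bytes(params) + payload


class CcidTcpReassembler:
    """Accumulates TCP data and returns every complete message found so far."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, data: bytes) -> List[CcidMessage]:
        self._buf += data
        out: List[CcidMessage] = []
        while (msg := self._pop_one()) is not None:
            out.append(msg)
        return out

    def _pop_one(self) -> Optional[CcidMessage]:
        if len(self._buf) < HEADER_LEN:
            return None  # header not complete yet; wait for the next segment
        endpoint = self._buf[0]
        if endpoint not in KNOWN_ENDPOINTS:
            raise FramingError("unknown endpoint byte 0x%02x" % endpoint)
        length = struct.unpack_from("<I", self._buf, 2)[0]
        # Check the announced length against the endpoint limit *before* waiting for
        # or allocating the payload: the field can claim up to 4 GiB.
        if length > max_payload_for(endpoint):
            raise FramingError("length %d exceeds limit for endpoint 0x%02x" % (length, endpoint))
        total = HEADER_LEN + length
        if len(self._buf) < total:
            return None  # payload split across segments; wait for more data
        raw = bytes(self._buf[:total])
        del self._buf[:total]
        return CcidMessage(raw[0], raw[1], raw[6:11], raw[11:])


def sample_stream() -> bytes:
    """Constructed traffic: a SELECT APDU on BulkOut, its SW on BulkIn, a slot-change interrupt."""
    return (encode_message(EP_BULK_OUT, 0x6F, bytes([0, 1, 0, 0, 0]), b"\x00\xa4\x04\x00\x00")
            + encode_message(EP_BULK_IN, 0x80, bytes([0, 1, 0, 0, 0]), b"\x90\x00")
            + encode_message(EP_INTERRUPT_IN, 0x50, bytes(5), b"\x03"))


if __name__ == "__main__":
    r = CcidTcpReassembler()
    s = sample_stream()
    # Segment boundary deliberately falls inside the second message's header.
    for seg in (s[:20], s[20:]):
        for m in r.feed(seg):
            print("ep=0x%02x type=0x%02x payload=%s" % (m.endpoint, m.message_type, m.payload.hex()))
```

A real client would wrap `feed()` around its socket read loop and close the connection on `FramingError`, since once the stream is out of sync there is no reliable way to resynchronise on the next header.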

Security considerations

This protocol is intrinsically insecure: it provides neither confidentiality nor integrity protection. It must therefore only be used on a trusted local or private network.