Supporting fixed length keypad input

Achim Pietig achim at pietig.com
Sat Mar 2 15:35:11 CET 2013


Hi,

I was asked for the latest standards relevant for PIN or password input with PINPads:

PC/SC V2: Interoperability Specification for ICCs and Personal Computer Systems, Part 10 IFDs with Secure PIN Entry Capabilities, Revision 2.02.09 November 2012
Secoder 2: from German banks (GeldKarte), not publicly available

Most standards support the PIN 2 block format as most (banking standard for digits only).
The OpenPGP card uses an alphanumeric password; one reason was to allow passphrases on the card too.

If the support of readers for alpha passwords with variable length is too complex, a next version of the OpenPGP card may support PIN 2-block too, but then an algorithm ID or a usage flag in Extended
capabilities is needed. What do you think?

Regards,
Achim


On 15.01.2013 03:36, NIIBE Yutaka wrote:
> Thanks for your comments.
> 
> My replies are by different order.
> 
> On 2013-01-10 at 09:03 +0100, Achim Pietig wrote:
>> "pinpad" is the most common word in standards.
> 
> I see.
> 
>> If support for "old" readers with fixed length input is required, I
>> prefer a local var (e. g. gpgconf) with the fixed length preferred
>> by the user.  If the var is 0 or not defined, the min-max length
>> should be taken from the card. The var may be evaluated by pinentry.
>> If the password is defined by a keyboard, --disable-pinpad may be
>> useful.  All this affects the local environment only.
> 
> I understand the need for configuration on host PC (for card specific
> configuration).  The issue is: how to implement this.  IIUC, SCDaemon
> is the lower level driver which handles smartcard/token communication
> (perhaps, this understanding of mine would be wrong), and how to get
> card specific information is under discussion.
> 
>> Actually there are 3 standards for readers with PIN-pad, all support
>> var-length PINs, so older readers will be obsolete soon.  If you want
>> to support these old items anyway, then keep it simple...  It makes
>> no sense to me to find a solution with new information in card or
>> servers etc. to make this run at any pin-pad - standard compliant
>> pinpads will run with min-max values!
> 
> Could you please let me know the references for the standards?  A
> vendor which I contacted last year claimed that the reader is standard
> compliant (even if it doesn't support variable length input).
> 
> Well, I understand that fixed length input support should be special
> case.
> 
> To summarize discussion, I'd like to propose the following for pinpad
> input.
> 
>   * Default is variable length pinpad input when reader supports the
>     feature.
> 
>   * Use pinentry by keyboard on host PC, when reader doesn't support
>     the feature (including reader supports pinpad input but requires
>     fixed length input).
> 
>   * Only when a user wants to do special thing, he needs to specify
>     this.  Special cases are:
> 
>     (1) Use pinentry by keyboard even with pinpad reader.
>         (for cases when PIN has characters other than digits.)
> 
>     (2) Use fixed length input.
> 
>> Login-Data is an ISO defined data object (7816-6).
>> It should not contain other information than defined by ISO, so
>> first check if this information is possible there.
> 
> It says:
> 
> 	Proprietary login data
> 
> 	Referenced by tag '5E', this interindustry data element
> 	consists of login data with proprietary structures not
> 	specified in ISO/IEC 7816.
> 



More information about the Gnupg-devel mailing list