Insecure HP USB Smart Card Keyboard

Smart cards are among the most versatile two-factor authentication devices and essential for secure PKI deployments. Two factors means that for successful use you need to have something (the smart card) and know something (its PIN code). While still better than a plain password, a PIN code typed like a password on a standard computer keyboard is exposed to host software and therefore easily intercepted by the worst kind of malware: trojans. Once a trojan (or keylogger) has captured the PIN code, it can abuse your inserted card and perform covert transactions with it for as long as the card stays in the reader.

To protect against such attacks, secure PIN entry devices (commonly known as pinpad readers) exist. They are built with specially designed hardware that guarantees PIN codes travel directly from the device keypad to the smart card, never passing through the host computer and thus never visible to possibly hostile software running on it. The host only sends the reader a command to perform PIN verification (or modification); the reader collects the digits on its own keypad and places them into the APDU it sends to the card itself.

This is a reminder not to be fooled by marketing alone. A device with the Hewlett-Packard logo (model KUS0133) claims secure PIN entry and modification capability in its CCID descriptor but does not actually enforce the secure PIN entry promise: the entered code can be read by host software. This behavior was discovered by accident. The device *seems* to work flawlessly on Linux, but have a look at what happens on Mac OS X 10.6.6:

mrtn:~ martin$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    No    PIN pad   HP USB Smart Card Keyboard 00 00
mrtn:~ martin$ pkcs11-tool --login --test --slot 1 --module /Library/OpenSC/lib/opensc-pkcs11.so 
1234

error: PKCS11 function C_Login failed: rv = CKR_GENERAL_ERROR (0x5)

A short explanation:

  • After the keyboard has been connected and identified by Mac OS X, OpenSC detects the reader and the pinpad capability it advertises.
  • Trying to do some operations with the inserted smart card reaches the point where the software sends the correct command to the reader for a secure PIN entry operation, and the "secure PIN entry" LED on the keyboard turns on, signaling that the PIN code should be entered on the numpad of the keyboard. On Linux, keys other than ESC (which cancels the transaction) and ENTER (which confirms the entered PIN) do nothing in this mode (at least nothing appears on the screen).
  • Now the unexpected happens: the entered PIN ("1234" in this example) shows up on the terminal as ordinary keyboard input! In fact, all keys work and typing into stdin is possible. The expected output would have been the tool printing the test results of operations with the keys on the card, without any keyboard input reaching the host at all.

Without further investigation I can guess at two possibilities of what's going on:

  1. It is possible for the host software to put the device firmware into a state where the pinpad malfunctions and sends keyboard input to the host.
  2. The entered PIN code is always transmitted over USB, but Linux "correctly" routes those packets to /dev/null.

Either way the reader can't be considered a secure PIN entry device: host software can affect the functioning of the device, and the secure PIN entry mode is not enforced by the keyboard firmware. Whatever the descriptor claims, the PIN digits end up on the USB bus as ordinary keystrokes, which is exactly what a pinpad reader exists to prevent.
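The capability the keyboard "claims" lives in one byte of its USB CCID class descriptor (bPINSupport), the same field the open source CCID driver consults before it offers secure PIN entry to applications such as OpenSC. Below is an added example (not code from the original post, from OpenSC or from the CCID driver) that decodes that descriptor and reports what a reader advertises. Field offsets and bit meanings follow the USB CCID specification, revision 1.1, section 5.1; the SAMPLE_DESCRIPTOR bytes are constructed for illustration and are not a dump of the HP KUS0133 or of any other real device.

```python
"""Decode what a USB CCID reader advertises in its class descriptor.

Added example for this post, not code from the original post, from OpenSC or
from the CCID driver.  Offsets and bit meanings follow the USB CCID spec rev
1.1, section 5.1 (the "ChipCard Interface Descriptor" that lsusb -v prints).
SAMPLE_DESCRIPTOR is constructed for illustration, not a dump of a real device.
"""
import struct

CCID_DESCRIPTOR_TYPE = 0x21    # bDescriptorType of a CCID class descriptor
CCID_DESCRIPTOR_LENGTH = 54    # bLength; the descriptor has a fixed size

# dwFeatures bits (CCID rev 1.1, table 5.1-1).
FEATURE_BITS = {
    0x00000002: "auto parameter configuration from ATR",
    0x00000004: "auto ICC activation on insertion",
    0x00000008: "auto ICC voltage selection",
    0x00000010: "auto clock frequency change",
    0x00000020: "auto baud rate change",
    0x00000040: "auto parameter negotiation",
    0x00000080: "auto PPS",
    0x00000100: "ICC clock stop",
    0x00000200: "NAD other than 00 accepted (T=1)",
    0x00000400: "auto IFSD exchange (T=1)",
    0x00010000: "TPDU level exchange",
    0x00020000: "short APDU level exchange",
    0x00040000: "short and extended APDU level exchange",
    0x00100000: "USB wake-up on card insertion/removal",
}

# bPINSupport bits. This one byte is how a reader announces secure PIN entry
# to the host. Announcing it is a claim, not a guarantee: nothing in the
# descriptor lets the host verify that the firmware keeps the digits off USB.
PIN_VERIFICATION_SUPPORTED = 0x01
PIN_MODIFICATION_SUPPORTED = 0x02


def parse_ccid_descriptor(desc: bytes) -> dict:
    """Return the security-relevant fields of a CCID class descriptor.

    Raises ValueError if the blob is not a CCID class descriptor.
    """
    if len(desc) < CCID_DESCRIPTOR_LENGTH:
        raise ValueError(f"descriptor too short: {len(desc)} bytes")
    if desc[0] != CCID_DESCRIPTOR_LENGTH or desc[1] != CCID_DESCRIPTOR_TYPE:
        raise ValueError(f"not a CCID class descriptor: length {desc[0]}, type 0x{desc[1]:02x}")
    # Multi-byte fields are little-endian, as everywhere in USB.
    bcd_ccid = struct.unpack_from("<H", desc, 2)[0]
    protocols = struct.unpack_from("<I", desc, 6)[0]
    features = struct.unpack_from("<I", desc, 40)[0]
    max_msg_len = struct.unpack_from("<I", desc, 44)[0]
    pin_support = desc[52]
    return {
        "ccid_version": f"{bcd_ccid >> 8}.{bcd_ccid & 0xFF:02x}",
        "slots": desc[4] + 1,  # bMaxSlotIndex is zero-based
        "voltages": [v for bit, v in ((1, "5.0V"), (2, "3.0V"), (4, "1.8V")) if desc[5] & bit],
        "protocols": [p for bit, p in ((1, "T=0"), (2, "T=1")) if protocols & bit],
        "features": [name for bit, name in FEATURE_BITS.items() if features & bit],
        "max_ccid_message_length": max_msg_len,
        "pin_verification": bool(pin_support & PIN_VERIFICATION_SUPPORTED),
        "pin_modification": bool(pin_support & PIN_MODIFICATION_SUPPORTED),
    }


def advertises_secure_pin_entry(desc: bytes) -> bool:
    """True if the reader claims to verify PINs entered on its own keypad.
    This is what a host driver checks before using the secure PIN path."""
    return parse_ccid_descriptor(desc)["pin_verification"]


# Constructed sample: one slot, T=0/T=1, short and extended APDUs, and both
# PIN verification and PIN modification advertised (bPINSupport = 0x03).
SAMPLE_DESCRIPTOR = bytes([
    0x36, 0x21,              # bLength = 54, bDescriptorType = 0x21 (CCID)
    0x10, 0x01,              # bcdCCID = 1.10
    0x00,                    # bMaxSlotIndex = 0 -> one slot
    0x07,                    # bVoltageSupport = 5.0V | 3.0V | 1.8V
    0x03, 0x00, 0x00, 0x00,  # dwProtocols = T=0 | T=1
    0xA0, 0x0F, 0x00, 0x00,  # dwDefaultClock = 4000 kHz
    0xA0, 0x0F, 0x00, 0x00,  # dwMaximumClock = 4000 kHz
    0x00,                    # bNumClockSupported
    0x00, 0x2A, 0x00, 0x00,  # dwDataRate = 10752 bps
    0x00, 0x2A, 0x00, 0x00,  # dwMaxDataRate = 10752 bps
    0x00,                    # bNumDataRatesSupported
    0xFE, 0x00, 0x00, 0x00,  # dwMaxIFSD = 254
    0x00, 0x00, 0x00, 0x00,  # dwSynchProtocols
    0x00, 0x00, 0x00, 0x00,  # dwMechanical
    0xBE, 0x04, 0x04, 0x00,  # dwFeatures = 0x000404BE
    0x0F, 0x01, 0x00, 0x00,  # dwMaxCCIDMessageLength = 271
    0xFF, 0xFF,              # bClassGetResponse, bClassEnvelope = echo
    0x00, 0x00,              # wLcdLayout = no display
    0x03,                    # bPINSupport = verification | modification
    0x01,                    # bMaxCCIDBusySlots
])

if __name__ == "__main__":
    for key, value in parse_ccid_descriptor(SAMPLE_DESCRIPTOR).items():
        print(f"{key:>24}: {value}")
    print("advertises secure PIN entry:", advertises_secure_pin_entry(SAMPLE_DESCRIPTOR))
```

On a real system the same bytes are what `lsusb -v` prints as the "ChipCard Interface Descriptor", with the bPINSupport line reading "verification modification" for a reader like the one discussed here. The lesson of this post is that the host can only read this claim, not check it, which is why drivers end up carrying per-reader override lists and why OpenSC's opensc.conf has an enable_pinpad setting in the pcsc reader driver block that switches the pinpad path off regardless of what the descriptor says.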

What next?

  • The next release of OpenSC will disregard the advertised pinpad capability of this reader and enforce normal (no pinpad) mode
  • An upcoming release of the open source CCID driver will probably have the pinpad feature for this reader disabled already at the driver layer
  • The old rule that devices claiming to do everything do nothing well has been confirmed once more. If you are worried about the secrecy of your PIN code, buy a dedicated pinpad reader with tamper-evident features (such as a hologram seal) and certified firmware
  • Remember to keep your computer up to date with security patches and don't install software or visit websites you don't trust; that is the best protection against trojans. Also remove your smart card from the reader as soon as you have finished using it, to limit the time during which hostile software could abuse your connected card


Hello world!

Programming is very much a lifelong learning process. Whenever you learn new stuff, you first write a "Hello world!" program in the new language. Yesterday at 21:56 my first "Hello world!" program in parenthood completed successfully, producing the expected result: a 48 cm long, 3.1 kg boy. EDIT: Mandatory picture of the little guy chilling:


MoMo Estonia: mobile advertising

Some notes from the Mobile Monday Estonia event Mobile Marketing & Advertising, which I visited last Monday.
  • Global Trends on Mobile Marketing: The most interesting slides, as they had actual and factual information from a survey listing the different trends and technologies used in marketing. Notice that LBS has a HUGE growth potential ("planning to use in next 12 months vs have used in past 12 months") and that the majority of marketers still rely on messaging. The LBS drum has been hammered for years now as The Next Big Thing. But to me it comes as no surprise that the iPhone does not have MMS support: it is an expensive, cumbersome and mobile/closed (vs web/open) technology apparently invented (read: sucked out of a pencil) only to bring you junk mail. Multimedia exchange between peers feels much more potent via social services running over the (mobile) internet using internet methods (HTTP, e-mail, social sharing services) than via monsters like MMS. From my ignorant point of view, MMS represents a greedy mockup by operators who hope that it will follow the success of SMS (which, unlike the ugly-CORBA-successor-SOAP-based MMS, is a neat and clever hack on top of the existing GSM network). I hope MMS dies soon.
  • Estonian Operators Mobile Advertising Reach Package: Rrrright. After reading "2/3 of mobile internet traffic comes from operator portals" I understood that I've never given much thought to the difference between Mobile Internet and Mobile Broadband. For me mobile broadband internet is just a Pipe going through the Air into some Processing Device. Sometimes the device is attached to a computer, sometimes the processing device itself has input-output and user interaction capabilities, and sometimes the broadband comes in sub-GPRS speeds. And operators are fighting hard not to become mere Pipes, hoping they can maintain their walled gardens. I still don't believe that 2/3 of handset browsing goes only to the operator portal, but then again, most people don't use technology the way I do, or they don't use it at all. After getting a glimpse of what the global trends are (technology, attitude and the unique right place-time-location mantra) it was a little shocking that the only thing they provide is a way to buy wholesale 'dumb pixel squares' on mobile 'web' portals. No demographics, no advanced features. Nothing. A suggestion to operators who are evaluating their location based services (and advanced marketing) strategies for Mobile *Broadband*: mix LBS with web technologies such as the Gears Geolocation API to give location-aware ads and web content to the desktop browser. A good (also a bit scary) example was JoikuSpot, which turns your 3G Nokia phone into a WiFi hotspot. The landing page of the hotspot displayed a Google map with the location of your mobile...
  • Mobile Marketing Case Studies: There have been moments when I've thought that operators exist only because of football, because the big football events are very often natural stress tests for mobile messaging technologies; spikes in traffic are guaranteed during New Year and the World Cup. Life in mobile messaging revolves around football, and so the Snickers campaign launched just hours before an important match. Does some big operator (Vodafone? Telefonica?) already own some FCs? If not, they should!
I'm not really into advertising, and I hate annoying popups and 'look here what we have to offer!' pictures. I'll have to wait until the *marketing* guys come up with something technically advanced, like offering meaningful information when I check for better prices in a supermarket.


OpenID.ee @ Net-ID 2008

I'll be at Net-ID 2008 conference in March, talking about OpenID and Estonian eID infrastructure and how they come together in OpenID.ee.


People are permalinks too!

2008 started with interesting events and great ideas: People are URLs too. OpenID.ee uses the same idea, that people and URLs are the same thing to some extent in certain situations, at least when URLs are used as matching identifiers for authentication purposes. In fact, if URLs are people, then OpenID.ee provides permalinks for people. Cool URIs allow addressing people, but OpenID.ee allows addressing real people in the real world. And not only addressing them, but also authenticating them. Scott Kveton is definitely right: 2008 shall be very exciting!
