Testing a secret number
The most commonly used method of user identification is entering a secret number, which is generally referred to by the abbreviation PIN (for ‘personal identification number’), or sometimes CHV (cardholder verification). APIN is usually a four-digit number, usually composed of the decimal numerals 0 through 9. The reason for using a purely numeric entry is simply that card terminals generally only have numeric keypads. The PIN is entered using the terminal keypad or a computer keyboard, and then sent to the smart card. The smart card compares the value that it receives with an internally stored reference value and reports the result to the terminal. PIN entry is particularly considered to be a security issue in financial transaction applications, so requirements relating to the nature of the keypad are frequently found in this application area. Special keypads that satisfy these requirements are often called ‘PIN pads’. In Germany, for example, there is a requirement (from the ZKA) that the PIN for a Eurocheque card can only be entered using a keypad having special mechanical and cryptographic protection. PIN pads have all the features of a security module, such as case-opening sensors and foils to protect against drilling, and they encrypt the PIN directly as it is entered. This provides reliable protection against tampering with a keypad in order to allow a PIN to be intercepted while it is being entered. A distinction can be made between static and modifiable PINs. A static pin cannot be changed by the user, so it effectively must be memorized by the user. If it becomes known, the user should destroy the card and obtain a new one with a different static PIN. A modifiable PIN can be altered according to the wishes of the user, or changed to a number that the user finds easy to remember. There is a danger in this, since the numbers that many people find easy to remember are ones such as”1234”,”4711”and”0815”. The smart card does not check for the use of such trivial numbers, since there is not enough memory available to store the necessary table. However, it would be perfectly conceivable for the terminal to prohibit the PIN from being changed to such a number. In order to change a PIN, it is always necessary to enter the PIN, since otherwise an attacker could replace every existing PIN with one of his own. The situation is different with personal unblocking keys (PUKs), which are also called ‘super PINs’. These keys usually have more digits than a normal PIN (a typical value is six), and they are used to reset the retry counter of a PIN to zero if it has reached its maximum value. A new PIN is also entered into the card when the PUK is entered, since resetting the retry counter is of little use if the user has forgotten the PIN. This is usually the case when the retry counter has reached its maximum value.

There are also applications that use transport PINs. In this case, the smart card is personalized with a random PIN and the cardholder receives the PIN value by letter. The cardholder then replaces the PIN used for card personalization with a PIN of his or her choice before actually using the card. In a similar method, called the ‘null PIN’ method, the card is preloaded with a trivial PIN, such as ”0000”, and the smart card again forces the PIN to be changed before it can be used. Both of these methods prevent a PIN that has been ‘spied out’ during card personalization from later being put to good use. According to a recommendation of the ISO 9564-1 standard, the PIN should consist of four to 12 alphanumeric characters in order to minimize the probability of determining the correct PIN by pure trial and error. However, the situation in actual practice is often somewhat different. Entering non-numeric characters is technically impossible in many locations, since the keypad has only numeric characters. The number of characters in a PIN depends not only on the desired level of security, but also to a large degree on the memory capacity of the average card user. For years, people have been accustomed to using four-digit PINs, which means that changing to PINs with six or more digits would be very difficult. In practice, the presumed improvement in security provided by using a six-digit or eight-digit PIN might turn out to be purely theoretical. Many people find it difficult to remember numbers of this length, especially if they do not use them very often, and consequently write them down on the card or on a slip of paper kept near the card. The level of security with a long PIN is then significantly lower than with a short PIN. The perfectly well-founded insistence on periodically changing PINs meets with a similar fate. It may work with a high-security application having only a few users, but it is fatal for the acceptance of a mass-market application, which tries to use the simplest possible methods in order to accommodate people with poor memories. In this regard, there is another very important issue. In many cases, entering and verifying a PIN does more than just identify the user and indicate legitimate possession of the card. It also represents a profession of intent by the user, who agrees to a particular transaction by entering his or her PIN. A good example is entering a PIN into a cash dispenser. This identifies the card user by means of his of her knowledge of the secret PIN, but it also represents a declaration by the user that he or she agrees to have a certain amount of cash paid out from his or her account. This is a very important consideration in connection with certain biometric features, some of which can be tested without the explicit permission of the person in question and do not necessarily represent a profession of intent.

The probability of guessing a PIN
The simplest attack on a PIN, aside from watching it being entered, is just guessing. The probability of success depends in part on the length of the PIN, the characters from which it can be composed and how many attempts are allowed. The probability of correctly guessing a four-digit PIN in three tries is 0.03 %, which is not particularly high. Two basic formulas for guessing passwords are presented here. They can be used in actual practice to estimate the risk associated with using a particular password.
x = mn (8.1)
P = i/mn (8.2)
Incidentally, there is yet a fourth factor related to guessing a PIN, which for a long time has been inexcusably neglected. This is the uniformity of the distribution of PINs within an application. It is much easier to guess a PIN if you know that certain PINs are more common than others. The actual significance of this important secondary factor became evident almost overnight in 1977 in connection with German Eurocheque cards. Although the detailed procedure for computing a PIN from the data stored in the magnetic stripe of the Eurocheque card is still secret, at least a few general steps of the procedure became known. From this information, it could be concluded that the PINs that are generated are not uniformly distributed, since the algorithm used produces the numerals 0 through 5 significantly more often than 6 through 9. It also became known that the PIN algorithm suppressed leading zeros when generating PINs. With such a non-uniform distribution, it is not necessary to make 3333 attempts in order to correctly guess a four-digit PIN with the permitted number of incorrect guesses (3), but only 150 [Karten 97]. With 10.5% of the cards, the distribution is so poor that only 72 attempts will suffice if the characteristics of the PIN generation algorithm are taken into account [Schindler 97]. The end result of all this is that an improved PIN generation algorithm is used with new Eurocheque cards, and the DES algorithm originally used has been replaced by a triple-DES algorithm.

Generating a PIN
In order to generate a PIN for a smart card, it is first necessary to have a random number generator and an algorithm that converts a random number into an ASCII-coded PIN of the required length. A table of known trivial combinations can then be used to detect and discard trivial PINs. Finally, the PIN must be stored in the smart card, and the VERIFY command must then be used as necessary to compare it with PIN codes transferred to the card from the terminal. A somewhat more complicated procedure for generating PINs is required for a system that uses magnetic-stripe cards instead of smart cards. This is because it must be possible for a cash dispenser operating offline to test an entered PIN using data contained in the magnetic stripe. This requirement does not actually apply to smart cards, but all debit cards (such as Eurocheque cards) presently have magnetic stripes for reasons of compatibility, even if they also have microcontrollers. When hybrid cards with both chips and magnetic stripes are used, the PIN generation algorithm must therefore be deterministic, which means that it must always produce the same result for a given set of input values. A random number generator cannot do this. A procedure is thus needed that can generate a PIN based on the magnetic stripe data. In order to avoid having the security of the system depend on the procedure itself, a secret key should also be involved in the computation. Figure 8.2 illustrates an algorithm similar to the one that is used for German Eurocheque cards. Its inputs consist of the bank routing code, the account number and the serial number of the card. This algorithm uses the DES algorithm with a secret key to generate a four-digit PIN. This procedure suffers from the previously mentioned disadvantage that it produces PINs that are not uniformly distributed over the total possible number space (”0000” to ”9999” in the case of a four-digit PIN). This is due to the mapping rule that is used to convert the hexadecimal numerals (‘A’,'B’,'C’,'D’,'E’, and’F') into decimal numerals following the encryption process. This undesirable feature could be easily avoided by using a better mapping rule. The DES algorithm is used in part because the key rather than the procedure must be kept secret, and in part due to its properties of confusion and diffusion. The PIN generation procedure that was used between 1981 and 19972 for German Eurocheque cards produced PINs that were not uniformly distributed over the entire number space. Consequently, some PINs were significantly more probable than others, and such PINs could be used for attacks (which were generally not successful). For this reason, it is important to ensure that procedures used to generate PINs produce PINs that are distributed uniformly over the available number space.

Testing the authenticity of a terminal
As is well known, entering a PIN is used to verify the identity of the user. However, the user might equally well want to be able to verify the genuineness of a terminal. For instance, consider the possibility of a dummy cash dispenser. Someone with fraudulent intentions could use such a machine to collect PINs entered by unsuspecting users. If the person who set up the machine then steals the users’ cards, he or she could use the PINs acquired via the dummy cash dispenser to withdraw money from the cardholders’ accounts. All of this is possible because there is no way for the user to test the genuineness of the terminal. However, there is a procedure that can be used to defend against this type of attack. It involves storing a password in a file in the card. This password is known only to the card user and can be changed only by the user. It can be a name or a number chosen by the user. The smart card operating system allows read access to this file only after the terminal has been authenticated by the card.The first thing that happens after the user has inserted a smart card into the terminal is a mutual authentication transaction between the card and the terminal. If this is successful, each party knows that the other party is genuine. The card then allows read access to the file containing the user’s secret password, which is displayed on the terminal. The user sees his or her password and thus knows that the terminal is genuine, since it would have otherwise had no access to the file containing the user’s secret password. He or she can now safely enter the PIN. This procedure is also a simple way to prevent PINs from being entered into terminals that have been manipulated. Any arbitrary word or number can be used for the password. It should be possible for the cardholder to change the password as desired, in order to prevent potential attackers from being able to ferret it out. This procedure can also be extended or modified as necessary to meet other demands of a similar nature.