Case 6:21-cv-01101-ADA Document 34-8 Filed 06/09/22 Page 1 of 86
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Exhibit 8
`
`

`

`Case 6:21-cv-01101-ADA Document 34-8 Filed 06/09/22 Page 2 of 86
`6:21-cv-01101-ADA Document 34-8 Filed 06/09/22 Page 2
`Wolfgang Rankl * Wolfgang Effing
`
`Smart
`ae
`
`Handbook.
`
`tics citon
`
`WW) WILEY
`
`

`

`Case 6:21-cv-01101-ADA Document 34-8 Filed 06/09/22 Page 3 of 86
`
`Smart Card
`Handbook
`Third Edition
`
`Wolfgang Rankl and Wolfgang Effing
`Giesecke & Devrient GmbH, Munich, Germany
`
`Translated by
`Kenneth Cox
`Kenneth Cox Technical Translations, Wassenaar, The Netherlands
`
`

`

`Case 6:21-cv-01101-ADA Document 34-8 Filed 06/09/22 Page 4 of 86
`
`Smart Card
`Handbook
`
`Third Edition
`
`

`

`Case 6:21-cv-01101-ADA Document 34-8 Filed 06/09/22 Page 5 of 86
`
`Smart Card
`Handbook
`Third Edition
`
`Wolfgang Rankl and Wolfgang Effing
`Giesecke & Devrient GmbH, Munich, Germany
`
`Translated by
`Kenneth Cox
`Kenneth Cox Technical Translations, Wassenaar, The Netherlands
`
`

`

`Case 6:21-cv-01101-ADA Document 34-8 Filed 06/09/22 Page 6 of 86
`
`First published under the title Handbuch der Chipkarten by Carl Hanser Verlag
`C(cid:1) Carl Hanser Verlag, Munich/FRG, 2002
`All rights reserved.
`Authorized translation from the 4th edition in the original German language
`published by Carl Hanser Verlag, Munich/FRG.
`Copyright C(cid:1) 2003 John Wiley & Sons Ltd, Baffins Lane, Chichester
`West Sussex, PO19 1UD, England
`
`01243 779777
`National
`International
`(+44) 1243 779777
`
`Email (for orders and customer service enquiries): cs-books@wiley.co.uk
`Visit our Home Page on www.wileyeurope.com or www.wiley.com
`
`All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any
`means, electronic, mechanical, photocopying, recording, scanning or otherwise, except under the terms of the Copyright, Designs
`and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency Ltd, 90 Tottenham Court Road,
`London W1T 4LP, UK, without the permission in writing of the Publisher. Requests to the Publisher should be addressed to the
`Permissions Department,
`John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ, England, or emailed to
`permreq@wiley.co.uk, or faxed to (+44) 1243 770571.
`
`This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the
`understanding that the Publisher is not engaged in rendering professional services. If professional advice or other expert assistance is
`required, the services of a competent professional should be sought.
`
`Other Wiley Editorial Offices
`
`John Wiley & Sons Inc., 111 River Street, Hoboken, NJ 07030, USA
`
`Jossey-Bass, 989 Market Street, San Francisco, CA 94103-1741, USA
`
`Wiley-VCH Verlag GmbH, Boschstr. 12, D-69469 Weinheim, Germany
`
`John Wiley & Sons Australia Ltd, 33 Park Road, Milton, Queensland 4064, Australia
`
`John Wiley & Sons (Asia) Pte Ltd, 2 Clementi Loop #02-01, Jin Xing Distripark, Singapore 129809
`
`John Wiley & Sons Canada Ltd, 22 Worcester Road, Etobicoke, Ontario, Canada M9W 1L1
`
`Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic
`books.
`
`Library of Congress Cataloging-in-Publication Data
`Rankl, W. (Wolfgang)
`[Handbuch der Chipkarten. English]
`Smart card handbook / Wolfgang Rankl and Wolfgang Effing. – 3rd ed.
`p.
`cm.
`Includes bibliographical references and index.
`ISBN 0-470-85668-8 (alk. paper)
`1. Smart cards–Handbooks, manuals, etc.
`TK7895.S62R3613 2003
`006 – dc22
`
`I. Effing, W. (Wolfgang)
`
`II. Title.
`
`2003062750
`
`British Library Cataloguing in Publication Data
`
`A catalogue record for this book is available from the British Library
`
`ISBN 0-470-85668-8
`
`Typeset in 10/12pt Times by TechBooks, New Delhi, India
`Printed and bound in Great Britain by Antony Rowe Ltd, Chippenham Wiltshire
`This book is printed on acid-free paper responsibly manufactured from sustainable forestry
`in which at least two trees are planted for each one used for paper production.
`
`

`

`Case 6:21-cv-01101-ADA Document 34-8 Filed 06/09/22 Page 7 of 86
`
`Contents
`
`Preface to the Third Edition
`Symbols and Notation
`Program Code Conventions
`Abbreviations
`
`1 Introduction
`1.1 The History of Smart Cards
`1.2 Application Areas
`1.2.1 Memory cards
`1.2.2 Microprocessor cards
`1.2.3 Contactless cards
`1.3 Standardization
`
`2 Types of Cards
`2.1 Embossed Cards
`2.2 Magnetic-stripe Cards
`2.3 Smart Cards
`2.3.1 Memory cards
`2.3.2 Microprocessor cards
`2.3.3 Contactless smart cards
`2.4 Optical Memory Cards
`
`3 Physical and Electrical Properties
`3.1 Physical Properties
`3.1.1 Card formats
`3.1.2 Card components and security features
`3.2 The Card Body
`3.2.1 Card materials
`3.2.2 Chip modules
`3.3 Electrical Properties
`3.3.1 Electrical connections
`3.3.2 Supply voltage
`
`xiii
`xv
`xvii
`xix
`
`1
`2
`5
`6
`6
`8
`9
`
`15
`15
`16
`18
`19
`20
`21
`23
`
`27
`27
`28
`31
`38
`40
`42
`52
`53
`55
`
`

`

`Case 6:21-cv-01101-ADA Document 34-8 Filed 06/09/22 Page 8 of 86
`
`vi
`
`Contents
`
`3.3.3 Supply current
`3.3.4 External clock
`3.3.5 Data transmission
`3.3.6 Activation and deactivation sequences
`3.4 Smart Card Microcontrollers
`3.4.1 Processor types
`3.4.2 Memory types
`3.4.3 Supplementary hardware
`3.5 Contact-type Cards
`3.6 Contactless Cards
`3.6.1 Close-coupling cards: ISO/IEC 10536
`3.6.2 Remote-coupling cards
`3.6.3 Proximity integrated circuit(s) cards: ISO/IEC 14 443
`3.6.4 Vicinity integrated circuits cards (ISO/IEC 15 693)
`3.6.5 Test methods for contactless smart cards
`
`4 Informatic Foundations
`4.1 Structuring Data
`4.2 Coding Alphanumeric Data
`4.2.1 7-bit code
`4.2.2 8-bit code
`4.2.3 16-bit code (Unicode)
`4.2.4 32-bit code (UCS)
`4.3 SDL Notation
`4.4 State Machines
`4.4.1 Basic theory of state machines
`4.4.2 Practical applications
`4.5 Error Detection and Correction Codes
`4.5.1 XOR checksums
`4.5.2 CRC checksums
`4.5.3 Reed–Solomon codes
`4.5.4 Error correction
`4.6 Data Compression
`4.7 Cryptology
`4.7.1 Symmetric cryptographic algorithms
`4.7.2 Asymmetric cryptographic algorithms
`4.7.3 Padding
`4.7.4 Message authentication code and cryptographic checksum
`4.8 Key Management
`4.8.1 Derived keys
`4.8.2 Key diversification
`4.8.3 Key versions
`4.8.4 Dynamic keys
`4.8.5 Key parameters
`4.8.6 Key management example
`4.9 Hash Functions
`
`58
`60
`60
`61
`62
`66
`70
`80
`91
`93
`101
`107
`108
`153
`153
`
`155
`156
`161
`161
`161
`163
`163
`164
`165
`166
`166
`169
`171
`172
`174
`174
`176
`177
`182
`189
`199
`201
`202
`202
`203
`203
`203
`204
`206
`208
`
`

`

`Case 6:21-cv-01101-ADA Document 34-8 Filed 06/09/22 Page 9 of 86
`
`4.10 Random Numbers
`4.10.1 Generating random numbers
`4.10.2 Testing random numbers
`4.11 Authentication
`4.11.1 Symmetric unilateral authentication
`4.11.2 Symmetric mutual authentication
`4.11.3 Static asymmetric authentication
`4.11.4 Dynamic asymmetric authentication
`4.12 Digital Signatures
`4.13 Certificates
`
`5 Smart Card Operating Systems
`5.1 Historical Evolution of Smart Card
`Operating Systems
`5.2 Fundamentals
`5.3 Design and Implementation Principles
`5.4 Completion
`5.5 Memory Organization
`5.6 Smart Card Files
`5.6.1 File types
`5.6.2 File names
`5.6.3 File selection
`5.6.4 EF file structures
`5.6.5 File access conditions
`5.6.6 File attributes
`5.7 File Management
`5.8 Sequential Control
`5.9 Access to Resources in Accordance with
`ISO/IEC 7816-9
`5.10 Atomic Operations
`5.11 Open Platform
`5.12 Downloadable Program Code
`5.13 Executable Native Code
`5.14 Open Platforms
`5.14.1 Java Card
`5.14.2 Multos
`5.14.3 Basic Card
`5.14.4 Windows for Smart Cards
`5.14.5 Linux
`5.15 The Small-OS Smart Card Operating System
`
`6 Smart Card Data Transmission
`6.1 The Physical Transmission Layer
`6.2 Answer to Reset (ATR)
`6.2.1 ATR characters
`6.2.2 Practical examples of ATRs
`
`Contents
`
`vii
`
`210
`211
`213
`216
`218
`219
`222
`223
`225
`229
`
`233
`
`234
`237
`242
`245
`249
`252
`254
`257
`261
`263
`267
`270
`271
`279
`
`280
`288
`290
`293
`296
`302
`303
`322
`323
`323
`324
`326
`
`371
`373
`377
`379
`389
`
`

`

`Case 6:21-cv-01101-ADA Document 34-8 Filed 06/09/22 Page 10 of 86
`
`viii
`
`Contents
`
`6.3 Protocol Parameter Selection (PPS)
`6.4 Data Transmission Protocols
`6.4.1 Synchronous data transmission
`6.4.2 The T = 0 transmission protocol
`6.4.3 The T = 1 transmission protocol
`6.4.4 The T = 14 transmission protocol (Germany)
`6.4.5 The USB transmission protocol
`6.4.6 Comparison of asynchronous transmission protocols
`6.5 Message Structure: APDUs
`6.5.1 Structure of the command APDU
`6.5.2 Structure of the response APDU
`6.6 Securing Data Transmissions
`6.6.1 The authentic mode procedure
`6.6.2 The combined mode procedure
`6.6.3 Send sequence counter
`6.7 Logical Channels
`
`7 Smart Card Commands
`7.1 File Selection Commands
`7.2 Read and Write Commands
`7.3 Search Commands
`7.4 File Manipulation Commands
`7.5 Identification Commands
`7.6 Authentication Commands
`7.7 Commands for Cryptographic Algorithms
`7.8 File Management Commands
`7.9 Commands for Managing Applets
`7.10 Commands for Completing the Operating System
`7.11 Commands for Hardware Testing
`7.12 Commands for Data Transmission Protocols
`7.13 Database Commands: SCQL
`7.14 Commands for Electronic Purses
`7.15 Commands for Credit and Debit Cards
`7.16 Application-Specific Commands
`
`8 Security Techniques
`8.1 User Identification
`8.1.1 Testing a secret number
`8.1.2 Biometric methods
`8.2 Smart Card Security
`8.2.1 A classification of attacks and attackers
`8.2.2 Attacks and defensive measures during development
`8.2.3 Attacks and defensive measures during production
`8.2.4 Attacks and defense measures while the card is in use
`
`9 Quality Assurance and Testing
`9.1 Card Body Tests
`
`392
`396
`397
`403
`409
`419
`420
`421
`421
`422
`424
`425
`429
`430
`432
`434
`
`435
`439
`442
`450
`452
`453
`457
`462
`468
`474
`474
`477
`481
`482
`486
`489
`490
`
`491
`491
`493
`498
`510
`511
`517
`520
`521
`
`565
`566
`
`

`

`Case 6:21-cv-01101-ADA Document 34-8 Filed 06/09/22 Page 11 of 86
`
`9.2 Microcontroller Hardware Tests
`9.3 Evaluating and Testing Software
`9.3.1 Evaluation
`9.3.2 Test methods for software
`9.3.3 Dynamic testing of operating systems and applications
`
`10 The Smart Card Life Cycle
`10.1 The Five Phases of the Smart Card Life Cycle
`10.2 Phase 1 of the Life Cycle in Detail
`10.2.1 Generating the operating system and producing the chip
`10.2.2 Producing card bodies without integrated coils
`10.2.3 Producing card bodies containing integrated coils
`10.2.4 Combining the card body and the chip
`10.3 Phase 2 of the Life Cycle in Detail
`10.4 Phase 3 of the Life Cycle in Detail
`10.5 Phase 4 of the Life Cycle in Detail
`10.6 Phase 5 of the Life Cycle in Detail
`
`11 Smart Card Terminals
`11.1 Mechanical Properties
`11.2 Electrical Properties
`11.3 Security Technology
`11.4 Connecting Terminals to Higher-Level Systems
`11.4.1 PC/SC
`11.4.2 OCF
`11.4.3 MKT
`11.4.4 MUSCLE
`
`12 Smart Cards in Payment Systems
`12.1 Payment Transactions using Cards
`12.1.1 Electronic payments with smart cards
`12.1.2 Electronic money
`12.1.3 Basic system architecture options
`12.2 Prepaid Memory Cards
`12.3 Electronic Purses
`12.3.1 The CEN EN 1546 standard
`12.3.2 Common Electronic Purse Specifications (CEPS)
`12.3.3 Proton
`12.3.4 The Mondex system
`12.4 The EMV Application
`12.5 The Eurocheque System in Germany
`
`13 Smart Cards in Telecommunications
`13.1 Survey of Mobile Telecommunication Systems
`13.1.1 Multiple-access methods
`13.1.2 Cellular technology
`
`Contents
`
`ix
`
`573
`574
`575
`581
`589
`
`597
`598
`600
`600
`612
`621
`628
`630
`638
`650
`652
`
`655
`660
`663
`665
`667
`667
`671
`672
`672
`
`673
`674
`674
`679
`681
`684
`685
`685
`701
`702
`703
`708
`714
`
`723
`727
`727
`730
`
`

`

`Case 6:21-cv-01101-ADA Document 34-8 Filed 06/09/22 Page 12 of 86
`
`x
`
`Contents
`
`13.1.3 Cell types
`13.1.4 Bearer services
`13.2 The GSM System
`13.2.1 Specifications
`13.2.2 System architecture and components
`13.2.3 Important data elements
`13.2.4 The subscriber identity module (SIM)
`13.2.5 General Packet Radio System (GPRS)
`13.2.6 Future developments
`13.3 The UMTS System
`13.4 Microbrowsers
`13.5 The Wireless Identification Module (WIM)
`13.6 Public Card Phones in Germany
`
`14 Sample Applications
`14.1 Contactless Memory Cards for Air Travel
`14.2 Health Insurance Cards
`14.3 Electronic Toll Systems
`14.4 Digital Signatures
`14.5 The PKCS #15 Signature Application
`14.6 The FINEID Personal Identification Card
`14.7 Tachosmart
`
`15 Application Design
`15.1 General Information and Characteristic Data
`15.1.1 Microcontrollers
`15.1.2 Applications
`15.1.3 System considerations
`15.1.4 Compliance with standards
`15.2 Formulas for Estimating Processing Times
`15.3 Timing Formulas for Typical Smart Card Commands
`15.4 Typical Command Processing Times
`15.5 Application Development Tools
`15.6 Analyzing an Unknown Smart Card
`15.7 Life-Cycle Models and Process Maturity
`15.7.1 Life-cycle models
`15.7.2 Process maturity
`15.8 The Course of a Smart Card Project
`15.9 Design Examples for Smart Card Applications
`15.9.1 An electronic purse system for arcade games
`15.9.2 Access control system
`15.9.3 Testing the genuineness of a terminal
`
`16 Appendix
`16.1 Glossary
`16.2 Related Reading
`
`732
`733
`735
`737
`740
`741
`745
`786
`787
`789
`794
`802
`804
`
`811
`811
`814
`819
`822
`833
`840
`840
`
`843
`843
`843
`846
`848
`850
`850
`858
`860
`864
`868
`870
`874
`882
`885
`886
`888
`890
`894
`
`897
`897
`985
`
`

`

`Case 6:21-cv-01101-ADA Document 34-8 Filed 06/09/22 Page 13 of 86
`
`Contents
`
`xi
`
`16.3 Literature
`16.4 Annotated Directory of Standards and Specifications
`16.5 Coding of Data Objects
`16.5.1 Data objects compliant with ISO/IEC 7816-4
`16.5.2 Data objects compliant with ISO/IEC 7816-6
`16.5.3 Data objects for chip manufacturers as specified by ISO/IEC 7816-6
`16.6 Registration Authorities for RIDs
`16.7 Selected RIDs
`16.8 Trade Fairs, Conferences and Conventions
`16.9 World Wide Web Addresses
`16.10 Characteristic Data and Tables
`16.10.1 ATR interval
`16.10.2 ATR parameter conversion tables
`16.10.3 Determining the data transmission rate
`16.10.4 Sampling times for serial data
`16.10.5 The most important smart card commands
`16.10.6 Summary of utilized instruction bytes
`16.10.7 Smart card command coding
`16.10.8 Smart card return codes
`16.10.9 Selected chips for memory cards
`16.10.10 Selected microcontrollers for smart cards
`
`Index
`
`985
`994
`1030
`1030
`1031
`1032
`1032
`1032
`1033
`1034
`1044
`1044
`1044
`1046
`1046
`1047
`1051
`1053
`1056
`1058
`1060
`
`1067
`
`

`

`Case 6:21-cv-01101-ADA Document 34-8 Filed 06/09/22 Page 14 of 86
`
`8 S
`
`ecurity Techniques
`
`One of the main advantages of smart cards in comparison with other data storage media, such
`as magnetic-stripe cards and diskettes, is that they can store data such that it is protected and
`kept secret. An essential requirement for this is chip hardware that is tailored and optimized
`for this purpose, along with suitable cryptographic methods for protecting confidential data.
`However, security depends on more than just special microcontroller hardware and algorithms
`implemented in operating system software. The security of the smart card application, and the
`design principles used by its developers, are also of fundamental importance. This chapter is a
`compendium of essential principles, methods and strategies for producing secure smart cards
`and secure smart card applications.
`
`8.1 USER IDENTIFICATION
`
`Since ancient times, a variety of techniques have been used for the unambiguous identification
`of persons. The simplest form of identification is an identity card bearing a photograph or a
`signature written in the presence of the examiner. The photograph on an identity card can be
`compared with the actual person, with the result being an assessment of the genuineness of the
`person’s identity.
`In the field of information technology, this comparison is not so easy, since it must be per-
`formed by a computer instead of another person. Despite their success in performing mindless
`activities, computers still have tremendous difficulty in performing intelligent tasks. Conse-
`quently, entering a password via a keypad has generally become the preferred identification
`method. The effort needed for the comparison is minimal, since essentially all the computer
`has to do is to compare the entered password with a stored reference value and make a simple
`yes/no decision. Password comparison effectively amounts to making a decision regarding the
`genuineness of the identity of the person being tested.
`There are basically only three different methods that can be used to identify a person. If a
`password is used, what is tested is whether the person knows a particular secret. If he or she
`does, the conclusion is that the person is who he or she claims to be. The second option is
`
`Smart Card Handbook, Third Edition. W. Rankl and W. Effing
`C(cid:1) 2004 John Wiley & Sons, Ltd ISBN: 0-470-85668-8
`
`

`

`Case 6:21-cv-01101-ADA Document 34-8 Filed 06/09/22 Page 15 of 86
`
`492
`
`Security Techniques
`
`to test whether a person possesses a particular object. The third possibility is to test specific,
`unique bodily features of the person.
`Methods that rely on knowing a secret or possessing a particular item have a significant
`drawback, which is that the person to be identified must either remember something or carry
`something on his or her person. Depending on the situation, the fact that the secret or object
`can be passed to another person can be considered to be an advantage or a disadvantage. In
`any case, it is not possible to unambiguously ascertain that the person holding the secret or
`the object is truly its legitimate owner, instead of someone else who may have illegitimately
`acquired the secret or item that is tested.
`The third identification method eliminates this transferability, since it is based on using
`specific features of the human body for purposes of identification. Of course, the measurements
`are in most cases technically difficult, since for obvious reasons biological features that can be
`easily measured, such as weight or height, cannot be used.
`
`User identification
`
`knowledge of a secret
`
`possission of an object
`
`bodily feature
`
`Figure 8.1 Classification of methods for identifying a person
`
`It is easier to understand these three possible identification methods if you consider the
`following example. Suppose you have to meet an unknown person at the train station. As soon
`as you see a possible candidate, you have the problem of deciding whether he is really the
`person you are looking for. However, if the unknown person shows up at the right place and
`the right time, this actually amounts to an implicit test of a secret, since you can at least hope
`that the place and time of your meeting are not generally known. An explicit test of a secret
`would occur if the unknown person were to utter a password that is known only to you and him.
`Alternatively, he could identify himself by means of an item that he possesses, for example
`by holding a newspaper printed on a specific day under his arm. Certainly, the most secure
`method would be to check the person for a specific bodily feature. Perhaps he has an unusually
`large nose, like Pinocchio’s (which grows very long when he lies . . . ).
`This train station scenario clearly shows that identifying an unknown person can be regarded
`as a classic problem that occurs in everyday life as well as in spy novels, rather than just being
`limited to computers and smart cards.
`It has now become a common practice to enter a PIN into many types of automated equip-
`ment and computers. The resulting marked increase in the number of PINs used for various
`purposes makes it very difficult for ordinary people to keep track of all of their PIN codes.
`After all, who can remember 20 or more different PINs? The security and good name of
`a system are naturally not improved if every user jots down his or her PIN on the card,
`since the number of cases of fraud will be excessive. For this reason, a desire to use other
`identification methods in place of PIN codes has arisen in recent years. Biometric features
`that allow a particular person to be unambiguously identified by a machine are ideal for this
`purpose.
`
`

`

`Case 6:21-cv-01101-ADA Document 34-8 Filed 06/09/22 Page 16 of 86
`
`8.1 User Identification
`
`8.1.1 Testing a secret number
`
`493
`
`The most commonly used method of user identification is entering a secret number, which
`is generally referred to by the abbreviation PIN (for ‘personal identification number’), or
`sometimes CHV (cardholder verification).
`A PIN is usually a four-digit number, usually composed of the decimal numerals 0 through 9.
`The reason for using a purely numeric entry is simply that card terminals generally only have
`numeric keypads. The PIN is entered using the terminal keypad or a computer keyboard, and
`then sent to the smart card. The smart card compares the value that it receives with an internally
`stored reference value and reports the result to the terminal.
`PIN entry is particularly considered to be a security issue in financial transaction appli-
`cations, so requirements relating to the nature of the keypad are frequently found in this
`application area. Special keypads that satisfy these requirements are often called ‘PIN pads’.
`In Germany, for example, there is a requirement (from the ZKA) that the PIN for a Eurocheque
`card can only be entered using a keypad having special mechanical and cryptographic protec-
`tion. PIN pads have all the features of a security module, such as case-opening sensors and
`foils to protect against drilling, and they encrypt the PIN directly as it is entered. This provides
`reliable protection against tampering with a keypad in order to allow a PIN to be intercepted
`while it is being entered.
`A distinction can be made between static and modifiable PINs. A static pin cannot be
`changed by the user, so it effectively must be memorized by the user. If it becomes known, the
`user should destroy the card and obtain a new one with a different static PIN. A modifiable PIN
`can be altered according to the wishes of the user, or changed to a number that the user finds
`easy to remember. There is a danger in this, since the numbers that many people find easy to
`remember are ones such as''1234'',''4711''and''0815''. The smart card does not check for the
`use of such trivial numbers, since there is not enough memory available to store the necessary
`table. However, it would be perfectly conceivable for the terminal to prohibit the PIN from
`being changed to such a number. In order to change a PIN, it is always necessary to enter the
`PIN, since otherwise an attacker could replace every existing PIN with one of his own.
`The situation is different with personal unblocking keys (PUKs), which are also called
`‘super PINs’. These keys usually have more digits than a normal PIN (a typical value is six),
`and they are used to reset the retry counter of a PIN to zero if it has reached its maximum
`value. A new PIN is also entered into the card when the PUK is entered, since resetting the
`retry counter is of little use if the user has forgotten the PIN. This is usually the case when the
`retry counter has reached its maximum value.
`There are also applications that use transport PINs. In this case, the smart card is personalized
`with a random PIN and the cardholder receives the PIN value by letter. The cardholder then
`replaces the PIN used for card personalization with a PIN of his or her choice before actually
`using the card. In a similar method, called the ‘null PIN’ method, the card is preloaded with
`a trivial PIN, such as ''0000'', and the smart card again forces the PIN to be changed before
`it can be used. Both of these methods prevent a PIN that has been ‘spied out’ during card
`personalization from later being put to good use.
`According to a recommendation of the ISO 9564-1 standard, the PIN should consist of
`four to 12 alphanumeric characters in order to minimize the probability of determining the
`
`

`

`Case 6:21-cv-01101-ADA Document 34-8 Filed 06/09/22 Page 17 of 86
`
`494
`
`Security Techniques
`
`correct PIN by pure trial and error. However, the situation in actual practice is often somewhat
`different. Entering non-numeric characters is technically impossible in many locations, since
`the keypad has only numeric characters.
`The number of characters in a PIN depends not only on the desired level of security, but
`also to a large degree on the memory capacity of the average card user. For years, people
`have been accustomed to using four-digit PINs, which means that changing to PINs with six
`or more digits would be very difficult. In practice, the presumed improvement in security
`provided by using a six-digit or eight-digit PIN might turn out to be purely theoretical. Many
`people find it difficult to remember numbers of this length, especially if they do not use
`them very often, and consequently write them down on the card or on a slip of paper kept
`near the card. The level of security with a long PIN is then significantly lower than with a
`short PIN.
`The perfectly well-founded insistence on periodically changing PINs meets with a similar
`fate. It may work with a high-security application having only a few users, but it is fatal for
`the acceptance of a mass-market application, which tries to use the simplest possible methods
`in order to accommodate people with poor memories.
`In this regard, there is another very important issue. In many cases, entering and verifying a
`PIN does more than just identify the user and indicate legitimate possession of the card. It also
`represents a profession of intent by the user, who agrees to a particular transaction by entering
`his or her PIN. A good example is entering a PIN into a cash dispenser. This identifies the card
`user by means of his of her knowledge of the secret PIN, but it also represents a declaration
`by the user that he or she agrees to have a certain amount of cash paid out from his or her
`account. This is a very important consideration in connection with certain biometric features,
`some of which can be tested without the explicit permission of the person in question and do
`not necessarily represent a profession of intent.
`
`The probability of guessing a PIN
`
`The simplest attack on a PIN, aside from watching it being entered, is just guessing. The
`probability of success depends in part on the length of the PIN, the characters from which it
`can be composed and how many attempts are allowed. The probability of correctly guessing a
`four-digit PIN in three tries is 0.03 %, which is not particularly high. Two basic formulas for
`guessing passwords are presented here. They can be used in actual practice to estimate the risk
`associated with using a particular password.
`x = mn
`P = i /mn
`
`(8.1)
`(8.2)
`
`Incidentally, there is yet a fourth factor related to guessing a PIN, which for a long time
`has been inexcusably neglected. This is the uniformity of the distribution of PINs within
`an application. It is much easier to guess a PIN if you know that certain PINs are more
`common than others. The actual significance of this important secondary factor became evident
`almost overnight in 1977 in connection with German Eurocheque cards. Although the detailed
`procedure for computing a PIN from the data stored in the magnetic stripe of the Eurocheque
`
`

`

`Case 6:21-cv-01101-ADA Document 34-8 Filed 06/09/22 Page 18 of 86
`
`8.1 User Identification
`
`495
`
`Table 8.1 Definitions and descriptions of the variables in Formulas (8.1) and (8.2)
`
`Variable
`
`Example
`
`Description
`
`i
`m
`n
`P
`x
`
`3
`10
`4
`0.0003 (0.03 %)
`10,000
`
`number of guesses
`number of possible characters per position
`number of positions
`probability of guessing the password
`number of possible passwords
`
`card is still secret, at least a few general steps of the procedure became known. From this
`information, it could be concluded that the PINs that are generated are not uniformly distributed,
`since the algorithm used produces the numerals 0 through 5 significantly more often than
`6 through 9. It also became known that the PIN algorithm suppressed leading zeros when
`generating PINs. With such a non-uniform distribution, it is not necessary to make 3333
`attempts in order to correctly guess a four-digit PIN with the permitted number of incorrect
`guesses (3), but only 150 [Karten 97]. With 10.5 % of the cards, the distribution is so poor
`that only 72 attempts will suffice if the characteristics of the PIN generation algorithm are
`taken into account [Schindler 97]. The end result of all this is that an improved PIN generation
`
`Table 8.2 PINs and passwords with various lengths and codings, and the number of possible
`combinations
`
`Type of PIN or password
`
`Range of values or coding
`of the PIN or password
`
`1-digit PIN
`1-character password
`1-character password
`1-character password
`
`4-digit PIN, no leading zero
`4-digit PIN
`4-character password
`4-character password
`4-character password
`
`5-digit PIN, no leading zero
`5-digit PIN
`6-digit PIN, no leading zero
`6-digit PIN
`6-character password
`6-character password
`6-character password
`
`PIN ∈ {0 . . . 9}
`password ∈ {0 . . . 9,''A''. . .''Z''}
`password ∈ {0 . . . 9,''a''. . .''z'',''A''. . .''Z''}
`password ∈ {0 . . . 9,''a''. . .''z'',''A''. . .''Z'',
`20 arbitrary special characters }
`PIN ∈ {1000 . . . 9999}
`PIN ∈ {0000 . . . 9999}
`password ∈ {0 . . . 9,''A''. . .''Z''}
`password ∈ {0 . . . 9,''a''. . .''z'',''A''. . .''Z''}
`password ∈ {0 . . . 9,''a''. . .''z'',''A''. . .''Z'',
`20 arbitrary special characters}
`PIN ∈ {10000 . . . 99999}
`PIN ∈ {00000 . . . 99999}
`PIN ∈ {100000 . . . 999999}
`PIN ∈ {000000 . . . 999999}
`password ∈ {0 . . . 9,''A''. . .''Z''}
`password ∈ {0 . . . 9,''a''. . .''z'',''A''. . .''Z''}
`password ∈ {0 . . . 9,''a''. . .''z'',''A''. . .''Z'',
`20 arbitrary special characters}
`
`Number of
`possible PINs
`or passwords
`
`10
`36
`62
`82
`9.00 × 103
`1.00 × 104
`1.68 × 106
`1.48 × 107
`4.52 × 107
`8.9 × 104
`1.00 × 105
`8.99 × 105
`1.00 × 106
`2.18 × 109
`5.68 × 1010
`3.04 × 1011
`
`

`

`Case 6:21-cv-01101-ADA Document 34-8 Filed 06/09/22 Page 19 of 86
`
`496
`
`Security Techniques
`
`algorithm is used with new Eurocheque cards, and the DES algorithm originally used has been
`replaced by a triple-DES algorithm.
`
`Generating a PIN
`
`In order to generate a PIN for a smart card, it is first necessary to have a random number
`generator and an algorithm that converts a random number into an ASCII-coded PIN of the
`required length. A table of known trivial combinations can then be used to detect and discard
`trivial PINs. Finally, the PIN must be stored in the smart card, and the VERIFY command
`must then be used as necessary to compare it with PIN codes transferred to the card from the
`terminal.
`A somewhat more complicated procedure for generating PINs is required for a system that
`uses magnetic-stripe cards instead of smart cards. This is because it must be possible for a
`cash dispenser operating offline to test an entered PIN using data contained in the magnetic
`stripe. This requirement does not actually apply to smart cards, but all debit cards (such as
`Eurocheque cards) presently have magnetic stripes for reasons of compatibility, even if they
`also have microcontrollers. When hybrid cards with both chips and magnetic stripes are used,
`the PIN generation algorithm must therefore be deterministic, which means that it must always
`produce the same result for a given set of input values. A random number generator cannot do
`this.
`A procedure is thus needed that can generate a PIN based on the magnetic stripe data. In
`order to avoid having the security of the system depend on the procedure itself, a secret key
`should also be involved in the computation. Figure 8.2 illustrates an algorithm similar to the
`one that is used for German Eurocheque cards. Its inputs consist of the bank routing code,
`the account number and the serial number of the card. This algorithm uses the DES algorithm
`with a secret key to generate a four-digit PIN. This procedure suffers from the previously
`mentioned disadvantage that it produces PINs that are not uniformly distributed over the total
`possible number space (''0000'' to ''9999'' in the case of a four-digit PIN). This is due to the
`mapping rule that is used to convert the hexadecimal numerals ('A','B','C','D','E', and'F') into
`decimal numerals following the encryption process. This undesirable feature could be easily
`avoided by using a better mapping rule. The DES algorithm is used in part because the key
`rather than the procedure must be kept secret, and in part due to its properties of confusion and
`diffusion.1
`The PIN generation procedure that was used between 1981 and 19972 for German Eu-
`rocheque cards produced PINs that were not uniformly distributed over the entire number
`space. Consequently, some PINs were significantly more probable than others, and such PINs
`could be used for attacks (which were generally not successful). For this reason, it is important
`to ensure that procedures used to generate PINs produce PINs that are distributed uniformly
`over the available number space.
`
`1 See also Section 4.6.1, ‘Symmetric cryptographic algorithms’
`2