Re: Changing PINs of German bank card

2017-07-12 Thread MFPA 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512



On Wednesday 12 July 2017 at 3:15:09 PM, in
, Binarus wrote:-



> (if the
> PIN needs to be
> stored at all in some backend which I doubt).

The Bank must know the PIN (or a hash). Otherwise they would not know
if you entered the correct PIN for online transactions.


- --
Best regards

MFPA  

War is a matter of vital importance to the State.
-BEGIN PGP SIGNATURE-

iNUEARYKAH0WIQQzrO1O6RNO695qhQYXErxGGvd45AUCWWavfl8UgAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNB
Q0VENEVFOTEzNEVFQkRFNkE4NTA2MTcxMkJDNDYxQUY3NzhFNAAKCRAXErxGGvd4
5EszAPkBdc66gr6xgI+8/wFHlBwtPb+58kIumnL+XVILJ8EZBAD9HD2PgEEKU9j5
VfvdM0iCOzT7K3ZSoUVj9Nl5XyCsLw6JAZMEAQEKAH0WIQSzrn7KmoyLMCaloPVr
fHTOsx8l8AUCWWavfl8UgAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0QjNBRTdFQ0E5QThDOEIzMDI2QTVBMEY1NkI3
Qzc0Q0VCMzFGMjVGMAAKCRBrfHTOsx8l8AeyB/4+7JPyR9ez4d2AsXzhS2icXOr8
kawHn5FozBjiwFaNdvzkwgUNP957+3eCOwF1+q/IXJyWwm0DuV76ZNfTbfKSqGAn
2RYNIvcnq85MeoYoV1tuSKUqHW3dZO67Dj5cYRzw/mZljRamDTBy7yh2ylwo15uk
F0Eo/cbxqfSKF2QE2oCz6jNeWAvN5RfgqAx0x8CiU4lcwN7GgmQR8HzDH3Sl7tev
glxl1XJq1+Ht2UNiHL2bDK8abWqdA5sRGnBwnwxXVkaE/dp77HpsMXcvH5+egnrN
YUW7jY1/COIvdyHzuU9CfTmss+GPnvC2jo77muBYd5b7onI2YRpFEVUfiaMk
=Wz8h
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Changing PINs of German bank card

2017-07-12 Thread MFPA 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512



On Wednesday 12 July 2017 at 6:51:42 AM, in
, Binarus wrote:-


>and this means that such software would
> have to run on the
> card.

Or The ATM.

But maybe chip and PIN cards have the capacity.


- --
Best regards

MFPA  

If you save the world too often, it begins to expect it
-BEGIN PGP SIGNATURE-

iNUEARYKAH0WIQQzrO1O6RNO695qhQYXErxGGvd45AUCWWauiF8UgAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNB
Q0VENEVFOTEzNEVFQkRFNkE4NTA2MTcxMkJDNDYxQUY3NzhFNAAKCRAXErxGGvd4
5P3eAQD1OBo4LM/yLyQssGkVJEmgqn5OIpXCDt2coob3kzY5WQEA9ZhYPROmiMvt
WMpRAm0NREyj7rl8opW7BGnUjs2iogyJAZMEAQEKAH0WIQSzrn7KmoyLMCaloPVr
fHTOsx8l8AUCWWaupV8UgAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0QjNBRTdFQ0E5QThDOEIzMDI2QTVBMEY1NkI3
Qzc0Q0VCMzFGMjVGMAAKCRBrfHTOsx8l8EhLB/9zPxVUybSMna2DgDDn2oLyfRvy
jUh79wzyxmJKPCvny/IVt15ax6JaGY4nNbw2uZTgvnHpyPWS2SKNahrC6+gCR9Jz
YMYzctU42VoKvpCZQE+AouuJIAdCRy/hCkQ7r6wI4w5UC3fjvV6nfiObO0RMTf9H
o3eodkUVmbGaZBJnraa9Zl6aqoqhaUbqicbBckHdNqCgSRAGG9xKW44dmsnaIvdp
r/43xYLoVSJw1GTnfenaYChn9yD6/R0rSZB780qgu5+lmmUOqUETwZDteTnHoSKL
948ntbgD3XgfXZ5NFZkk+q+5pRbzRf/V4uMROSPNvVxuykcm2XQMYZvcVKDs
=gCEn
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Don't get the pinentry for passphrase in some contexts

2017-07-12 Thread Damien Cassou 
Hi,

I have the attached application below that just tries to decrypt a file
with gpg2. When the gpg-agent has an empty cache (I temporarily set
max-cache-ttl to 0 while testing), the application has different
behavior when ran from a terminal or from a Firefox add-on:

1- in the terminal, I get the pinentry application that asks me to enter
   the passphrase for the gpg key used to encrypt the file;

2- when launched from a Firefox web extension's browser action (Firefox
   itself being launched with `web-ext run` from the same terminal), I
   just get an error: "Public key decryption failed: Operation
   canceled. Decryption failed: No secret key". I'm never asked for my
   passphrase.

Others have reported the exact same problem with another web-extension
and another native application (written in Go):
https://github.com/dannyvankooten/browserpass/issues/23

I checked the environment variables and they are very much similar (diff
attached).

Do you have any clue what could be different in the two environments
that could cause gpg2 to behave differently?

I sent the same message to the dedicated mailing-list at mozilla.org:
https://mail.mozilla.org/pipermail/dev-addons/2017-July/002966.html. They
suggested I contact you.

Thank you

-- 
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill
#!/usr/bin/env node

let {env} = require('process')

let {spawnSync} = require('child_process')

let gpg2 = spawnSync('gpg2', ['--decrypt', 
'/home/cassou/.password-store/github.com.gpg'], {
  stdio: ['ignore', 'pipe', 'pipe']
})

console.error('--env:')
console.error(env)
console.error('--stdout:')
console.error(gpg2.stdout.toString())
console.error('--stderr:')
console.error(gpg2.stderr.toString())
--- terminal.log	2017-07-12 17:49:52.753432383 +0200
+++ firefox.log	2017-07-12 17:47:55.536277521 +0200
@@ -11,7 +11,7 @@
 GJS_DEBUG_TOPICS=JS ERROR;JS LOG
 GNOME_DESKTOP_SESSION_ID=this-is-deprecated
 GPGKEY=E2490AB1
-GPG_TTY=/dev/pts/6
+GPG_TTY=/dev/pts/5
 HISTCONTROL=ignoredups
 HISTSIZE=1000
 HOME=/home/cassou
@@ -24,6 +24,7 @@
 LC_NUMERIC=fr_FR.UTF-8
 LC_PAPER=fr_FR.UTF-8
 LC_TIME=fr_FR.UTF-8
+LD_LIBRARY_PATH=/home/cassou/Downloads/firefox
 LESSOPEN=||/usr/bin/lesspipe.sh %s
 LOADEDMODULES=
 LOGNAME=cassou
@@ -32,10 +33,27 @@
 MAILDIR=/home/cassou/Mail
 MODULEPATH=/etc/scl/modulefiles:/etc/scl/modulefiles:/usr/share/Modules/modulefiles:/etc/modulefiles:/usr/share/modulefiles
 MODULESHOME=/usr/share/Modules
+MOZ_ASSUME_USER_NS=1
+MOZ_CRASHREPORTER_DATA_DIRECTORY=/home/cassou/.mozilla/firefox/Crash Reports
+MOZ_CRASHREPORTER_EVENTS_DIRECTORY=/tmp/f03e27ce-dcb5-4c81-bf79-f28cd928abb3/crashes/events
+MOZ_CRASHREPORTER_PING_DIRECTORY=/home/cassou/.mozilla/firefox/Pending Pings
+MOZ_CRASHREPORTER_RESTART_ARG_0=/home/cassou/Downloads/firefox/firefox
+MOZ_CRASHREPORTER_RESTART_ARG_1=-start-debugger-server
+MOZ_CRASHREPORTER_RESTART_ARG_2=6005
+MOZ_CRASHREPORTER_RESTART_ARG_3=-foreground
+MOZ_CRASHREPORTER_RESTART_ARG_4=-no-remote
+MOZ_CRASHREPORTER_RESTART_ARG_5=-profile
+MOZ_CRASHREPORTER_RESTART_ARG_6=/tmp/f03e27ce-dcb5-4c81-bf79-f28cd928abb3
+MOZ_CRASHREPORTER_RESTART_ARG_7=
+MOZ_CRASHREPORTER_STRINGS_OVERRIDE=/home/cassou/Downloads/firefox/browser/crashreporter-override.ini
+MOZ_LAUNCHED_CHILD=
+MOZ_NO_REMOTE=1
+NO_AT_BRIDGE=1
+NO_EM_RESTART=
+NS_TRACE_MALLOC_DISABLE_STACKS=1
 NVM_DIR=/home/cassou/.nvm
-OLDPWD=/home/cassou/Documents/projects/firefox/passwe/add-on
 PATH=/home/cassou/.local/bin:/usr/lib64/qt-3.3/bin:/usr/lib64/ccache:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/home/cassou/node_modules/.bin
-PWD=/home/cassou/Documents/projects/firefox/passwe/app
+PWD=/home/cassou/Documents/projects/firefox/passwe/add-on
 QTDIR=/usr/lib64/qt-3.3
 QTINC=/usr/lib64/qt-3.3/include
 QTLIB=/usr/lib64/qt-3.3/lib
@@ -63,4 +81,11 @@
 XDG_SESSION_TYPE=x11
 XDG_VTNR=2
 XMODIFIERS=@im=ibus
-_=./index.js
+XPCOM_DEBUG_BREAK=stack
+XRE_BINARY_PATH=
+XRE_PROFILE_LOCAL_PATH=
+XRE_PROFILE_NAME=
+XRE_PROFILE_PATH=
+XRE_START_OFFLINE=
+XUL_APP_FILE=
+_=/usr/bin/web-ext
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Changing PINs of German bank card

2017-07-12 Thread Binarus 
On 12.07.2017 12:10, Peter Lebbing wrote:
> On 12/07/17 07:51, Binarus wrote:
>> Furthermore (not being sure, so read with care), I think that the bank
>> does not know your pin
> 
> When my bank card is replaced because its validity is about to end, the
> new card has the same PIN as the old one. I can't readily think of a way
> to do that without the bank knowing my PIN, since the new card didn't
> physically exist yet when the old card got its copy of the PIN.[1]

See

https://security.stackexchange.com/questions/62306/a-second-bank-card-arrived-with-the-same-pin

and

https://security.stackexchange.com/questions/88711/how-can-my-bank-issue-a-new-credit-card-with-the-same-pin-number

> Furthermore, I see no use to the bank not knowing my PIN. If their
> backend got hacked, these random 4 digits being public knowledge are the
> least of the problems.
> 
> And since a pin has so low entropy, I don't see how to protect it with a
> hash. Any system that can verify correctness in the time it takes to do
> a PIN payment[2] can do 10,000 guesses in reasonable time.

Right, but no reason to not do it that way (if the PIN needs to be
stored at all in some backend which I doubt).
> Also, back when you could do payments with the magstripe (which, AFAIK,
> can still be done in some countries, using your Dutch bank card, if you
> allow it), the PIN necessarily went to the bank, there was no way for a
> check by the chip in the card.

I never did look into the magstripe technique ... so no clue here. I
only know that those cards could be copied easily.

> Anyway, I'm still writing this even though I questioned its usefulness.
> But let's consider whether this thread really needs to go on much
> longer, it seems it has run its course and is now turning into a wide
> trickling delta that is no longer hurrying towards its destination but
> rather seeking the path of least resistance in any random direction :-).

You are right - let's finish.

Regards,

Binarus

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

OpenPGP Notations

2017-07-12 Thread Neal H. Walfield 
Hi,

I'm collection examples of notations.  If you somehow use notations,
I'd love to hear how you are using them.  (If you prefer to remain
anonymous, please feel free to reply privately.)

Also, I'm curious if anyone has a good use for unsigned ("unhashed")
notations.

Thanks!

:) Neal

Key: 8F17 7771 18A3 3DDA 9BA4  8E62 AACB 3243 6300 52D9

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Changing PINs of German bank card

2017-07-12 Thread Binarus 
On 12.07.2017 12:27, NdK wrote:
> Il 12/07/2017 12:01, Binarus ha scritto:
> 
>> Not sure about that. Similar to serious websites which don't store your
>> password in clear text, but do store the password's hash instead, I
>> would expect that banks don't store your PIN in clear text as well.
> Even with 6-digits PIN it would take *seconds* to an attacker to brute
> force hashed PINs once he gets the hashed database. [...]

While this is correct, it is no reason for not doing it that way (if we
choose to ignore the endless possibilities cryptography offers and
decide to store the PIN in some form in a backend at all).

 Salted hashes would
> multiply the needed time by the number of PINs (approx).
> So keeping such a database would be a really stupid thing to do --
> unless it's kept in a HSM.

Of course, I was talking about salted hashes. Besides that:

https://security.stackexchange.com/questions/88711/how-can-my-bank-issue-a-new-credit-card-with-the-same-pin-number

https://security.stackexchange.com/questions/62306/a-second-bank-card-arrived-with-the-same-pin

Some comments / answers in the first one claim that the PIN might be
stored in hashed form in some database. Most comments / answers in the
second one claim that the PIN is stored on HSM (they don't seem to be
sure if it is in clear text or encrypted there) (if I had more time for
research, I probably had found better explanations ... the two links
basically were on the first result page on Google when searching the
respective keywords).

But whatever: My key point was that the PIN *never* is stored (or
transmitted) in clear text outside an HSM, meaning that software which
could examine the PIN according to certain criteria will have to run
inside that HSM. I do not think that any bank has implemented such a thing.

Regards,

Binarus

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Changing PINs of German bank card

2017-07-12 Thread NdK 
Il 12/07/2017 12:01, Binarus ha scritto:

> Not sure about that. Similar to serious websites which don't store your
> password in clear text, but do store the password's hash instead, I
> would expect that banks don't store your PIN in clear text as well.
Even with 6-digits PIN it would take *seconds* to an attacker to brute
force hashed PINs once he gets the hashed database. Salted hashes would
multiply the needed time by the number of PINs (approx).
So keeping such a database would be a really stupid thing to do --
unless it's kept in a HSM.

Passwords have way larger key space (from 10^N for N digits of the PIN
to 64^N or more for the passwords -- considering uppercase, lowercase,
digits and symbols), hence salted hashes are quite secure.

BYtE,
 Diego

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Changing PINs of German bank card

2017-07-12 Thread Peter Lebbing 
On 12/07/17 07:51, Binarus wrote:
> Furthermore (not being sure, so read with care), I think that the bank
> does not know your pin

When my bank card is replaced because its validity is about to end, the
new card has the same PIN as the old one. I can't readily think of a way
to do that without the bank knowing my PIN, since the new card didn't
physically exist yet when the old card got its copy of the PIN.[1]
Furthermore, I see no use to the bank not knowing my PIN. If their
backend got hacked, these random 4 digits being public knowledge are the
least of the problems.

And since a pin has so low entropy, I don't see how to protect it with a
hash. Any system that can verify correctness in the time it takes to do
a PIN payment[2] can do 10,000 guesses in reasonable time.

Also, back when you could do payments with the magstripe (which, AFAIK,
can still be done in some countries, using your Dutch bank card, if you
allow it), the PIN necessarily went to the bank, there was no way for a
check by the chip in the card.

Anyway, I'm still writing this even though I questioned its usefulness.
But let's consider whether this thread really needs to go on much
longer, it seems it has run its course and is now turning into a wide
trickling delta that is no longer hurrying towards its destination but
rather seeking the path of least resistance in any random direction :-).

Cheers,

Peter.

[1] Barring any neat trickery like waiting for me to enter my PIN and
listening in so they can then program the new card.

[2] That's what they're called in The Netherlands. Well, PIN-betaling
actually, I did translate.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Changing PINs of German bank card

2017-07-12 Thread Binarus 
On 12.07.2017 11:42, Guan Xin wrote:
> On Wed, Jul 12, 2017 at 1:51 PM, Binarus  > wrote:
> 
> On 11.07.2017 20:38, MFPA wrote:
> >
> >
> > On Tuesday 11 July 2017 at 8:44:48 AM, in
> >  >,
> Binarus wrote:-
> >
> >
> >> I am not sure if this is an intentional limitation of
> >> the cards (to
> >> prevent users from choosing idiotic pins like 1234 or
> >> their birthday).
> >
> >
> > Surely things like 1234 can be prevented by software.
> >
> 
> But birthdays and the like probably not.
> 
> Furthermore (not being sure, so read with care), I think that the bank
> does not know your pin, but it is stored in the banks' backends as some
> sort of hash, and this means that such software would have to run on the
> card.
> 
> Such software can run on ATMs if that are the only places where one can
> change the PIN.
> And I don't think the bank needs the hash of the PIN. They may need the
> hash of the key(s) protected by the PIN, however.

Not sure about that. Similar to serious websites which don't store your
password in clear text, but do store the password's hash instead, I
would expect that banks don't store your PIN in clear text as well.

As far as I know, no bank will be able to tell you your PIN if you have
forgotten it even if you go there and show them your passport. They can
only generate a new one (or a new card), but they can't tell you the
existing one because they just don't know it.

That means that the bank's backend will never see the PIN you choose and
thus can never decide if it is insecure (i.e. something like ). If a
bank decides to handle the PINs that way, they probably won't allow the
ATM to get hold of the PIN in clear text as well.

I might be wrong, though.

Regards,

Binarus







___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Changing PINs of German bank card

2017-07-12 Thread Guan Xin 
On Wed, Jul 12, 2017 at 1:51 PM, Binarus  wrote:

> On 11.07.2017 20:38, MFPA wrote:
> >
> >
> > On Tuesday 11 July 2017 at 8:44:48 AM, in
> > , Binarus wrote:-
> >
> >
> >> I am not sure if this is an intentional limitation of
> >> the cards (to
> >> prevent users from choosing idiotic pins like 1234 or
> >> their birthday).
> >
> >
> > Surely things like 1234 can be prevented by software.
> >
>
> But birthdays and the like probably not.
>
> Furthermore (not being sure, so read with care), I think that the bank
> does not know your pin, but it is stored in the banks' backends as some
> sort of hash, and this means that such software would have to run on the
> card.
>
> Such software can run on ATMs if that are the only places where one can
change the PIN.
And I don't think the bank needs the hash of the PIN. They may need the
hash of the key(s) protected by the PIN, however.

Guan
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Changing PINs of German bank card

2017-07-12 Thread Julian H. Stacey 
> A little bit of statistics (your name sounds German):
> http://www.sueddeutsche.de/wissen/unsichere-pin-codes-erwischt-1.1486312

I read the German, here's English):
http://www.berklix.org/trans/   ->
https://translate.google.com/translate?sl=auto=en=y=_t=en=UTF-8=http%3A%2F%2Fwww.sueddeutsche.de%2Fwissen%2Funsichere-pin-codes-erwischt-1.1486312==url

Julian
-- 
Julian H. Stacey, Computer Consultant, BSD Linux Unix Systems Engineer
 Reply below, Prefix '> '. Plain text, No .doc, base64, HTML, quoted-printable.
 http://berklix.eu/brexit/#700k_stolen_votes

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Changing PINs of German bank card

2017-07-12 Thread Binarus 
On 11.07.2017 21:09, Matthias Apitz wrote:

> Why 1234 is an idiotic PIN? What are idiotic PINs? Of course, idiotic is
> any PIN which has in your pocket hints about this (like a sticker attached
> or your birthday). But remember, you normally have 3 tries only to test
> all "idiotic" PINs. 1234 is same idiotic as 2345 or as 3456 or  or as
> , or , or ...

According to my understanding, the most idiotic PIN exactly is the one
with the highest probability of being guessed, in other words, the one
that is most often used by other people as well.

You are right in a mathematical sense, but you leave out the human
factor. If all people would choose their PINs freely, PINs for sure were
not equally distributed. 10% of the pins would be , another 10%
1234, another 30% their owner's birthday and so on.

A little bit of statistics (your name sounds German):
http://www.sueddeutsche.de/wissen/unsichere-pin-codes-erwischt-1.1486312

I don't have time for a thorough research right now, but this article
gives us an idea. I don't think the situation has changed much since
2012 ...

Regards,

Binarus


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users