## Display-PIN


Display-PIN lets a user enter a PIN on an insecure end device (e.g. a smartphone) with the guarantee that the PIN cannot be captured by malware on the end device or on the network path to the server.

Display-PIN uses the Display-TAN card. It gives the same level of security as if the PIN were entered via 10 buttons on the card itself: the card is the only trusted component, and the end device never handles the PIN digits. The guarantee assumes that an attacker who observes the end device or the network does not also see the card's display.

### How does it work?

From the user's perspective Display-PIN works as follows. The Display-TAN card shows a permutation of the 10 digits on its display (bottom right in the image below). The user enters the PIN on the smartphone this way: for the first digit of the PIN, the user looks up where on the card display that digit is positioned (in the example it is the digit 4, shown in the rightmost field of the center block) and then taps the unlabeled field in the corresponding position on the smartphone. The user proceeds this way for all digits of the PIN and finally submits the tapped positions to the server.

**Display-PIN**

The server receives the positions of the user's clicks. Since the server knows the permutation of the digits shown on the card, it reconstructs the PIN the user entered and checks whether it is correct. The permutation looks random to anybody who does not know the secret seed stored on the card, and it is different each time (a nonce enters the computation). Therefore a keylogger on the smartphone or an eavesdropper on the network cannot recover the PIN from the clicks. (Within one permutation equal PIN digits map to equal positions, so the click sequence does reveal which PIN digits repeat, but nothing about their values.)

### Constructing the Permutation

When Display-PIN is activated (via the flag P in the data string sent to the card), the card does exactly the same thing as without that flag, including the computation of the 8-digit OCRA value. But instead of sending the 8-digit OCRA value to the smartphone, the card computes a permutation from it and shows that permutation on the display.

A deterministic algorithm for constructing the permutation from the 8-digit OCRA value has to be defined, and the card and the server must implement it identically. The following algorithm seems to be the most straightforward one. Here is the PHP code of this algorithm (note that marked digits are skipped, i.e. not counted, while stepping), and further below is a trace showing the steps of the construction.

```php
<?php
// Construct the digit permutation $p[0..9] from the 8-digit OCRA value $v.
$v = 10000000;                       // example input (the test value used below)
$p = array("", "", "", "", "", "", "", "", "", "");
$m = array(false, false, false, false, false, false, false, false, false, false);
for ($i = 0; $i < 10; $i++) {
    $j = 10 - $i;                    // number of digits still unmarked
    $r = $v % $j;
    $count = 0;
    $z = 0;
    while ($count < $r) {            // pass over r unmarked digits
        if (!$m[$z]) $count++;       // marked digits are skipped, not counted
        $z++;
    }
    while ($m[$z]) $z++;             // land on the next unmarked digit
    $p[$i] = $z;
    $m[$z] = true;
    $v = floor($v / $j);
}
echo implode("", $p);                // 0291736584 for $v = 10000000
```

**Algorithm.**
We construct the permutation p[0], p[1], ..., p[9] from the left, i.e. first the digit p[0] for the leftmost of the 10 positions on the display is computed, then the digit p[1] for the second position, and so on until all 10 positions are filled. In addition we keep an array m[0], m[1], ..., m[9] of 10 flags that records for each digit 0, ..., 9 whether it is already marked (used). Initially every digit is unmarked.

Let v be the 8-digit OCRA value. In round 0 the first digit p[0] of the permutation is computed as v mod 10, i.e. p[0] is the rightmost decimal digit of v. We mark p[0] and set v to v div 10. In round 1 we compute r = v mod 9. Now we step through the array m[0], m[1], ..., m[9] exactly r steps, starting at m[0] and skipping (= not counting) the position that is already marked in case we get that far; the next unmarked position z after those r steps is the new p[1]. We mark z and set v to v div 9. We continue this way: in round i we set r = v mod (10-i), step through m[0], ..., m[9] over exactly r unmarked positions starting at m[0] (marked positions are skipped and not counted), and take the next unmarked position z as p[i]. We mark z, set v to v div (10-i), and go to round i+1. After 10 rounds the permutation p[0], p[1], ..., p[9] is complete. Since in round i exactly 10-i digits are still unmarked and r < 10-i, there is always an unmarked position left to land on, and the 10 chosen digits are pairwise different, so the result is indeed a permutation.

#### Test Interface

On the page the algorithm can be run with any 8-digit input. The table below shows the trace for the input v = 10000000: a column m0 ... m9 holds an x once that digit has been marked (state after the round), and p[i] is the digit placed at position i in round i.

round i | j=10-i | v | v div j | r=v mod j | m0 | m1 | m2 | m3 | m4 | m5 | m6 | m7 | m8 | m9 | p[i]
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---
0 | 10 | 10000000 | 1000000 | 0 | x |  |  |  |  |  |  |  |  |  | 0
1 | 9 | 1000000 | 111111 | 1 | x |  | x |  |  |  |  |  |  |  | 2
2 | 8 | 111111 | 13888 | 7 | x |  | x |  |  |  |  |  |  | x | 9
3 | 7 | 13888 | 1984 | 0 | x | x | x |  |  |  |  |  |  | x | 1
4 | 6 | 1984 | 330 | 4 | x | x | x |  |  |  |  | x |  | x | 7
5 | 5 | 330 | 66 | 0 | x | x | x | x |  |  |  | x |  | x | 3
6 | 4 | 66 | 16 | 2 | x | x | x | x |  |  | x | x |  | x | 6
7 | 3 | 16 | 5 | 1 | x | x | x | x |  | x | x | x |  | x | 5
8 | 2 | 5 | 2 | 1 | x | x | x | x |  | x | x | x | x | x | 8
9 | 1 | 2 | 2 | 0 | x | x | x | x | x | x | x | x | x | x | 4

Resulting permutation: **0291 7365 84** (written in the display's 4-4-2 blocks)

#### Randomness

If the 8-digit input values are uniformly random then the computed permutations are almost uniformly random too, i.e. each of the 10! permutations has essentially the same chance to appear. The only imbalance comes from the fact that 10^8 is not a multiple of 10!: the construction reads v as a mixed-radix number with digits v mod 10, (v div 10) mod 9, ..., down to mod 2, so v and v + 10! yield the same permutation, and since 10^8 = 27 · 10! + 2022400, each permutation is produced by either 27 or 28 of the 10^8 inputs. A ratio of 28/27 between the most and least likely permutation is negligible in practice.

In other words, given that the OCRA value appears random to anybody who does not know the secret seed (which is the current state of knowledge for OCRA with HMAC-SHA1: the known collision attacks on SHA-1 do not affect HMAC-SHA1 as a pseudorandom function), the permutation also appears random to anybody not knowing the secret seed.
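To make the whole round trip concrete, here is an added Python example (not the Display-TAN project's code) covering the three pieces described above: the permutation construction from the 8-digit value, the user's translation of PIN digits into click positions and the server's inversion of it, and the counting argument behind the 27-or-28 preimages per permutation. The seed and nonce values are constructed for the demo, and the 8-digit value is derived with the generic HOTP/OCRA HMAC-SHA1 dynamic truncation, which is an assumption: the card's actual OCRA suite and data string are not shown on this page.

```python
"""Display-PIN round trip, as an added example (not Display-TAN code):
8-digit value -> digit permutation -> click positions -> PIN at the server,
plus the Lehmer-code view that explains the 27-or-28 preimage count."""
import hashlib
import hmac
from math import factorial


def ocra_like_value(seed: bytes, nonce: bytes, digits: int = 8) -> int:
    """HMAC-SHA1 with HOTP/OCRA-style dynamic truncation (RFC 4226 / 6287).
    Assumption: the card's real OCRA suite and data string are not on the
    page, so this only stands in for 'an 8-digit value from seed and nonce'."""
    mac = hmac.new(seed, nonce, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return code % 10 ** digits


def construct_permutation(v: int) -> list[int]:
    """The page's algorithm.  Round i takes r = v mod (10-i), passes over r
    unmarked digits (marked ones are skipped, not counted) and places the
    next unmarked digit at display position i.  p[z] = digit shown at z."""
    p, marked = [], [False] * 10
    for i in range(10):
        j = 10 - i                      # number of digits still unmarked
        r, v = v % j, v // j
        z, count = 0, 0
        while count < r:                # pass over r unmarked digits
            if not marked[z]:
                count += 1
            z += 1
        while marked[z]:                # land on the next unmarked digit
            z += 1
        p.append(z)
        marked[z] = True
    return p


def format_blocks(p: list[int]) -> str:
    """Render as the card shows it: three blocks of 4, 4 and 2 fields."""
    s = "".join(map(str, p))
    return f"{s[0:4]} {s[4:8]} {s[8:10]}"


def pin_to_positions(pin: str, p: list[int]) -> list[int]:
    """User side: for every PIN digit, tap the field where the card shows it.
    Equal PIN digits map to the same position within one permutation."""
    return [p.index(int(d)) for d in pin]


def positions_to_pin(positions: list[int], p: list[int]) -> str:
    """Server side: it derived the same p, so a position maps back to a digit."""
    return "".join(str(p[z]) for z in positions)


def lehmer_code(p: list[int]) -> int:
    """Inverse of construct_permutation: recover r_i (how many unused digits
    are smaller than p[i]) and pack them as c = r_0 + 10*r_1 + 10*9*r_2 + ...
    c lies in [0, 10!) and construct_permutation(v) depends only on v mod 10!."""
    c, weight, used = 0, 1, set()
    for i, d in enumerate(p):
        c += sum(1 for x in range(d) if x not in used) * weight
        weight *= 10 - i
        used.add(d)
    return c


def preimage_count(p: list[int], n_inputs: int = 10 ** 8) -> int:
    """How many inputs in 0 .. n_inputs-1 yield p: v = c + k*10! for k >= 0,
    so it is 28 for c < 10^8 mod 10! = 2022400 and 27 otherwise."""
    return (n_inputs - 1 - lehmer_code(p)) // factorial(10) + 1


if __name__ == "__main__":
    seed = bytes(range(20))                        # constructed demo seed
    for nonce in (b"session-1", b"session-2"):     # a fresh nonce per use
        v = ocra_like_value(seed, nonce)           # card and server both compute this
        p = construct_permutation(v)
        clicks = pin_to_positions("4711", p)       # what malware on the phone sees
        assert positions_to_pin(clicks, p) == "4711"
        print(nonce.decode(), v, format_blocks(p), clicks)
    p = construct_permutation(10_000_000)          # the page's worked input
    print(format_blocks(p), preimage_count(p))     # 0291 7365 84 27
```

Running the demo shows that two sessions with the same seed but different nonces produce different permutations and therefore different click sequences for the same PIN, while the repeated digit 1 in 4711 always yields two identical clicks. The `lehmer_code` inverse is what makes the uniformity claim checkable without enumerating all 10^8 inputs.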

## Remarks

**Login**. Display-PIN can be used not only for transaction authentication, as in the example at the top, but also for plain login. And even if the card works event-based (the fallback when Bluetooth is not available on the end device), a permutation can be shown instead of the OTP. In all of these scenarios the user's PIN cannot be captured by malware, yet the server is still able to check it.

**Blocks**. Fortunately the current Display-TAN card's display has 3 blocks of 4, 4, and 2 digits respectively. Without these blocks Display-PIN would hardly be usable: it would be too hard for the user to locate a particular one of the 10 fields, both on the card and on the smartphone (it is somewhat hard even with the help of the 3 blocks of the current 1-row display).

**Matrix Display**

**2D-Display**. If a display has more space/rows than the single row of the current Display-TAN card (Version 1 and 2), a 2-dimensional representation of the permutation is preferable in terms of usability, see the image to the right.

**Variant**. eKaay PIN is an implementation of a variant of Display-PIN that uses a smartphone instead of a card and reads a 2D code instead of receiving the information via Bluetooth. That web page shows the full procedure of entering a given PIN (not just the first digit) using a 2D display, and entering the PIN can be tried out with a smartphone app.