JavaCardSpot-dev / KeepassNFCApplet

The Unlicense

Implement authentication protocol #11

Closed aki8 closed 6 years ago

aki8 commented 6 years ago

Implement an authentication protocol to make sure user is correctly authorized and safely authenticated in card usage. A safe solution could include PIN usage.

aki8 commented 6 years ago

Protocol: Implement the provision of a user PIN (at least 6 digits) for using the card, such that every time the card is connected it will ask for the PIN. There should be a separate, hard-coded Master PIN which is allowed to change only after its verification. Only 3 attempts of wrong user PIN entry are allowed, and thereafter the card should be permanently locked, which the user could reset only with the Master PIN, in a single attempt. The applet shall not allow setting of any PIN unless the Master PIN is verified. Only after successful verification of the user PIN should the applet process any APDU. The Master PIN should be used for resetting the user PIN only, and not for applet usage.

viktech123 commented 6 years ago

There can be various solutions to implement the authentication; PAKE is one of the options. We have been taught the same. We can make use of PIN-based authentication prior to key agreement between user and app. Further, the PIN can be 4 digits and max trials can be kept as 3; however, the PIN will be user-prompted and not hardcoded.

McCio commented 6 years ago

Thus, this is partially related to #10. Regarding authentication, there will be the following basic states

The PIN APDUs will be in plaintext for now.

viktech123 commented 6 years ago

Ok, this seems to be a possible solution.

aki8 commented 6 years ago

Finalized Authentication Protocol: (Two PINs: Master PIN & User PIN)

  1. Uninitialized: the "Master PIN" (at least 6 digits) is set during installation/reinstallation (not hardcoded), and no User PIN has ever been set. The Master PIN is required only to set the User PIN. It can be changed only after verification of the old Master PIN.
  2. Initialized: the "User PIN" (4 digits is good) is set/reset using the Master PIN. This PIN shall be verified every time the card is inserted, for its usage/functionality.
  3. The total number of contiguous failed attempts (maximum 3) of both PINs (Master PIN and User PIN) shall be logged.
  4. Reaching the maximum failed attempts of the "User PIN" shall temporarily block applet usage. It can be re-allowed by resetting the "User PIN", but only after verification of the "Master PIN" and applet version.
  5. Reaching the maximum failed attempts of the "Master PIN" shall permanently block card usage. It can be reused only after a fresh re-installation of the applet.

Note: As of now, plaintext PIN data shall be used in the respective APDUs. But it would be better if some standard authentication protocol like PAKE, ECDH, etc. were used for PIN authentication/verification.
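The finalized two-PIN state machine above, written out as a minimal Java Card applet. This is an added example, not the KeepassNFCApplet project's code: it uses the platform's `javacard.framework.OwnerPIN` for both PINs, takes the initial Master PIN from the install parameters, and gates every normal command on a validated User PIN. The package name, the INS bytes, the "applet version" byte carried in P1, the 16-byte PIN ceiling and the 0x6983 status word for a blocked PIN are assumptions for this example.

```java
// Added example (not the project's code): the two-PIN protocol on top of OwnerPIN.
// Package, INS bytes, version byte and the 0x6983 status word are assumptions.
package example.pinauth;

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.OwnerPIN;

public class PinAuthApplet extends Applet {
    private static final byte INS_VERIFY_USER   = (byte) 0x20; // assumed INS map
    private static final byte INS_VERIFY_MASTER = (byte) 0x21;
    private static final byte INS_SET_USER_PIN  = (byte) 0x22;
    private static final byte INS_CHANGE_MASTER = (byte) 0x23;
    private static final byte INS_PROTECTED_OP  = (byte) 0x30; // stands in for any real applet function

    private static final byte MAX_TRIES      = (byte) 3;
    private static final byte MASTER_MIN_LEN = (byte) 6;
    private static final byte USER_MIN_LEN   = (byte) 4;
    private static final byte PIN_MAX_LEN    = (byte) 16;
    private static final byte APPLET_VERSION = (byte) 0x01;  // assumed; sent in P1 when resetting the User PIN
    private static final short SW_PIN_BLOCKED = (short) 0x6983; // ISO 7816-4 "authentication method blocked"

    private final OwnerPIN masterPin;
    private final OwnerPIN userPin;
    private boolean userPinSet; // false == "Uninitialized"; persistent, survives power loss

    private PinAuthApplet(byte[] bArray, short bOffset) {
        masterPin = new OwnerPIN(MAX_TRIES, PIN_MAX_LEN);
        userPin   = new OwnerPIN(MAX_TRIES, PIN_MAX_LEN);
        // Standard install-parameter layout: [AIDlen][AID][ctrlLen][ctrl][dataLen][data];
        // the applet-specific data carries the initial Master PIN, so it is never hardcoded.
        byte aidLen   = bArray[bOffset];
        short ctrlOff = (short) (bOffset + 1 + aidLen);
        short dataOff = (short) (ctrlOff + 1 + bArray[ctrlOff]);
        byte dataLen  = bArray[dataOff];
        requireLength(dataLen, MASTER_MIN_LEN);
        masterPin.update(bArray, (short) (dataOff + 1), dataLen);
        userPinSet = false;
        register(bArray, (short) (bOffset + 1), aidLen);
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new PinAuthApplet(bArray, bOffset);
    }

    public boolean select() {
        // A blocked Master PIN makes the applet refuse selection: usable again only after reinstall.
        return masterPin.getTriesRemaining() != 0;
    }

    public void deselect() {
        // Card removed: both PINs must be presented again next time. OwnerPIN.reset() only
        // clears the validated flag; a try counter part-way through its failures is kept.
        userPin.reset();
        masterPin.reset();
    }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        short lc = apdu.setIncomingAndReceive();
        switch (buf[ISO7816.OFFSET_INS]) {
            case INS_VERIFY_MASTER:
                checkPin(masterPin, buf, lc, MASTER_MIN_LEN);
                break;
            case INS_VERIFY_USER:
                if (!userPinSet) ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
                checkPin(userPin, buf, lc, USER_MIN_LEN);
                break;
            case INS_SET_USER_PIN: // sets or resets the User PIN; the only way out of a User PIN block
                requireValidated(masterPin);
                if (buf[ISO7816.OFFSET_P1] != APPLET_VERSION)
                    ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
                requireLength((byte) lc, USER_MIN_LEN);
                userPin.update(buf, ISO7816.OFFSET_CDATA, (byte) lc); // update() also refills the try counter
                userPinSet = true;
                break;
            case INS_CHANGE_MASTER:
                requireValidated(masterPin);
                requireLength((byte) lc, MASTER_MIN_LEN);
                masterPin.update(buf, ISO7816.OFFSET_CDATA, (byte) lc);
                break;
            case INS_PROTECTED_OP:
                requireValidated(userPin); // a validated Master PIN alone never unlocks applet functions
                // ... the applet's real work would go here
                break;
            default:
                ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }

    private static void requireLength(byte len, byte min) {
        if (len < min || len > PIN_MAX_LEN) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
    }

    private static void requireValidated(OwnerPIN pin) {
        if (!pin.isValidated()) ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
    }

    private static void checkPin(OwnerPIN pin, byte[] buf, short lc, byte min) {
        if (pin.getTriesRemaining() == 0) ISOException.throwIt(SW_PIN_BLOCKED);
        requireLength((byte) lc, min);
        // OwnerPIN.check() refills the counter on success and decrements it on failure;
        // 63Cx reports the tries left, x == 0 meaning the PIN is now blocked.
        if (!pin.check(buf, ISO7816.OFFSET_CDATA, (byte) lc))
            ISOException.throwIt((short) (0x63C0 | pin.getTriesRemaining()));
    }
}
```

Two design points worth noting. Using `OwnerPIN` rather than a hand-rolled counter plus `Util.arrayCompare` matters: its try counter is decremented before the comparison and is not rolled back by a transaction abort, so pulling the card mid-verify cannot be used to get unlimited guesses, and the comparison does not leak how many digits matched. And because the PIN still travels in the clear in the APDU data field, anyone who can sniff the NFC exchange learns it; that is the gap the note about PAKE refers to, and the length checks above do nothing to close it.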

viktech123 commented 6 years ago

Ok, now it seems to be the perfect solution.

viktech123 commented 6 years ago

Added verification of User PIN and Master PIN. Added setting of new User PIN. @McCio please check the same and improve if required.

McCio commented 6 years ago

Now it should be improved as much as possible, also with heavy testing.

The only thing that is missing, as per the original protocol idea, is the setting of the PINs during installation.

viktech123 commented 6 years ago

Added tests for the same.

aki8 commented 6 years ago

User and Master PIN verification along with tests is updated as above. So, the issue seems to be resolved and worth closing.