Category Archives: Security

Using the German electronic identity card (eID) in Ubuntu 20.04

The new eID functionality of the German identity card enables you to identify yourself with your real name towards government or commercial web services. It makes sure that it is really you who uses the web services, and not someone who stole your online identity by email spoofing, SIM swapping, IMSI catcher, etc. .

In this example, we will be using the eID to sign a PGP key. This will uniquely identify the owner of the German identity card as the owner of the PGP key, which can then be used to sign and encrypt emails. That way PGP no longer relies on a web of trust, but works similar to the PKI concept of S/MIME certificates, in that it checks the real identity of the owner of the certificate, and then signs the certificate by a common public authority that everyone trusts.


  • A German identity card with eID functionality.
  • A supported RFID card reader, e.g. from REINER SCT.
  • Operating system drivers for your card reader. In Ubuntu 20.04 drivers for all REINER SCT card readers (also called "cyberJack") are included in the package libifd-cyberjack6. You can download Ubuntu drivers from their website too, but they didn't work for me.
  • On Linux, the pcscd daemon that enables access to smart card readers.
  • An application called AusweisApp2 that handles authentication (PIN entry) and authorization (who wants to access what kind of information on your eID). In Ubuntu 20.04 AusweisApp2 is already included in the standard repositories (version 1.20.0). The app is also included as a snap install (newer version 1.20.2), but that didn't work for me (for the error message see below).

First steps

  • Make sure you have the letter with the initial PIN for your eID at hand.
  • IMPORTANT: Make sure your RFID card reader is updated to the latest firmware release. With most card readers, the firmware can only be updated while you install the card reader on a Windows system.
  • IMPORTANT: Remove usbguard. Even after I permanently added the card reader to the list of allowed devices, pcscd could not find my card reader, or AusweisApp2 did not properly recognize my card reader and complained about missing drivers.
  • Install all necessary software packages and drivers for Ubuntu 20.04:
    pcscd pcsc-tools libifd-cyberjack6 libusb-1.0-0 libusb-1.0-0 libccid libpcsclite1 libpcsc-perl libpcsclite-dev

Test your card reader

Start the pcscd daemon in debug mode:

$ sudo pcscd -df
00000000 [140135772616640] pcscdaemon.c:347:main() pcscd set to foreground with debug send to stdout
00000086 [140135772616640] configfile.l:293:DBGetReaderListDir() Parsing conf directory: /etc/reader.conf.d
00000017 [140135772616640] configfile.l:329:DBGetReaderListDir() Skipping non regular file: ..
00000006 [140135772616640] configfile.l:369:DBGetReaderList() Parsing conf file: /etc/reader.conf.d/libccidtwin
00000029 [140135772616640] configfile.l:329:DBGetReaderListDir() Skipping non regular file: .
00000009 [140135772616640] pcscdaemon.c:663:main() pcsc-lite 1.8.26 daemon ready.
00003514 [140135772616640] hotplug_libudev.c:299:get_driver() Looking for a driver for VID: 0xABCD, PID: 0x1234, path: /dev/bus/usb/001/001

Plug in your card reader.

IMPORTANT: If you use a USB card reader, plug it directly into your PC or laptop. Do not use a USB hub, as the hub may not provide enough power for the USB device. Also make sure to use the USB cable that came with the card reader. Longer cables may result in unstable connections.

In the output of the pcscd daemon (after a couple of seconds, wait for it!), you will see something like this:

99999999 [140135764219648] hotplug_libudev.c:655:HPEstablishUSBNotifications() USB Device add
00000158 [140135764219648] hotplug_libudev.c:299:get_driver() Looking for a driver for VID: 0x0C4B, PID: 0x0500, path: /dev/bus/usb/002/012
00000010 [140135764219648] hotplug_libudev.c:440:HPAddDevice() Adding USB device: REINER SCT cyberJack RFID standard
00000050 [140135764219648] readerfactory.c:1074:RFInitializeReader() Attempting startup of REINER SCT cyberJack RFID standard (1234567890) 00 00 using /usr/lib/pcsc/drivers/l
00001347 [140135764219648] readerfactory.c:950:RFBindFunctions() Loading IFD Handler 3.0
00023288 [140135764219648] readerfactory.c:391:RFAddReader() Using the pcscd polling thread

Notice that the pcscd daemon uses the driver from the package libifd-cyberjack we installed earlier. You can also check the output from the pcscd client tool:

$ pcsc_scan
Using reader plug'n play mechanism
Scanning present readers...
0: REINER SCT cyberJack RFID standard (1234567890) 00 00

Thu Nov 19 13:17:31 2020
Reader 0: REINER SCT cyberJack RFID standard (1234567890) 00 00
 Event number: 0
 Card state: Card removed,

As you can see, pcscd properly detected the card reader. Now insert your identity card into the card reader while pcsc_scan is running. The output of pcsc_scan will show something like this:

Thu Nov 19 13:21:24 2020
Reader 0: REINER SCT cyberJack RFID standard (1234567890) 00 00
 Event number: 3
 Card state: Card inserted,
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
       Personalausweis (German Identity Card) (eID)

Install and start the application AusweisApp2

Install the application AusweisApp2 from the general Ubuntu repository. Do not install the snap app! In my case, the snap version of AusweisApp2 did not work properly. I got the following error message in my system logs:

Nov 18 17:32:03 server ausweisapp2-ce.pcscd[6911]: 07606784 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:0c4b/0500:libudev:0:/dev/bus/usb/002/006)
Nov 18 17:32:03 server ausweisapp2-ce.pcscd[6911]: 00000015 readerfactory.c:376:RFAddReader() REINER SCT cyberJack RFID standard (1234567890) init failed.
Nov 18 17:32:03 server ausweisapp2-ce.pcscd[6911]: 00000073 hotplug_libudev.c:526:HPAddDevice() Failed adding USB device: REINER SCT cyberJack RFID standard

After you start the application, go to Start -> Settings -> USB card reader to check if the app can communicate with your card reader.

If you haven't done so before, the app will ask you to change the initial PIN that you received by mail. You have to set your own PIN before you use any online service.

Test the authentication process

Go to Start -> Self-Authentication -> See my personal data. Here you can check the data that is stored on your eID, and also make sure that the authentication process is working properly.

Click on "Proceed to PIN entry". On your card reader, you will need to confirm the service provider who wants to access your card, and also which information is requested from your card. Of course you also need to enter your new PIN.

Sign your PGP certificate

Go to Start -> Provider -> Other services -> Schlüsselbeglaubigung. The key signing service is provided by Governikus, the company who develops AusweisApp2.

Click on "To online application". This will start your default web browser and open the URL . Of course you can also enter the URL directly into your web browser. Just make sure that AusweisApp2 is running in the background.

On the website you may upload your PGP public certificate. After successful authentication by eID, you will receive an email with your certificate signed by Governikus. The signature makes sure that the PGP key really belongs to you and not someone else who is impersonating you by using your email address (email spoofing) or smartphone number (SIM card swapping, IMSI catcher).


The whole eID authentication process on a website can be described as follows:

  1. Start the pcscd daemon, either by "sudo systemctl start pcscd", or if this doesn't work by "sudo pcscd -f".
  2. Plug in you card reader. You should see a confirmation in the daemon output (or by typing "systemctl status pcscd" if you started pcscd with systemctl):
    "CYBERJACK: Started"
  3. Start the application AusweisApp2.
  4. Go to the website that requests eID authentication ("elektronischer Personalausweis"), and click on "Login".
  5. Control is transferred to AusweisApp2. There you should see who requests information, and what kind of information.
  6. Insert the identity card into your card reader.
  7. In AusweisApp2, click on "Proceed to PIN entry".
  8. Control is transferred to your card reader. There you need to confirm:
    1. The service provider.
    2. The information he wants to access.
    3. Enter your PIN.
  9. On the display of your card reader, you should see something like "Tunnel established". AusweisApp2 shows something like "Authentication successful". The website should automatically proceed to its regular contents, just as if you would have entered a regular username and password.
  10. That's it.


  • If you see the following error message in the output of pcsc_scan, it means that pcsc_scan cannot communicate with the daemon pcscd. Make sure that the daemon is running.
SCardGetStatusChange: RPC transport error.
  • If AusweisApp2 does not recognize your card reader, or complains about missing drivers, try to start pcscd from the command line ("sudo pcscd -f"), and not as a background service ("sudo systemctl start pcscd"). Also make sure that you removed usbguard and did a reboot afterwards.
  • If the authentication process is not working, try to update the firmware of your smart card reader to the latest version. This might only be possible under Windows during driver installation.

Are you safe from BGP hijacking?

How serious is your ISP about Internet security? There is a website now where you can check if your ISP is vulnerable to BGP hijacking:

The website also contains additional background information about BGP hijacking and how to prevent it in the first place.

ISP = Internet Service Provider, the company that hooks you up to the Internet


Let's Encrypt Certificate for SMTP with STARTTLS

TLS Encryption

Let's Encrypt provides an easy way to get free certificates not only for web servers, but also for email servers like Postfix.

The way Let's Encrypt usually works requires you to setup a web server. Let's Encrypt sends you a challenge, and you have to prove ownership of the domain by providing a response to that challenge. You do this by placing the response in a certain URL on your web server:

That way you prove that you are the owner of the domain "". But there is another even easier way to prove ownership of a domain: DNS. You place the response in a specific TXT record of your domain:

  • You can use your domain hosting service (GoDaddy, Whois, etc.) to create a new TXT record.
  • The "certbot" command line client does all the rest in just one call.
  • Under Debian 9 and 10, "certbot" is part of the official package repository.
  • You can run certbot on any Linux client. You don't have to run it on the email server.


In this example the public hostname of your mail server is Therefore you have to create a TXT record called . The value of the TXT record is in the output of certbot.

# certbot certonly --manual --preferred-challenges dns -d
Saving debug log to /var/log/letsencrypt/letsencrypt.log 
Plugins selected: Authenticator manual, Installer None 
Obtaining a new certificate 
Performing the following challenges: 
dns-01 challenge for 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
NOTE: The IP of this machine will be publicly logged as having requested this 
certificate. If you're running certbot in manual mode on a machine that is not 
your server, please ensure you're okay with that. 
Are you OK with your IP being logged? 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(Y)es/(N)o: Y 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Please deploy a DNS TXT record under the name with the following value: 
Before continuing, verify the record is deployed. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Press Enter to Continue 
Waiting for verification... 
Cleaning up challenges 
 - Congratulations! Your certificate and chain have been saved at: 
   Your key file has been saved at: 
   Your cert will expire on 2020-02-15. To obtain a new or tweaked 
   version of this certificate in the future, simply run certbot 
   again. To non-interactively renew *all* of your certificates, run 
   "certbot renew" 
 - If you like Certbot, please consider supporting our work by: 
   Donating to ISRG / Let's Encrypt: 
   Donating to EFF:          

World's most famous and secure public VPN service is leaking sensitive information

Probably one of the world's most famous public VPN providers is leaking your traffic. The weirdest thing about it is, nobody noticed the traffic before.

Lessons learned: Always check no matter how good the reputation might be.

Update (2019-10)
Nobody is perfect. Half a year later, there seems to be another problem with our famous VPN service. Not so much information about it out there, so here is a link in case you want to check yourself.

Lessons learned: Double check for safety's sake.

Update (2019-10)
Oh noooo, now our famous VPN provider got hacked really bad. Private keys for OpenVPN have been revealed, but they already expired in 2018. Nevertheless, it could be that those keys were hacked in 2018 when they were still valid. All I can say: "Told ya!"

Lessons learned: Triple check for safety's sake.


Security Alert: Migrate to Post-Quantum Cryptography Right Now!

Current cryptographic algorithms will be broken within the next couple of years. The time to migrate to post-quantum cryptography is right now. Ah yes ... and while you're at it, don't forget about crypto currency.

Migration steps towards post-quantum cryptography:

  1. Identify possible technologies
  2. Choose algorithms for standardization
  3. Standardization (RFCs)
  4. Implementation
  5. Integration into operating systems

Right now, we are at step 1 and 2.

Update (20.04.2018)
OpenSSH 8.0 supports quantum-computing resistent key exchange method - still experimental though.


iptables: Block traffic by country (Debian 10)

You need the package versions from at least Debian 10 testing for this to work. Installing specific packages from the testing branch is beyond the scope of this article, but there are many tutorials online.

  • Switch to legacy iptables (I did not try it with the new nftables packet filter that came with Debian 10):
sudo update-alternatives --config iptables 
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables). 

 Selection    Path                       Priority   Status 
 0            /usr/sbin/iptables-nft      20        auto mode 
* 1            /usr/sbin/iptables-legacy   10        manual mode 
 2            /usr/sbin/iptables-nft      20        manual mode 

Press <enter> to keep the current choice[*], or type selection number: 1
  • Install iptables module "geoip" (from testing) and dependencies:
sudo aptitude install xtables-addons-common/testing xtables-addons-dkms/testing libnet-cidr-lite-perl libtext-csv-xs-perl
  • Make sure you have the right version (from Debian testing):
apt show xtables-addons-common
Version: 3.5-0.1
  • Download and build geoip database (zipped CSV file from MaxMind):
sudo -i
mkdir /usr/share/xt_geoip/ 
cd /usr/share/xt_geoip/
cd GeoLite2-Country-CSV_* 
cp *iv? ..
  • Check your iptables rules in INPUT chain. It should look something like this, if you already setup iptables:
# iptables --line-numbers -nL  INPUT

Chain INPUT (policy DROP) 
num  target     prot opt source               destination          
1    ACCEPT     all  --              state RELATED,ESTABLISHED
2    ACCEPT     ...
3    ACCEPT     ...
8    LOG        all  --              state INVALID,NEW LOG flags 0 level 4 prefix "DROP input:"
  • Add iptables rule to block all incoming traffic from e.g. Prague/Czech Republic. Make sure to insert the new rule after the RELATED/ESTABLISHED rule and before any other ACCEPT rules. In this example, the rule is inserted as line number 2.
iptables -I INPUT 2 -m geoip --src-cc CZ -j DROP
  • In the second example we block all traffic except the one that is originating from the United States. TCP traffic is not simply dropped, but spoofed by the DELUDE target.
iptables -I INPUT 2 -m geoip ! --src-cc US -j DROP
iptables -I INPUT 2 -p tcp -m geoip ! --src-cc US -j DELUDE

Important things to note:

  • You have to reinstall package "xtables-addons-common" with every new kernel version because it is compiled during package installation using the current kernel source (see /usr/src/xtables-addons-*).
  • For more information about the DELUDE target in the second example, see "man xtables-addons". It spoofs nmap scans and makes it harder for port scanners to scan the destination host. It is only valid for TCP traffic.

Add entropy to KVM virtual guests (Why is key creation so slow?)


Cryptographic key creation (GnuPG, SSH, etc.) in virtual guests may be very slow because there is not enough entropy.

$ cat /proc/sys/kernel/random/entropy_avail 


Add /dev/urandom from virtual host in virt-manager. Click on "Add Hardware".

Add "RNG" device.

This is what will be added to the qemu xml file in /etc/libvirt/qemu:

<domain type='kvm'>
   <rng model='virtio'> 
     <backend model='random'>/dev/urandom</backend> 
     <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> 

In the virtual guest, install "rng-tools" (Ubuntu 18.04).

$ sudo apt-get install rng-tools

If something goes wrong, the rngd daemon will complain in /var/log/syslog.

Oct 13 22:48:07 guest rngd: read error 
Oct 13 22:48:07 guest rngd: message repeated 99 times: [ read error] 
Oct 13 22:48:07 guest rngd: No entropy sources working, exiting rngd

If rngd is working correctly, check entropy level again.

$ cat /proc/sys/kernel/random/entropy_avail

Security Guidelines

Computer Security

Physical Device Security

  • Always completely switch off your computer and lock your computer safely away, even if you just visit the bathroom. Screen saver locking or putting the laptop into sleep mode is not enough (Cold Boot Attacks).
  • Don't display anything important on your computer screen (Van-Eck-Phreaking).
  • Don't type in anything important on your keyboard or touchscreen.
  • Install USBGuard to protect against unknown USB devices.
    (Note that USB IDs and serial numbers of USB devices can easily be replicated. Once an attacker knows the type of USB device you are using, and its serial number, USBGuard can easily be bypassed. That means: Never lend someone your USB stick, never accept a USB device from untrustworthy persons ... which means anyone.)

Software Security

  • Always use fingerprints to identify certificates for important web services. Don't rely solely on CAs.

Useful Links

  • Ubuntu Security
  • Ubuntu Security Features Matrix
  • End User Device Security Guidance for Ubuntu 18.04 LTS from the NCSC (National Cyber Security Center, part of GCHQ)

Password security - it is not about length or complexity


Passwörter sollten nach Möglichkeit nicht im Klartext am Bildschirm angezeigt werden. Neben dem offensichtlichen Shoulder Surfing ("über die Schulter schauen"), gibt es auch sog. Seitenkanalangriffe in blickgeschützten Bereichen.

Das ursprünglich für ältere Röhrenmonitore entwickelte Van-Eck-Phreaking, bei dem die elektromagnetische Strahlung über größere Distanzen aufgezeichnet wird, lässt sich offenbar auch für moderne LCD-Monitore mit HDMI-Kabel ausnutzen. Aus der empfangenen elektromagnetischen Strahlung wird dann das ursprüngliche Monitorbild rekonstruiert. Die dazu notwendige Elektronik ist mittlerweile schon für ambitionierte Hobby-Bastler erschwinglich.

Einige Quellen im Internet weisen ebenso auf relativ hohe elektromagetische Strahlungen und akustische Signale von aktuellen PC-Grafikkarten und Flachbildschirmen/Touchscreens in Kombination mit Monitor- und Stromkabeln hin, die im Prinzip wie eine Antenne funktionieren.

Um Sicherheitsproblemen in diesem Bereich von vornherein aus dem Weg zu gehen, kann man z.B. moderne Passwortmanager verwenden, die Passwörter automatisch generieren und dann über die Zwischenablage in die Anwendung kopieren, ohne das Passwort selbst im Klartext eintippen oder auf dem Bildschirm anzeigen zu müssen.