bram (bram@gawth.com)
Fri, 7 Aug 1998 11:40:04 -0700 (PDT)
On Fri, 7 Aug 1998, David P Jablon wrote:
> I should have said that a fixed PIN-MAC key installed in
> all ATM's is too-vulnerable to theft or disclosure.
> And getting this key (by whatever means) enables a
> trivial brute-force attack on every card ever used with
> the system. This latter brute-force attack is on the
> order of 2^13, the size of a 4-digit PIN, rather than
> 2^56, or whatever.
Actually, that isn't true - if the PIN is salted - say by appending some
bits of random garbage to the end of it, and the result of that is left
encrypted on the card, then the result is reasonable secure. It's even
better if it's public-key encrypted and signed.
A bit of cleverness in a protocol can do wonderful things.
-Bram
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:10:56