Re: ATM card pins

New Message Reply About this list Date view Thread view Subject view Author view

David Jablon (dpj@world.std.com)
Fri, 07 Aug 1998 09:17:59 -0400


At 11:24 AM 8/7/98 +0100, Martin Grap wrote:

>[...] even the ability to perform an offline PIN verification
>can be implemented without storing the (encrypted) PIN on the mag
>stripe (The PIN is derived from a MAC which has been calculated by the ATM
>over the data stored on the card).
        ... and ...
>"It is possible to implement PIN verification schemes which do
>not require the explicit storage of the PIN in any form on the magstripe
>of the ATM card and these schemes are widely used at least in Europe."

Both statements are wrong. Allowing off-line verification
of a PIN with a card means that knowledge of the magstripe data
puts the PIN at risk.

Given that the PIN is a very-low-entropy secret, any
PIN verification data stored on the card leads to a trivial
brute-force attack. The stored data is equivalent to an
encrypted PIN, which for any reasonable attacker
is equivalent to the PIN itself. In the case above, just
calculate the MAC repeatedly for every possible PIN.

Even if the MAC includes a secret ATM key, the same fixed
key must be semi-permanently embedded in each compatible
ATM machine, and it can't be changed without making all
cards obsolete.

Storing any PIN-associated data on a card is a risk.
This applies to smart-cards as well, if they're vulnerable
to timing or power-monitoring attacks.

On-line verification is stronger, and can be upgraded to
use modern password methods. The best system would prove
knowledge of the PIN between the ATM and the bank, without
revealing it in the process. The bank could also store a
hashed verifier, to prevent amateur insider attack.

-- dpj



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:10:56