Re: PIN Numbers and ATM Session Keys


Giff (giff@eng.us.uu.net)
Fri, 21 Aug 1998 18:42:08 -0400 (EDT)


On Fri, 21 Aug 1998, Cory R. King wrote:

> It's actually quite simple:
>
> 1. User Enters PIN ## and proceeds to use ATM
> 2. User completes transaction, ATM now attempts to verify..
> 3. ATM calls "home base" and sends the account number to the server
> 4. Server looks up a hash of the user's PIN number in database.
> 5. ATM also generates the hash based on the PIN number the user entered

Although in most cases, the user may do multiple transactions without
having to re-enter the PIN in each case.

> - From this point forward the server would expect the transaction
> to be encrypted using the hash as a key..

If the server's identity is known, why not negotiate a session key right
from the beginning? This prevents any eavesdropper from even learning
which account number is used.

As a separate point, the hash of the user's PIN will be constant. So
using that as a key each time when talking with the server is probably not
a good idea long term.

-Giff
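
The point about the constant PIN hash, as an added example that is not part of the original message: an authenticator computed under the PIN hash is identical in every session, while a key derived from fresh per-session nonces is not. The function names, the sample PIN and message, and the choice of SHA-256/HMAC are assumptions made here; the thread names no algorithm.

```python
import hashlib
import hmac
import secrets


def pin_hash_key(pin: str) -> bytes:
    """Key as in the quoted scheme: a hash of the PIN, the same every session."""
    return hashlib.sha256(pin.encode()).digest()


def session_key(long_term: bytes, atm_nonce: bytes, server_nonce: bytes) -> bytes:
    """Per-session key: HMAC over both sides' fresh 16-byte nonces."""
    data = b"session-key|" + atm_nonce + server_nonce
    return hmac.new(long_term, data, hashlib.sha256).digest()


def tag(key: bytes, message: bytes) -> bytes:
    """Authenticator an eavesdropper would see on the wire."""
    return hmac.new(key, message, hashlib.sha256).digest()


def run_sessions(pin: str, message: bytes, count: int = 3):
    """Send the same message in `count` sessions under both keying schemes.

    Returns (distinct tags with the constant key, distinct tags with
    per-session keys).
    """
    long_term = pin_hash_key(pin)
    static_tags, fresh_tags = set(), set()
    for _ in range(count):
        # Constant key: same message gives the same tag, so sessions are
        # linkable and a captured message can be replayed.
        static_tags.add(tag(long_term, message))
        # Fresh nonces from each side give a new key every session.
        key = session_key(long_term, secrets.token_bytes(16),
                          secrets.token_bytes(16))
        fresh_tags.add(tag(key, message))
    return len(static_tags), len(fresh_tags)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(run_sessions("4921", b"acct=000000;withdraw=100"))
```

This covers only the key-reuse point. Hiding the account number, the first point, needs a key negotiated with the identified server before anything else is sent, and a key rooted in a short PIN remains guessable offline.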



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:11:00