More fun with PINs

    Peter_in_2780 wrote:

    Thirtysome years ago I designed and built cryptographic modules for EFT processing. Early days...

    In those days there were two main algorithms for PIN verification. The IBM Derived PIN system used data from the mag stripe (some of the account number and other fields) to crunch up with DES and other things to generate the expected PIN, which was verified by direct comparison (at a processing system, since the terminal did not have the relevant DES keys etc). The (more popular) VISA method took the PIN and some stripe data, crunched them up and came out with a 4 digit value which was compared with the PVV (PIN verification value) from the stripe (or issuer's database). This can be viewed as an elaborate hash function (4 digit PIN -> 4 digit PVV).

    I investigated its properties as a hash, and (re-)discovered some interesting statistics. Obviously a 1:1 mapping could be fairly easily brute-forced, so information is "destroyed" to make it a one-way operation. As a consequence, looking at the PVV space:

      • 1/e (almost 37%) of PVVs are unreachable - no corresponding PINs
      • 1/e have one PIN mapped to them
      • 1/2e (over 18%) of PVVs have TWO PINs that map to them
      • 1/6e (6%+) of PVVs have THREE PINs that map
      • 1/24e (1.5%+) have FOUR
      • ... and so on

    So, (back in PIN space) there is a very real chance that your card has more than one PIN that would work. (Good luck finding the other(s)!) That fact blew the mind of more than a few bean-counters and auditors....

    With regard to OG's thread below, we had requests from card issuing institutions to NOT generate "simple" PINs. In the end I think we discarded PINs with 4 consecutive digits or more than two repeats. (A little repetition is good - my favoured PINs have two characteristics: They can be keyed by laying my hand over the PIN pad and merely flexing fingers. They include a repeat so even keen watchers wind up missing something.)

    Some time later, customer selected PINs (and PIN change terminals) hit the streets...
Ah, nostalgia (ain't what it used to be)!

    Software rusts. Simon Stephenson, ca 1994. So does this signature. me, 2012
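
The preimage statistics in the post above can be checked empirically; the following is an added example, not part of the original post. It assumes a truncated HMAC-SHA256 as a stand-in for the keyed one-way function (it is not the VISA PVV algorithm), and the key and account numbers are constructed sample data.

```python
import hashlib
import hmac
import math
from collections import Counter

SPACE = 10_000  # 4-digit PINs and 4-digit PVVs: 0000..9999

def toy_pvv(key: bytes, account: str, pin: int) -> int:
    """Keyed one-way stand-in reduced to 4 decimal digits (NOT the VISA PVV algorithm)."""
    msg = f"{account}:{pin:04d}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % SPACE

def preimage_histogram(key: bytes, accounts: list[str]) -> Counter:
    """Map k -> number of (account, PVV) slots reached by exactly k PINs."""
    hist = Counter()
    for account in accounts:
        hits = Counter(toy_pvv(key, account, pin) for pin in range(SPACE))
        hist.update(hits.values())      # slots with k >= 1 PINs
        hist[0] += SPACE - len(hits)    # unreachable PVVs
    return hist

def poisson1(k: int) -> float:
    """Poisson(lambda=1) probability of exactly k preimages: 1/(k! e)."""
    return math.exp(-1) / math.factorial(k)

def shared_pin_fraction(hist: Counter) -> float:
    """Fraction of PINs whose PVV is also produced by at least one other PIN."""
    total_pins = sum(k * n for k, n in hist.items())
    return sum(k * n for k, n in hist.items() if k >= 2) / total_pins

# Constructed sample data: a made-up key and 20 made-up account numbers.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_ACCOUNTS = [f"4000{n:012d}" for n in range(20)]

if __name__ == "__main__":
    hist = preimage_histogram(SAMPLE_KEY, SAMPLE_ACCOUNTS)
    slots = sum(hist.values())
    for k in range(6):
        print(f"{k} PINs: observed {hist[k] / slots:.4f}  expected {poisson1(k):.4f}")
    print(f"PINs sharing a PVV: {shared_pin_fraction(hist):.4f} "
          f"(1 - 1/e = {1 - math.exp(-1):.4f})")
```

The last figure is the PIN-space view: a randomly chosen PIN lands on a PVV with k preimages with probability proportional to k, so roughly 63% of PINs have at least one companion PIN that yields the same PVV.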
