From: Fergal Daly (fergal at domain esatclear.ie)
Date: Mon 18 Jun 2001 - 16:30:58 IST
On Mon, Jun 18, 2001 at 04:04:00PM +0100, Nick Hilliard wrote:
> > What are the weak points?
>
> Firstly, your key size is probably going to be small. If you're using a 4
> digit pin on a hex keypad, then there will be just 65536 possible
> combinations for your password. If it's restricted to digits only, then
> you're talking about just 10K combinations. This is certainly a weak link,
> which would allow pretty much anyone with a crypted password list to do a
> complete BF&I password scan pretty quickly.
Thinking about 10-digit, so 32 bits, but yes, it's not enormous.
> > Is there anything wrong with using XOR assuming
> > your PINs are nicely random?
>
> XOR is not secure. There are reversible encryption mechanisms available on
> the net which are much, much better. But if you're stuck with such limited
> pins, it may not make much of a difference.
Apart from speed, in what way is it any less secure than other reversible
encryption methods?
Assuming no knowledge is available about the distribution of PINs and
passwords (i.e. both are coming from /dev/random) then the 2-way algo is
irrelevant as you have no way of knowing if you've got the correct PIN
without testing it against the 1-way algo or just trying to authenticate
with what you think is the plaintext password.
Of course if the passwords are coming from /dev/random then I may as well
just use the PIN as the password, but I want the option of not having to do
this for every case.
Fergal
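An added Python sketch (not part of the thread) that makes the assumption in the reply measurable: with a 4-digit keypad PIN, an attacker holding only the XOR-encrypted password can try every PIN offline and keep the ones whose decryption looks like a password. The PIN-to-keystream derivation (SHA-256 in counter mode), the sample PIN and the sample passwords are all constructed here; the thread specifies none of them.

```python
import hashlib
import os
import string
from typing import Callable, List

PIN_DIGITS = 4                                    # constructed: keypad PIN length from the thread
PRINTABLE = set(string.printable[:-5].encode())   # letters, digits, punctuation, space


def keystream(pin: str, length: int) -> bytes:
    """Expand a PIN into `length` key bytes.

    Assumption: the thread never says how a PIN becomes a key. SHA-256 in
    counter mode is used only so that each PIN yields a distinct stream.
    """
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(f"{pin}:{counter}".encode()).digest()
        counter += 1
    return out[:length]


def xor_with_pin(pin: str, data: bytes) -> bytes:
    """XOR is its own inverse: the same call encrypts and decrypts."""
    return bytes(a ^ k for a, k in zip(data, keystream(pin, len(data))))


def surviving_pins(ciphertext: bytes, plausible: Callable[[bytes], bool]) -> List[str]:
    """Every PIN whose decryption of `ciphertext` passes the plausibility check.

    The length of this list is the security margin that remains after the
    XOR step; 10**PIN_DIGITS means the ciphertext alone reveals nothing.
    """
    pins = (f"{p:0{PIN_DIGITS}d}" for p in range(10 ** PIN_DIGITS))
    return [pin for pin in pins if plausible(xor_with_pin(pin, ciphertext))]


def looks_like_typed_password(candidate: bytes) -> bool:
    return all(b in PRINTABLE for b in candidate)


def demo() -> tuple:
    pin = "4271"                                  # constructed sample PIN
    # Case 1: a human-chosen password. Its bytes are printable ASCII, so most
    # wrong PINs decrypt to bytes the filter rejects: the PIN is checkable offline.
    typed = surviving_pins(xor_with_pin(pin, b"hunter2!"), looks_like_typed_password)
    # Case 2: the password itself is uniform random bytes (the /dev/random case).
    # Every PIN yields an equally plausible 8-byte string, so nothing can be ruled
    # out without the one-way hash or a live authentication attempt.
    random_pw = os.urandom(8)
    uniform = surviving_pins(xor_with_pin(pin, random_pw), lambda c: len(c) == len(random_pw))
    return len(typed), len(uniform)


if __name__ == "__main__":
    print(demo())
```

For the typed password the survivor list is the true PIN plus a handful of false positives (about 9999 * (95/256)**8 of them), while the random password leaves all 10000 PINs standing, which is exactly the distinction the reply draws.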
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:10:43 GMT