Presentation is loading. Please wait.

Presentation is loading. Please wait.

Decimalisation Table Attacks for PIN cracking “ It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000.

Published byBonnie Harris Modified over 8 years ago

Similar presentations

Presentation on theme: "Decimalisation Table Attacks for PIN cracking “ It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000."— Presentation transcript:

1 Decimalisation Table Attacks for PIN cracking “ It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended. ” Presented by Ji SUN By Mike Bond and Piotr Zieliński University of Cambridge Computer Laboratory Technical Report 560, February 2003, 14 pp.

2 Summary This paper presents an attack on HSM to crack customer PINs using adaptive decimalisation tables and guesses. Terminology Decimalisation table: *-to-1 mapping between hexadecimal and decimal digits HSM (Hardware Security Module): only YES/NO answer PIN (Personal Identification Number) ATM (Automatic Teller Machine, cash machine) PIN Generation Key: a secret DES key

3 Critical comments This paper should talk more about general background information of PIN security.  the architecture of ATM networks,  solutions to this kind of decimalisation table attacks If potentially serious vulnerabilities have been exploited by the bad guys to steal millions of cash from ATM because of publishing of this paper, so do you think bond and Zieliński should publish it in public? My answer is: No.

4 Appreciative comments This paper is very interesting because it mentioned an attacker can discover 7000 PINs in half an hour. ( HSM) 60 PINs/sec * 60 sec/min * 30 min ÷ 15 guesses =7200 PINs Bond and Zieliński described the fundamental techniques behind the decimalisation attacks in great detail. (See next slide)

5 Appreciative comments (cont.) Initial scheme (24 guesses, twice in the worse case) Three Attacks DigitsPossibilities (only in the 2 nd phase)Total Possibilities AAAAA(1)10/2 + 1 = 6 ABABBB(4),AABB(6),AAAB(4)10/2 +14 = 19 ABCAABC(12),ABBC(12),ABCC(12)10/2 + 36 = 41 ABCDABCD(24)10/2 +24 = 29 Average guesses: (6+19+41+29)/4= 23.75 ≈ 24 guesses Adaptive scheme (22 guesses?) PIN Offset Adaptive scheme (16.5 guesses)

6 IBM 3624-Offset PIN Generation Method Account Number:4556 2385 7753 2239 PIN (derivation) key:0505 0505 0505 0505 Dec. Encrypted Acc.:3572 2001 0020 8013 Encrypted Account:3F7C 2001 00CA 8AB3 Decimalisation PIN: 3572 Offset :4344 Customer PIN:7816 Decimalisation Table:0123 4567 8901 2345

7 PIN Verification (Offsets) Validation Data DigitReplacement Intermediate PIN (IPIN) Digit Subtraction module 10 module 10Customer Selected PIN DecimalisationTable Offset EDE Multiple EncryptionCiphertext PIN Generation Key The diagram quoted from: Clulow, J.S. “ I know your PIN ”, RSA Europe, October 2002

8 An example of Decimalisation Attack Dec. Table (0) = 1123456789012345 Dec. PIN = 3572 Offset= 4344 (will pass) Dec. Table (1) = 0223456789012345 Dec. PIN = 3572 Offset= 4344 (will pass) Dec. Table (2) = 0133456789012345 Dec. PIN = 3573 Offset= 4344 (will fail) = 4343 (will pass) In this example, we have identified that the 4 th digit in the original Decimalisation PIN is a 2 and so the 4 th final PIN digit is 2 + 4 = 6 (Dec.PIN + Offset = final PIN is 7816).

9 Questions? Is this decimalisation table attack a hypothetical threat or real one? Should Bond and Zieliński publish these attacks in public?

Download ppt "Decimalisation Table Attacks for PIN cracking “ It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000."

Similar presentations

Card Verification Support

Card Verification Support
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Copyright © 2005 David M. Wheeler, All Rights Reserved Desert Code Camp: Introduction to Cryptography David M. Wheeler May 6 th 2006 Phoenix, Arizona.

Copyright © 2005 David M. Wheeler, All Rights Reserved Desert Code Camp: Introduction to Cryptography David M. Wheeler May 6 th 2006 Phoenix, Arizona.
1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.

1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.
Data Encryption Standard (DES)

Data Encryption Standard (DES)
I Know your PIN I Know Your PIN Jolyon Clulow Prism

I Know your PIN I Know Your PIN Jolyon Clulow Prism
Lecture 9 e-Banking. Introduction The most used methods to pay for a service or merchandise are: –The real money (so called “cash”) –cheque (or check.

Lecture 9 e-Banking. Introduction The most used methods to pay for a service or merchandise are: –The real money (so called “cash”) –cheque (or check.
Slide 01-1COMP 7370, Auburn University COMP 7370 Advanced Computer and Network Security Dr. Xiao Qin Auburn University

Slide 01-1COMP 7370, Auburn University COMP 7370 Advanced Computer and Network Security Dr. Xiao Qin Auburn University
Improving ATM Security via Facial Recognition CPSC510 James Maxlow November 25 th, 2002.

Improving ATM Security via Facial Recognition CPSC510 James Maxlow November 25 th, 2002.
Chapter 10  ATM 1 Automatic Teller Machines. Chapter 10  ATM 2 Automatic Teller Machines  “…one of the most influential technological innovations of.

Chapter 10  ATM 1 Automatic Teller Machines. Chapter 10  ATM 2 Automatic Teller Machines  “…one of the most influential technological innovations of.
Abdullah Sheneamer CS591-F2010 Project of semester Presentation University of Colorado, Colorado Springs Dr. Edward RSA Problem and Inside PK Cryptography.

Abdullah Sheneamer CS591-F2010 Project of semester Presentation University of Colorado, Colorado Springs Dr. Edward RSA Problem and Inside PK Cryptography.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
1 Applications of Computers Lecture-3 2 E-Commerce 4 Almost all major companies have their homes on the web, mainly for advertising 4 Companies were.

1 Applications of Computers Lecture-3 2 E-Commerce 4 Almost all major companies have their homes on the web, mainly for advertising 4 Companies were.
Why cryptosystems Fail Ross Anderson Proceeding of the 1 st ACM Conference on Computer and Communications Security, 1993 SSR Jiyeon Park.

Why cryptosystems Fail Ross Anderson Proceeding of the 1 st ACM Conference on Computer and Communications Security, 1993 SSR Jiyeon Park.
HumanAUT Secure Human Identification Protocols Adam Bender Avrim Blum Manuel Blum Nick Hopper The ALADDIN Center Carnegie Mellon University.

HumanAUT Secure Human Identification Protocols Adam Bender Avrim Blum Manuel Blum Nick Hopper The ALADDIN Center Carnegie Mellon University.
Why Cryptosystems Fail Ross Anderson Presented by Su Zhang 1.

Why Cryptosystems Fail Ross Anderson Presented by Su Zhang 1.
1 PIN Security Management and Concerns Susan Langford Sr. Cryptographer CACR Information Security Workshop.

1 PIN Security Management and Concerns Susan Langford Sr. Cryptographer CACR Information Security Workshop.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
By Jyh-haw Yeh Boise State University ICIKM 2013.

By Jyh-haw Yeh Boise State University ICIKM 2013.
RSA Encryption & Cryptography

RSA Encryption & Cryptography

Similar presentations

Ads by Google