Decimalisation Table Attacks for PIN cracking “ It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000.


Decimalisation Table Attacks for PIN cracking
“It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended.”
By Mike Bond and Piotr Zieliński, University of Cambridge Computer Laboratory, Technical Report 560, February 2003, 14 pp.
Presented by Ji SUN

Summary
This paper presents an attack on HSMs to crack customer PINs using adaptive decimalisation tables and guesses.
Terminology
- Decimalisation table: many-to-one mapping between hexadecimal and decimal digits
- HSM (Hardware Security Module): gives only a YES/NO answer
- PIN (Personal Identification Number)
- ATM (Automatic Teller Machine, cash machine)
- PIN Generation Key: a secret DES key

Critical comments
This paper should talk more about general background information on PIN security:
- the architecture of ATM networks,
- solutions to this kind of decimalisation table attack.
If potentially serious vulnerabilities were exploited by the bad guys to steal millions in cash from ATMs because this paper was published, do you think Bond and Zieliński should have published it in public? My answer is: No.

Appreciative comments
This paper is very interesting because it mentions that an attacker can discover 7000 PINs in half an hour (HSM):
60 PINs/sec × 60 sec/min × 30 min ÷ 15 guesses = 7200 PINs
Bond and Zieliński described the fundamental techniques behind the decimalisation attacks in great detail. (See next slide)

Appreciative comments (cont.)
Three attacks:
1. Initial scheme (24 guesses, twice in the worst case)

Digits | Possibilities (only in the 2nd phase)   | Total possibilities
A      | AAAA (1)                                 | 10/2 + 1 = 6
AB     | ABBB (4), AABB (6), AAAB (4)             | 10/2 + 14 = 19
ABC    | AABC (12), ABBC (12), ABCC (12)          | 10/2 + 36 = 41
ABCD   | ABCD (24)                                | 10/2 + 24 = 29

Average guesses: (6 + 19 + 41 + 29)/4 = 23.75 ≈ 24 guesses
2. Adaptive scheme (22 guesses?)
3. PIN Offset Adaptive scheme (16.5 guesses)

IBM 3624-Offset PIN Generation Method
Account Number:
PIN (derivation) key:
Encrypted Account: 3F7C CA 8AB3
Decimalisation Table:
Dec. Encrypted Acc.:
Decimalisation PIN: 3572
Offset: 4344
Customer PIN: 7816

PIN Verification (Offsets)
[Diagram: the validation data is encrypted under the PIN generation key (EDE multiple encryption) to give the ciphertext; digit replacement through the decimalisation table yields the intermediate PIN (IPIN); digit subtraction modulo 10 between the IPIN and the customer-selected PIN gives the offset.]
The diagram is quoted from: Clulow, J.S. “I know your PIN”, RSA Europe, October 2002

An example of Decimalisation Attack
Dec. Table (0) =
Dec. PIN = 3572, Offset = 4344 (will pass)
Dec. Table (1) =
Dec. PIN = 3572, Offset = 4344 (will pass)
Dec. Table (2) =
Dec. PIN = 3573, Offset = 4344 (will fail); Offset = 4343 (will pass)
In this example, we have identified that the 4th digit in the original decimalisation PIN is a 2, and so the 4th final PIN digit is 2 + 4 = 6 (Dec. PIN + Offset = final PIN, which is 7816).
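The following Python model is added here as an example; it is not code from the Bond and Zieliński paper or from this presentation. It implements the IBM 3624 offset method of the two previous slides (decimalisation, offset, and an HSM that answers only YES/NO) and then runs the attack shown above against it. Assumptions: the decimalisation table is the IBM default 0123456789012345 (the slide's table was not captured; this default maps 3F7C to 3572), the DES ciphertext of the account number is a constructed string whose first four hex digits 3F7C are the slide's and whose remaining twelve are filler, and the encrypted PIN block is modelled as an opaque object the attacker can replay but not read. The attack goes a little beyond the slide's single-digit example: position subsets are tried in increasing size, so a digit that occurs more than once in the IPIN is located as well.

```python
"""IBM 3624 offset PIN method and the decimalisation-table attack on it.

Added example, not code from the Bond/Zielinski paper or this presentation.
DES encryption of the account number under the PIN generation key is replaced
by a constructed ciphertext so the example runs offline.
"""
from itertools import combinations

# Assumption: the slide's table was not captured; this is the well-known IBM
# default (hex 0-9 -> 0-9, A-F -> 0-5), which maps 3F7C to 3572.
STD_TABLE = "0123456789012345"
# Constructed: "3F7C" is on the slide, the other twelve hex digits are filler.
ENCRYPTED_ACCOUNT = "3F7C" + "0" * 12


def decimalise(hex_digits, table):
    """Digit replacement: each hex digit becomes the decimal digit the table assigns."""
    return "".join(table[int(h, 16)] for h in hex_digits)


def add_mod10(a, b):
    """Digit-wise addition modulo 10 of two equal-length digit strings."""
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))


def sub_mod10(a, b):
    """Digit-wise subtraction modulo 10 (a - b)."""
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(a, b))


def natural_pin(ciphertext, table):
    """Intermediate PIN (IPIN): the first four decimalised ciphertext digits."""
    return decimalise(ciphertext, table)[:4]


def make_offset(customer_pin, ipin):
    """Offset stored with the account so that IPIN + offset = customer PIN."""
    return sub_mod10(customer_pin, ipin)


class PinBlock:
    """Stand-in for the encrypted PIN block from the ATM: the attacker can
    replay it but cannot read the PIN inside."""
    def __init__(self, pin):
        self._pin = pin


class HSM:
    """Verification oracle: it only answers YES/NO, and counts the calls."""
    def __init__(self, ciphertext):
        self._ct = ciphertext
        self.calls = 0

    def verify(self, table, offset, block):
        self.calls += 1
        return add_mod10(natural_pin(self._ct, table), offset) == block._pin


def attack_table(i):
    """D_i': the standard table with every digit i replaced by (i+1) mod 10."""
    return "".join(str((i + 1) % 10) if d == str(i) else d for d in STD_TABLE)


def recover_pin(hsm, offset, block):
    """PIN-offset adaptive attack: the attacker knows the offset and replays the
    genuine PIN block. A NO under D_i' means digit i occurs in the IPIN; lowering
    the offset by 1 at the right positions restores YES and so locates them.
    Position subsets are tried by increasing size, so repeated digits are
    handled too. Returns (customer_pin, number_of_guesses)."""
    ipin = [None] * 4
    for i in range(10):
        unassigned = [p for p in range(4) if ipin[p] is None]
        if not unassigned:
            break  # every position already known: no more guesses needed
        if hsm.verify(attack_table(i), offset, block):
            continue  # mapping i -> i+1 changed nothing, so i is absent
        for size in range(1, len(unassigned) + 1):
            found = None
            for subset in combinations(unassigned, size):
                adjusted = list(offset)
                for p in subset:
                    adjusted[p] = str((int(adjusted[p]) - 1) % 10)
                if hsm.verify(attack_table(i), "".join(adjusted), block):
                    found = subset
                    break
            if found is not None:
                for p in found:
                    ipin[p] = i
                break
    return add_mod10("".join(map(str, ipin)), offset), hsm.calls


if __name__ == "__main__":
    ipin = natural_pin(ENCRYPTED_ACCOUNT, STD_TABLE)   # 3572
    offset = make_offset("7816", ipin)                 # 4344
    print("IPIN", ipin, "offset", offset)
    print("recovered:", recover_pin(HSM(ENCRYPTED_ACCOUNT), offset, PinBlock("7816")))
```

Run as a script it prints the slide's IPIN 3572 and offset 4344, then recovers 7816 in 15 verification calls: eight presence tests (the loop stops once all four positions are known) plus seven offset adjustments. The defensive point the model makes visible is that the attack needs nothing but the YES/NO answer and control over the decimalisation table; an HSM that binds the table to the key (or refuses non-standard tables) removes the oracle.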

Questions?
Is this decimalisation table attack a hypothetical threat or a real one?
Should Bond and Zieliński have published these attacks in public?