Info file on visa card pin encryption
From msuinfo!netnews.upenn.edu!news.amherst.edu!news.mtholyoke.edu!world!news.kei.com!MathWorks.Com!opa.eng.gtefsd.com!howland.reston.ans.net!EU.net!sunic!ugle.unit.no!ugle.unit.no!hanche Sat May 281:5:17 1994
Path: msuinfo!netnews.upenn.edu!news.amherst.edu!news.mtholyoke.edu!world!news.kei.com!MathWorks.Com!opa.eng.gtefsd.com!howland.reston.ans.net!EU.net!sunic!ugle.unit.no!ugle.unit.no!hanche
From: [email protected] (Harald Hanche-Olsen)
Newsgroups: sci.crypt
Subject: Re: Unsecure Cash machines
Date: 25 May 1994 19:05:22 GMT
Organization: University of Trondheim, Norway
Lines: 35
Message-ID: <[email protected]>
References: <[email protected]> <[email protected]>
<[email protected]> <[email protected]>
NNTP-Posting-Host: pyanfar.imf.unit.no
In-reply-to: [email protected]'s message of Wed, 25 May 1994 15:56:54 GMT

A paper that was posted to the net a good while back has the
following information about how the PIN is computed for a VISA card:
(At least I think that is what he's saying...)

PINs are calculated as follows. Take the last five significant digits of the
account number, and prefix them by eleven digits of validation data. These
are often the first eleven digits of the account number; they could also be a
function of the card issue date. In any case, the resulting sixteen digit
value is input to an encryption algorithm (which for IBM and VISA systems is
DES, the US Data Encryption Standard algorithm), and encrypted using a sixteen
digit key called the PIN key. The first four digits of the result are
decimalised, and the result is called the `Natural PIN'.
Many banks just issued the natural PIN to their customers. However, some of
them decided that they wished to let their customers choose their own PINs,
or to change a PIN if it became known to somebody else. There is therefore a
four digit number, called the offset, which is added to the natural PIN to
give the PIN which the customer must enter at the ATM keyboard.

Reference: Article <[email protected]> by
[email protected] (Ross Anderson) of Tue, 8 Dec 1992 11:21:25 GMT.

This explains both how the PIN can be encrypted on the card and how
the user may change it. The paper goes on to talk about how this
encryption is worthless unless good protocols are adhered to. Of
course, an interesting situation will occur if the PIN key is ever
compromised...
For a while at least, I'll make my copy of that paper available at
http://www.imf.unit.no/~hanche/atm.tex.gz
for those who may be interested in more detail.
- Harald
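
The natural PIN and offset scheme quoted above, as an added example (not code from the original post or from the paper it cites). Assumptions: a keyed HMAC-SHA256 function truncated to 64 bits stands in for DES so the sketch runs on the standard library alone, the decimalisation table is the customary `0123456789012345`, the offset is added digit by digit modulo 10, and the key and account number are constructed sample values.

```python
import hashlib
import hmac

# Assumption: customary table mapping hex digits 0-F onto decimal digits.
DECIMALISATION_TABLE = "0123456789012345"

def encrypt_block(pin_key_hex: str, block_hex: str) -> str:
    """Stand-in for single DES: a keyed 64-bit function, NOT real DES."""
    key, block = bytes.fromhex(pin_key_hex), bytes.fromhex(block_hex)
    return hmac.new(key, block, hashlib.sha256).digest()[:8].hex()

def natural_pin(pin_key_hex: str, validation_data: str, account: str) -> str:
    """Eleven digits of validation data + last five account digits -> PIN."""
    digits = validation_data + account
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("validation data and account must be decimal digits")
    if len(pin_key_hex) != 16 or len(validation_data) != 11 or len(account) < 5:
        raise ValueError("need 16-digit key, 11 validation digits, 5+ account digits")
    block = validation_data + account[-5:]          # sixteen digit input value
    cipher_hex = encrypt_block(pin_key_hex, block)
    # Decimalise the first four (hex) digits of the result.
    return "".join(DECIMALISATION_TABLE[int(h, 16)] for h in cipher_hex[:4])

def offset_for(natural: str, chosen: str) -> str:
    """Offset the bank stores so that natural + offset == customer's PIN."""
    return "".join(str((int(c) - int(n)) % 10) for n, c in zip(natural, chosen))

def apply_offset(natural: str, offset: str) -> str:
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))

def verify_pin(pin_key_hex, validation_data, account, offset, entered) -> bool:
    expected = apply_offset(natural_pin(pin_key_hex, validation_data, account), offset)
    return hmac.compare_digest(expected, entered)

# Constructed sample values, not real card data.
PIN_KEY = "0123456789ABCDEF"
ACCOUNT = "1234567890123456"
VALIDATION = ACCOUNT[:11]

if __name__ == "__main__":
    nat = natural_pin(PIN_KEY, VALIDATION, ACCOUNT)
    off = offset_for(nat, "9021")                   # customer picks 9021
    print("natural PIN:", nat, "offset:", off)
    print("9021 accepted:", verify_pin(PIN_KEY, VALIDATION, ACCOUNT, off, "9021"))
```

Changing a PIN only changes the stored offset, while every natural PIN still depends on the single PIN key, which is why the post singles out compromise of that key.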