Checking the validity of the decimalisation table is easy. Several PIN verification methods that use decimalisation tables require the table to be 0123456789012345 for the algorithm to function correctly; in these cases the API need only enforce that requirement to regain security. PIN verification methods that support proprietary decimalisation tables are harder to fix. A checking procedure that requires the table to map the input combinations onto the maximum number of possible output combinations protects against the first two decimalisation table attacks, but not against the attack that exploits the PIN offset and uses only minor modifications of the genuine decimalisation table. To regain full security, the decimalisation table input must be cryptographically protected so that only authorised tables can be used.
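As an added example (not from the original post or the paper it summarises), the following Python sketch implements the three levels of checking described above: the fixed-table rule, the output-coverage rule for proprietary tables, and cryptographic authorisation of the table. The HMAC-based authorisation, the key, the sample tables and the intermediate PIN are assumptions chosen for illustration. The coverage rule is shown rejecting a degenerate probing table but accepting a table that changes a single duplicated entry of the genuine one, which is the gap the text says only cryptographic protection closes.

```python
import hashlib
import hmac

# The table that several verification methods require (from the text).
STANDARD_TABLE = "0123456789012345"


def decimalise(hex_digits: str, table: str) -> str:
    """Map each hex digit of the intermediate PIN through the
    16-entry decimalisation table (index = hex digit value)."""
    return "".join(table[int(h, 16)] for h in hex_digits)


def is_well_formed(table: str) -> bool:
    """A table is 16 decimal digits, one per possible hex input."""
    return len(table) == 16 and all(c in "0123456789" for c in table)


def output_space_size(table: str, pin_length: int = 4) -> int:
    """Number of distinct decimalised PINs the table can produce."""
    return len(set(table)) ** pin_length


def check_fixed_table(table: str) -> bool:
    """Rule for methods that only work with the standard table."""
    return table == STANDARD_TABLE


def check_coverage(table: str, pin_length: int = 4) -> bool:
    """Rule for proprietary tables: every output digit 0-9 must be
    reachable, so the output space is the maximum 10**pin_length.
    This rejects the degenerate tables used by the first two attacks."""
    return is_well_formed(table) and output_space_size(table, pin_length) == 10 ** pin_length


def table_mac(table: str, key: bytes) -> str:
    """Assumed instantiation of 'cryptographically protected': an HMAC over
    the table under a key held only by the HSM (or the table's owner)."""
    return hmac.new(key, table.encode("ascii"), hashlib.sha256).hexdigest()


def check_authorised(table: str, mac: str, key: bytes) -> bool:
    """Accept the table only if it is well formed and carries a valid MAC."""
    return is_well_formed(table) and hmac.compare_digest(table_mac(table, key), mac)


# Constructed sample data for the demonstration (not real key material).
HSM_KEY = b"example-table-authorisation-key"
PROBE_TABLE = "1000000000000000"     # degenerate: only digits 1 and 0 appear
TWEAKED_TABLE = "0123456789012346"   # one entry changed; still covers 0-9
INTERMEDIATE_PIN = "F4A2"            # constructed hex intermediate PIN


def demo() -> dict:
    """Run every check against the genuine, probing and tweaked tables."""
    genuine_mac = table_mac(STANDARD_TABLE, HSM_KEY)
    return {
        "genuine_pin": decimalise(INTERMEDIATE_PIN, STANDARD_TABLE),
        "tweaked_pin": decimalise(INTERMEDIATE_PIN, TWEAKED_TABLE),
        "probe_passes_coverage": check_coverage(PROBE_TABLE),
        "tweak_passes_coverage": check_coverage(TWEAKED_TABLE),
        "tweak_passes_mac": check_authorised(TWEAKED_TABLE, genuine_mac, HSM_KEY),
        "genuine_passes_mac": check_authorised(STANDARD_TABLE, genuine_mac, HSM_KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The tweaked table replaces the second occurrence of 5 (at index 15) with 6, so all ten output digits remain reachable and the coverage check cannot distinguish it from the genuine table, even though any intermediate PIN containing the hex digit F now decimalises differently. Only the MAC check, which binds the exact table contents to a key the attacker does not hold, rejects it.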
Saturday, December 5, 2009
Prevention