Re: Pin generation algorithm question

From: Peter Pearson (
Date: 04/22/04

Date: Thu, 22 Apr 2004 09:01:21 -0700

Kees Snijders wrote:

> I could use some help in coming up with a pin generation algorithm.
> It has the following requirements:

Congratulations for starting in the right place. If you don't
have clear requirements, you won't know when you've arrived.

> All generated pins must be unique over the lifetime of the
> application.

As Ernst Lippe points out, this requires permanent memory in
the pin-generation system. Might it be acceptable to have just
a low probability of collision? In which case, the number of
PINs required becomes important.

> A pin must be sufficiently random to discourage attacks.

What constitutes an attack? If I can guess at PINs for
free (Is this a PIN? Is THIS a PIN? . . . ) then all is

> A pin must be 16 digits in length.

This is a peculiar requirement. Is this 16-digit figure
required for compatibility with an existing system? Or is
it an attempt to capture some less visible requirement on
the level of security?

> No reliance on the 'secrecy' of the algorithm can be made.

By "the algorithm," do you mean the PIN-generating algorithm,
excluding perhaps a secret key?

> Nice to have:
> Some characteristic which could be used to recognise a pin with some
> degree of certainty.

If this characteristic becomes known, that will vitiate the
"sufficiently random to discourage attacks" requirement . . . right?

> I was thinking of combining a sequence and a pseudo random number.
> Say 10 digits for the sequence and 6 digits for the random number.
> If the sequence itself could contain some 'randomness' based on a key
> that could be altered for each execution of my pin-generator but still
> guarantee uniqueness, that would help the cause.

So you're thinking of something like a mapping from 10-digit sequence
numbers onto a 6-digit check field, where the mapping algorithm isn't
secret . . . right? . . . but can involve a secret key . . . right?
And you use the same algorithm and secret key in the field to verify
that a PIN is valid, right? And you hope that bad guys won't extract
the secret key from the validating device, right?

Is this helping?
- Peter
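
The scheme restated in the last reply paragraph above (a public mapping from a 10-digit sequence number to a 6-digit check field under a secret key, verified in the field with the same key), as an added example that is not part of the original post. HMAC-SHA256 as the mapping and the names `check_field`, `make_pin` and `verify_pin` are assumptions chosen for illustration; the key shown is a constructed sample.

```python
import hashlib
import hmac

SEQ_DIGITS = 10    # sequence part, as proposed in the thread
CHECK_DIGITS = 6   # keyed check field, as proposed in the thread


def check_field(key: bytes, seq: int) -> str:
    """Map a sequence number to its 6-digit check field under a secret key."""
    if not 0 <= seq < 10 ** SEQ_DIGITS:
        raise ValueError("sequence number out of range")
    mac = hmac.new(key, f"{seq:0{SEQ_DIGITS}d}".encode(), hashlib.sha256).digest()
    # Reducing a 256-bit value mod 10**6 leaves a negligible bias.
    value = int.from_bytes(mac, "big") % 10 ** CHECK_DIGITS
    return f"{value:0{CHECK_DIGITS}d}"


def make_pin(key: bytes, seq: int) -> str:
    """16-digit PIN: unique because seq is never reused, checkable via the key."""
    return f"{seq:0{SEQ_DIGITS}d}" + check_field(key, seq)


def verify_pin(key: bytes, pin: str) -> bool:
    """Recompute the check field with the same key, as the field device would."""
    if len(pin) != SEQ_DIGITS + CHECK_DIGITS or not (pin.isascii() and pin.isdigit()):
        return False
    expected = check_field(key, int(pin[:SEQ_DIGITS]))
    return hmac.compare_digest(pin[SEQ_DIGITS:], expected)


if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample key; use a random secret in practice
    pin = make_pin(key, 42)
    print(pin, verify_pin(key, pin))
    # A guess with no knowledge of the key passes with probability 10**-6
    # per attempt, so the verifier still needs to limit or charge for guesses.
    tampered = pin[:-1] + str((int(pin[-1]) + 1) % 10)
    print(tampered, verify_pin(key, tampered))
```

Uniqueness here rests entirely on the generator persisting its sequence counter, and every validating device holds the same secret key as the generator.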
