Re: Pin generation algorithm question

From: Peter Pearson (ppearson_at_are.see.enn.com)
Date: 04/22/04


Date: Thu, 22 Apr 2004 09:01:21 -0700

Kees Snijders wrote:

> I could use some help in coming up with a pin generation algorithm.
> It has the following requirements:

Congratulations for starting in the right place. If you don't
have clear requirements, you won't know when you've arrived.

> All generated pins must be unique over the lifetime of the
> application.

As Ernst Lippe points out, this requires permanent memory in
the pin-generation system. Might it be acceptable to have just
a low probability of collision? In which case, the number of
PINs required becomes important.

> A pin must be sufficiently random to discourage attacks.

What constitutes an attack? If I can guess at PINs for
free (Is this a PIN? Is THIS a PIN? . . . ) then all is
lost.

> A pin must be 16 digits in lenth.

This is a peculiar requirement. Is this 16-digit figure
required for compatibility with an existing system? Or is
it an attempt to capture some less visible requirement on
the level of security?

> No reliance on the 'secrecy' of the algorithm can be made.

By "the algorithm," do you mean the PIN-generating algorithm,
excluding perhaps a secret key?

> Nice to have:
> Some characteristic which could be used to recognise a pin with some
> degree of certainty.

If this characteristic becomes known, that will vitiate the
"sufficiently random to discourage attacks" requirement . . . right?

> I was thinking of combining a sequence and a pseudo random number.
> Say 10 digits for the sequence and 6 digits for the random number.
> If the sequence itself could contain some 'randomness' based on a key
> that could be altered for each execution of my pin-generator but still
> guarantee uniqueness, that would help the cause.

So you're thinking of something like a mapping from 10-digit sequence
numbers onto a 6-digit check field, where the mapping algorithm isn't
secret . . . right? . . . but can involve a secret key . . . right?
And you use the same algorithm and secret key in the field to verify
that a PIN is valid, right? And you hope that bad guys won't extract
the secret key from the validating device, right?

Is this helping?
- Peter



Relevant Pages

  • A poormans block encryption algorithm
    ... scenario where two partners agree on a secret key for block encryption ... under the circumstance that one of them has to implement the algorithm ... coefficients can be generated from the given secret key by ...
    (sci.crypt)
  • Re: Learning cryptanalysis
    ... he picks an algo in function of the date/time and the secret key, ... Even you idea of a one time algorithm is flawed and I will give you the complete reason: There has been available for more than a century a perfect algorithm which is totally unbreakable - it is the One Time Pad. ... The OTP is rarely or never used because the problem of distributing the keys is insolvable - the cost is so prohibitive that only governments use it and even then they use it only for their most important messages, certainly much less than one message in a million. ...
    (sci.crypt)
  • Re: A question about passwords and login/authentication
    ... The DES algorithm is a secret key algorithm (so the same key is used ... comunication between Windows and SAMBA and "how does one determine ... For SAMBA on a linux: the authentification is determinate by the ...
    (Focus-Linux)
  • Re: HELP: Need a simple hash function
    ... >> folding rather than truncating. ... only one algorithm in use in 2G cellphones that ... CAVE for "Cellular Authentication and Voice ... inputs except for the 64-bit secret key, ...
    (sci.crypt)
  • Re: TECH : Logic equations......
    ... >>I'm working on a software algorithm to reduce the number of product ... >>If we disregard the pins that are common across the logic terms, ... >>stop worrying, or my algorithm is up the spout. ...
    (sci.electronics.components)