Re: Generating Prepaid Card Numbers
- From: Paul Rubin <http://phr.cx@xxxxxxxxxxxxxx>
- Date: 19 Dec 2005 18:57:32 -0800
"Michael Fork" <mjfork@xxxxxxxxx> writes:
> > I'd add a checksum in any case. It's always good to be able to detect
> > typing errors before querying the database at all. This also prevents
> > users from "stealing" other people's cards by accident.
> What is the suggested way to implement a check digit in an application
> like this?

Credit card numbers just have very simple checksum algorithms, with no
attempt to keep them secret. If you want to slow people down from
generating potentially-valid numbers, you could apply the check digit

I'm a little more concerned about your plan to re-use numbers, and
also that you don't have enough digits. Other systems of this type
typically have as many as 20 digits. If you're issuing 20 million
cards a year and it's doubling every year, that's 20M this year, 40M
next year, 80M in 2 years, etc. If it continues out to 5 years,
that's 640 million cards. You want at least 10 billion distinct card
numbers (10 variable digits) and if you have three fixed digits (why
do you need any, if you can just track the cards in a database?) and
one check digit, that means any random number with a correct check
digit has 1% chance of being a valid card number.

I don't think you need to mess with hardware RNG's. Just populate a
database with valid card numbers from a software RNG or crypto
algorithm. Keep track of which cards have been activated, and expire
unactivated cards after 2 years or so (but don't re-issue those
numbers). The algorithms for generating the numbers etc. are simple
and other people have suggested some. You have more of a procedural
and logistics problem than a cryptographic one.
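
The scheme outlined in the post above, as an added example that is not part of the original message: card numbers drawn from a software CSPRNG, a check digit tested before any lookup, and a status table whose expired numbers are never re-issued. The Luhn algorithm (the check digit credit cards use) is an assumption, since the thread does not settle on one, and `CardIssuer`, `guess_hit_rate` and the status names are hypothetical.

```python
import secrets

def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a digit string that does not yet include it."""
    total = 0
    # Walk right to left; the digit next to the check position is doubled.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])

def guess_hit_rate(live_cards: int, variable_digits: int) -> float:
    """Chance that a random number with a correct check digit is a live card."""
    return live_cards / 10 ** variable_digits

class CardIssuer:
    """In-memory stand-in for the card database (assumption: a dict)."""

    def __init__(self, variable_digits: int = 19):  # 19 + check digit = 20
        self.variable_digits = variable_digits
        self.status = {}  # number -> "issued" | "activated" | "expired"

    def issue(self) -> str:
        while True:
            body = "".join(str(secrets.randbelow(10))
                           for _ in range(self.variable_digits))
            number = body + luhn_check_digit(body)
            # Rows are never deleted, so expired numbers cannot come back.
            if number not in self.status:
                self.status[number] = "issued"
                return number

    def expire(self, number: str) -> None:
        if self.status.get(number) == "issued":
            self.status[number] = "expired"

    def activate(self, number: str) -> str:
        if not luhn_valid(number):
            return "typo"        # caught before the database is queried
        if self.status.get(number) != "issued":
            return "rejected"    # unknown, already activated, or expired
        self.status[number] = "activated"
        return "ok"
```
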