posted
I have a lovely puzzle at work, and I'm going to throw it out to you all before I even get started on it. On the chance that it's not impossible, and on the chance (better) that I fail to figure it out, maybe someone here will do better.
We have a list of ten PIN numbers (I know that's redundant, but it's common usage) we've created. And we have the database where the PINs are stored. But the application, which we don't have source code for (and are unlikely to be able to get) encrypts the PINs before storing them.
We're doing an app for a customer who uses this app, and they want us to use the native PINs. Which are encrypted. And we don't know how. You see the problem.
Personally, I think it's a waste of time to even try. The encryption I use personally for PINs when I'm coding stuff is one line of code, but it's still un-decryptable, for the simple reason that more than one input value can result in the same output value.
And even if it's possible, it may be that a sample of 10 PINs isn't enough. However, the co-worker with access to the app is gone for the weekend, so that's what I have.
Anyone want to take a poke at this? Or should I not even bother with it?
Btw, the encryption algorithm I use involves the ASCII value of the string representation of each number, as well as its location in the PIN. It's not complicated; but it works for me. It could be that this works along the same lines. That's one of the things I'm going to look for.
posted
Without some more knowledge about the algorithm, it won't be easy.
I'm surprised at the absence of standard hashing functions. These problems are well solved, and hand-crafted ones almost always have significant vulnerabilities.
Even without the source code, you could almost certainly decompile the binary and find the piece of code doing the hashing.
A few more examples would be good, but you might be able to get something out. If you suspect that sort of pattern, I'd just treat it as a set of data involving the digits and their positions as observations and do a principal components analysis. Any hash that's a linear combination of those should drop right out, and even if that isn't purely it, it should give you some hints.
And keep in mind that attackers don't need to decrypt it, they just need to find one PIN that hashes to the same thing and that will work with the application.
Posts: 15770 | Registered: Dec 2001
I'm not concerned about the columns matching, obviously, since there could be a factor. I wanted to see if they'd fall into the same numerical order. And they almost do. So I think I'm on the right track. But I could play with this forever and never get anything.
How would you go about decompiling an executable? Or a DLL, which is possible. I haven't even looked at the installation yet.
Posts: 12266 | Registered: Jul 2005
posted
Well, I figured as long as it was only probably impossible, I might as well give it a shot.
First thing I noticed was the difference between the first two being 404, which made me figure it was just a reordering of the PIN plus some constant. I sorted the results, and could then see patterns in the PINs.
I like the idea of being brilliant, but I'm not sure this was it. *smile*
Posts: 6213 | Registered: May 2001
posted
Whoops -- It's 3241, not 4231. (I figured it out right, but didn't check when I wrote it down.) There goes the brilliant thing.
Posts: 6213 | Registered: May 2001
posted
No, it doesn't go. Why did 404 mean something to you? Normally, when I see a difference that's divisible by 9, I figure it's switched digits. But 404?
Posts: 12266 | Registered: Jul 2005
posted
404 caught my eye in conjunction with the 22 and 66 in the two codes. And I started with those two because they were the smallest resulting numbers.
Posts: 6213 | Registered: May 2001
posted
Nice. Of course, if you know (or suspect) it's reorder-and-add-something, the 9999 is a dead giveaway.
Posts: 1810 | Registered: Jan 1999
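Added example, not part of any post in the thread: a constructed stand-in for the reorder-and-add-a-constant scheme discussed above, showing why a handful of known PIN/stored pairs leaves it with no secrecy and why a PIN like 9999 exposes the constant on its own. The reading of "3241" as source positions, the constant 1357 and the sample PINs are all assumptions made for the demonstration.

```python
from itertools import permutations

# Constructed stand-in for the scheme described in the thread: reorder the
# digits, then add a constant. ORDER and SECRET are assumptions for the demo.
ORDER = (2, 1, 3, 0)   # "3241" read as 1-based source positions (assumed reading)
SECRET = 1357          # constructed; the thread never states the constant

def weak_encode(pin, order=ORDER, constant=SECRET):
    """Reorder the four digits of `pin`, then add the constant."""
    return int("".join(pin[i] for i in order)) + constant

def recover(pairs):
    """Return every (order, constant) consistent with all known (pin, stored) pairs."""
    fits = []
    for order in permutations(range(4)):
        # If the guess at the ordering is right, every pair yields the same constant.
        constants = {stored - int("".join(pin[i] for i in order))
                     for pin, stored in pairs}
        if len(constants) == 1:
            fits.append((order, constants.pop()))
    return fits

def constant_from_repdigit(pin, stored):
    """A PIN such as 9999 is unchanged by any reordering, so it exposes the constant."""
    if len(set(pin)) != 1:
        raise ValueError("need a PIN whose digits are all the same")
    return stored - int(pin)

# Constructed sample; these are not the ten PINs from the thread.
SAMPLE_PINS = ["2217", "6617", "4821", "9999", "3507"]
PAIRS = [(p, weak_encode(p)) for p in SAMPLE_PINS]

if __name__ == "__main__":
    print("difference of first two stored values:", PAIRS[1][1] - PAIRS[0][1])
    print("consistent (order, constant) candidates:", recover(PAIRS))
    print("constant from 9999 alone:", constant_from_repdigit("9999", weak_encode("9999")))
```

Only 24 orderings exist for four digits, so five pairs are already enough to leave a single candidate.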
posted
I gotta say, that's the dumbest form of "encryption" I've ever seen. Please tell me this isn't for a major financial institution or government agency...
Posts: 3486 | Registered: Sep 2002
posted
Yeah, this is why strong hashes with a salt are very important.
And applications that need to authenticate against the same information should do so through the central app (though, like usual, this one probably wasn't made to make that possible).
Excellent deductive work, Papa Moose.
Posts: 15770 | Registered: Dec 2001
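Added example, not code from the thread or from the application it discusses: one way to combine the two points in the post above, salted slow hashing plus a single central verifier that other applications call instead of reading the PIN table. Because a four-digit PIN has only 10,000 values, the sketch also keys the hash with a server-side secret and limits failed attempts; the class name `PinVerifier`, the iteration count, the lockout threshold and the user names are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed PBKDF2 work factor for the example
MAX_FAILURES = 3       # assumed lockout threshold

class PinVerifier:
    """Central service: other applications call verify() and never read stored PIN data."""

    def __init__(self, server_key: bytes):
        self._key = server_key   # assumed to be held outside the database
        self._records = {}       # user -> (salt, digest); stands in for the DB table
        self._failures = {}      # user -> consecutive failed attempts

    def _derive(self, pin: str, salt: bytes) -> bytes:
        # Keyed pre-hash: the table alone cannot be searched over all 10,000 PINs.
        keyed = hmac.new(self._key, pin.encode(), hashlib.sha256).digest()
        return hashlib.pbkdf2_hmac("sha256", keyed, salt, ITERATIONS)

    def enroll(self, user: str, pin: str) -> None:
        salt = os.urandom(16)    # fresh salt per record
        self._records[user] = (salt, self._derive(pin, salt))
        self._failures[user] = 0

    def stored(self, user: str) -> bytes:
        return self._records[user][1]

    def verify(self, user: str, pin: str) -> bool:
        if user not in self._records or self._failures[user] >= MAX_FAILURES:
            return False         # unknown user or locked out
        salt, digest = self._records[user]
        ok = hmac.compare_digest(digest, self._derive(pin, salt))
        self._failures[user] = 0 if ok else self._failures[user] + 1
        return ok

def demo():
    svc = PinVerifier(os.urandom(32))
    svc.enroll("alice", "2217")          # constructed users sharing one PIN
    svc.enroll("bob", "2217")
    same_record = svc.stored("alice") == svc.stored("bob")
    accepted = svc.verify("alice", "2217")
    # Three wrong guesses lock the account, so the correct PIN is then refused too.
    guesses = [svc.verify("bob", g) for g in ("0000", "1111", "2222", "2217")]
    return same_record, accepted, guesses

if __name__ == "__main__":
    print(demo())
```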
quote: Originally posted by Nighthawk:
I gotta say, that's the dumbest form of "encryption" I've ever seen. Please tell me this isn't for a major financial institution or government agency...
I can't tell you, but it's even odder than that. Still, the PIN is only used for ancillary stuff, so maybe they didn't think it mattered.
quote: Originally posted by Nighthawk:
I gotta say, that's the dumbest form of "encryption" I've ever seen. Please tell me this isn't for a major financial institution or government agency...
Still, if he hadn't figured this out, no one was even on the right track.
Posts: 549 | Registered: Feb 2008