« Previous Entries

 

Internet Banking Security Assessment Considerations

Aug 05, 2008 in Banking and EFTPoS, Security

I was asked some time ago what sort of things may be considered when looking at .

Below is a list of things which could be considered. It was just a brain dump and as such may not be complete.

Don’t underestimate the value of standard for your infrastructure, website configuration,  database engine configuration/, and /QA environments.

Some thoughts:

  • Many don’t lock accounts after X failed logins, this is normally done for good customer service, but leaves the system .

- And all the other things expected for a session (forced changes, aging, etc))
- Tools such as may be use to brute force authenticated sessions.

  • Many allow session sequence numbers to be incremented, allowing an authenticated user to view other customer session.

- These may be side, client side, cookie based, etc.
- Get someone to check the methodologies and the code being used.
- Database query strings can be placed into test entry fields, allowing table dumps to browser.
- Check all pages served are secure and contain user flags.

  • Customer may not be segregated, this needs to be checked.
  • Customer should not reside on the .
  • databases / system should not reside on the webserver.
  • The databases should reside on a private/semi-private .

- A different segment to the main system.

  • Webserver should be dual homed or equivalent (some VLAN techniques are good)

- Separate private and public cards, monitoring/backup/administration
- Infrastructure set-up to explicitly deny inbound/outbound ports, private IP & monitoring escaping from the .

  • At all segregation points ensure rules are in place which appreciates the traffic though that point.
  • All customer where possible should be sourced from a secure back-end database.

- This may be a . i.e. no the main system.
- This usually allows for transactions to appear real time to the customer.
- Many transactions may be batched in reality. (internal or external to the )

  • Ensure suitable rules have been set-up on firewalls.

- There should be inbound and outbound rules on firewalls and filtering routers.

  • Don’t allow any infrastructure on the front end to allow remote administrative connections. (, etc.)

- Use the serial console port to connect to a or back-end terminal .

  • Services not used by the system are active

- These should be disabled.

  • Port scan of the supporting infrastructure (routers /switches) and (s).

- Investigate the reasons for all open ports.

  • Don’t use the main gateway for trusted partner (clearing / RAS / etc.)
  • Do all that standard IIS checks and NT checks (Sample scripts, change management, methodologies, etc.)
  • Ensure denial of service precaution have been taken into for all infrastructure and equipment.
  • Check the adequacy of the escalation procedures used.

- Look for real-time monitoring and alerting.
- Look for responsibility matrix.
- Look for ownership of issues.

  • Consider upstream carrier(s) (denial of service, IP spoofing, , etc)
  • Consider social engineering of customer, administrative, partner accounts / systems / infrastructure.

- Helpdesk procedures and policies and/or alternate technologies (Caller ID, Gateway IP, etc.).

  • Use dynamic passwords where possible (SecureID, TACACS, etc.).
  • Use encrypted tunnelling where needed (, Firewall 1, etc)
  • Consider looking at other customer methods to enhance existing methods.

- cert, IP address locked to , etc.
- Consider use of or CVN for issued cards.

  • Consider how passwords are distributed /changed for customers.

- Plain email, telephone, etc.
- Can passwords be changed ?

  • Is additional used between sections of the services once authenticated?
  • Consider what the customer has to once authenticated.

- Look at , RTGS, inter- transfers, to cards, etc.
- If an attacker does get in, what can the do?

  • Use techniques to ensure pages, customer details are not cached at , or client system.

- These are flags that can be set within pages.
- Normally SSL is cached, but some proxy vendors have been playing with techniques to do so.
- Caching of SSL pages on the client system can be turned on on some browsers.
- May banks use a (or similar) applet for all customer interaction, restricting all caching issues.

  • Ensure paper based and on-line liability clauses are available are address all effected areas.
  • Ensure within the customer sign-up process liability is reduced.

- I’ve seen statements like “use this system at your own risk, responsibility for any liability or claim will NOT……”
- Not very customer focused, but that’s what their legal department recommended.

All of the above can effect the and/or operation of an on-line system.

Other things to consider:

  • External and of the application.
  • Ownership and management of the /applications
  • Publishing points for new content (internal/private/trusted or )
  • Topology of front end.  i.e. document should be in place and managed appropriately.
  • Are limited AP tests performed whenever changes are made to the ? i.e. integrated AP into Change management process.
  • Database . Is it buffered or is it live to the core systems.
  • What facilities are provided? Direct + + + ……. Consider different scenarios for your depending on the feature.
  • What other services are shared within the segment that the service is running. Can this be used to compromise the site. eg. different /business/ organisations with differing strategies/profiles.
  • Consider all external supporting services within you AP. Look at internal/external poisoning opportunities, mail , etc. What IPS’s do they use has the any opportunity to systems or supporting services which may affect .
  • Depending on the size of the , many organisation do not use the same groups for infrastructure and the application. As a result external connections to the infrastructure may be provided for an external organisation to administer the infrastructure.
  • Look at the business and user methods and paths (client side certs, secure ID, SMART , etc). Consider two factor and modern user methods. eg. what is your favourite food in addition to normal usernames and passwords. Do system administration staff use dynamic passwords (secureID, etc)?
  • See if the application sends email to users which may contain interesting information.
  • Better to the application can generally be gained after to the system. i.e. get an legitimate on the system. I have found that some sample/administration screens have been restricted to authenticated users only.
  • Consider social engineering the Help desk to have an reset.

No Comments »

Mobile Banking Security and Risk Assessment Considerations

Aug 05, 2008 in Banking and EFTPoS, Security

When considering Mobile and the associated risk, the an assessment approach depends greatly on the solution being created or provided.
Generally the approach is based on layered supporting and surrounding the technologies and techniques used.

Here are some things to consider.

assessments generally focuses on two main things.

1/ Sensitivity of the
What is being sent. eg. , numbers, balance, home address, number, etc.
may not be sensitive to the , but may be considered by the client as sensitive.
etc……….

2/ Opportunity to the .
What medium is being used?
Is it easy to ?
What is being used?
Are all paths secure (client and back end)?
Is there a 3rd party involved in the switching of the transactions?
etc………

Things to consider:

  • resets sent via to client, should not be used as the only method of accessing accounts. An additional client specific (possibly static) pass word/phrase should be used in addition to a dynamically generated . can be sniffed (depending on mode and location).
  • If WAP is used, are all devices capable of ? If devices are not capable of , do we deny to these devices? If client side or (win CE, etc), ensure this can not be compromised by a Trojan’s and other techniques.
  • Has the organisation considered client side certificates to verify the device prior to transactions being accepted? Consider multiple device and user methods (very solution dependant).
  • Most mobile POS terminals encrypt the client entered number, but do not encrypt everything within the . If the medium is compromised, we should consider if the can be cracked and if unencrypted is sensitive. Consider additional i.e. use of all of message (SSL, ) or use a terminal that utilises Derived Unique Key Per ().
  • Many applications have been affected by typical hacks such as session hijacking, SQL , non random session keys (client side and side), etc… These typical hacks should be considered in your Secure SDLC and QA Processes once you are aware of the used and/or deployed.
  • PBX systems and cabling distribution frames can have devices connected to collect transactions. Wireless devices are now being connected to these systems. The attacker sits in their car in the car park outside. This is often done in super markets.
  • Wireless gateways if not encrypted are easily collected by anyone within wireless range. 802.11 and other wireless/infra-red mediums are being used (assess the and medium being used).
  • Has the organisation considered dynamic keys for mobile users? There are some very low cost SecureID solutions available today, but customers need to have these devices on them when they want to do a .

No Comments »

Cisco Command Cheat Sheet

Jul 04, 2008 in Infrastructure

I found a list of useful which I though I would post here. When I get a chance I will continue to expand the list and broaden command set.

Thanks to the fastget2you.com Joined With #missomhack Community for the original list.

ROUTER COMMANDS :

  • Config# terminal editing - allows for enhanced editing commands
  • Config# terminal monitor - shows output on session
  • Config# terminal ip netmask-format hexadecimal|bit-count|decimal - changes the format of subnet masks

HOST NAME:

  • Config# hostname ROUTER_NAME

BANNER:

  • Config# banner motd # MESSAGE HERE # - # can be substituted for any character, must start and finish the message

DESCRIPTIONS:

  • Config# description THIS IS THE SOUTH ROUTER - can be entered at the Config-if level

CLOCK:

  • Config# clock timezone Central -6
    # clock set hh:mm:ss dd month yyyy - Example: clock set 14:13:00 25 August 2003

CHANGING THE REGISTER:

  • Config# config-register 0×2100 - ROM Monitor Mode
  • Config# config-register 0×2101 - ROM boot
  • Config# config-register 0×2102 - Boot from NVRAM

:

CDP:

  • Config# cdp run - Turns CDP on
  • Config# cdp holdtime 180 - Sets the time that a device remains. Default is 180
  • Config# cdp timer 30 - Sets the update timer.The default is 60
  • Config# int 0
  • Config-if# cdp enable - Enables cdp on the
  • Config-if# no cdp enable - Disables CDP on the
  • Config# no cdp run - Turns CDP off

HOST TABLE:

  • Config# ip host ROUTER_NAME INT_Address - Example: ip host lab-a 192.168.5.1
    -or-
  • Config# ip host RTR_NAME INT_ADD1 INT_ADD2 INT_ADD3 - Example: ip host lab-a 192.168.5.1 203.23.4.2 199.2.3.2 - (for e0, s0, s1)

:

  • Config# ip domain-lookup - Tell router to lookup domain names
  • Config# ip name- 122.22.2.2 - Location of
  • Config# ip domain-name cisco.com - Domain to append to end of names

CLEARING COUNTERS:

STATIC ROUTES:

  • Config# ip route Net_Add SN_Mask Next_Hop_Add - Example: ip route 192.168.15.0 255.255.255.0 205.5.5.2
  • Config# ip route 0.0.0.0 0.0.0.0 Next_Hop_Add - Default route
    -or-
  • Config# ip default- Net_Add - Gateway LAN

IP ROUTING:

  • Config# ip routing - Enabled by default
  • Config# router rip
    -or-
  • Config# router igrp 100
  • Config# 0
  • Config-if# ip address 122.2.3.2 255.255.255.0
  • Config-if# no shutdown

IPX ROUTING:

LISTS:

IP Standard 1-99
IP Extended 100-199
IPX Standard 800-899
IPX Extended 900-999
IPX Filters 1000-1099

IP STANDARD:

  • Config# -list 10 permit 133.2.2.0 0.0.0.255 - allow all src ip’s on 133.2.2.0
    -or-
  • Config# -list 10 permit host 133.2.2.2 - specifies a specific host
    -or-
  • Config# -list 10 permit any - allows any address
  • Config# int 0
  • Config-if# ip -group 10 in - also available: out

IP EXTENDED:

  • Config# -list 101 permit tcp 133.12.0.0 0.0.255.255 122.3.2.0 0.0.0.255 eq
    -protocols: tcp, udp, icmp, ip (no sockets then), among others
    -source then destination address
    -eq, gt, lt for comparison
    -sockets can be numeric or name (23 or , 21 or ftp, etc)
    -or-
  • Config# -list 101 deny tcp any host 133.2.23.3 eq www

-or-

-or-

  • Config# -list 801 permit -1 -1 - “-1″ is the same as “any” with /host addresses
  • Config# 0
  • Config-if# ipx -group 801 outIPX EXTENDED:
  • Config# -list 901 permit 4AA all 4BB all
    - Permit protocol src_add socket dest_add socket
    -”all” includes all sockets, or can use socket numbers

-or-

  • Config# -list 901 permit any any all any all
    -Permits any protocol with any address on any socket to go anywhere
  • Config# 0
  • Config-if# ipx -group 901 inIPX FILTER:
  • Config# -list 1000 permit 4aa 3 - “3″ is the service

-or-

  • Config# -list 1000 permit 4aa 0 - service of “0″ matches all services
  • Config# 0
  • Config-if# ipx input--filter 1000 - filter applied to incoming packets

-or-

  • Config-if# ipx output--filter 1000 - filter applied to outgoing packets

NAMED LISTS:

  • Config# ip -list standard LISTNAME
    -can be ip or ipx, standard or extended
    -followed by the permit or deny list
  • Config# permit any
  • Config-if# ip -group LISTNAME in
    -use the list name instead of a list number
    -allows for a larger amount of -lists

PPP SETUP:

  • Config-if# ppp
  • Config-if# ppp chap pap
    -order in which they will be used
    -only attempted with the listed
    -if one fails, then connection is terminated
  • Config-if# exit
  • Config# username Lab-b 123456
    -username is the router that will be connecting to this one
    -only specified routers can connect

-or-

  • Config-if# ppp chap hostname ROUTER
  • Config-if# ppp chap 123456
    -if this is set on all routers, then any of them can connect to any other
    -set same on all for easy configuration

ISDN SETUP:

  • Config# isdn switch- basic-5ess - determined by telecom
  • Config# serial 0
  • Config-if# isdn spid1 2705554564 - isdn “phonenumber” of line 1
  • Config-if# isdn spid2 2705554565 - isdn “phonenumber” of line 2
  • Config-if# PPP - or HDLC, LAPD

DDR - 4 Steps to setting up ISDN with DDR Configure switch

1. Config# isdn switch- basic-5ess - can be done at config

2. Configure static routes
Config# ip route 123.4.35.0 255.255.255.0 192.3.5.5 - sends traffic destined for 123.4.35.0 to 192.3.5.5
Config# ip route 192.3.5.5 255.255.255.255 bri0 - specifies how to get to 192.3.5.5 (through bri0)

3. Configure
Config-if# ip address 192.3.5.5 255.255.255.0
Config-if# no shutdown
Config-if# ppp
Config-if# dialer-group 1 - applies dialer-list to this
Config-if# dialer map ip 192.3.5.6 name Lab-b 5551212
connect to lab-b at 5551212 with ip 192.3.5.6 if there is interesting traffic
can also use “dialer string 5551212″ instead if there is only one router to connect to

4. Specify interesting traffic
Config# dialer-list 1 ip permit any
-or-
Config# dialer-list 1 ip list 101 - use the -list 101 as the dialer list

5. Other Options
Config-if# hold-queue 75 - queue 75 packets before dialing
Config-if# dialer load-threshold 125 either
-load needed before second line is brought up
-”125″ is any number 1-255, where % load is x/255 (ie 125/255 is about 50%)
-can check by in, out, or either

Config-if# dialer idle-timeout 180
-determines how long to stay idle before terminating the session
-default is 120

FRAME SETUP:

  • Config# serial 0
  • Config-if# frame- - cisco by default, can change to ietf
  • Config-if# frame- lmi- cisco - cisco by default, also ansi, q933a
  • Config-if# bandwidth 56
  • Config-if# serial 0.100 point-to-point - subinterface
  • Config-if# ip address 122.1.1.1 255.255.255.0
  • Config-if# frame- -dlci 100
    -maps the dlci to the
    -can add and/or IETF at the end
  • Config-if# serial 1.100 multipoint
  • Config-if# no inverse-arp - turns IARP off; good to do
  • Config-if# frame- map ip 122.1.1.2 48 ietf
    -maps an IP to a dlci (48 in this case)
    -required if IARP is turned off
    -ietf and are optional
  • Config-if# frame- map ip 122.1.1.3 54

SHOW COMMANDS

  • Show -lists - all lists on the router
  • Show cdp - cdp timer and holdtime
  • Show cdp entry * - same as next
  • Show cdp neighbors detail - details of neighbor with ip add and ios version
  • Show cdp neighbors - id, local , holdtime, capability, platform portid
  • Show cdp - int’s running cdp and their
  • Show cdp traffic - cdp packets sent and received
  • Show controllers serial 0 - DTE or DCE status
  • Show dialer - number of times dialer string has been reached, other stats
  • Show flash - files in flash
  • Show frame- lmi - lmi stats
  • Show frame- map - static and dynamic maps for ’s
  • Show frame- - ’s and dlci’s
  • Show history - commands entered
  • Show hosts - contents of host table
  • Show int f0/26 - stats of f0/26
  • Show 0 - show stats of 0
  • Show ip - ip config of switch
  • Show ip -lists - ip -lists on switch
  • Show ip - ip config of
  • Show ip protocols - routing protocols and timers
  • Show ip route - Displays IP routing table
  • Show ipx -lists - same, only ipx
  • Show ipx interfaces - RIP and info being sent and received, IPX addresses
  • Show ipx route - ipx routes in the table
  • Show ipx servers - table
  • Show ipx traffic - RIP and info
  • Show isdn active - number with active status
  • Show isdn status - shows if SPIDs are valid, if connected
  • Show mac-address-table - contents of the dynamic table
  • Show protocols - routed protocols and net_addresses of interfaces
  • Show running-config - dram config file
  • Show sessions - connections via to remote device
  • Show startup-config - nvram config file
  • Show terminal - shows history size
  • Show a/b - stat of port 26/27
  • Show version - ios info, uptime, address of switch
  • Show vlan - all configured vlan’s
  • Show vlan-membership - vlan assignments
  • Show vtp - vtp configs

CATALYST COMMANDS
For Native IOS - Not CatOS

SWITCH ADDRESS:

  • Config# ip address 192.168.10.2 255.255.255.0
  • Config# ip default-gateway 192.168.10.1DUPLEX MODE:
  • Config# 0/5 - “fastethernet” for 100 Mbps ports
  • Config-if# duplex full - also, half | auto | full-flow-control

SWITCHING MODE:

  • Config# switching-mode store-and-forward - also, fragment-free

MAC ADDRESS CONFIGS:

  • Config# mac-address-table permanent aaab.000f.ffef e0/2 - only this mac will work on this port
  • Config# mac-address-table restricted static aaab.000f.ffef e0/2 e0/3
    -port 3 can only send out port 2 with that mac
    -very restrictive
  • Config-if# port secure max-mac-count 5 - allows only 5 mac addresses mapped to this port

VLANS:

  • Config# vlan 10 name FINANCE
  • Config# 0/3
  • Config-if# vlan-membership static 10 LINKS:
  • Config-if# on - also, off | auto | desirable | nonegotiate
  • Config-if# no -vlan 2
    -removes vlan 2 from the port
    -by default, all vlans are set on a port

    CONFIGURING VTP:

  • Config# delete vtp - should be done prior to adding to a
  • Config# vtp - the default is , also client and transparent
  • Config# vtp domain Camp - name doesn’t matter, just so all switches use the same
  • Config# vtp 1234 - limited
  • Config# vtp pruning enable - limits vtp broadcasts to only switches affected
  • Config# vtp pruning disableFLASH UPGRADE:
  • Config# copy tftp://192.168.5.5/configname.ios opcode - “opcode” for ios upgrade, “nvram” for startup config

DELETE STARTUP CONFIG:

  • Config# delete nvram

1 Comment »

Breaking VISA PIN

Jul 02, 2008 in Banking and EFTPoS

Below is an article I found recently. This one of the most comprehensive descriptions of Value () .

I thought I would replicate it here for my local reference.

As comment have been made regarding the grammar used in the original , I have corrected some of the obvious errors whilst maintaining the context of the original material.

http://69.46.26.132/~biggold1/fastget2you/tutorial.

——– Original ———-

Foreword
Have you ever wonder what would happen if you lose your or and someone finds it. Would this person be able to withdraw cash from an ATM guessing, somehow, your ? Moreover, if you were who finds someone’s would you try to guess the and take the chance to get some easy ? Of course the answer to both questions should be “no”. This work does not deal with the second question, it is a matter of . Herewith I try to answer the first question.

All the information used for this work is public and can be freely found in . The rest is a matter of and programming, thus we can learn and have some fun. I reveal no secrets. Furthermore, the aim (and final ) of this work is to demonstrate that algorithms are still strong enough to provide sufficient . We all know is not the .

This work analyses one of the most common algorithms, , used by many ( and cards) and tries to find out how resistant is to guessing attacks. By “guessing” I do not mean choosing a random and trying it in an ATM. It is well known that generally we are given three consecutive trials to enter the right , if we fail ATM keeps the . As is four digit long it’s easy to deduce that the chance for a random guessing is 3/10000 = 0.0003, it seems low enough to be safe; it means you need to lose your more than three thousand times (or losing more than three thousand cards at the same time :) until there is a reasonable chance of losing .

What I really meant by “guessing” was breaking the so that given any you can immediately know the associated . Therefore this document studies that possibility, analyzing the and proposing a method for the . Finally we give a tool which implements the and present results about the estimated chance to break the system. Note that as long as other related algorithms (other formats such as IBM or validation signatures such as or CVC) are similar to , the same analysis can be done yielding nearly the same results and conclusions.



One of the most common algorithms is the Value (). The customer is given a and a . Encoded in the is a four digit number, called . This number is a cryptographic signature of the and other related to the . When a user enters his/her the ATM reads the , encrypts and sends all this information to a central computer. There a trial is computed using the customer entered and the information with a cryptographic . The trial is compared with the stored in the , if they match the central computer returns to the ATM authorization for the . See in more detail.

The description of the can be found in two documents linked in the previous page. In summary it consists in the of a 8 byte (64 bit) string of , called Transformed Parameter (TSP), with (DEA) in Code Book mode (ECB) using a secret 64 bit key. The is derived from the output of the process, which is a 8 byte string. The four digits of the (from left to right) correspond to the first four decimal digits (from left to right) of the output from when considered as a 16 hexadecimal character (16 x 4 bit = 64 bit) string. If there are no four decimal digits among the 16 hexadecimal characters then the is completed taken (from left to right) non decimal characters and decimalizing them by using the conversion A->0, B->1, C->2, D->3, E->4, F->5. Here is an example:

Output from : 0FAB9CDEFFE7DCBA

: 0975

The strategy of avoiding decimalization by skipping characters until four decimal digits are found (which happens to be nearly all the times as we will see below) is very clever because it avoids an important bias in the distribution of digits which has been proven to be fatal for other systems, although the impact on this system would be much lower. See also a related problem not applying to .

The TSP, seen as a 16 hexadecimal character (64 bit) string, is formed (from left to right) with the 11 rightmost digits of the PAN ( number) excluding the last digit (check digit), one digit from 1 to 6 which selects the secret encrypting key and finally the four digits of the . Here is an example:

PAN: 1234 5678 9012 3445
Key selector: 1
: 2468

TSP: 5678901234412468

Obviously the problem of breaking consists in finding the secret encrypting key for . The method for that is to do a brute force search of the key space. Note that this is not the only method, one could try to find a weakness in DEA, many tried, but this old standard is still in wide use (now been replaced by AES and , though). This demonstrates it is robust enough so that brute force is the only viable method (there are some better attacks but not practical in our case, for a summary see LASEC memo and for the dirty details see Biham & Shamir 1990, Biham & Shamir 1991, Matsui 1993, Biham & Biryukov 1994 and Heys 2001).

The key selector digit was very likely introduced to cover the possibility of a key compromise. In that case they just have to issue new cards using another key selector. Older cards can be substituted with new ones or simply the ATM can transparently write a new (corresponding to the new key and keeping the same ) next time the customer uses his/her . For the shake of all users should be asked to change their PINs, however it would be embarrassing for the to explain the reason, so very likely they would not make such request.

Preparing the


A brute force consists in encrypting a TSP with known using all possible encrypting keys and compare each obtained with the known . When a match is found we have a candidate key. But how many keys we have to try? As we said above the key is 64 bit long, this would mean we have to try 2^64 keys. However this is not true. Actually only 56 bits are effective in keys because one bit (the least significant) out of each octet was historically reserved as a checksum for the others; in practice those 8 bits (one for each of the 8 octets) are ignored.

Therefore the key space consists of 2^56 keys. If we try all these keys will we find one and only one match, corresponding to the secret key? Certainly not. We will obtain many matching keys. This is because the is only a small part (one fourth) of the output. Furthermore the is degenerated because some of the digits (those between 0 and 5 after the last, seen from left to right, digit between 6 and 9) may come from a decimal digit or from a decimalized hexadecimal digit of the output. Thus many keys will produce a output which yields to the same matching .

Then what can we do to find the real key among those other false positive keys? Simply we have to encrypt a second different TSP, also with known , but using only the candidate keys which gave a positive matching with the first TSP- pair. However there is no guarantee we won’t get again many false positives along with the true key. If so, we will need a third TSP- pair, repeat the process and so on.

Before we start our we have to know how many TSP- pairs we will need. For that we have to calculate the for a random output to yield a matching just by chance. There are several ways to calculate this number and here I will use a simple approach easy to understand but which requires some background in of .

A can always be seen as the ratio of favorable cases to possible cases. In our problem the number of possible cases is given by the of 16 elements (the 0 to F hexadecimal digits) in a group of 16 of them (the 16 hexadecimal digits of the output). This is given by 16^16 ~ 1.8 * 10^19 which of course coincides with 2^64 (different numbers of 64 bits). This set of numbers can be separated into five categories:

Those with at least four decimal digits (0 to 9) among the 16 hexadecimal digits (0 to F) of the output.

Those with exactly only three decimal digits.

Those with exactly only two decimal digits.

Those with exactly only one decimal digit.

Those with no decimal digits (all between A and F).

Let’s calculate how many numbers fall in each category. If we label the 16 hexadecimal digits of the output as X1 to X16 then we can label the first four decimal digits of any given number of the first category as Xi, Xj, Xk and Xl. The number of different combinations with this profile is given by the product 6 i-1 * 10 * 6j-i-1 * 10 * 6k-j-1 * 10 * 6 l-k-1 * 10 * 1616-l where the 6’s come from the number of possibilities for an A to F digit, the 10’s come from the possibilities for a 0 to 9 digit, and the 16 comes from the possibilities for a 0 to F digit. Now the total numbers in the first category is simply given by the summation of this product over i, j, k, l from 1 to 16 but with i < j < k < l. If you do some math work you will see this equals to the product of 104/6 with the summation over i from 4 to 16 of (i-1) * (i-2) * (i-3) * 6i-4 * 16 16-i ~ 1.8 * 1019.

Analogously the number of cases in the second category is given by the summation over i, j, k from 1 to 16 with i < j < k of the product 6i-1 * 10 * 6j-i-1 * 10 * 6k-j-1 * 10 * 616-k which you can work it out to be 16!/(3! * (16-13)!) * 103 * 6 13 = 16 * 15 * 14/(3 * 2) * 103 * 613 = 56 * 104 * 613 ~ 7.3 * 1015. Similarly for the third category we have the summation over i, j from 1 to 16 with i < j of 6 i-1 * 10 * 6j-i-1 * 10 * 616-j which equals to 16!/(2! * (16-14)!) * 102 * 614 = 2 * 103 * 615 ~ 9.4 * 1014. Again, for the fourth category we have the summation over i from 1 to 16 of 6i-1 * 10 * 616-i = 160 * 615 ~ 7.5 * 1013. And finally the amount of cases in the fifth category is given by the of six elements (A to F digits) in a group of 16, that is, 616 ~ 2.8 * 1012.

I hope you followed the calculations up to this point, the hard part is done. Now as a proof that everything is right you can sum the number of cases in the 5 categories and see it equals the total number of possible cases we calculated before. Do the operations using 64 bit numbers or rounding (for floats) or overflow (for integers) errors won’t let you get the exact result.

Up to now we have calculated the number of possible cases in each of the five categories, but we are interested in obtaining the number of favorable cases instead. It is very easy to derive the latter from the former as this is just fixing the combination of the four decimal digits (or the required hexadecimal digits if there are no four decimal digits) of the instead of letting them free. In practice this means turning the 10’s in the formula above into 1’s and the required amount of 6’s into 1’s if there are no four decimal digits. That is, we have to divide the first result by 104, the second one by 103 * 6, the third one by 102 * 62 , the fourth one by 10 * 63 and the fifth one by 64 . Then the number of favorable cases in the five categories are approximately 1.8 * 1015, 1.2 * 1012, 2.6 * 1011 , 3.5 * 1010, 2.2 * 109 respectively.

Now we are able to obtain what is the for a output to match a by chance. We just have to add the five numbers of favorable cases and divide it by the total number of possible cases. Doing this we obtain that the is very approximately 0.0001 or one out of ten thousand. Is it strange this well rounded result? Not at all, just have a look at the numbers we calculated above. The first category dominates by several orders of magnitude the number of favorable and possible cases. This is rather intuitive as it seems clear that it is very unlikely not having four decimal digits (10 chances out of 16 per digit) among 16 hexadecimal digits. We saw previously that the relationship between the number of possible and favorable cases in the first category was a division by 10^4, that’s where our result p = 0.0001 comes from.

Our aim for all these calculations was to find out how many TSP- pairs we need to carry a successful brute force . Now we are able to calculate the expected number of false positives in a first search: it will be the number of trials times the for a single random false positive, i.e. t * p where t = 2^56, the size of the key space. This amounts to approximately 7.2 * 10^12, a rather big number. The expected number of false positives in the second search (restricted to the positive keys found in the first search) will be (t * p) * p, for a third search will be ((t * p) * p) * p and so on. Thus for n searches the expected number of false positives will be t * p^n.

We can obtain the number of searches required to expect just one false positive by expressing the equation t * p^n = 1 and solving for n. So n equals to the in base p of 1/t, which by properties of logarithms it yields n = log(1/t)/log(p) ~ 4.2. Since we cannot do a fractional search it is convenient to round up this number. Therefore what is the expected number of false positives if we perform five searches? It is t * p^5 ~ 0.0007 or approximately 1 out of 1400. Thus using five TSP- pairs is safe to obtain the true secret key with no false positives.

The


Once we know we need five TSP- pairs, how do we get them? Of course we need at least one with known , and due to the nature of the , that’s the only thing we need. With other systems, such as IBM, we would need five cards, however this is not necessary with . We just have to read the and then change the four times but reading the after each change.

It is necessary to read the of the to get the and the encrypting key selector. You can buy a commercial or make one yourself following the instructions you can find in the previous page and links therein. Once you have a see this description of standard magnetic tracks to find out how to get the from the read. In that document the field in tracks 1 and 2 is said to be five character long, but actually the true consists of the last four digits. The first of the five digits is the key selector. I have only seen cards with a value of 1 in this digit, which is consistent with the standard and with the secret key never being compromised (and therefore they did not need to move to another key changing the selector).

I did a simple C program, getpvvkey.c, to perform the . It consists of a loop to try all possible keys to encrypt the first TSP, if the derived matches the true a new TSP is tried, and so on until there is a mismatch, in which case the key is discarded and a new one is tried, or the five derived PVVs match the corresponding true PVVs, in which case we can assume we got the secret key, however the loop goes on until it exhausts the key space. This is done to assure we find the true key because there is a chance (although very low) the first key found is a false positive.

It is expected the program would take a very long time to finish and to minimize the risks of a power cut, computer hang out, etc. it does checkpoints into the file getpvvkey.dat from time to time (the exact time depends on the speed of the computer, it’s around one hour for the fastest computers now in use). For the same reason if a positive key is found it is written on the file getpvvkey.key. The program only displays one message at the beginning, the starting position taken from the checkpoint file if any, after that nothing more is displayed.

The is a key point in the program, it is therefore very important to optimize its speed. I tested several implementations: libdes, SSLeay, openssl, cryptlib, nss, libgcrypt, catacomb, libtomcrypt, cryptopp, ufc-crypt. The functions of the first four are based on the same code by Eric Young and is the one which performed best (includes optimized C and x86 assembler code). Thus I chose libdes which was the original implementation and condensed all relevant code in the files encrypt.c (C version) and x86encrypt.s (x86 assembler version). The code is slightly modified to achieve some enhancements in a brute force : the initial is a fixed common steep in each TSP and therefore can be made just one time at the beginning. Another improvement is that I wrote a completely new setkey function (I called it nextkey) which is optimum for a brute force loop.

To get the program working you just have to in the corresponding place five TSPs and their PVVs and then compile it. I have tested it only in UNIX platforms, using the makefile Makegetpvvkey to compile (use the command “make -f Makegetpvvkey”). It may compile on other systems but you may need to fix some things. Be sure that the definition of the long64 corresponds to a 64 bit integer. In principle there is no dependence on the endianness of the processor. I have successfully compiled and run it on Pentium-Linux, Alpha-Tru64, Mips-Irix and Sparc-Solaris. If you do not have and do not want to install Linux (you don’t know what you are missing ;-) you still have the choice to run Linux on CD and use my program, see m