Geek Answers Handbook

How to store and verify randomly selected numbers from PIN / password

If I have a 6-digit user PIN (or n char) and I want to confirm that 3 digits randomly selected from the PIN (or x-characters) as part of the login procedure, store the PIN the code in the database or some encrypted / hashed version of the PIN code so that I can verify the user ID?

Thoughts:

  • Store the PIN in a reversible (symmetric or asymmetric) encrypted form, decrypt for digit checks.
  • Keep a range of hashed PIN permutations from some IDs that refer to "random digits, for example:
    • ID: 123 = Hash of digits 1, 2, 3
    • ID: 416 = Hash of digits 4, 1, 6

Problems:

  • Key Security: Assume that the key is 'protected' and that the application is not financial or extremely critical, but “large volume”.
  • Creating a large number of permutation hashes has prohibited high memory (16 bytes x multiple permutations) and is time-consuming, possibly overkill.

Are there any other options, problems, or clarifications?

Yes. I know that storing passwords / PINs in a reversible way is “controversial” and ideally should not be done.

Update

Just to clarify: 1. Random numbers are a scheme that I am considering to avoid using keys. 2. It is not possible to complete more than a limited number of attempts. 3. Other elements help protect and authenticate access.

+4
security authentication passwords encryption hash
source share
6 answers
  • The key is "protected"
  • The application is not financial and highly critical,
  • The application is "high volume."
  • Creating a large number of permutation hashes has prohibited high memory (16 bytes x multiple permutations) and is time consuming, probably an excess
  • Random numbers is a scheme that I am considering the ability to lock keys.
  • It is impossible to try more than a limited number of attempts.
  • Other elements help protect and authenticate access.

You seem to be arguing about storing the PIN in the box. I say, follow him. Basically you describe a method for checking the response to a request, and server-side clear-text storage is common to this use case.

Something like this is a one-time keyboard or secret key matrix. The difference is that the user must have / have a pad with them for access. The advantage is that as long as you get enough secure key distribution, you are very safe from keyloggers.

If you want to make the exposure of the matrix / pad not cause compromises, ask the user to use a short (3-4 number) PIN code with the pad and save your sensitive locking mechanism.

Matrix example:

1 2 3 4 5 6 7 8 A ; kjlkasg B fq 3 n 0 8 u 0 C 1 2 8 egu 8 -

The task may be as follows: "Enter your PIN code, and then the character from the square B3 from your matrix."

The answer may be: 98763

0
source share

Since any encryption scheme that you use to store passwords / passwords will be either too expensive or easily hacked, I go to the side of simply storing it in plain textr and guarantee that the database and server security are zero.

You can consider a small encryption scheme to hide passwords from a random database browser, but you must admit that any scheme will have two main vulnerabilities. One - your program will need a password or a key that needs to be stored somewhere and will be almost as vulnerable to tracking, since the actual passwords are calculated in plain text, and Two - if you have a reasonable number of users, then a hacker who has there is access to encrypted passwords, it has many "tips" to help its brute force attack, and if your site is open to the public, it can insert any number of "known texts" into your database.

+2
source share

Since 6C3 is equal to 20, and 10C3 is equal to 120, I will get a false positive (to be confirmed) for 1/6 of my guesses.

This scheme is slightly better than the lack of authentication, no matter how you store the token.

+1
source share

I completely agree with msw, but this argument is (or mainly) valid for a six-digit scheme. For the n-char approach, the false positive ratio (sometimes ...) will be significantly lower. One improvement would be that random characters should be entered in the same order as in the password.

I also think that saving hashed permutations would make it easier to find the key using some brute force approach. For example, testing and combining various combinations of three characters and checking them for stored hashes. This will lead to victory in the goal of hashing the key in the first place, so that you can instead keep the key encrypted.

Another, completely different argument is that your users can be very confused by this odd login procedure :)

+1
source share

One possible solution is to use Reed-Solomon (or something like this) to build an n-of-m scheme: creating an nth degree polynomial f(x) , where n is the number of digits needed to enter the system, and generate output digits by evaluating f(x) at x=1..6 . The numbers combined will become your complete pin. Then, any three of these digits can be used (together with their x coordinate) to interpolate the constants of the polynomial. If they are equal to the source constants, the numbers are correct.

The biggest problem, of course, is to form a field of numbers 0..9 for polynomial constant arithmetic. Normal arithmetic will not cut it out in this case. And my final field is too rusty to remember, if possible. If you switch to 4 bits per digit, you can use GF(2^4) to overcome this drawback. In addition, it is not possible to select your PIN code. It should be assigned to you. Finally, assuming that you can fix all the problems, there are only 1000 different polynomials for the 3rd circuit, and it is too small for security.

In any case, I do not think that this will be a good method, but I wanted to add some ideas to the mix.

+1
source share

You say that you have other elements for authentication. If you have passwords, you can do the following:

  • Request a password (the password is stored as a hash only on your side)
  • First check the hash of the entered password for the stored password hash
  • If successful, otherwise return to 1
  • Use the entered (unhashed) password there as a key for symmetrically encrypted PIN codes
  • Request some random PIN numbers

Thus, the PIN code is encrypted, but the key is not saved as plain text on your side. It seems to me that my bank’s online portal does this (at least I hope that the PIN code is encrypted, but from the users viewing the registration process is similar to the one described above).

+1
source share

More articles:


All Articles