Strengthening Authentication Patterns

IP.com Disclosure Number: IPCOM000041339D
Original Publication Date: 1984-Jan-01
Included in the Prior Art Database: 2005-Feb-02
Document File: 2 page(s) / 27K

Publishing Venue

IBM

Related People

Hopkins, WD: AUTHOR [+4]

Abstract

This article discloses a method for strengthening authentication patterns (AP) used as part of a personal verification process in an electronic funds transfer (EFT) system. The first step in performing a user verification process is for the user to enter a personal identification number (PIN) into an EFT terminal. Numerous techniques exist for protecting the PIN once it is entered into the system via the EFT terminal, almost all of which begin by combining the PIN with some other, non-secret, static information to eliminate certain dictionary attacks. PINs are then encrypted with secret system keys, affording the PIN protection during periods of transmission or storage. However, where access to the encrypt function can be obtained, certain exhaustive attacks may be performed to recover the key.

This is the abbreviated version, containing approximately 59% of the total text.


Various groups have each developed a method for protecting the PIN based on some combination of the PIN and the user ID as follows: (1) AP=PIN ID, (2) AP=PIN O ID and (3) AP=ID PIN, where represents concatenation and O represents modulo 2 addition. Thus, generally speaking, AP is a function of PIN and ID or AP = f(PIN,ID). However, since ID is assumed to be public (read from a bank card), AP remains susceptible to exhaustive attacks allowing an opponent to defeat the system key and obtain a large set of AP and corresponding ID pairs. Therefore, to provide a method for transforming PIN or f(PIN, ID) so that it is not vulnerable to an exh...
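An added example, not part of the original disclosure: it compares the width of the AP field with the number of bits the public ID does not already fix, for each of the three forms AP = f(PIN, ID) listed above. The BCD digit packing, the 4-digit PIN, the left zero-padding in form (2) and the sample ID are assumptions made for illustration.

```python
import math
from itertools import product

SAMPLE_ID = "0000123456789012"  # constructed 16-digit ID, not from the page

def bcd(digits):
    # Assumption: each decimal digit occupies one 4-bit nibble (BCD packing).
    return int(digits, 16)

def ap_pin_id(pin, uid):
    return pin + uid                      # form (1): PIN concatenated with ID

def ap_xor(pin, uid):
    # form (2): modulo-2 addition; the shorter value is left-padded with zeros.
    width = max(len(pin), len(uid))
    return format(bcd(pin) ^ bcd(uid), "0%dX" % width)

def ap_id_pin(pin, uid):
    return uid + pin                      # form (3): ID concatenated with PIN

def ap_space(form, uid, pin_len=4):
    """Every AP value that can occur for one public ID."""
    pins = ("".join(p) for p in product("0123456789", repeat=pin_len))
    return {form(pin, uid) for pin in pins}

def nominal_bits(form, uid, pin_len=4):
    """Width of the AP field, at 4 bits per digit."""
    return 4 * len(form("0" * pin_len, uid))

def unknown_bits(form, uid, pin_len=4):
    """Bits of AP not already fixed by the public ID."""
    return math.log2(len(ap_space(form, uid, pin_len)))

def report(uid=SAMPLE_ID):
    forms = {"PIN,ID": ap_pin_id, "PIN xor ID": ap_xor, "ID,PIN": ap_id_pin}
    return {name: (nominal_bits(f, uid), round(unknown_bits(f, uid), 2))
            for name, f in forms.items()}

if __name__ == "__main__":
    for name, (nominal, unknown) in report().items():
        print("%-11s field width %2d bits, unknown %5.2f bits" % (name, nominal, unknown))
```

Whichever form is used, the AP for a known ID takes one of only 10,000 values under these assumptions, so the wider field adds no secrecy beyond the PIN itself.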