Full Disclosure mailing list archives
Re: Re: choice-point screw-up and secure hashes
From: Jason <security () brvenik com>
Date: Sat, 19 Mar 2005 20:25:02 -0500
I don't see any disclosure in this thread but what the heck. Valdis.Kletnieks () vt edu wrote:
On Sat, 19 Mar 2005 19:27:22 EST, Atom Smasher said:the way i see it, some people bought personal info from choicepoint. if that info contained hashed SSNs it would be just as valuable to a LEGITIMATE user for verification purposes.Explain why. Remember that I'm sitting down at the bank applying for a loan, and *I* have no idea what my SSN hashes to, and the bank has a vested interest in getting back a report they can easily verify is The Right One - this means that either the report back from ChoicePoint needs to contain a cleartext SSN that the loan officer can verify, or the bank needs to be able to hash my SSN and compare (ever eyeball-checked the MD5sum of a file you downloaded? Now imagine a non-techie doing that all day - it's significantly harder than using eyeball compares for 2 sets of (3,2,4) digit numbers...) And it has to have one of the 3 following characteristics: 1) It has to work over a fax machine, because that's what the competing companies have as the entry level technology. 2) It has to provide *such* additional benefit *to the subscriber* to make them pay for an essentially one-use piece of hardware. The fax machine they can use for all their fax needs, a specialized hardware for connecting to your database is probably not going to be a win. 3) You have to be willing to pay for the hardware for your subscribers.
It is a trivial problem to solve. hashkey = make_hash(known_entity, SSN); hash_words = make_words(hash_key); the end result might be something like this yellow sumbarine steroids crime education lies halliburton president for a social the values might be mothers maiden name and SSN. make_hash(mothers_maiden_name, your_ssn);now you have a secure method of verifying the SSN, cross referencing valuable data, and easily validating the results.
#1 - Solved #2 - not needed #3 - not neededIt has the added benefit of allowing you to capture and validate the important information when required without ever storing that information in a database.
This same method could apply to credit cards, license numbers, socials...The merchant implementing this scheme would never have to store the information to prove that they were provided the proper data and that they were dealing with the correct entity.
Remember - the people who are going to end up paying for the security aren't the people who care about the security - which will tend to limit your security budget.
When the merchants enjoy lower liabilities as a result of fraud reduction things become a little different on the budget and political fronts.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Re: choice-point screw-up and secure hashes, (continued)
- Re: Re: choice-point screw-up and secure hashes Vincent van Scherpenseel (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Ron DuFresne (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Ron DuFresne (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Atom Smasher (Mar 19)
- Re: choice-point screw-up and secure hashes Atom Smasher (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Valdis . Kletnieks (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Atom Smasher (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Valdis . Kletnieks (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Atom Smasher (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Valdis . Kletnieks (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Jason (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Atom Smasher (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Valdis . Kletnieks (Mar 19)
- Re: choice-point screw-up and secure hashes Atom Smasher (Mar 19)
- Re: Re: choice-point screw-up and secure hashes Valdis . Kletnieks (Mar 19)
- Re: choice-point screw-up and secure hashes Atom Smasher (Mar 19)