
RE: [WEB SECURITY] Hashing and entropy



I figure 30 to 38 bits if you know the bank. Why does anyone want to hash
card numbers???

Figuring out what number a hash corresponds to is comparable to doing the
same with SSN (also 9 digits) which would be the 30 bit case. 

Heck's bells: you might as well hash someone's age in years and expect that to
obscure it!  (That's a bit easier but illustrates the problem.)

If you encrypt or add a decently long salt, you can at least have enough entropy
to make 100 or so bits' worth, or more if you do it better. You have to keep the
extra entropy secret but at least it is harder than just hashing a few billion
trials to match hashes.

-----Original Message-----
From: Amit Klein [mailto:aksecurity@xxxxxxxxx]
Sent: Friday, June 20, 2008 3:34 PM
To: Nathanael Hoyle
Cc: websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] Hashing and entropy


Nathanael Hoyle wrote:
> Oliver Lavery wrote:
>
> <snip>
>> The parameters of the problem as I see it are:
>>
>> 1) credit card numbers have roughly 10**16 distinct values, well 
>> below 2**128 (MD5) much less 2**160 (SHA1)
>>
>
> I would point out that the practical range may be narrowed by an 
> attacker.  IIRC, all Visa card numbers start with a 4, and all 
> MasterCard ones start with a 5.  These two cases account for a huge 
> proportion of all CC numbers.  In either of these cases, the range is 
> 10**15 * 2, which is notably smaller.

It's much worse - check out http://en.wikipedia.org/wiki/Credit_card_numbers

-Amit

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



-----------------------------------------
This transmission may contain information that is privileged,
confidential, legally privileged, and/or exempt from disclosure
under applicable law.  If you are not the intended recipient, you
are hereby notified that any disclosure, copying, distribution, or
use of the information contained herein (including any reliance
thereon) is STRICTLY PROHIBITED.  Although this transmission and
any attachments are believed to be free of any virus or other
defect that might affect any computer system into which it is
received and opened, it is the responsibility of the recipient to
ensure that it is virus free and no responsibility is accepted by
JPMorgan Chase & Co., its subsidiaries and affiliates, as
applicable, for any loss or damage arising in any way from its use.
 If you received this transmission in error, please immediately
contact the sender and destroy the material in its entirety,
whether in electronic or hard copy format. Thank you.

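As an added illustration of the entropy argument in this thread (not code from any poster), the following Python computes the size of the search space an attacker faces under the assumptions discussed (full 16 digits; first digit known; six-digit issuer prefix known plus the Luhn check digit), then shows on a deliberately tiny, constructed case why an unsalted digest of a card number is just a lookup, and why a keyed HMAC whose key stays secret is not. The card number 4111111111111111 is a well-known non-issued test value; the "attacker knows the first 12 digits" sizing is an assumption made only to keep the demonstration to 1000 candidates.

```python
import hashlib
import hmac
import itertools
import math
from typing import Callable, Optional, Tuple

# Constructed sample: a public test number, not a real account.
SAMPLE_PAN = "4111111111111111"
# Constructed secret for the keyed variant; in practice this must be kept
# out of the database that holds the tokens (the "extra entropy" the
# thread says you have to keep secret).
SECRET_KEY = b"example-hmac-key-do-not-reuse"


def search_space_bits(total_digits: int, known_prefix_digits: int,
                      luhn_check: bool = True) -> float:
    """Bits of entropy left in a card number once an attacker knows the
    leading prefix; the Luhn check digit is fixed by the others, so it
    contributes nothing."""
    free = total_digits - known_prefix_digits - (1 if luhn_check else 0)
    return free * math.log2(10)


def luhn_check_digit(payload: str) -> str:
    """Compute the Luhn check digit for a string of digits (the payload,
    i.e. the card number without its last digit)."""
    total = 0
    # Walk from the right; the digit nearest the check digit is doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_check_digit(pan[:-1]) == pan[-1]


def plain_hash(pan: str) -> str:
    """Unsalted SHA-1 of the card number: what the thread warns against."""
    return hashlib.sha1(pan.encode()).hexdigest()


def keyed_token(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: brute force now needs the key too."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(target: str, known_prefix: str, free_digits: int,
                digest: Callable[[str], str]) -> Tuple[Optional[str], int]:
    """Enumerate every Luhn-valid number with the given prefix and count
    of free digits, hashing each with `digest` until one matches `target`.
    Returns (pan or None, number of trials)."""
    trials = 0
    for combo in itertools.product("0123456789", repeat=free_digits):
        payload = known_prefix + "".join(combo)
        candidate = payload + luhn_check_digit(payload)
        trials += 1
        if digest(candidate) == target:
            return candidate, trials
    return None, trials


if __name__ == "__main__":
    print("full 16 digits:          %.1f bits" % search_space_bits(16, 0, False))
    print("first digit known:       %.1f bits" % search_space_bits(16, 1, False))
    print("6-digit IIN + Luhn known: %.1f bits" % search_space_bits(16, 6))

    # Toy-sized search so it runs instantly: 12 known digits, 3 free.
    pan, n = recover_pan(plain_hash(SAMPLE_PAN), "411111111111", 3, plain_hash)
    print("unsalted SHA-1 recovered", pan, "after", n, "trials")

    # The same enumeration against a keyed token finds nothing without the key.
    pan, n = recover_pan(keyed_token(SAMPLE_PAN, SECRET_KEY), "411111111111", 3,
                         plain_hash)
    print("keyed HMAC recovered", pan, "after", n, "trials")
```

The 16-digit/6-digit-IIN case comes out at just under 30 bits, which is the "SSN-sized" figure quoted in the thread; scaling the toy enumeration from 10^3 to 10^9 candidates is a matter of hash rate, not cleverness, which is why the thread's advice is to add secret entropy (a key or long secret salt) rather than rely on the digest alone.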


