Please note: this is an english list. I'll try to translate. Claudia: wenn Du kein englisch kannst, forwarde mir diese Mail nochmal, ich werde sie dann wieder ins deutsch übersetzen. * Claudia Arnold wrote on Sun, Dec 31, 2000 at 13:11 +0100:
Wenn ein Passwort verschlüsselt ist (z.B. shadow) und man davon ausgeht, daß es Verschlüsselungsverfahren gibt, die nur schwer bzw. (momentan) gar nicht zu knacken sind, wie bekommt dann das System (z.B. bei Login-Passwort) das unverschlüsselte Passwort heraus ???
The question: If a encrypted password is difficult to crack, how knows the system the unencrypted password (i.e. at the login prompt)? Answer: The system don't know the cleartext password. A encrypted password is stored. At login, you enter the cleartext password. That password gets encrypted in the same way like the stored became encrypted. Now the both encrypted values are compared. If they are equal, the entered cleartext password were the same as the cleartext of the stored.
OK, ich könnte mir vorstellen, daß die Entschlüsselung o.ä. im Login-Programm enthalten ist, aber dann wäre sie doch (wegen Open-Source u.ä.) auch frei verfügbar - oder nicht !?
Quenstion: I could imagine that the decryption is included in some login program, but since it's open source everybody could use it, ain't? Answer: See above, it's not neccesary to decrypt the password. Anyway, the algorihtms to crack passwords are known to the public, but it's take a long time to crack a (good) password, but's not impossible. The needed time depends on uses environment and used password encryption (or hash) algorithm of course.
Das gleiche ist ja auch bei z.B. EC-Karten der Fall.
The same with EC-cards.
Glaubt man der Bank, so ist es für die Angestellten nicht möglich eine vergessene Geheimzahl nachträglich herauszufinden.
According to bank, it's impossible to retrieve a forgotten PIN.
Wie schafft es denn dann der Geldautomat herauszufinden, ob ich die korrekte Geheimzahl eingegeben habe ???
But how the cash automate knows if I entered the correct PIN? Answer: In general, there are two possibilities: offline and online verification. Offline verification could be done in such a way: The pin number is calculated by the data stored on the card, and is encrypted by a secret key. The automate contains a hardware security module which contains the key in a safe way (i.e. it's impossible to read out that key, even with tricks). The automate could use that module to recalculate the PIN and check if it's match. The second if online verification. The automate uses a phone line to transfer the PIN to some serversystem and gets a positive or negative response (of course the transfer is encrypted, too). The serversystems knows about all the keys and is able to verify the PIN. This requires a online-link of course. In germany, all cash automates use online-verification to archive maximum security.
Dementrsprechend muß es doch auch (mehr oder weniger leicht) möglich sein, die Geheimzahl zu ermitteln, da es der Automat ja auch kann....
Question: then it should be possible to calculate the PIN, since the automate is able to do it. Answer: It's possible, but only if you have the secret key used for calculating the PIN. And that secret keys are secret. Even if you steal a hardware-security-module, you won't be able to retrive the keys, since the module destroys itself if it detects some attacks (i.e. magnetic fields and so on). So you will not get the key --> you will not be able to calculate the PIN.
Oder befinde ich mich da vollkommen auf dem Holzweg ???
Question: Or I am wrong? Answer: yes ;) oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.