{"id":330,"date":"2011-10-02T23:56:26","date_gmt":"2011-10-02T23:56:26","guid":{"rendered":"http:\/\/41j.com\/blog\/?p=330"},"modified":"2011-10-02T23:56:48","modified_gmt":"2011-10-02T23:56:48","slug":"unobservable-pin-and-password-entry","status":"publish","type":"post","link":"https:\/\/41j.com\/blog\/2011\/10\/unobservable-pin-and-password-entry\/","title":{"rendered":"Unobservable pin and password entry"},"content":{"rendered":"

This is a combination of two blog posts from Linuxjunk. The general idea to to create a pin and password entry system where even if you want watch the whole process and you know exactly what the user typed in, you still can’t unambiguously guess their password. I think it’s a pretty neat idea.<\/p>\n

A one to many mapping is created between password symbols and the numbers you type in. That means the value you type in could come from any of a number of password characters. The mapping should be random so that the values you enter every time will be different. Given enough observations of course the attacker could identify the password, but it offers some security and could offer some advantage over challenge and response type systems.<\/p>\n

I have two pieces of code, one from pin entry and one from alphabetic password entry.<\/p>\n

Unobservable pin entry<\/h2>\n

The following is a command line, number mapping based version of the technique described at http:\/\/dapl.me\/pinsecurity.html. It’s just a proof of concept, but I think Dans general idea is pretty neat. It could be a viable alternative to challenge and response type systems, and having this as a PAM module would be neat.<\/p>\n

The following code is just a proof of concept. But it presents the user with two lists of numbers. The user PIN is hard coded as 1803 in this example. The first line shows the numbers 0 through 9. The second a random list of numbers.<\/p>\n

The user enters numbers matching mapping from the first line to the second. Using this method it’s impossible for an observer to unambiguously guess the users pin.<\/p>\n

Here’s an example run:<\/p>\n

\r\n0,1,2,3,4,5,6,7,8,9,\r\n2,4,3,3,0,2,4,3,3,4,\r\nplease enter pin: 4323\r\n<\/pre>\n
\r\n#include <iostream>\r\n#include <vector>\r\n\r\nusing namespace std;\r\n\r\nint main() {\r\n\r\n int valid_pw[5];\r\n valid_pw[0] = 1;\r\n valid_pw[1] = 8;\r\n valid_pw[2] = 0;\r\n valid_pw[3] = 3;\r\n\r\n int random_mapping[10];\r\n\r\n for(size_t n=0;n<10;n++) {\r\n   random_mapping&#91;n&#93; = rand()%5;\r\n }\r\n\r\n for(size_t n=0;n<10;n++) {\r\n   cout << n << ",";\r\n }\r\n cout << endl;\r\n\r\n for(size_t n=0;n<10;n++) {\r\n   cout << random_mapping&#91;n&#93; << ",";\r\n }\r\n cout << endl;\r\n\r\n cout << "please enter pin: ";\r\n\r\n int get_pw&#91;4&#93;;\r\n\r\n \/\/ get pw...\r\n string input_line;\r\n getline(cin, input_line);\r\n\r\n for(size_t n=0;n<4;n++) {\r\n   string singlechar;\r\n   singlechar  += input_line&#91;n&#93;;\r\n   get_pw&#91;n&#93; = atoi(singlechar.c_str());\r\n }\r\n\r\n \/\/ validate pw\r\n bool pass = true;\r\n for(size_t n=0;n<4;n++) {\r\n\r\n   \/\/ find all locations with this mapping\r\n   vector<int> valid_locs;\r\n   for(size_t i=0;i<10;i++) {\r\n     if(random_mapping&#91;i&#93; == get_pw&#91;n&#93;) valid_locs.push_back(i);\r\n   }\r\n\r\n\r\n   \/\/ if any match valid_pw&#91;n&#93; then the password is ok.\r\n   bool thispass=false;\r\n   for(size_t i=0;i<valid_locs.size();i++) {\r\n     \/\/ cout << "valid: " << valid_locs&#91;i&#93; << endl;\r\n     if(valid_locs&#91;i&#93; == valid_pw&#91;n&#93;) thispass=true;\r\n   }\r\n   if(thispass == false) pass = false;\r\n }\r\n cout << endl;\r\n\r\n if(pass) cout << "password valid"   << endl;\r\n     else cout << "password invalid" << endl;\r\n}\r\n&#91;\/sourcecode&#93;\r\n\r\n<h2>Unobservable alphabetic password entry<\/h2>\r\n\r\nThis version allows you to use alphabetic passwords. It takes a command line argument which is the true password. When run it displays the following prompt:\r\n\r\n[sourcecode language="bash"]\r\n$ .\/a.out test\r\n| a | b | c | d | e | f | g | h | i | j | k | l | m | \r\n| 1 | 5 | 0 | 5 | 4 | 6 | 8 | 2 | 0 | 9 | 6 | 7 | 9 | \r\n\r\n| n | o | p | q | r | s | t | u | v | w | x | y | z | \r\n| 4 | 4 | 8 | 3 | 4 | 0 | 3 | 5 | 9 | 7 | 3 | 2 | 1 | \r\n\r\nplease enter pin: 3403\r\npassword valid\r\n<\/pre>\n
#include 
\n#include <\/p>\n
using namespace std;<\/p>\n
void display_mapping(size_t start,size_t end,vector random_mapping) {
\n  cout << \"| \";\n  for(size_t n=start;n valid_pw;
\n string valid_pw_str = argv[1];<\/p>\n
 for(size_t n=0;n random_mapping(26,-1);<\/p>\n
 srand(time(NULL));
\n for(size_t n=0;n get_pw;<\/p>\n
 \/\/ get pw…
\n string input_line;
\n getline(cin, input_line);<\/p>\n
 for(size_t n=0;n valid_locs;
\n     for(size_t i=0;i<26;i++) {\n       if(random_mapping[i] == get_pw[n]) valid_locs.push_back('a' + i);\n     }\n\n     \/\/ if any match valid_pw[n] then the password is ok.\n     bool thispass=false;\n     for(size_t i=0;i\n","protected":false},"excerpt":{"rendered":"
This is a combination of two blog posts from Linuxjunk. The general idea to to create a pin and password entry system where even if you want watch the whole process and you know exactly what the user typed in, you still can’t unambiguously guess their password. I think it’s a pretty neat idea. A […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[1],"tags":[],"class_list":["post-330","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1RRoU-5k","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts\/330","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/comments?post=330"}],"version-history":[{"count":2,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts\/330\/revisions"}],"predecessor-version":[{"id":332,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts\/330\/revisions\/332"}],"wp:attachment":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/media?parent=330"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/categories?post=330"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/tags?post=330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}