mersenneforum.org, Puzzles forum
Thread: A security puzzle
#1, 2007-02-07 14:35, T.Rex (joined Feb 2004, France)
A security puzzle

Hello,
My Bank provides its customers with a Web interface so they can get information about their account from home.
One must give a number and a secret key. The number is typed with the keyboard, though the mouse is used to securely give the key (6 digits between 0 and 9).
In a 5x5 square, the 10 digits (0..9) are randomly placed: the customer must "click" each of the 6 digits that make the key, from left digit to right digit.
That seems perfect ... but the digits are not really randomly placed on the 5x5 square (it seems they have made a mistake): the 10 digits are placed, from 0 to 9 (or from 1 to 9 and then 0), from the left to the right and from the top to the bottom of the square. (There are also some not-perfect symmetries in the way the digits are placed in the square, but it seems difficult to see a rule.)
See the examples below.
As an example, let's say the key is 451093 and that i-j represents the case of line i (from top to bottom) and column j (from left to right), with i and j from 1 to 5. Thus, a customer would have to click the cases (2-1 3-2 1-2 1-1 5-4 1-5) to provide the secret key.

My opinion is that, with a spy gathering the "mouse clicks", it would be possible to find the key with a limited (less than 100) number of collects, because one can build relationships between the 6 digits: (2-1 3-2 1-2) for 451 means that the second digit is greater than the first digit and that the third digit is smaller than the first and second digits, and so on with the other digits, and so on with more examples of the customer giving the secret key with a different square.
But I have no idea about which Math theory would help.

Do you have ideas, and can you propose algorithms or real code?
Regards,
Tony
Attached image: key3.gif
#2, 2007-02-07 14:36, T.Rex
Another example

Another example.
Customer must type: (1-5 3-2 1-2 5-5 4-5 1-4).
Attached image: key2.gif

Last fiddled with by T.Rex on 2007-02-07 at 14:39
#3, 2007-02-07 14:37, T.Rex
A third example

A third example.
Customer must type: (3-3 3-5 1-2 4-5 4-4 3-2).

Let me know if more examples are needed.
T.
Attached image: key1.gif

Last fiddled with by T.Rex on 2007-02-07 at 14:41
#4, 2007-02-08 17:56, Xyzzy ("Mike", joined Aug 2002)

We still can't withdraw any money from your account even with those clues. Please provide more detailed examples.

#5, 2007-02-08 18:29, T.Rex
Other examples

(451093) -> (3-4 4-1 1-3 1-2 5-4 2-4)
(abcdef)    ( a   b   c   d   e   f )

Easy to see that the 4th digit d in (abcdef) is 0, 1 or 2, and that the 3rd digit c = d+1.
So, it seems easier to find small digits (0, 1, 2, 3) than big ones (9, 8, 7, 6).
Attached image: Clef1.GIF
#6, 2007-02-08 18:36, T.Rex
Other examples

(451093) -> (2-4 3-1 1-1 5-3 5-2 2-1)
(abcdef)    ( a   b   c   d   e   f )

Easy to see that the 3rd digit c in (abcdef) is 0 or 1.
Since the 4th digit d is now in the last row on the bottom and in the highest column on the right of this row, and since (previous example) d = c-1, then d = 0 and c = 1!
Attached image: Clef2.PNG
#7, 2007-02-08 18:38, T.Rex

Quote (Xyzzy):
    We still can't withdraw any money from your account even with those clues.
I will not tell you the name of my Bank!
Quote (Xyzzy):
    Please provide more detailed examples.
Do you need more?
#8, 2007-02-08 22:09, T.Rex
Example 6

(451093) -> (1-5 2-1 1-2 5-5 4-2 1-4)
(abcdef)    ( a   b   c   d   e   f )

Since b appears just after a (in the order the crazy program of my Bank puts digits), then b = a+1.

Oh, thanks to example 5 in post #6, since e appears just before d=0, then e=9 !
Attached image: Clef3.JPG

Last fiddled with by T.Rex on 2007-02-08 at 22:11
#9, 2007-02-08 22:17, T.Rex
Example 7

(451093) -> (2-4 3-3 1-1 5-5 4-5 2-1)
(abcdef)    ( a   b   c   d   e   f )

How to find more than 3 digits?
Attached image: Clef4.JPG
#10, 2007-02-08 22:46, gribozavr (joined Mar 2005, Internet; Ukraine, Kiev)

What do you mean by 'a spy gathering the "mouse clicks"'? If someone is able to run arbitrary code on your machine, they can take screenshots of (say) 20x20 pixel area under your mouse pointer at every click. From the screenshots it is very easy to read the code, even for an automated OCR, as the text is not obfuscated.
#11, 2007-02-09 15:31, T.Rex
Example 8

Quote (gribozavr):
    What do you mean by 'a spy gathering the "mouse clicks"'? If someone is able to run arbitrary code on your machine, they can take screenshots of (say) 20x20 pixel area under your mouse pointer at every click. From the screenshots it is very easy to read the code, even for an automated OCR, as the text is not obfuscated.
I suppose what you say is possible. I'm not an expert and I thought it may be complex to have screenshots of the PC display at every click; also I thought that the size (several MBs) would be a problem for a spy. But, if taking a screenshot of a reduced part of the display around the clicks is possible ... that means that no Bank access is secure on a PC! I have tools for searching and destroying spies, but you never know if one of a new kind is not already at work ... My Bank should propose a means based on my fingerprints!
However, we have here a nice puzzle: based only on the clicks, is it possible (thanks to the badly random way of placing the digits in the square) to guess a secret key? I think some secret keys may be easier to compute than others, since small digits and high digits (0, 1, 8, 9) may be easier to find than the other ones. But, with many examples, a smart program could deduce information about statistics ...
So, is someone interested in elaborating some strategy?
I'll have more free time next week, and I'll try to write some program ...
Here is another example, N° 8. (451093) --> (1-5 3-1 1-1 5-4 5-3 1-3)
Thanks,
Tony
Attached image: key1.gif
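Added example (editor's code, not from the thread, the bank, or any poster): a small Python model of the layout Tony describes in post #1 and of the digit-by-digit reasoning in posts #5, #6, #8 and #11, used here as a leakage measurement: how many 6-digit keys stay consistent with the clicked cells as observations accumulate. It assumes exactly the model the thread states: 10 of the 25 cells hold the digits, filled in reading order either as 0..9 or as 1..9,0, and the observer sees only which cells were clicked, never the grid. The eight click sequences are the ones posted in the thread for the key 451093; `placement_possible`, `candidates` and `shuffled_layout` are names chosen here, and `shuffled_layout` is an assumed replacement layout, not anything the bank ships, included to show the property a keypad needs (a digit's cell independent of its value) for click positions alone to say nothing about the key.

```python
"""Leakage check for a virtual keypad whose digits are laid out in order.

Model taken from the thread: a 5x5 grid, 10 of its 25 cells hold the digits,
filled in reading order (left to right, top to bottom) either as 0..9 or as
1..9,0.  An observer sees only which cells were clicked, never the grid.
"""
import math
import secrets
from itertools import product

GRID = 5
CELLS = GRID * GRID          # 25 cells
DIGITS = 10                  # 10 of them are occupied
KEY_LEN = 6
SPARE = CELLS - DIGITS       # 15 empty cells: the only freedom the layout has

# "rank" = a digit's position in the placement order (rank 0 is laid out first).
SCHEMES = {
    "0..9": lambda digit: digit,
    "1..9,0": lambda digit: (digit - 1) % DIGITS,
}

def cell_index(row, col):
    """Thread notation (row-col, 1-based) -> reading-order index 0..24."""
    return (row - 1) * GRID + (col - 1)

def parse_clicks(text):
    """'2-1 3-2 1-2 1-1 5-4 1-5' -> [5, 11, 1, 0, 23, 4]"""
    return [cell_index(*map(int, t.split("-"))) for t in text.split()]

# Click sequences posted in the thread for key 451093 (posts #1, #2, #3, #5, #6, #8, #9, #11).
OBSERVATIONS = [parse_clicks(s) for s in (
    "2-1 3-2 1-2 1-1 5-4 1-5", "1-5 3-2 1-2 5-5 4-5 1-4",
    "3-3 3-5 1-2 4-5 4-4 3-2", "3-4 4-1 1-3 1-2 5-4 2-4",
    "2-4 3-1 1-1 5-3 5-2 2-1", "1-5 2-1 1-2 5-5 4-2 1-4",
    "2-4 3-3 1-1 5-5 4-5 2-1", "1-5 3-1 1-1 5-4 5-3 1-3",
)]

def placement_possible(pairs):
    """pairs = [(cell, rank), ...].  True iff some choice of 10 occupied cells, filled
    in increasing rank order, puts every rank in its cell: a rank needs that many
    cells before it and 9-rank after it, and ranks must increase with the cells,
    with enough room between two clicked cells for the digits laid out between them."""
    for cell, rank in pairs:
        if not rank <= cell <= rank + SPARE:
            return False
    ordered = sorted(set(pairs))                  # by cell, then rank
    for (c1, r1), (c2, r2) in zip(ordered, ordered[1:]):
        if r2 <= r1 or c2 - c1 < r2 - r1:         # cell or rank reused, or no room
            return False
    return True

def consistent(key, clicks):
    """Could this key (tuple of 6 ints) have produced these clicks under one of the two orders?"""
    return any(placement_possible(list(zip(clicks, map(rank, key))))
               for rank in SCHEMES.values())

def digit_domain(cell):
    """Digits that can sit in a cell under either order, ignoring the other clicks."""
    lo, hi = max(0, cell - SPARE), min(DIGITS - 1, cell)
    return {(r + shift) % DIGITS for r in range(lo, hi + 1) for shift in (0, 1)}

def candidates(observations):
    """All 6-digit keys consistent with every observed click sequence (sorted strings)."""
    domains = [set(range(DIGITS)) for _ in range(KEY_LEN)]
    for clicks in observations:                   # cheap per-position pruning first
        for i, cell in enumerate(clicks):
            domains[i] &= digit_domain(cell)
    return sorted("".join(map(str, key))
                  for key in product(*(sorted(d) for d in domains))
                  if all(consistent(key, clicks) for clicks in observations))

def remaining_after_each(observations):
    """How many keys are still possible after 1, 2, ... observations."""
    return [len(candidates(observations[:n])) for n in range(1, len(observations) + 1)]

def shuffled_layout():
    """The fix (assumed replacement, not the bank's code): draw the occupied cells AND
    the digit order uniformly at random, so a digit's cell is independent of its value
    and the clicked cells alone carry no information.  Returns {digit: cell}."""
    rng = secrets.SystemRandom()
    cells = rng.sample(range(CELLS), DIGITS)
    digits = list(range(DIGITS))
    rng.shuffle(digits)
    return dict(zip(digits, cells))

if __name__ == "__main__":
    for n, left in enumerate(remaining_after_each(OBSERVATIONS), 1):
        print(f"after {n} observation(s): {left:6d} keys possible, "
              f"{math.log2(DIGITS ** KEY_LEN / left):.1f} bits leaked")
```

Run as a script it prints the number of keys still consistent after each of the eight observations: 42 after the first one, a single key after all eight. The ordered placement is what turns cell coordinates into order relations between the digits (Tony's "d = c-1", "b = a+1"), so shuffling both the occupied cells and the digit order, as `shuffled_layout` does, removes that channel. It does nothing against the spy gribozavr describes in post #10, one that captures the screen around each click.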