[Gllug] OT - chip & pin

Mike Brodbelt mike at coruscant.demon.co.uk
Mon Apr 3 21:22:27 UTC 2006


On Mon, 2006-04-03 at 21:16 +0100, t.clarke wrote:
> I am confused - if only an 'offset to the pin' is stored on the card, how
> does the card verify the PIN entered is correct?

From memory, the PIN is originally derived from a hash of the customer's
account number, with a bank-held secret key. The bank computer can thus
recalculate the PIN on demand. When the customer changes the PIN, the
offset from the calculated PIN is stored on the magstripe. Verification
of PIN must be carried out online. The chip & pin systems change this by
adding a cryptoprocessor to the card, which is capable of verifying the
PIN without any connection to the bank's computers. This necessitates
storing the PIN locally of course, but the chip is supposedly
tamper-proof, and regarded (by the bank) as safe enough to hold this
information.

Mike

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
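
The offset scheme described in the message above, as an added example that is not part of the original post. HMAC-SHA256 stands in for the bank's keyed hash, and the key, account number and function names are constructed for illustration.

```python
import hashlib
import hmac

PIN_LEN = 4
BANK_KEY = b"constructed-demo-key"   # constructed; held only by the bank host
ACCOUNT = "4000001234567899"         # constructed account number


def natural_pin(account_number: str, bank_key: bytes) -> str:
    """PIN the bank can recompute on demand from the account number and its key."""
    digest = hmac.new(bank_key, account_number.encode(), hashlib.sha256).digest()
    # Decimalise: reduce the first PIN_LEN bytes to one decimal digit each.
    return "".join(str(b % 10) for b in digest[:PIN_LEN])


def pin_offset(chosen_pin: str, natural: str) -> str:
    """Digit-wise (chosen - natural) mod 10: the value written to the magstripe."""
    if len(chosen_pin) != PIN_LEN or not chosen_pin.isdigit():
        raise ValueError("PIN must be exactly %d decimal digits" % PIN_LEN)
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(chosen_pin, natural))


def apply_offset(natural: str, offset: str) -> str:
    """Digit-wise (natural + offset) mod 10: recovers the customer's chosen PIN."""
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))


def verify_online(account_number: str, offset: str, entered_pin: str,
                  bank_key: bytes) -> bool:
    """Bank-side check. The card supplies only the account number and offset;
    without bank_key neither the card nor the terminal can compute the PIN."""
    expected = apply_offset(natural_pin(account_number, bank_key), offset)
    return hmac.compare_digest(expected.encode(), entered_pin.encode())


if __name__ == "__main__":
    # Customer changes the PIN to 4821; only the offset goes on the stripe.
    stripe_offset = pin_offset("4821", natural_pin(ACCOUNT, BANK_KEY))
    print("offset on magstripe:", stripe_offset)
    print("correct PIN accepted:", verify_online(ACCOUNT, stripe_offset, "4821", BANK_KEY))
    print("wrong PIN accepted:  ", verify_online(ACCOUNT, stripe_offset, "4822", BANK_KEY))
```
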



