[ucc] Vending machine authentication ideas?
David Luyer
david_luyer at pacific.net.au
Wed Jun 23 12:24:49 WST 2004
Cameron Patrick wrote:
> Bernard Blackham wrote:
> | [SHA-1 is too hard for a snack machine to compute]
> | What other digests might be attainable?
>
> MD5 is slightly lighter than SHA1. Even something like a CRC would be
> "deterrent"-level encryption.
>
> One thing, though: aren't all of these vulnerable to replay attacks,
> making them kind of useless?
You should either challenge-response or sequence.

Examples:

Challenge-Response:
  Machine:  PLEASE SUBMIT ORDER 27
  Customer: FOR ORDER 27 I WOULD LIKE CHICKEN CHIPS,
            MD5("fishFOR ORDER 27 I WOULD LIKE CHICKEN CHIPS");

Sequence:
  Customer: FOR ORDER 27 I WOULD LIKE CHICKEN CHIPS,
            MD5("fishFOR ORDER 27 I WOULD LIKE CHICKEN CHIPS");
  Machine:  check 27 > last order number and approve order

[using a sample password of "fish"]

The first option is the better option. The order number can
be either sequential or random.

David.
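
The two replay defences from the message above, as an added example that is not part of the original post: the machine side of both variants, using the post's MD5(password + message) tag and its sample password "fish". The names Machine, tag and customer_order, the 32-bit random order number, and the one-attempt-per-challenge rule are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = b"fish"  # sample password from the post


def tag(message: str) -> str:
    # MD5(secret || message), kept as written in the post. On hardware that
    # can afford it, HMAC is the standard keyed-hash construction.
    return hashlib.md5(SECRET + message.encode()).hexdigest()


def customer_order(order_no: int, item: str):
    """Customer side: build the order line and its tag."""
    message = f"FOR ORDER {order_no} I WOULD LIKE {item}"
    return message, tag(message)


class Machine:
    """Hypothetical vending-machine side for both variants."""

    def __init__(self):
        self.pending = None   # outstanding challenge (challenge-response)
        self.last_order = 0   # highest accepted order number (sequence)

    def challenge(self) -> int:
        # Random order number, valid for exactly one submission.
        self.pending = secrets.randbelow(2**32)
        return self.pending

    def _valid(self, order_no: int, message: str, mac: str) -> bool:
        # The order number must be inside the hashed text, otherwise a
        # captured message could be replayed under a new number.
        prefix = f"FOR ORDER {order_no} I WOULD LIKE "
        return message.startswith(prefix) and hmac.compare_digest(
            tag(message).encode(), mac.encode())

    def accept_challenge_response(self, message: str, mac: str) -> bool:
        order_no, self.pending = self.pending, None  # consume the challenge
        return order_no is not None and self._valid(order_no, message, mac)

    def accept_sequence(self, order_no: int, message: str, mac: str) -> bool:
        if order_no <= self.last_order or not self._valid(order_no, message, mac):
            return False
        self.last_order = order_no  # advance only on a valid order
        return True
```
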