A bank wants to store the account number of its customers (8-digit number) in an
ID: 3801156 • Letter: A
Question
A bank wants to store the account number of its customers (8-digit number) in an encrypted form on magnetic stripe ATM cards. Discuss the security of the following methods for storing the account numbers against an attacker who can read the magnetic stripe: (A) Store a cryptographic hash of the account number; (B) Store the ciphertext of the account number encrypted with the bank's public key using a public- key cryptosystem; (C) Store the ciphertext of the account number encrypted with the bank's secret key using a symmetric cryptosystem.Explanation / Answer
Option (B)
Below is the explanation.
If you are developing a password-protected web site, you have to make a decision about how to store user password information securely.
What is "secure," anyway? Realize that the data in your database is not safe. What if the password to the database is compromised? Then your entire user password database will be compromised as well. Even if you are quite certain of the security of your database, your users' passwords are still accessible to all administrators who work at the web hosting company where your database is hosted. Scrambling the passwords using some home-brewed algorithm may add some obscurity but not true "security." Another approach would be to encrypt all passwords in your database using some industry-standard cipher, such as the Message-Digest Algorithm 5 (MD5).
MD5 encryption is a one-way hashing algorithm. Two important properties of the MD5 algorithm are that it is impossible to revert back an encrypted output to the initial, plain-text input, and that any given input always maps to the same encrypted value. This ensures that the passwords stored on the server cannot be deciphered by anyone. This way, even if an attacker gains reading permission to the user table, it will do him no good.
If you are developing a password-protected web site, you have to make a decision about how to store user password information securely.
What is "secure," anyway? Realize that the data in your database is not safe. What if the password to the database is compromised? Then your entire user password database will be compromised as well. Even if you are quite certain of the security of your database, your users' passwords are still accessible to all administrators who work at the web hosting company where your database is hosted. Scrambling the passwords using some home-brewed algorithm may add some obscurity but not true "security." Another approach would be to encrypt all passwords in your database using some industry-standard cipher, such as the Message-Digest Algorithm 5 (MD5).
MD5 encryption is a one-way hashing algorithm. Two important properties of the MD5 algorithm are that it is impossible to revert back an encrypted output to the initial, plain-text input, and that any given input always maps to the same encrypted value. This ensures that the passwords stored on the server cannot be deciphered by anyone. This way, even if an attacker gains reading permission to the user table, it will do him no good.
Related Questions
drjack9650@gmail.com
Navigate
Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.