On Fri, Nov 19, 2010 at 7:27 AM, Dan Kaminsky <[email protected]> wrote:
>> Here’s an amazing fact: some individual
>> Social Security numbers are in use right now by up to 3,000
>> people and it isn’t at all unusual for a borrowed number to
>> be used by 200-1,000 people at the same time . . . "
>
> Well, that turned out a more nuanced answer than I expected.
> SSN's are nonrandom, but unique.

When I think of SSNs, it reminds me of SSL, and SSL's attempts at
making the IV secure. An SSN turns out to be roughly equivalent to SSL
v3 (some hand waving):

    This field [the IV] is first initialized by
    the SSL handshake protocol. Thereafter the
    final ciphertext block from each record is
    preserved for use with the following record.

Unique, but not random.

> Interestingly, that means, given a working SSN#, all the numbers
> nearby are working SSN#'s as well. In fact, technically, a random
> sequence of digits is 50% likely to be a working SSN#, actually of
> somebody born approximately at the same time and place as the first #.
>
> This argues fairly strongly that the number alone isn't an identity,
> and that the (number,name) is. In fact, that seems to be how
> businesses are setting up their databases. Thus making the
> ruling...right.

As with SSL v3, it's still not quite right....
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
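
Added example, not part of the original post: a sketch of the SSL v3 IV rule quoted above, showing that chained IVs are unique per record yet visible on the wire before the next record is encrypted, next to a fresh random IV per record. The toy Feistel cipher, the key and the records are constructed stand-ins, not a real cipher or captured traffic.

```python
import hashlib
import os

BLOCK = 16  # block size in bytes

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel permutation built on SHA-256: a stand-in for a
    # real block cipher so the example runs offline. NOT secure.
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Plain CBC; plaintext length must be a multiple of BLOCK.
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def chained_records(key, first_iv, records):
    # SSL v3 rule: the final ciphertext block of each record is
    # preserved as the IV of the following record.
    iv, sent = first_iv, []
    for rec in records:
        ct = cbc_encrypt(key, iv, rec)
        sent.append((iv, ct))
        iv = ct[-BLOCK:]
    return sent

def per_record_random(key, records):
    # Contrast case: a fresh random IV for every record.
    sent = []
    for rec in records:
        iv = os.urandom(BLOCK)
        sent.append((iv, cbc_encrypt(key, iv, rec)))
    return sent

def ivs_unique(sent) -> bool:
    ivs = [iv for iv, _ in sent]
    return len(set(ivs)) == len(ivs)

def iv_known_in_advance(sent) -> bool:
    # True if each record's IV already appeared on the wire as the
    # last ciphertext block of the previous record.
    return all(sent[n + 1][0] == sent[n][1][-BLOCK:] for n in range(len(sent) - 1))

KEY = b"constructed-key!"                                   # constructed sample key
RECORDS = [b"A" * 16, b"B" * 32, b"C" * 16, b"A" * 16]      # constructed records
```
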