Re: Weakness in Social Security Numbers Is Found

2009-07-12 Thread Darren J Moffat

d...@geer.org wrote:

I don't honestly think that this is new, but even
if it is, a 9-digit random number has a 44% chance
of being a valid SSN (442 million issued to date).


I wonder if the UK NI numbers suffer from a similar problem.

The look a little like this:  AB 12 34 56 C

Information on how they are strutured is here:

http://en.wikipedia.org/wiki/National_Insurance#National_Insurance_number

However given we don't use the NI number in the UK like the SSN is 
abused in the US there isn't the same security risk in guessing them. 
Although the Wikipedia article claims they are sometimes used for 
identification I know I have never been asked for mine other than by an 
employer or suitably authorised government body how has a real need to know.


--
Darren J Moffat

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


112-bit prime ECDLP solved

2009-07-12 Thread Joppe Bos

Hi all,

We are pleased to announce that we have set a new record for the elliptic
curve discrete logarithm problem (ECDLP) by solving it over a 112-bit
finite field. The previous record was for a 109-bit prime field and
dates back from October 2002. Our calculation was done on a cluster of
more than 200 PlayStation 3 game consoles at the EPFL.

See for more details our announcement at http://lacal.epfl.ch/page81774.html.

Best regards,

Joppe Bos

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Weakness in Social Security Numbers Is Found

2009-07-12 Thread Jerry Leichter

On Jul 8, 2009, at 8:46 PM, d...@geer.org wrote:

I don't honestly think that this is new, but even
if it is, a 9-digit random number has a 44% chance
of being a valid SSN (442 million issued to date).
Different attack.  What they are saying is that given date and place  
of birth - not normally considered particularly sensitive - they have  
a good chance of predicting *a particular person's* SSN.


For untargetted attacks, broad statistics about the number of SSN's  
out there are fine.  But much attention these days is on targetted  
attacks against high value individuals.  It's in fact probably  
*easier* to find basic biographical information about date and place  
of birth of such individuals - you can often get much of it for, say,  
CEO's of public companies from their own brief bio's of their senior  
officers; scan newspapers for charity birthday events and you can get  
quite a bit more - than for a random member of the population.


Now, whether this really buys you all that much over other ways of  
getting hold of SSN's is questionable - and in fact the researchers  
are quoted as saying it's more of a demonstration of principle than  
anything practical.


BTW, 442 million SSN's have been issued, but how many are for people  
who have since died?  For many attacks, you need one for a living  
victim, which lowers the probability.

-- Jerry

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com