How to secure access with RFID Badge and PIN Number

I have a scenario akin to a door lock which requires two-factor authentication to gain access:

  • An RFID Badge with a GUID
  • a 4-digit PIN passcode entered through a keypad.

I need to securely store these within SQL Server 2008. I assume it is ok to store the GUID as normal, but what methods should be taken to secure the PIN in the database and on the system as a whole?

Is a typical hash/salt method enough for a 4-digit PIN?

What would be the proper approach to secure this type of system?

EDIT

Some more info... Ultimately this system most likely needs to be more secure than a standard "door lock". Users will authenticate with an RFID token and PIN number. After gaining access to the system, a user would have the opportunity to browse and purchase items via a credit card linked to their account (using a 3rd party gateway/vault service for storage). What implications would this impose on the system?

EDIT 2

In addition, the case is that this would NOT be a web based app. Users would only access the system from dedicated workstations. The workstations would then leverage web services to communicate with the backend system/DB. How can I factor this into the mix?

Can I use a system as @Remus suggests below, where the authentication/decryption is all a function of the RFID card? The workstation would then communicate with the backend using the authenticated user's ID. Is there a way to implement such a system?

stephen776 asked Oct 06 '11 15:10



3 Answers

Badge + PIN don't work by storing PINs in the database. PINs are actually the encryption key for accessing the badge cryptographic module itself. The badge stores a private key, encrypted with a key derived from the PIN. Authenticators have a public key and challenge the badge with a nonce. The badge cryptographic module itself signs the challenge nonce with the private key (decrypted internally with the PIN) and responds with the nonce signature. The authenticator then validates the signature using the public key and thus authenticates the user (the badge holder). The key points are:

  • The cryptographic authentication is established with a public/private key pair, strong RSA cryptography
  • The identity is proven by possession of the private key, which never leaves the badge cryptographic module
  • The PIN is solely used to decrypt the private key inside the badge. The PIN is completely useless w/o physical possession of the badge

The scheme you propose, with GUIDs and PINs stored in the database is, frankly, a joke.

Remus Rusanu answered Oct 14 '22 00:10
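The exchange this answer describes, written out as an added example (it is not code from the question or from the answer): the badge holds only a PIN-wrapped private key, the reader holds only the public key, and authentication is a signature over a fresh nonce. It assumes ECDSA P-256 where the answer says RSA, AES-GCM to wrap the private key, an iterated-SHA-256 stand-in for a real PIN KDF such as PBKDF2 or Argon2, and a three-try lock-out counter; all of those are this example's choices, not the answer's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

const maxPINTries = 3 // assumed lock-out threshold; real cards keep a similar counter

// Badge models the card's cryptographic module. It stores the private key only
// wrapped under a PIN-derived key; the plaintext key exists only inside Sign.
type Badge struct {
	salt    []byte
	wrapped []byte // 12-byte GCM nonce || ciphertext of the DER-encoded private key
	tries   int
}

// Authenticator is the reader/workstation side: it holds only the public key.
type Authenticator struct{ pub *ecdsa.PublicKey }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

// pinAEAD derives an AES-256-GCM key from the PIN. Iterated SHA-256 stands in for
// PBKDF2/Argon2 so the example needs nothing outside the standard library.
func pinAEAD(pin string, salt []byte) cipher.AEAD {
	k := sha256.Sum256(append(append([]byte{}, salt...), pin...))
	for i := 0; i < 100000; i++ {
		k = sha256.Sum256(k[:])
	}
	block, _ := aes.NewCipher(k[:]) // 32-byte key, cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Enroll generates the key pair: the badge keeps the wrapped private key, the
// authenticator the public key. The server stores nothing derived from the PIN.
func Enroll(pin string) (*Badge, *Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	salt, nonce := randBytes(16), randBytes(12)
	wrapped := pinAEAD(pin, salt).Seal(nonce, nonce, der, nil)
	return &Badge{salt: salt, wrapped: wrapped}, &Authenticator{pub: &priv.PublicKey}, nil
}

// Sign unwraps the private key with the PIN and signs the challenge. A wrong PIN
// fails GCM authentication, so no usable signature ever leaves the card.
func (b *Badge) Sign(pin string, challenge []byte) ([]byte, error) {
	if b.tries >= maxPINTries {
		return nil, fmt.Errorf("badge locked after %d wrong PINs", maxPINTries)
	}
	der, err := pinAEAD(pin, b.salt).Open(nil, b.wrapped[:12], b.wrapped[12:], nil)
	if err != nil {
		b.tries++
		return nil, fmt.Errorf("wrong PIN (%d of %d tries used)", b.tries, maxPINTries)
	}
	b.tries = 0
	priv, err := x509.ParseECPrivateKey(der)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Challenge issues a fresh random nonce so a captured signature cannot be replayed.
func (a *Authenticator) Challenge() []byte { return randBytes(32) }

// Verify checks the badge's signature over the nonce with the enrolled public key.
func (a *Authenticator) Verify(challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(a.pub, digest[:], sig)
}

// Authenticate runs one complete exchange: challenge, sign on the badge, verify.
func Authenticate(b *Badge, a *Authenticator, pin string) (bool, error) {
	nonce := a.Challenge()
	sig, err := b.Sign(pin, nonce)
	if err != nil {
		return false, err
	}
	return a.Verify(nonce, sig), nil
}

func main() {
	badge, auth, err := Enroll("1234")
	if err != nil {
		panic(err)
	}
	ok, err := Authenticate(badge, auth, "1234")
	fmt.Println("correct PIN accepted:", ok, err)
	ok, err = Authenticate(badge, auth, "0000")
	fmt.Println("wrong PIN accepted:", ok, err)
}
```

In the workstation setup from EDIT 2, the Authenticator role is what the back-end web service plays: it stores one public key per enrolled badge and the PIN never reaches it, so a stolen database contains nothing a 10,000-guess search could recover. The lock-out counter matters because, with only four digits, the card itself is the only place where wrong guesses can be counted.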


I think it isn't. If someone stole your database, which stores the salt and hash of the PIN, it would be trivial for him to compute the actual PIN, because there are only 10,000 combinations.

svick answered Oct 14 '22 01:10


You could store just a list of HMAC(PIN, GUID) in your database. The PIN is the secret, the GUID is the data. Having the HMAC alone should not allow anyone with access to the database to get either the GUIDs or the PINs.

If an attacker stole the GUID of one of your badges AND the entire database, it would be simple to calculate the HMAC of that GUID with all possible combinations of a 4-digit PIN, and find a matching row. That 4-digit PIN will always be a weakness. Adding a salt to each row would help, but not by much. It would only increase the number of needed computations by the number of rows, which still leaves you with a trivial number for an offline attack.

Bob answered Oct 14 '22 01:10
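The storage scheme from this answer, together with the work-factor argument that both this answer and svick's make, as an added example (not code from either answer): rows hold only HMAC-SHA256 keyed with the PIN over the GUID, the online check recomputes the tag, and a counter shows how many HMAC evaluations a stolen table costs to search, with and without per-row salts. The table contents, the GUID format and the choice of SHA-256 are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Row is all the database keeps per badge: no GUID, no PIN, only the keyed tag
// (and, in the salted variant, the per-row salt).
type Row struct {
	Salt []byte // nil in the plain HMAC(PIN, GUID) scheme
	Tag  []byte // HMAC-SHA256 keyed with the PIN over salt || GUID
}

func tag(pin string, salt []byte, guid string) []byte {
	m := hmac.New(sha256.New, []byte(pin))
	m.Write(salt)
	m.Write([]byte(guid))
	return m.Sum(nil)
}

// Enroll produces the row stored for one badge.
func Enroll(pin, guid string, salted bool) (Row, error) {
	var salt []byte
	if salted {
		salt = make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Row{}, err
		}
	}
	return Row{Salt: salt, Tag: tag(pin, salt, guid)}, nil
}

// Verify is the online check: recompute the tag from the presented GUID and PIN
// and compare it against every row in constant time.
func Verify(rows []Row, pin, guid string) bool {
	found := 0
	for _, r := range rows {
		found |= subtle.ConstantTimeCompare(r.Tag, tag(pin, r.Salt, guid))
	}
	return found == 1
}

// OfflineWorkFactor measures the answer's point: given the stolen table and one
// badge's GUID, how many HMAC evaluations pass before some PIN matches a row.
// Without salts one evaluation per PIN covers the whole table; with salts it is
// one per PIN per row, i.e. the cost grows only by the number of rows.
func OfflineWorkFactor(rows []Row, guid string) (evals int, pin string) {
	for p := 0; p < 10000; p++ {
		guess := fmt.Sprintf("%04d", p)
		cache := map[string][]byte{} // one HMAC per distinct salt for this guess
		for _, r := range rows {
			t, ok := cache[string(r.Salt)]
			if !ok {
				t = tag(guess, r.Salt, guid)
				cache[string(r.Salt)] = t
				evals++
			}
			if hmac.Equal(r.Tag, t) {
				return evals, guess
			}
		}
	}
	return evals, ""
}

// SampleTable builds a constructed table of n badges: badge i has GUID "guid-i"
// and PIN 1000+i, except badge 7, whose PIN is 4321.
func SampleTable(n int, salted bool) ([]Row, error) {
	rows := make([]Row, 0, n)
	for i := 0; i < n; i++ {
		pin := fmt.Sprintf("%04d", 1000+i)
		if i == 7 {
			pin = "4321"
		}
		r, err := Enroll(pin, fmt.Sprintf("guid-%d", i), salted)
		if err != nil {
			return nil, err
		}
		rows = append(rows, r)
	}
	return rows, nil
}

func main() {
	for _, salted := range []bool{false, true} {
		rows, err := SampleTable(50, salted)
		if err != nil {
			panic(err)
		}
		evals, pin := OfflineWorkFactor(rows, "guid-7")
		fmt.Printf("salted=%v: PIN %s matched after %d HMAC evaluations\n", salted, pin, evals)
	}
}
```

For the 50-row sample the unsalted search finishes in a few thousand evaluations and the salted one in a few hundred thousand, both well under a second; the salt changes the constant, not the conclusion, which is why the PIN-derived value should stay on the badge rather than in the database.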