Re^2: RFC: Algorithm::CouponCode

Whereas you don't publish the divisors and remainders used to check each field, the fact that a correct field is highlighted in green on completion means that the experimentation required to crack these values is very light. It takes less than half an hour to crack the whole system. I would force the user to finish entering all 12 characters before giving the green (or red) light.

I think you misunderstand my intent with this coding scheme. The fact that it's trivially easy for someone to generate a "well formed" code (i.e.: a code that makes all the boxes go green) is irrelevant. An organisation using this system would generate a code and then a) store it in their database and b) send it to their customer. Ultimately the only thing that matters is that the customer enters a code which is in the database.

The main purpose of the coloured highlighting is to alert the user that they have entered a sequence of characters which cannot possibly be part of a valid code. The client-side implementation might only use the red highlight (meaning "definitely wrong") and not bother with the green (meaning "possibly right").

An 'attacker' could definitely generate random codes and calculate valid checksums for them so that all the boxes were green (or at least not red); but that would do them no good because the chances of generating a code which happens to be in the database are slim (there are about 35 trillion possible 3-part codes).

I suggest also changeing the divisors and remainders when you have secured the system.

That sounds like an attempt at "security through obscurity". Which of course is doomed to fail since the client-side Javascript routines would need to know the correct values.

Comment on Re^2: RFC: Algorithm::CouponCode

Replies are listed 'Best First'.
Re^3: RFC: Algorithm::CouponCode by anonymized user 468275 (Curate) on Apr 28, 2011 at 09:30 UTC
That sounds like an attempt at "security through obscurity" I am not theorising here - you have unwittingly compromised an existing government system - what algorithm I personally would use is neither offered nor relevant - it is more important to understand the impact of leaving it as is. One world, one people	[reply]
Re^4: RFC: Algorithm::CouponCode by grantm (Parson) on Apr 28, 2011 at 09:54 UTC
I'm sorry, I have read and re-read your comment but I don't understand what point you're trying to make. Perhaps you could rephrase it. It certainly sounds like I need to update the documentation of my module to discourage further misunderstandings.	[reply]
Re^5: RFC: Algorithm::CouponCode by anonymized user 468275 (Curate) on Apr 28, 2011 at 10:17 UTC
Let me tell it as a story: Once upon a time in the early days of computers a government department chooses a particular mechanism for generating and testing the validity of codes it generates and publishes. It still uses the legacy system in question because noone broke it yet. Lo and behold someone else (you) has accidentally used the same method but is providing it on an online facility that can be brute forced whereas the government system is not available online and cannot be brute forced. How the story continues from here is up to you and the offended government department if they find out. One world, one people	[reply]
Re^6: RFC: Algorithm::CouponCode by Anonymous Monk on Apr 28, 2011 at 21:00 UTC
Re^7: RFC: Algorithm::CouponCode by anonymized user 468275 (Curate) on Apr 29, 2011 at 10:16 UTC
Some notes below your chosen depth have not been shown here


Don't ask to ask, just ask
	PerlMonks