[RC5] Cracking 40 bits in realtime

Joe Zbiciak j-zbiciak1 at ti.com
Fri Jan 9 08:08:12 EST 1998

'Christopher Hodson' said previously:

| I agree entirely, however, just because you know that there is a credit
| card number 10 bytes in does NOT mean you can otimize a client as much
| as bovine has done.  It would take much longer in practice.

Most credit cards have a set four-digit prefix, which varies according
to the issuing bank.  So, you can quickly check the card against a few
major banks -- Discover, Citibank, etc.

Another tidbit is that credit card numbers have a built-in checksum,
IIRC.  Another way to validate a "potential card number" then would be
to checksum it and see if it passes.  This calculation shouldn't be too
complicated to perform (after all, that ain't a Cray in that WalMart
cash register) and could be nearly as quick as a string compare.  If
the checksum is any good, then it should eliminate a large percentage
of bogus decryptions.

A final bit that would help optimize this cracking job is that many
protocols encode the data being transferred as ASCII text.  Therefore,
a valid decrypted credit card string would have the upper four bits of
each byte set 0011.  This can be checked quickly as well.

Just playing devil's advocate to the devil's advocate.  ;-)


 +----------- Joseph Zbiciak ----------+
 | - - - -  j-zbiciak1 at ti.com  - - - - |  Join your idle CPU cycles into the
 |- http://www.primenet.com/~im14u2c/ -|  world's largest supercomputer:
 | - - -Texas Instruments, Dallas- - - |  http://www.distributed.net/
 +-----#include <std_disclaimer.h>-----+
To unsubcribe, send 'unsubscribe rc5' to majordomo at llamas.net
rc5-digest subscribers replace rc5 with rc5-digest

More information about the rc5 mailing list