I should shut up and leave an encryption discussion to a *real* expert like Phil. <g>
Yeah, probably unclear thinking on my part. I could brute-force guess *your* (or any particular) credit card number in well under 10**16 tries, but -- unlike with guessing a decryption key -- I would have no way to know when I had found it, short of presenting it to an on-line merchant and seeing if it worked.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Phil Smith
Sent: Tuesday, May 19, 2015 11:43 AM
To: [email protected]
Subject: Re: PCI DSS compliance for z/OS

Charles Mills wrote:
>I think much of the problem is with credit card numbers themselves. There are
>only ~10**16 possible credit card numbers -- many fewer if you allow for the
>fact that only certain combinations are valid. A credit card number is easier
>to brute-force guess than its encryption key, format-preserving or not.

Not sure what “brute-force” means here. If you mean “create something that looks like a valid credit card number”, then sure, take the first six digits of your Visa, make up nine more, then calculate the Luhn checksum and stick that on the end. Done. But the bank won’t recognize it without a matching
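An added example (not part of the original messages) that puts numbers on the two points in this exchange: the Luhn digit only proves a number is well formed, and the space of 16-digit card numbers is tiny next to a cipher key. The function names, the 16-digit length and the 128-bit key used for comparison are assumptions of the example; 4111111111111111 is a widely published test number, not a live account.

```python
import math

def luhn_check_digit(payload: str) -> int:
    """Return the digit that makes payload + digit pass the Luhn test."""
    total = 0
    # Walk right to left; the digit next to the check digit is doubled first.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return (10 - total % 10) % 10

def luhn_valid(pan: str) -> bool:
    """Well-formedness only: says nothing about whether the account exists."""
    if not (pan.isascii() and pan.isdigit()) or len(pan) < 2:
        return False
    return luhn_check_digit(pan[:-1]) == int(pan[-1])

def search_space_bits(total_digits: int = 16, known_prefix: int = 0,
                      luhn: bool = True) -> float:
    """Bits of uncertainty left in a card number of the given shape."""
    # The Luhn digit is determined by the others, so it adds no uncertainty.
    free_digits = total_digits - known_prefix - (1 if luhn else 0)
    return free_digits * math.log2(10)

def passing_check_digits(payload: str) -> int:
    """How many of the ten possible last digits pass Luhn for this payload."""
    return sum(luhn_valid(payload + str(d)) for d in range(10))

if __name__ == "__main__":
    test_pan = "4111111111111111"  # published test number (constructed input)
    print("Luhn valid:", luhn_valid(test_pan))
    print("passing check digits per payload:", passing_check_digits(test_pan[:-1]))
    for label, bits in [
        ("any 16 digits", search_space_bits(luhn=False)),
        ("16 digits, Luhn-valid", search_space_bits()),
        ("known 6-digit prefix, Luhn-valid", search_space_bits(known_prefix=6)),
        ("128-bit key (assumed for comparison)", 128.0),
    ]:
        print(f"{label:38s} {bits:6.1f} bits")
```

Exactly one in ten arbitrary digit strings passes the Luhn test, so the check catches typing errors and nothing more; confirming that a number belongs to a real account still requires asking the issuer or a merchant, as the reply above says.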
