312-50V10 · Question #660
If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?
The correct answer is B. Brute force. When a token performs PIN verification offline, an attacker in possession of the token can systematically try all possible PIN combinations without network-side lockout policies intervening.
Question
If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?
Options
- ABirthday
- BBrute force
- CMan-in-the-middle
- DSmurf
How the community answered
(39 responses)- A3% (1)
- B74% (29)
- C8% (3)
- D15% (6)
Why each option
When a token performs PIN verification offline, an attacker in possession of the token can systematically try all possible PIN combinations without network-side lockout policies intervening.
A birthday attack targets hash collision probability and is used against cryptographic functions, not against guessing a numeric PIN.
A 4-digit PIN has only 10,000 possible combinations (0000-9999). Because the token checks the PIN locally without any server-side lockout or delay enforcement, an attacker can automate attempts against the token hardware itself, making brute force the viable attack - the small keyspace makes exhaustive guessing practical.
A man-in-the-middle attack requires intercepting live communications between two parties; it is irrelevant when the attacker has physical possession of the token and checks offline.
A smurf attack is an ICMP-based distributed denial-of-service amplification technique and has no relationship to token PIN authentication.
Concept tested: Offline PIN brute force against hardware tokens
Source: https://csrc.nist.gov/publications/detail/sp/800-63b/final
Topics
Community Discussion
No community discussion yet for this question.