Saturday, July 21, 2007

See Metallica using only 9 charracters

This is the last Metallica post for now, with a look at what it took to gain entry to the concert.

The picture shows one of the 3 tickets used to gain entrance to the concert, the tickets where e-mailed to me as a pdf-file. One ticket was used by me, one used by Gabi and one was sold in the Friday bar. There is lots of information on the ticket, but the important information was section B, entrance 8 and the bar code. Section A was the few in front, and section B was for the rest of us. Entrance 8 was probably a way to divide up people into groups, so not everyone would use the first entrance.

The only thing they were interested in at the entrance was the bar code. They scanned it with a hand held bar code scanner, the device showed a green light, and I was allowed through to the concert area. So 9 characters of information was all that was needed to gain entrance (in this case "+7MA$7$-V"). The other 2 tickets contained only alphanumerical characters in the bar code, so that gives a message space of at least 39^9 ≈ 47 bits. If we assume 50 000 tickets then roughly 1 out of (2^32) 9 digit codes is a valid entrance value. This 9 character code is probably a hash of some kind, and if it is constructed in a good way it is as good as unbreakable.

On the other hand, as I was a reseller of one ticket, I had ample opportunities to cheat. E.g. Sold the ticket more than once (they have some kind of back end system which allows the bar code to be used only once). The first one would go through easy, but the others would be rejected. I could have modified the hash value to some other value and sold it to some unsuspecting fool as a valid ticket, and so on. Now I am only an honest but curious attacker so no harm was done, but if any of you reading this can come up with attacks on the ticket system then please post a comment.

One more thing to add, a boy got a metal replica of a gun through airport security(link in Norwegian).



Post a Comment

<< Home