webmaniac said:
Lets say. Someone got registered at the website, the private key got
generated by the Public key algorithm, Now user has to enter that
Public key to access the system. But the public key is so long & we
dont want the user to remember that big a key. Is there a way we can
convert that key into a 4 digit pin.
As with most security solutions created by non-experts, and most
applications of cryptography created by non-experts, this is neither
secure nor an appropriate use of cryptographic technology.
Using an asymmetric key pair by itself as an authenticator is a lousy
use of the primitive. It's vulnerable to replay attacks, for example.
If the user's secret is a "public" key, then it's not secret, by
definition. So your scheme makes no sense anyway. (Perhaps you meant
that the user supplies the private key.)
It's not clear why you think you need an asymmetric primitive at all.
What are you gaining over a shared secret, or a secret and a verifier
such as a cryptographic hash? Those are much more common
authentication mechanisms.
As Evertjan already pointed out, client-side security is rarely
useful. If the user is verified by the client, the server has no
grounds for trusting the verification.
Can you reduce an asymmetric key to a 4-digit PIN? Sure. You can
reduce it to a 1-digit PIN, too. But it would be stupid to do so.
Decimal PINs are hard for users to remember, they're inconvenient to
enter on systems that don't have numeric keypads, and they have little
entropy (less than 14 bits for a 4-digit decimal PIN). If your system
has any vulnerability that an attacker can exploit to guess PINs (and
I bet it does), then it only takes an average of 5000 attempts to
break it for a given user.
In short: don't do this. Either employ an actual security expert to
secure your site, or purchase a decent off-the-shelf package for it.
