mersenneforum.org  

Old 2007-02-28, 00:26   #1
Xyzzy
 
Key fob security.

We have a rough idea how this thing works, but since we know some of you really know how they work, we thought it would be fun to talk about how they function, their advantages and disadvantages and stuff like that.

We can see ourselves in a few years with a rope full of these things for every site we visit. Kind of like back in the dark ages when you had to stack parallel port dongles for every software package you had.

(This particular key works for Paypal and eBay.)

Old 2007-02-28, 02:09   #2
jasong
 

My dad used one of those when he had a tech job; I've never used one myself. I think what would be cool is if these could be made out of RFID dots; you could place them on e-paper that fits in your wallet. When you needed to enter a site you'd just scroll through the list and activate the appropriate dot.

It could be run off a watch battery.
Old 2007-03-01, 23:17   #3
Xyzzy
 

I'm curious how the numbers are generated and how the "server" keeps track of it all. I have a vague idea but I can't express it without getting this thread tossed into "Miscellaneous Math".

Old 2007-03-02, 01:56   #4
potonono
 

Rather than being random, I'd bet there are varying formulas in use.

I believe most servers probably keep track by keeping a database of device serial numbers tied to account IDs. At any given moment, the server knows what the device is displaying.
Old 2007-03-04, 03:01   #5
moo
 

I've heard of ones that go off of time, where you set the time and it generates the number for that minute.
Within that time you need to have your number entered into the website, because that's what the server generated for that time.
Old 2007-03-04, 17:21   #6
Mystwalker
 

*cough* http://en.wikipedia.org/wiki/Securid *cough*

Btw.:
There are already considerations how a single (hardware) token can be used to authenticate against different companies.

Last fiddled with by Mystwalker on 2007-03-04 at 17:23
Old 2007-03-04, 20:37   #7
biwema
 
Quote (originally posted by Xyzzy):
I'm curious how the numbers are generated and how the "server" keeps track of it all.

Short answer:
The token generates a sequence of a secret formula f(time). From this sequence a hash value is generated.

The server can generate the same sequence (knowing the time).
Old 2007-03-05, 04:08   #8
Xyzzy
 

What happens if the server time and the fob time get radically out of sync?

Or does the server adjust its time to match the fob?
Old 2007-03-05, 06:46   #9
moo
 

Quote (originally posted by Xyzzy):
What happens if the server time and the fob time get radically out of sync?

Or does the server adjust its time to match the fob?

Then it doesn't work, and you call your fob provider and have them ship you another fob, united pack and smash style.


actually
difficulty can occur if the authentication server's clock becomes out of sync with the clock built in to the authentication tokens. However, typically the RSA Authentication Manager automatically corrects for this without affecting the user. It is also possible to manually resync a token in the RSA Authentication Manager. Also, providing authentication tokens to everyone who might need to access a network resource can potentially be expensive, particularly as the tokens are programmed to "expire" at a fixed time, usually three years, requiring purchase of a new token.

Last fiddled with by moo on 2007-03-05 at 06:49 Reason: after reading wiki entry...
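
Added example, not part of any post in this thread and not RSA's algorithm: SecurID's formula is proprietary, so this sketch substitutes the public HMAC-based one-time-password construction (RFC 4226/6238) to show what posts #7 and #9 describe, namely that fob and server derive the same code from a shared secret and the time, and that the server tolerates and remembers clock drift. The 60-second step, 6 digits, ±2-step window, serial number and secret are all assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds each code is valid (assumed: "the number for that minute")
DIGITS = 6   # digits shown on the fob display (assumed)
WINDOW = 2   # steps of clock skew tolerated in either direction (assumed)


def code_at(secret: bytes, counter: int) -> str:
    """HMAC-SHA1 over the time-step counter, truncated as in RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Server:
    """Per-fob record keyed by serial: shared secret, learned drift, last step used."""

    def __init__(self):
        self.fobs = {}

    def enroll(self, serial: str, secret: bytes) -> None:
        self.fobs[serial] = {"secret": secret, "drift": 0, "last": -1}

    def verify(self, serial: str, code: str, server_time: int) -> bool:
        fob = self.fobs[serial]
        expected = server_time // STEP + fob["drift"]
        # Try the expected step first, then its nearest neighbours.
        for skew in sorted(range(-WINDOW, WINDOW + 1), key=abs):
            counter = expected + skew
            if counter <= fob["last"]:
                continue  # replay guard: steps at or before the last accepted one
            if hmac.compare_digest(code_at(fob["secret"], counter), code):
                fob["drift"] += skew  # automatic resync: remember the fob's offset
                fob["last"] = counter
                return True
        return False  # outside the window: needs a manual resync or a new fob


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed sample secret, not a real seed
    server = Server()
    server.enroll("SN-0001", secret)  # hypothetical serial number
    fob_code = code_at(secret, (6000 + 90) // STEP)  # fob clock runs 90 s fast
    print(server.verify("SN-0001", fob_code, 6000), server.fobs["SN-0001"]["drift"])
```

Because the learned drift is added to every later check, a fob whose clock slowly wanders stays inside the window, while one that is "radically out of sync" is rejected.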
Old 2007-03-05, 09:22   #10
Xyzzy
 

Quote:
actually difficulty can occur if the authentication server's clock becomes out of sync with the clock built in to the authentication tokens. However, typically the RSA Authentication Manager automatically corrects for this without affecting the user. It is also possible to manually resync a token in the RSA Authentication Manager. Also, providing authentication tokens to everyone who might need to access a network resource can potentially be expensive, particularly as the tokens are programmed to "expire" at a fixed time, usually three years, requiring purchase of a new token.

Just a pet peeve:

If you are going to quote a source, especially verbatim, perhaps use quote tags and indicate the source.

Old 2007-03-06, 03:37   #11
jasong
 

I hope I don't offend anyone, but I've got a quick off-topic question:

Are moo and MooMoooo (or whatever) the same person?