[geeks] Interesting: hardware security token for PayPal

Charles Shannon Hendrix shannon at widomaker.com
Sun Apr 1 00:39:54 CDT 2007


On Sat, 31 Mar 2007 23:51:57 -0400
Phil Stracchino <phil.stracchino at speakeasy.net> wrote:

> This is an interesting-looking gadget from PayPal:
> 
> https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/general/PayPalSecurityKey
> 
> If the device generates a six-digit code "about every 30 seconds", then
> it takes it "about a year" to exhaust all possible codes and start over.
> 
> However, the algorithm must necessarily be deterministic, or it wouldn't
> work.  

It seems to me like it would be fairly cheap to build a device like that
which gathered entropy from its environment.

No two units are likely to have the same hash of temperature, vibration,
drops, torque (human holding it), etc.


> And if it's deterministic, and someone can learn (disassemble,
> reverse-engineer, whatever) the algorithm, and can get any single code
> that you used and when it was used, they may possibly (depending on the
> algorithm) be able to determine what code your token will generate at
> any specified time in the future, unless each token has some kind of
> unique-per-token salt.

At $JOB around 1996 we were shown a code generator that had a unique salt and
serial on each unit.  It also was supposed to not go through the number pool
in the same order or sequence each time, and instead of repeating, the card
died.

That seems reasonable, as long as the card lasts at least a year or two.





-- 
shannon / There is a limit to how stupid people really are, just as there's
-------'  a limit to the amount of hydrogen in the Universe.  There's a lot, 
but there's a limit.  -- Dave C. Barber on a.f.c.  
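
The per-token secret and time-step scheme discussed in this thread, as an added example that is not part of the original posts. It uses RFC 6238 TOTP as a stand-in, since the thread does not say which algorithm the PayPal token uses; the serial numbers and the second secret are constructed, and the `Verifier` class is hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code, as in the post
DIGITS = 6     # six-digit code, as in the post


def token_code(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): code = f(per-token secret, time step)."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server side: knows each token's secret, allows clock drift, rejects replays."""

    def __init__(self, secrets_by_serial: dict, drift_steps: int = 1):
        self.secrets = secrets_by_serial
        self.drift = drift_steps
        self.last_step = {}                      # serial -> last accepted time step

    def check(self, serial: str, code: str, now: int) -> bool:
        secret = self.secrets.get(serial)
        if secret is None:
            return False
        for delta in range(-self.drift, self.drift + 1):
            step = now // STEP + delta
            if step <= self.last_step.get(serial, -1):
                continue                         # step already used (or negative): skip
            if hmac.compare_digest(token_code(secret, step * STEP), code):
                self.last_step[serial] = step    # a code is accepted once only
                return True
        return False


# Constructed sample data: two tokens, each with its own secret.
TOKENS = {"A-0001": b"12345678901234567890",     # RFC 6238 test-vector secret
          "B-0002": b"constructed-secret-2"}

if __name__ == "__main__":
    v = Verifier(TOKENS)
    code = token_code(TOKENS["A-0001"], 59)
    print(code, v.check("A-0001", code, 59), token_code(TOKENS["B-0002"], 59))
```

The algorithm here is public; what an observer of one code lacks is the per-token secret, which plays the role of the "unique-per-token salt" raised above.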


