[geeks] Interesting: hardware security token for PayPal
Phil Stracchino
phil.stracchino at speakeasy.net
Sun Apr 1 13:02:04 CDT 2007
Charles Shannon Hendrix wrote:
> On Sat, 31 Mar 2007 23:51:57 -0400
> Phil Stracchino <phil.stracchino at speakeasy.net> wrote:
>
>> This is an interesting-looking gadget from PayPal:
>>
>> https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/general/PayPalSecurityKey
>>
>> If the device generates a six-digit code "about every 30 seconds", then
>> it takes it "about a year" to exhaust all possible codes and start over.
>>
>> However, the algorithm must necessarily be deterministic, or it wouldn't
>> work.
>
> It seems to me like it would be fairly cheap to build a device like that
> which gathered entropy from its environment.
>
> No two units are likely to have the same hash of temperature, vibration,
> drops, torque (human holding it), etc.
True, but you can't use those because they can't be replicated at the
server. If the key generation is modified using data not available to
the server, the server cannot authenticate the resulting keys.
--
It's not the years, it's the mileage.
Phil Stracchino phil.stracchino at speakeasy.net
Renaissance Man, Unix generalist, Perl hacker, Free Stater
Landline: 603-429-0220 Mobile: 603-320-5438
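Added example, not code from the thread or from PayPal: a Python sketch of the deterministic time-step scheme the reply describes. It assumes an RFC 6238-style TOTP construction (HMAC-SHA1 over a 30-second counter, truncated to six digits) as a stand-in for the generic mechanism, not as a description of the PayPal device; it shows the server recomputing the code from the shared secret and time, and failing to verify a code into which the token mixed entropy the server does not have.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30  # the post quotes "about every 30 seconds"
DIGITS = 6         # six-digit code


def time_step(unix_time: int) -> int:
    """Counter for the 30-second window that contains unix_time."""
    return unix_time // STEP_SECONDS


def code_for_step(secret: bytes, step: int, extra: bytes = b"") -> str:
    """Derive a six-digit code from the shared secret and the time step
    (HOTP/TOTP dynamic truncation). `extra` models device-local entropy
    mixed into the derivation, the variant proposed in the thread; the
    server never sees it."""
    msg = struct.pack(">Q", step) + extra
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def server_verify(secret: bytes, candidate: str, now: int, window: int = 1) -> bool:
    """Server side: recompute the code for the current step and its
    neighbours (clock drift) and compare in constant time. Only inputs the
    server shares with the token (secret, time) can enter this recomputation."""
    step = time_step(now)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(code_for_step(secret, step + delta), candidate):
            return True
    return False


def demo() -> tuple:
    # RFC 4226 / RFC 6238 test secret, so the values can be checked against the RFCs.
    secret = b"12345678901234567890"
    now = 59  # RFC 6238 test time, which falls in step 1
    token_code = code_for_step(secret, time_step(now))  # "287082"
    # Constructed stand-in for sensor readings that only the token has.
    noisy_code = code_for_step(secret, time_step(now), extra=b"temp=21.4C;vib=0x3a")
    return server_verify(secret, token_code, now), server_verify(secret, noisy_code, now)


if __name__ == "__main__":
    print(demo())  # (True, False)
```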