[geeks] Interesting: hardware security token for PayPal
Phil Stracchino
phil.stracchino at speakeasy.net
Sun Apr 1 13:04:37 CDT 2007
Dan Duncan wrote:
> On 3/31/07, Phil Stracchino <phil.stracchino at speakeasy.net> wrote:
>> This is an interesting-looking gadget from PayPal:
>>
>> https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/general/PayPalSecurityKey
>>
>> If the device generates a six-digit code "about every 30 seconds", then
>> it takes it "about a year" to exhaust all possible codes and start over.
>
> We use RSA SecurID tokens like this at $WORK. Rumor has it a former
> employee left his at home with a password-protected webcam pointing at it
> so he didn't need to carry it with him. I don't know if that's why
> he's a former
> employee. Of course, it's just a rumor.
>
>> However, the algorithm must necessarily be deterministic, or it wouldn't
>> work.
>
> I always assumed it was a string of pseudo-random numbers with a
> shared seed. The number would seem random, but both ends could
> always generate the same number if they knew how many minutes had
> elapsed (mine is in minutes, not half minutes) from some point in time.
>
> This was always a fun phenomenon to demonstrate to new programming
> students. :)
I'm told the algorithm is something like this: The unit takes a 64-bit
current time, a 128-bit random seed, a 32-bit token serial number, and
32 bits of padding. Pass this 256 bits of data into AES256 in ECB mode,
and then use some proprietary algorithm to select which N digits of the
result to display.
--
It's not the years, it's the mileage.
Phil Stracchino phil.stracchino at speakeasy.net
Renaissance Man, Unix generalist, Perl hacker, Free Stater
Landline: 603-429-0220 Mobile: 603-320-5438
More information about the geeks
mailing list