[3241] in cryptography@c2.net mail archive
Re: Time Based Token?
daemon@ATHENA.MIT.EDU (Rick Smith)
Tue Aug 25 12:21:18 1998
Date: Tue, 25 Aug 1998 10:23:22 -0500
To: tzeruch@ceddec.com, cryptography@c2.net
From: Rick Smith <rick_smith@securecomputing.com>
In-Reply-To: <98Aug24.210954edt.43013@brickwall.ceddec.com>
At 09:11 PM 8/24/98 -0400, tzeruch@ceddec.com wrote:
>Now that I am playing with my palm III, something came up that made me
>think of that token which displays a different number every 30 seconds.
>
>Would something that would do a SHA1 of about 1K of random data (as a
>shared secret), and the current time be secure? Or would it have to be
>more elaborate?
Given that one time passwords are generally used to authenticate a session,
and that most session mechanisms are vulnerable to attack, then the
proposed approach is probably "good enough."
SecurID cards take a timer value encrypt it with a shared secret, and
generate the OTP from that. I could imagine doing something similar with a
secure hash algorithm, but then you're not using the tool built for the
job. It's a bit cleaner to use a real encryption algorithm since it's
designed to do what you're trying to do.
Another approach is to just emulate an ANSI X9.9 token, and the Palm
software to do is is allegedly available from http://www.securepilot.com. I
haven't investigated this software myself.
Rick.
