[3242] in cryptography@c2.net mail archive
Re: Time Based Token?
daemon@ATHENA.MIT.EDU (Eric Murray)
Tue Aug 25 12:24:32 1998
From: Eric Murray <ericm@lne.com>
To: tzeruch@ceddec.com
Date: Tue, 25 Aug 1998 09:03:20 -0700 (PDT)
Cc: cryptography@c2.net
In-Reply-To: <98Aug24.210954edt.43013@brickwall.ceddec.com> from "tzeruch@ceddec.com" at Aug 24, 98 09:11:44 pm
tzeruch@ceddec.com writes:
>
> Now that I am playing with my palm III, something came up that made me
> think of that token which displays a different number every 30 seconds.

Is that a SecurID access token that you're thinking of?

> Would something that would do a SHA1 of about 1K of random data (as a
> shared secret), and the current time be secure? Or would it have to be
> more elaborate?

Depends on the value of the thing that you're accessing with it.
At the least you should do an HMAC instead of a single hash.

If the palm's timer has high resolution and you can get some sort of
raw data or events from the UI, you could use the same type of code that is
commonly used for PRNG seeds in PC/workstation software... use the low-order
bits of times taken at UI actions, hashed together with whatever else you
can find that changes in unpredictable (to an outsider) ways.

--
Eric Murray Chief Security Scientist N*Able Technologies www.nabletech.com
(email: ericm at lne.com or nabletech.com) PGP keyid:E03F65E5