[geeks] Interesting: hardware security token for PayPal

Lionel Peterson lionel4287 at gmail.com
Sun Apr 1 13:19:13 CDT 2007


-----Original Message-----
From: "Phil Stracchino" <phil.stracchino at speakeasy.net>
To: "The Geeks List" <geeks at sunhelp.org>
Sent: 4/1/2007 2:02 PM
Subject: Re: [geeks] Interesting:  hardware security token for PayPal

Charles Shannon Hendrix wrote:
> On Sat, 31 Mar 2007 23:51:57 -0400
> Phil Stracchino <phil.stracchino at speakeasy.net> wrote:
>
>> This is an interesting-looking gadget from PayPal:
>>
>> https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/general/PayPalSecurityKey
>>
>> If the device generates a six-digit code "about every 30 seconds", then
>> it takes it "about a year" to exhaust all possible codes and start over.
>>
>> However, the algorithm must necessarily be deterministic, or it wouldn't
>> work.
>
> It seems to me like it would be fairly cheap to build a device like that
> which gathered entropy from its environment.
>
> No two units are likely to have the same hash of temperature, vibration,
> drops, torque (human holding it), etc.

True, but you can't use those because they can't be replicated at the
server.  If the key generation is modified using data not available to
the server, the server cannot authenticate the resulting keys.

Accurate clock, big unique number, and a formula for turning both into a 6
digit number is all that's needed, IMHO

Lionel
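As an added illustration (not code from the thread, from PayPal, or from any list member), here is the "accurate clock, big unique number, formula" recipe Lionel describes, written the way it was later standardised as RFC 6238 TOTP: the "big unique number" is a per-device secret that the server also stores, the clock is divided into 30-second steps, and the server authenticates by recomputing the same formula from its own clock. The last function mixes in a local sensor reading to show why the environmental-entropy idea cannot be verified server-side. The secret is the RFC 4226/6238 test-vector secret, used here only as a constructed sample.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code ("about every 30 seconds")
DIGITS = 6   # six-digit display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the counter is simply the clock in units of `step` seconds."""
    return hotp(secret, unix_time // step, digits)


def server_verify(secret: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Server side: recompute the code for the current step and +/- `skew` steps
    (tolerating a little clock drift) and compare in constant time.
    This only works because the server holds the same secret and a clock."""
    counter = unix_time // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


def token_with_local_entropy(secret: bytes, unix_time: int, sensor_reading: bytes) -> str:
    """Hypothetical variant that folds in data only the device can observe
    (temperature, vibration, ...). The server cannot reproduce `sensor_reading`,
    so it has no way to recompute and therefore no way to authenticate this code."""
    return totp(secret + sensor_reading, unix_time)


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 Appendix B test secret (sample)
    now = 59                            # RFC test time: step counter 1
    code = totp(secret, now)
    print("device shows", code, "server accepts:", server_verify(secret, code, now))
    noisy = token_with_local_entropy(secret, now, b"temp=21.5C")
    print("entropy-mixed code", noisy, "server accepts:", server_verify(secret, noisy, now))
```

The RFC test vectors make the expected values checkable: with that secret, time 59 yields 287082 and time 1111111109 yields 081804 (the last six digits of the 8-digit vectors in RFC 6238 Appendix B).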
