[geeks] Interesting: hardware security token for PayPal

Phil Stracchino phil.stracchino at speakeasy.net
Sat Mar 31 22:51:57 CDT 2007


This is an interesting-looking gadget from PayPal:

https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/general/PayPalSecurityKey

If the device generates a six-digit code "about every 30 seconds", then
it takes it "about a year" to exhaust all possible codes and start over.

However, the algorithm must necessarily be deterministic, or it wouldn't
work.  And if it's deterministic, and someone can learn (disassemble,
reverse-engineer, whatever) the algorithm, and can get any single code
that you used and when it was used, they may possibly (depending on the
algorithm) be able to determine what code your token will generate at
any specified time in the future, unless each token has some kind of
unique-per-token salt.


-- 
 It's not the years, it's the mileage.
 Phil Stracchino              phil.stracchino at speakeasy.net
 Renaissance Man, Unix generalist, Perl hacker, Free Stater
 Landline: 603-429-0220                Mobile: 603-320-5438
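
Added example, not part of the original post and not PayPal's code: the post's concern worked through in Python, with an unkeyed time-based code that anyone who knows the algorithm can compute, next to one keyed by a per-token secret. The keyed form is assumed to be RFC 6238 TOTP (the post does not say which algorithm the device uses), and all function names are hypothetical.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # "about every 30 seconds", per the post
DIGITS = 6          # six-digit code, per the post


def _truncate(digest: bytes) -> str:
    """RFC 4226 dynamic truncation of a SHA-1 digest to DIGITS decimal digits."""
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def unkeyed_code(unix_time: int) -> str:
    """Weak case: the code depends only on the public algorithm and the time,
    so every token shows the same value and any observer can compute it."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    return _truncate(hashlib.sha1(counter).digest())


def keyed_code(token_secret: bytes, unix_time: int) -> str:
    """Keyed case (RFC 6238 TOTP, assumed): HMAC-SHA1 over the time counter
    under a secret unique to each token. Knowing the algorithm and one
    observed (code, time) pair does not give the next code without the secret."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    return _truncate(hmac.new(token_secret, counter, hashlib.sha1).digest())


def days_to_cycle_all_codes() -> float:
    """Days needed to step once through every six-digit value, one per step."""
    return 10 ** DIGITS * STEP_SECONDS / 86400


if __name__ == "__main__":
    # Constructed sample secrets for two tokens; real secrets are random bytes.
    token_a, token_b = b"constructed-secret-A", b"constructed-secret-B"
    now = 1175399517  # constructed sample Unix time
    print("unkeyed, any token:", unkeyed_code(now))
    print("keyed, token A:    ", keyed_code(token_a, now))
    print("keyed, token B:    ", keyed_code(token_b, now))
    print("days to cycle:      %.1f" % days_to_cycle_all_codes())
```

With a per-token secret, the security of the codes rests on that secret staying inside the token and the verifying server, not on the algorithm staying unknown.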


