[COLUG] NIH: Reinventing SecurID

Jim jep200404 at columbus.rr.com
Tue Feb 20 20:11:26 EST 2007 

Duane wrote:

> Kinda re-inventing SecurID, same idea just a much lower price point, and
> doesn't use their algorithm etc :)

> Jim wrote:

> >> The other reason for the keypad is so the person can enter a PIN to
> >> decrypt the shared secret(s) in the first place, 
> > 
> > decrypt or _encrypt_? 
> 
> initially it will be encrypted, and punching in the right PIN each time
> you need to use it will decrypt it, might be something simple like
> XORing it etc.

I would expect one-way encryption, with no decryption. 
Just hash the PIN in with the rest of the info. 
If you enter the "wrong" PIN, you'll just get different output. 

> > For mass production, you might have to deal with patents. 
> 
> Unless they are only made/used in countries that don't recognise US
> patents, or at least has more sane patent laws...

How many browsers is Cacert in by default? 
How many browsers would Cacert like to be in by default? 

The path to respect is not by theft. 
You'd better work around the patents, not infringe them. 

> > A keypad is too cumbersome for mass production. 
> > An electrical interface is more convenient for mass production. 
> 
> by keypad I meant electrical contacts on a printed circuit board with a
> rubber "spring" to only contact as needed.

In other words, by keypad you mean keypad. 

Entering info by keypad is too cumbersome for mass production. 
A keypad is fine for use by the end user, 
but poor for configuration in the factory. 
A bed of nails is better in the factory. 

> > Ahh, you don't want random bits, you want _pseudo_-random bits. 
> 
> No, for the most part only the shared secret is pseudo random,
> everything else is calculated.

You aren't making much sense. 

I would expect the shared secret to be truly random. 
You can use a pseudo-random number for the secret, 
but truly random would be better. If you used 
pseudo-random numbers for the secret, and someone 
figured out (or stole) the sequence that you generate 
the secrets for the SecurID things, 
then all your SecurID things would be inSecurID things. 

The output is completely predictable if you know the secret. 
For someone who doesn't know the secret, 
the output is very difficult to predict
I.e., the _output_ is pseudo-random. 

> >>> You should mention this at lunch while wearing sandals. 
> >> In this weather???
> > 
> > Yes, we have lunch even in this hot weather. It's indoors and air conditioned. 
> 
> I meant the sandals bit...

OK. By all means, wear sandals. 

Jim

More information about the colug432 mailing list