This is an interesting-looking gadget from PayPal: a hardware security token that you carry around with you on your keyring.
If, as the page says, the device generates a six-digit code "about every 30 seconds", then it can be expected to take "about" a year to exhaust all possible codes and start over. (If it generated a new code exactly every 30 seconds, and did not re-use any code until all codes had been used, it would exhaust the one million available codes in 347.222 days.) On the face of it, this looks like pretty good odds.
However, the algorithm must necessarily be deterministic, or it wouldn't work. And if it's deterministic, and someone can learn (disassemble, reverse-engineer, whatever) the algorithm, and can get (sniff or shoulder-surf, for example) any single code that you used and when it was used, they may possibly (depending on the algorithm) be able to determine what code your token will generate at any specified time in the future, unless each token has some kind of unique-per-token salt. The "frequently asked questions" page does appear to imply that such a per-token key or salt exists.
Discuss.
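The point about determinism and a per-token key, shown as an added example that is not part of the original post. It assumes the public TOTP construction (RFC 6238, HMAC-SHA1), since the page does not say which algorithm the PayPal token runs; `TOKEN_A` is the RFC test key and `TOKEN_B` is a constructed second key. The algorithm is fully known here, yet each code depends on the secret, so one observed code and its timestamp do not give the next one.

```python
import hashlib
import hmac
import struct

# RFC 6238 test key; stands in for one token's secret (not PayPal's).
TOKEN_A = b"12345678901234567890"
# Constructed second secret, standing in for a different token.
TOKEN_B = b"constructed-second-token-key"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code shown by a token holding `secret` at `unix_time`."""
    counter = unix_time // step                      # which 30-second window
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           step: int = 30, drift_windows: int = 1) -> bool:
    """Server-side check; tolerates clock drift of +/- drift_windows."""
    ok = False
    for d in range(-drift_windows, drift_windows + 1):
        t = unix_time + d * step
        if t < 0:
            continue
        # compare_digest avoids leaking the match position through timing
        ok |= hmac.compare_digest(totp(secret, t, step), submitted)
    return ok


if __name__ == "__main__":
    now = 59  # constructed timestamp
    print("token A:", totp(TOKEN_A, now), " token B:", totp(TOKEN_B, now))
    # Codes are pseudo-random, so they can repeat before all 10**6 are used.
    seen = {totp(TOKEN_A, n * 30) for n in range(5000)}
    print("distinct codes in 5000 windows:", len(seen))
```

Under this construction the codes do not cycle through all one million values in order, so the 347-day figure is the exhaustion time for a non-repeating sequence, not a period after which the token's output starts over.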
no subject
I have a VPN keyfob that generates six-digit numbers; it allows me to connect remotely across <NewCompany>'s corporate firewall. Years ago, I had a similar credit-card sized device at <OldCompany>, until they migrated to SoftID, which did all of it in software.
This technology's been around for at least a decade. Granted, you follow this stuff much more than I do, but I think it's safe.
(Then again, doesn't the existence of this imply that PayPal doesn't consider https: secure enough?)
no subject
Though, admittedly, at the time, my knowledge of cryptography was less than it is now, so I didn't properly evaluate it.
no subject
That is an interesting inference, isn't it...?