Assuming I have 2 different programs, one called Dongle, the other called Connect.
One Time Pin (6 digits) is generated by the Dongle. The generation of the OTP is a function of the user, their password and time. The OTP is only valid for 15s.
The Connect program should check the consistency of the username, password and pin, reading from a txt file and generating the pin. Both programs do not communicate.
I am puzzled by the portion about the programs not communicating: how does the Connect program check that the OTP is not >15s old?
Here is a trivial example of how that could be done; have the OTP include the actual generation time in seconds. When the connect programme reads the OTP, it is trivial to see if it is older than 15 seconds.
For security, disguise this time value with a hash and/or further encryption.
Only the username & password are stored in the txt file. Only Connect has access to it; the Dongle is purely used to generate the OTP, with no access to the txt file.
So wait, you're saying the dongle programme has to know the username and password to generate the OTP, but will not ever be told the username or password (which can change at any time by altering the text file) and has no way of reading it?
Well, if that's what you mean, it's impossible. Perhaps you have misunderstood the requirements on the dongle.
I have a real dongle that generates an OTP based on the time and a preset hash/encryption cypher; when I need to use it, that value is not at all based on my username and password. The real-world requirement on that dongle is essentially that it is in my possession at the time of using my account, and that is verified solely by the OTP generated in the last thirty seconds or so - it relies in no way on knowing my username and password. The dongle meets the "something I have" portion of security, and my username/password separately fulfil the "something I know" portion.
The 6-digit token must be a function of the current time. If the time is not included in the pin-generation algorithm, it is simply impossible to determine the time the pin was created without additional information.
Here's a way that could be done; the dongle takes the current time, the username and password (as supplied) and turns them into a six digit number with some kind of hashing function; this is the dongle output.
In a real device, the dongle has an internal clock.
The connector knows the username, password and a range of time values from the last 15 seconds, applies the same hashing function, and calculates a range of values to cover the last 15 seconds. So long as one of those values matches, all's good.
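The scheme from the last few posts, as an added example that is not code from the thread: the two programs share only the clock and the credentials, and the connector recomputes the pin for each of the last 15 seconds. HMAC-SHA-256 keyed with the password stands in for "some kind of hashing function"; the function names, the `user:password` file layout and the sample accounts are assumptions.

```python
import hashlib
import hmac
import time

VALIDITY_SECONDS = 15  # OTP lifetime stated in the thread

# Constructed stand-in for the txt file that only Connect reads (user:password per line).
USERS_TXT = "alice:correct horse\nbob:hunter2\n"


def make_pin(username: str, password: str, second: int) -> str:
    """Dongle side: 6-digit pin from user, password and a whole-second timestamp."""
    msg = f"{username}|{second}".encode()
    digest = hmac.new(password.encode(), msg, hashlib.sha256).digest()
    # Truncate the MAC to six decimal digits, zero-padded.
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def load_users(text: str) -> dict:
    """Parse 'user:password' lines (assumed layout) into a dict."""
    return dict(line.split(":", 1) for line in text.splitlines() if line)


def check_pin(username: str, pin: str, now: int, users_text: str = USERS_TXT) -> bool:
    """Connect side: accept the pin if it matches any of the last 15 seconds."""
    password = load_users(users_text).get(username)
    if password is None:
        return False
    ok = False
    for age in range(VALIDITY_SECONDS):
        candidate = make_pin(username, password, now - age)
        # Constant-time compare, and no early exit, so timing does not reveal the pin's age.
        ok |= hmac.compare_digest(candidate.encode(), pin.encode())
    return ok


if __name__ == "__main__":
    t = int(time.time())
    pin = make_pin("alice", "correct horse", t)
    # Fresh pin is accepted 5 s later and rejected 60 s later.
    print(pin, check_pin("alice", pin, t + 5), check_pin("alice", pin, t + 60))
```

Both sides must agree on the time to within the window, so clock drift on the dongle shortens or removes the period in which a pin is accepted.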